
[{"content":"","date":"25 December 2021","externalUrl":null,"permalink":"/","section":"AlvenTech","summary":"","title":"AlvenTech","type":"page"},{"content":"","date":"25 December 2021","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"","date":"25 December 2021","externalUrl":null,"permalink":"/categories/packer/","section":"Categories","summary":"","title":"Packer","type":"categories"},{"content":"","date":"25 December 2021","externalUrl":null,"permalink":"/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":" Introduction # In my last blog post, /azure-image-builder-or-packer-for-wvd/, I used a JSON Packer template, and I promised a new blog post on how to upgrade it to HCL2.\nHashiCorp recommends HCL2 from version 1.7.0 onwards, so it’s about time I finally make the switch!\nThe Packer documentation is really good, so I will basically just follow along with it and see if I run into any challenges: https://learn.hashicorp.com/tutorials/packer/hcl2-upgrade\nIn this post we will take the JSON template and upgrade it. I will also try to improve the template, since HCL gives us better options for documenting it with annotations.\nGetting started # I’ve got an existing JSON file from GitHub, shown below.\nFrom my terminal I run the command packer hcl2_upgrade -with-annotations .\\Packer_w10_20h2_SIG.json\nSuccessfully created .\\Packer_w10_20h2_SIG.json.pkr.hcl. Exit 0\nTime to review the HCL2 configuration after the upgrade. I opened the new *.pkr.hcl file in VS Code to check the annotations, parameters, and variables. 
Working with the new template is way better, and I didn’t have to change much other than the variables and updating the annotations to suit my needs.\nBuild the Packer HCL2 template in Azure DevOps # In GitHub, I’ve added the raw configuration from the HCL2 upgrade, but I’ve changed the variables to my needs.\nI’m using an Azure CLI task to test the new configuration template. Go back to my old blog post /azure-image-builder-or-packer-for-wvd/ if you need more details on how to configure the Azure DevOps pipeline.\nIn the Inline Script, I add the build shell script. I set the variables with export and generate a timestamp for one of the variables (image_version) to produce the semantic version (major.minor.patch) that SIG / Azure Compute Gallery requires. You can also use a variable file if you prefer setting your variables that way.\nVoila! When running the build we can see that it has started the azure-arm Packer build stage.\nSummary # Upgrading the template was straightforward, and I will for sure prefer working with the HCL configuration. If you have already been working with Terraform, the HCL configuration will feel familiar and lets you express more logic in the template itself. 
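The build script described above, written out as an added example that is not the script from the original post or from the author’s repository; the same script serves the Packer build task in the older Packer/AIB post further down this page. It assumes the upgraded template declares variables named image_version, client_id, client_secret, subscription_id and tenant_id (only image_version is named on the page; the other names are assumptions), and that the Azure DevOps task maps the Key Vault secrets into environment variables CLIENT_ID, CLIENT_SECRET, SUBSCRIPTION_ID and TENANT_ID, because secret variables are not exposed to scripts unless you map them explicitly:

```shell
#!/bin/sh
# Added example: run the upgraded HCL2 template from an Azure DevOps inline script.
# Not the original post's script; variable names other than image_version are assumptions.
set -eu

# Azure Compute Gallery image versions must be MAJOR.MINOR.PATCH with every part a
# 32-bit integer, so a YYYYMMDDHHMM stamp cannot be used as one number. Split it into
# 1.YYMMDD.HHMM instead: monotonic, sortable, and every field stays well below 2^31.
image_version_from_stamp() {
  stamp="$1"                       # expected format: YYYYMMDDHHMM (UTC)
  case "$stamp" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "image_version_from_stamp: expected YYYYMMDDHHMM, got '$stamp'" >&2; return 1 ;;
  esac
  yymmdd="${stamp#??}"             # drop the century ...
  yymmdd="${yymmdd%????}"          # ... and the HHMM suffix
  hhmm="${stamp#????????}"         # keep HHMM
  # Strip leading zeros (at most three) so the patch field is a plain integer, e.g. 0930 -> 930.
  hhmm="${hhmm#0}"; hhmm="${hhmm#0}"; hhmm="${hhmm#0}"
  printf '1.%s.%s' "$yymmdd" "$hhmm"
}

# Export the variables Packer reads: an HCL2 variable "foo" is set from PKR_VAR_foo.
# Secrets arrive through the pipeline's env mapping (assumed names CLIENT_SECRET etc.);
# ${VAR:?msg} aborts with a clear message if a mapping is missing instead of letting
# Packer silently fall back to Managed Identity with empty credentials.
export_packer_variables() {
  PKR_VAR_image_version="$(image_version_from_stamp "$(date -u +%Y%m%d%H%M)")"
  PKR_VAR_client_id="${CLIENT_ID:?CLIENT_ID not mapped from the variable group}"
  PKR_VAR_client_secret="${CLIENT_SECRET:?CLIENT_SECRET not mapped from the variable group}"
  PKR_VAR_subscription_id="${SUBSCRIPTION_ID:?SUBSCRIPTION_ID not mapped from the variable group}"
  PKR_VAR_tenant_id="${TENANT_ID:?TENANT_ID not mapped from the variable group}"
  export PKR_VAR_image_version PKR_VAR_client_id PKR_VAR_client_secret \
         PKR_VAR_subscription_id PKR_VAR_tenant_id
  # Log the version only; never echo the secret, even though the pipeline masks mapped secrets.
  echo "Building image version $PKR_VAR_image_version"
}

# Validate before build: a missing or misspelled variable fails here in seconds
# instead of after Packer has already provisioned a build VM in Azure.
run_packer_build() {
  template="$1"
  export_packer_variables
  packer validate "$template"
  packer build "$template"
}

# Usage from the Azure CLI task inline script:
#   sh build.sh --build ./Packer_w10_20h2_SIG.json.pkr.hcl
if [ "${1:-}" = "--build" ]; then
  run_packer_build "$2"
fi
```

Mapping the Key Vault secrets into the task’s env block (rather than reading them from the variable group by name inside the script) is what keeps them out of the pipeline log, and the version stamp split into two fields is what keeps Azure from rejecting the image version as out of range.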
That’s it for this short blog post.\nDocumentation # https://developer.hashicorp.com/packer/tutorials/configuration-language/hcl2-upgrade\nhttps://developer.hashicorp.com/packer/docs/templates/hcl_templates/variables#environment-variables\n","date":"25 December 2021","externalUrl":null,"permalink":"/upgrade-packer-json-template-to-hcl2-for-azure-virtual-desktop/","section":"Posts","summary":"Introduction # In my last blog post, /azure-image-builder-or-packer-for-wvd/, I used a JSON Packer template, and I promised a new blog post on how to upgrade it to HCL2.\n","title":"Upgrade Packer JSON template to HCL2 for Azure Virtual Desktop","type":"posts"},{"content":"","date":"21 July 2021","externalUrl":null,"permalink":"/categories/azure-virtual-desktop/","section":"Categories","summary":"","title":"Azure Virtual Desktop","type":"categories"},{"content":" Introduction # To scale or not to scale, that’s today’s question with Azure Virtual Desktop.\nLately, I have had a compelling problem with Azure Virtual Desktop where a customer had problems with scaling a line-of-business (LOB) application as a published application. Text, icons, and fonts became blurry, especially for users who used a laptop as the primary screen and switched back and forth between primary and secondary screens with different resolutions \u0026 screen scaling.\nWhen I first came into the project, the workaround with the GPO \u0026 registry settings for IgnoreClientDesktopScaleFactor and LogPixels from the URL below had already been tested but did not have any effect.\nhttps://cloud.accigo.se/blog/windows-virtual-desktop-scaling-issues/ After this step, I started testing a GPO with GDI DPI scaling as an option. GDI DPI scaling information from Microsoft: https://blogs.windows.com/windowsdeveloper/2017/05/19/improving-high-dpi-experience-gdi-based-desktop-apps/\nThe GDI DPI scaling GPO did not apply to the LOB application either. 
The next step was to look into the DPI awareness of the application, so I used Process Explorer on the session host and added the DPI Awareness column (nr 1 in the screenshot).\nComparing this with nr 3, explorer.exe, and nr 4, msedge.exe (Per-Monitor Aware), which were also published as applications, I could see that our nr 2, LOB.exe, reported no DPI awareness at all, and that’s why GDI DPI scaling did not apply either.\nOverview Client Scaling and RDP Properties # So without making any big changes to the code in the application, I started playing with RDP properties in AVD to see if we could make the scaling better. We used both the Windows Desktop and Microsoft Store client apps.\nSummary of client features (Windows 10) and display settings in the table below:\nhttps://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-features\nhttps://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp-files#display-settings\n| Feature | Windows Desktop | Microsoft Store | RDP display setting | Description |\n| --- | --- | --- | --- | --- |\n| Remote Desktop sessions | x | x | x | Desktop of a remote computer presented in full screen or windowed mode. |\n| Immersive RemoteApp sessions | x | x |  | Individual remote apps presented in a window or maximized to full screen. |\n| Dynamic resolution | x | x | x | Resolution and orientation of local monitors is dynamically reflected in the remote session. If the client is running in windowed mode, the remote desktop is resized dynamically to the size of the client window. |\n| Smart sizing | x | x | x | Remote Desktop in windowed mode is dynamically scaled to the window’s size. |\nTo verify the client setting on the end-user client I used both the Windows Desktop client and the Microsoft Store client.\nNB! To check that the custom RDP settings have been applied, I checked the logs on the local client.\nC:\\Users\\%username%\\AppData\\Local\\rdclientwpf is the folder that contains the RDP settings.\nI tested with dynamic resolution and smart sizing. 
But none of the settings worked for the LOB application. Using the Microsoft Store application actually just made the scaling even worse in combination with the RDP settings.\nSolution # Unfortunately, the RDP settings did not help, so the last step was to work with the application vendor to see if we could improve the DPI handling. After some days of tinkering with different settings, like updating the .NET version of the application and changing the pixel settings back and forth, we could publish a new RemoteApp with the new settings. And after another week of testing, we finally ended up with settings that were acceptable for the end users!\nSummary # When doing an application assessment for migration from Citrix to Windows 10 multi-session hosts in Azure Virtual Desktop, you should consider DPI as part of your scope. DPI can have a huge impact on the end users and their workflows, and if you are not as lucky as I was with the application vendor, this could end up being a very time-consuming problem.\n","date":"21 July 2021","externalUrl":null,"permalink":"/azure-virtual-desktop-published-application-and-scaling-issues-with-dpi/","section":"Posts","summary":"Introduction # To scale or not to scale, that’s today’s question with Azure Virtual Desktop.\nLately, I have had a compelling problem with Azure Virtual Desktop where a customer had problems with scaling a line-of-business (LOB) application as a published application. 
Text, icons, and fonts became blurry, especially for users who used a laptop as the primary screen and switched back and forth between primary and secondary screens with different resolutions \u0026 screen scaling.\n","title":"Azure Virtual Desktop Published Application and Scaling issues with DPI","type":"posts"},{"content":"","date":"20 July 2021","externalUrl":null,"permalink":"/categories/azure-monitor/","section":"Categories","summary":"","title":"Azure Monitor","type":"categories"},{"content":" Introduction # I was recently involved in a project to troubleshoot some performance issues on Azure Virtual Desktop, where some users reported the connection error “The remote resource can’t be reached. Check your connection and try again” when connecting to Azure Virtual Desktop. After 2-3 connection attempts they could eventually connect.\nSo I naturally started the troubleshooting by looking into Azure Monitor Insights for Azure Virtual Desktop.\nBut when opening the Azure Monitor dashboard I did not get access to Utilization, Host Diagnostics, Host Performance, or Alerts. I could however query other tabs like Connection Diagnostics, Connection Performance, Users, and Clients.\nWhen trying to query data from Host Diagnostics, the tab would start looping with the spinning wheel before it timed out, and the workspace reported: “could not query this data”.\nI first suspected we could have some misconfigured counters, so I started looking at the Azure documentation:\nhttps://learn.microsoft.com/en-us/troubleshoot/azure/virtual-desktop/troubleshoot-insights I looked into the performance counters and event logs to verify that they were correct. The Log Analytics workspace also reported “no missing performance counters”. I also double-checked the Terraform code and could verify all counters were correct. Apparently, the problem was related to something else.\nThe next step was to jump over to the session host and check the event logs. 
In the event log, I could see NOT accessible URLs with Event ID 3702.\nI knew that the session hosts were in a restricted network zone, so I got the network team to verify the firewall ruleset, and we were missing only one URL suffix related to Log Analytics, but that was not relevant to the URLs from the Event ID above. Everything looked good in the firewall logs.\nSince we still had the same issues, I went into the Log Analytics workspace and ran a simple query to see if the computers were listed. I did not get any results back.\nThe next step was to verify that the Monitoring Agent had connectivity, using C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\TestCloudConnection.exe.\nIn addition, I viewed the Monitoring Agent, which reported the status:\nDNS name resolution of the Microsoft Operations Management Service Suite failed. This could be due to either the Workspace Id being configured incorrectly, or the agent not having internet access; please check that the system either has internet access….\nSolution # At this point it was definitely time to check DNS!\nI started checking ping requests against some of the URLs and could see that ping rdbroker.wvd.microsoft.com returned:\nPing request could not find host rdbroker.wvd.microsoft.com. Please check the name and try again.\nAfter checking the DNS servers, I could see that the forwarders were pointing to some old DNS servers that were due to be decommissioned, and the firewall behind the old servers was terminating the traffic. 
We updated the forwarder to the Azure DNS server, and our traffic started flowing correctly.\nI also did a quick test with TestCloudConnection.exe, and the connectivity test passed as expected.\nSummary # This was not your everyday problem, but I just wanted to share some of the steps related to troubleshooting.\nThe Operational issues view reports status OK, but this can be confusing, because Log Analytics reports the agents as OK as long as the heartbeat between the workspace ID and the keys succeeds.\nWhat would have been great is if Azure Monitor had functionality that reported the agent as not OK directly from the Overview tab.\nUntil next time! It’s always DNS.\n","date":"20 July 2021","externalUrl":null,"permalink":"/troubleshooting-azure-virtual-desktop-monitoring/","section":"Posts","summary":"Introduction # I was recently involved in a project to troubleshoot some performance issues on Azure Virtual Desktop, where some users reported the connection error “The remote resource can’t be reached. Check your connection and try again” when connecting to Azure Virtual Desktop. After 2-3 connection attempts they could eventually connect.\n","title":"Troubleshooting Azure Virtual Desktop Monitoring","type":"posts"},{"content":"","date":"28 May 2021","externalUrl":null,"permalink":"/categories/azure-devops/","section":"Categories","summary":"","title":"Azure DevOps","type":"categories"},{"content":"","date":"28 May 2021","externalUrl":null,"permalink":"/categories/azure-image-builder/","section":"Categories","summary":"","title":"Azure Image Builder","type":"categories"},{"content":" Introduction # So you’re in the situation of seeking to automate Azure Virtual Desktop (AVD) image creation. You have discovered Packer and Azure Image Builder, but do not know which to use. Hopefully I will, as briefly as possible, make sense of the differences and why you might fancy one of them depending on your scenario. 
Lucky for you there is no wrong answer; the secret is that you use Packer either way 🙂\nIn the table below I’ve listed some important key capabilities of both services.\nTo read the entire specification, I also recommend reading the documentation section that I’ve added at the end of this post.\nIn addition to the table, I’ve explained how you can automate AIB and Packer (azure-arm) with Azure DevOps using the marketplace extensions. You do not need to use these; you could also just interact with the Azure CLI, etc. My goal is just to show a quick proof of concept with a Windows 10 multi-session image. Both examples distribute images to SIG.\n| Description | Packer (azure-arm) | AIB (Azure Image Builder) |\n| --- | --- | --- |\n| Managed by | HashiCorp | “Microsoft” (with HashiCorp Packer under the hood) |\n| Azure RBAC role | Service Principal | Managed Identity |\n| Azure Resource Group | Provision resources to the default resource group from Packer or an existing resource group | Provision resources to the default resource group from Packer or an existing resource group |\n| Distribute | Shared Image Gallery, Managed Image, VHD | Shared Image Gallery, Managed Image, VHD |\n| Communicators (Windows) - Packer creates a certificate only valid 24 hours from invocation time, uploaded to Key Vault | winrm | winrm |\n| Provisioner | PowerShell, Chef, Ansible, Puppet, DSC | PowerShell |\n| Region | All Azure regions | https://learn.microsoft.com/en-us/azure/virtual-machines/image-builder-overview?tabs=azure-powershell#regions |\n| Hyper-V Generation (images) https://docs.microsoft.com/en-us/azure/virtual-machines/generation-2 | gen1 and gen2 | gen1 and gen2 (roadmap) |\n| Azure DevOps / Infra as Code | Packer task / Build Image task (1.3.4) / Azure CLI and PowerShell (1.7.*) | Azure VM Image Builder Task (preview), Azure CLI and PowerShell (1.7.*) |\n| Security | VNET (default or existing), NSG (restricted ports), Key Vault (certificate and secrets) | VNET (default or existing), NSG (restricted ports), Key Vault (certificate and secrets) |\n| Packer.exe | Need to download the latest Packer version or specify an older version | No direct interaction with Packer. Everything goes through the Azure Image Builder service, which again uses Packer under the hood |\n| Configuration syntax | JSON or HCL (preferred from 1.7.0) | JSON |\n| Logging | Packer logs are stored in a storage account | Packer logs are stored in a storage account |\nOn 20.02.2021 the Azure Image Builder service was announced generally available, but Microsoft apologized for the publication and pulled the GA status. I do not think it is far away, and we could probably still expect it to hit GA in Q2 or Q3 2021.\nUpdate\n07.06.2021: the Azure Image Builder service was announced generally available.\nImage Creation Deployment High Level Design # If we look into the high-level design of how we can create and deploy WVD, it could look similar to this process. The building blocks for WVD image creation and image deployment involve many phases before we have the end product. 
With help from Packer, AIB, SIG and Azure DevOps we have the tools to support automation of this process.\n1. Use a marketplace SKU (add this to our code)\n2. Choose the latest offer / Windows version supported by your organization (add this to the code)\n3. Build the pipeline with AIB or Packer with the info from 1 \u0026 2\n4. Provisioner: install Windows features and custom applications from Azure Storage / Azure Files / a package manager\n5. Distribute to the Shared Image Gallery across regions\n6. Trigger the ARM or TF deployment with the latest release ID from SIG\n7. Start the Windows customization extensions phase: domain join extension, host pool join DSC extension, custom PowerShell extension (for example the WVD optimization script)\n8. VM added to the host pool, ready for testing or production.\nGetting started with Azure Image Builder with Azure DevOps # Since AIB is not GA, we are required to register the preview feature. Follow this guide from Microsoft to register VirtualMachineTemplatePreview for the preview: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/image-builder-powershell#register-features . This step is not required when GA!\nI’ve already created a Managed Identity with permissions and added the permissions needed for SIG using the guide below.\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/image-builder-powershell#create-user-identity-and-set-role-permissions\nWhen all prerequisites are in place we can start adding the Azure VM Image Builder Task (Preview) in Azure DevOps. You can also use Azure CLI or PowerShell tasks.\nCreate Azure DevOps Project # The first task is to create a new project in Azure DevOps at dev.azure.com. I will do it manually, but you can do this with Terraform if you need to automate this multiple times: https://techcommunity.microsoft.com/t5/itops-talk-blog/how-to-use-terraform-to-create-azure-devops-projects/ba-p/1555471. 
We can use the same project for both pipelines.\nAdd the marketplace task and install the Marketplace extension for AIB preview # The old Marketplace extension for AIB preview is no longer listed, so use the current Azure Image Builder documentation and Azure DevOps task guidance instead.\nAdd your GitHub service connection # I’m using GitHub as source control.\nCreate your pipeline for Azure Image Builder # Choose Pipelines – Classic editor, connect your GitHub account and start with an empty job.\nI’m using the classic editor to create the pipeline.\nGo back to the release pipeline and add your Azure Image Builder task.\nLet’s look into the required fields for the extension.\nIn the first step of the template, we need to add your Azure subscription, resource group, and managed identity resource ID.\nIn the Customize step, set your custom script. It copies the script from my GitHub working directory over to a directory on the virtual machine. By default the inline customization script runs on the VM from “C:\\BuildArtifacts”; in this step you can install apps or do any custom configuration that you need.\nThere is no requirement to specify Sysprep. AIB will do the Sysprep for us!\nNB! I’ve specified only WestEurope as the SIG region. If you choose more than one, your build will fail because it exceeds the 1-hour limit of the free Microsoft-hosted agent (one free job that can run for up to 60 minutes each time). It does not help much to choose a bigger VM, because SIG replication is the slowest part. 
Even though the job fails, the SIG distribution will still succeed, as you can see when checking the Azure portal.\nYou can buy and read more about parallel jobs here:\nhttps://docs.microsoft.com/en-us/azure/devops/pipelines/licensing/concurrent-jobs?view=azure-devops\u0026tabs=ms-hosted\nRunning the build will output this on a successful task.\nYou can also check the Shared Image Gallery to verify your newly added image from the AIB pipeline.\nThe final YAML pipeline will look like this. You can use it to standardize your Azure Pipelines deployments for CI/CD.\nGetting started with Packer azure-arm with Azure DevOps # Many other blogs use the Build Machine Image task to build an immutable image. My problem with the task is that it uses Packer version 1.3.4, which is old. I want to use the latest Packer version because I want to use the Shared Image Gallery with Packer. So to solve this we use an Azure CLI or PowerShell task that runs Packer with our JSON or HCL file, which the pipeline takes as input. With the Azure CLI or PowerShell task you should, from my experience, always get the latest Packer version installed. I will use the JSON template since I’ve not upgraded my templates to HCL (upgrading to HCL will be another blog post).\nFor authentication, I will use a service principal. NB! If you want to use a Managed Identity, you need to create an Azure virtual machine that has Managed Identity enabled, and then use this VM as the build agent.\nVariable group # The first step is to add a Variable Group. 
All variables that Packer needs are stored here.\nIn my Key Vault I’ve added all details from the service principal that Packer will use for azure-arm.\nI’ve added all secrets to the Key Vault “wvd-kv” and all other variables to the variable group “wvd-packer-vars”, as shown in the picture below.\nTo link the variable group to the DevOps project, choose Variable groups and add the Key Vault.\nRemember to link the secrets as Key Vault variables.\nCreate your Azure DevOps Pipeline for Packer # Let’s configure the pipeline. I’ve added two tasks: Packer validate and Packer build.\nChoose Pipelines – Classic editor, connect your GitHub account and start with an empty job, as we did in the steps above.\nIn the first Inline Script I add the validate shell script, to verify that there are no obvious parameters missing.\nIn the second Inline Script I add the build shell script. I set the variables with export and generate a timestamp for one of the variables (image_version) to produce the semantic version that SIG requires.\nIn summary, the Packer template uses the variables we have defined, creates a Windows 10 image, runs Sysprep on the VM and adds the image to SIG.\nTo fully understand user variables go to https://developer.hashicorp.com/packer/docs/templates/legacy_json_templates/user-variables\nLink the variable groups to the Packer pipeline. This is an important step: without the variables the build will fail!\nWhen running the build we can see that it has started the azure-arm Packer build stage.\nIn the Shared Image Gallery we can find the new image created by the Packer build template.\nThe YAML pipeline for the Packer setup looks like this.\nYou can use it to standardize your Azure Pipelines deployments for CI/CD.\nTroubleshooting # Packer:\nIf you see the Packer error below: 
You have most likely not configured or linked the variable group, or have the wrong values for the client secret, client ID, etc. Packer falls back to Managed Identity authentication when client_id and client_secret are empty, so this log line usually means the service principal variables never reached the build:\nazure-arm: Running builder\nazure-arm: Getting tokens using Managed Identity for Azure\nAIB:\nIf you see this error with AIB below, you have not given your managed identity the correct access to either the Shared Image Gallery or the storage account.\n[error]Error: put template call failed for template t_undefinedundefined_1622201565931 with error: Not authorized to access the resource: /subscriptions.\nIf your Packer build stops during the deployment, all logs are stored in the storage account. Use CMTrace.exe to read the log file.\nSummary # This post was not intended to create a battle between the two ways of using Packer. As you can see, it all comes down to current preferences.\nAIB could be the solution if you seek a lighter way to rapidly adapt and develop image creation without understanding all the Packer details. This could also benefit DevOps teams, because I think simplicity matters to the DevOps team that needs to maintain and support further image development for the customer. To be subjective, the only thing that could hold me back from using AIB is the need for GA or region availability. Most WVD deployments I’m involved in require other regions. Managed Identity as the default is my preferred way to scope access control, so I like this option.\nThe first time I used Packer was to automate images for my home lab with VMware ESXi. Packer has multiple builders for all the big players: https://developer.hashicorp.com/packer/docs/builders. Using the Azure builder is generally different from using the VMware builder, but if you are familiar with Packer, adapting to the builder for Azure (azure-arm) is pretty seamless. However, as listed in the table above, there are also many motives why you may want to go the Packer route. 
From the table above you can see that Packer provides the most granular and flexible control over the Azure environment you are managing. You can control “everything”. But looking back at AIB, we do not need to think about specifying the Packer version. I’ve encountered different errors when I’ve used an older version of Packer. Some of my experience with Packer is that if you forget to validate your template or have some wrong variables, this can set you back some hours of troubleshooting.\nThat’s it for this time! Good luck with automating your AVD images in whatever way you prefer 🙂 I gave a talk about this blog post at AVDTechFest 2021 https://youtu.be/G2g8CVVzZP4?t=15251 and the PowerPoint deck is at https://github.com/alventech/talks/tree/main/2021/avdtechfest\nDocumentation # https://learn.microsoft.com/en-us/azure/virtual-machines/image-builder-overview\nhttps://developer.hashicorp.com/packer/integrations/hashicorp/azure/latest/components/builder/arm\nhttps://github.com/azure/azvmimagebuilder/tree/main/solutions/1_Azure_DevOps\n","date":"28 May 2021","externalUrl":null,"permalink":"/azure-image-builder-or-packer-for-wvd/","section":"Posts","summary":"Introduction # So you’re in the situation of seeking to automate Azure Virtual Desktop (AVD) image creation. You have discovered Packer and Azure Image Builder, but do not know which to use. Hopefully I will, as briefly as possible, make sense of the differences and why you might fancy one of them depending on your scenario. 
Lucky for you there is no wrong answer; the secret is that you use Packer either way 🙂\n","title":"Azure Image Builder or Packer for Azure Virtual Desktop","type":"posts"},{"content":"","date":"28 May 2021","externalUrl":null,"permalink":"/categories/wvd/","section":"Categories","summary":"","title":"WVD","type":"categories"},{"content":" Introduction # I was recently involved in troubleshooting shared computer activation for Office on a WVD host pool image using the latest 20h2-evd-o365pp-g2 image SKU and Microsoft 365 Business Premium for Office.\nTo start with the troubleshooting, this was the only error that occurred for the end user trying to activate:\naccount issue\nerror code 0x80004005\nThe image was using “20h2-evd-o365pp-g2” from the Azure gallery images, so all the settings regarding shared activation should be correct. And I could confirm this by looking into the registry, which had the correct settings applied:\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration\nSharedComputerLicensing was set to 1.\nThe host pool’s virtual machines were also behind a strict firewall ruleset, so I also verified that they could talk to the Microsoft activation URL activation.sls.microsoft.com on port 443.\nMy last assumption was to check the licenses. I was informed that the users were assigned the correct license, Microsoft 365 Business Premium, which should support the multi-session WVD Office version and Office shared computer activation.\nHowever, I was just curious to check what features were enabled on the license SKU. And without a doubt, the most obvious one was not checked. 
The Microsoft 365 Business Premium feature that enables “Office Shared Computer Activation” was set to off / disabled.\nSummary # Changing the license feature to “on” / “enabled” under Enabled Services in the group-based license solved the issue immediately!\nThe last step was to verify that the licenses were “activated” in the user profile AppData folder in the following location:\n%localappdata%\\Microsoft\\Office\\16.0\\Licensing\n","date":"12 April 2021","externalUrl":null,"permalink":"/0x80004005-office-shared-computer-activation-with-windows-virtual-desktop/","section":"Posts","summary":"Introduction # I was recently involved in troubleshooting shared computer activation for Office on a WVD host pool image using the latest 20h2-evd-o365pp-g2 image SKU and Microsoft 365 Business Premium for Office.\n","title":"0x80004005 office shared computer activation with Windows Virtual Desktop","type":"posts"},{"content":"","date":"12 April 2021","externalUrl":null,"permalink":"/categories/office/","section":"Categories","summary":"","title":"Office","type":"categories"},{"content":"","date":"21 December 2020","externalUrl":null,"permalink":"/categories/feitian/","section":"Categories","summary":"","title":"Feitian","type":"categories"},{"content":" Introduction # I had some fun with the FEITIAN contactless reader demo with FIDO2.\nhttps://www.ftsafe.com/Products/Card_Reader/Contactless I created a short demo to showcase how it can be used with FIDO2 in Azure AD using an NFC security key.\nThis looks like a good use case for shared devices or multi-user devices. Use coupon code Stein-20 when you buy it. This will support my channel and give you a discount! 
🙂 You can buy FEITIAN products at:\nhttps://www.ftsafe.com/store/ ","date":"21 December 2020","externalUrl":null,"permalink":"/feitian-contactless-reader-with-fido2/","section":"Posts","summary":"Introduction # I had some fun with the FEITIAN contactless reader demo with FIDO2.\nhttps://www.ftsafe.com/Products/Card_Reader/Contactless I created a short demo to showcase how it can be used with FIDO2 in Azure AD using an NFC security key.\n","title":"FEITIAN Contactless reader with FIDO2","type":"posts"},{"content":"","date":"21 December 2020","externalUrl":null,"permalink":"/categories/passwordless/","section":"Categories","summary":"","title":"Passwordless","type":"categories"},{"content":" Introduction # In November 2020, the annual internal Techon was held at my employer. This was my first live stream using Workplace by Facebook, and also the first session I have given in a conference style. It was a really nice experience learning more about the streaming opportunities with OBS and my Stream Deck.\nDuring the presentation, I had 45 minutes to talk about my experience with the passwordless journey.\nSince I recorded the session, I’ve uploaded it to my YouTube channel. Feel free to watch it if you want to get started.\nPasswordless Journey - youtube # ","date":"22 November 2020","externalUrl":null,"permalink":"/passwordless-journey/","section":"Posts","summary":"Introduction # In November 2020, the annual internal Techon was held at my employer. This was my first live stream using Workplace by Facebook, and also the first session I have given in a conference style. 
It was a really nice experience learning more about the streaming opportunities with OBS and my Stream Deck.\n","title":"Passwordless Journey","type":"posts"},{"content":"","date":"20 October 2020","externalUrl":null,"permalink":"/categories/azure/","section":"Categories","summary":"","title":"Azure","type":"categories"},{"content":" Introduction # In this post we will cover how to set up the Windows Virtual Desktop ARM templates with Azure DevOps. We walk through two different ARM templates. I’m using the ARM WVD templates from Microsoft, https://github.com/Azure/RDS-Templates/tree/master/ARM-wvd-templates, that came out earlier in 2020:\nCreateAndProvisionHostPool\nAddVirtualMachinesToHostPool\nFigure 1: Visualized DevOps Workflow ARM pipelines\nIn Figure 1, we can see that the Azure DevOps build pipeline is integrated with Azure Key Vault for secrets management. We are using a Service Connection to Azure, so that the ARM templates and PowerShell scripts run in the context of the service principal. No passwords are exposed in clear text to the pipeline!\nAs part of the automation pipeline, one of my goals is to use a Windows 10 image from a Shared Image Gallery (SIG) built with Azure Image Builder (AIB). Pointing to the SIG is just part of the parameters file. I recommend using this guide to configure AIB and SIG:\nhttps://techcommunity.microsoft.com/t5/windows-virtual-desktop/building-a-windows-10-enterprise-multi-session-master-image-with/m-p/1503913\nIf you don’t have a SIG ready, you can optionally just use the Windows 10 SKU from the gallery if you only need a quick POC. Just change the parameters.\nI’ve added the “arm-wvd-CreateAndProvisionHostPool.json” and arm-wvd- to my GitHub repo; these will be used by the pipeline.\nNB! You will need to update the parameters in “CreateAndProvisionHostPool.parameters.json” yourself. The parameters must match your own environment! I will go deeper into some of the parameters used by the ARM template. 
There are also some PowerShell scripts that the pipelines will use.\nI’m by no means an expert in ARM or PowerShell, but I will cover the basics of getting these pipelines working.\nThe templates and code used are available from my GitHub repo. Clone the repo, so that you can use the files from https://github.com/alventech/wvd-arm-devops\nCreateAndProvisionHostPool\nAddVirtualMachinesToHostPool\nPrerequisites # Azure Subscription; VNET and Subnet; Azure Key Vault; Azure DevOps Project; Active Directory Domain or Azure Domain Services to join; Shared Image Gallery (Windows 10 Image); GitHub or any other source control that you prefer. Create And ProvisionHostPool # Azure DevOps Project\nLet’s start by getting our Azure DevOps Project ready for the CreateAndProvisionHostPool.\nGo to https://dev.azure.com/ and create your first project.\nChoose Project Settings at the bottom left.\nService Connections # Add a service connection for your GitHub account and Azure Subscription.\nGo back to the Pipeline tab on the left side and choose New release pipeline.\nCreate an Empty Job\nName your release pipeline, for example “wvd.arm.create.hostpool“, and hit save.\nArtifact # From the artifacts, add your GitHub account, or the source control of your choice. Click save when you’re done.\nVariable Groups # Go to the Pipelines tab – Library and choose the Variable Groups below.\nCreate a New Variable Group\nAuthorize the Key Vault to your subscription and key vault name.\nWhen authorized to the Key Vault, remember to add your secret name variable. This is used by the ARM template parameters.\nParameters-CreateAndProvisionHostPool # The ARM parameter values in arm-wvd-CreateAndProvisionHostPool.parameters.json must match your environment. 
Below I’ve listed all the parameters, which I simply got from the Azure Portal, so that I could see which parameters the template generates.\nI downloaded the template and used the generated parameter file to see what the syntax for each parameter needed to be.\nI will cover the parameters that are not obvious. To see more easily which parameters need to be added, you can also run “Get-AzGalleryImageDefinition”. Looking more into the Azure Shared Image Gallery (SIG) parameters, all the values were then added to the “vmTemplate” parameter.\nThe “customImageId” for the SIG can be found in the Azure portal as well.\nWith the parameter “vmCustomImageSourceId“, we also need to add the SIG resource ID as the value.\nPowerShell Task ExpirationTime # When we have all the parameters updated, we are ready to add the PowerShell task. The task is used to generate the parameter value for “tokenExpirationTime“. The PowerShell task will store the variable for the next DevOps ARM task. The script will run “Get-Date” with the correct format. 
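As an added example (not the createtokenExpirationTime.ps1 script from the post or its repo), this is how such a task script can produce the timestamp and hand it to the next task through the task.setvariable logging command. The two-hour validity window and the variable name ExpirationTime are assumptions, and the tokenExpirationTime parameter is assumed to accept an ISO 8601 UTC timestamp.

```powershell
# Added example, not the createtokenExpirationTime.ps1 script from the post's repo.
# Computes a short-lived expiry for the host pool registration token and passes it
# to the next Azure DevOps task as the pipeline variable ExpirationTime.
param(
    # Assumption: two hours is enough for the ARM deployment to register the hosts.
    [int]$ValidHours = 2
)

function New-TokenExpirationTime {
    param([int]$Hours = 2)
    # The registration token lets any VM that presents it join the host pool,
    # so keep the window short. The 'o' (round-trip) format on a UTC DateTime
    # gives an ISO 8601 value such as 2020-10-20T14:05:00.0000000Z, which the
    # tokenExpirationTime parameter is assumed to accept.
    return (Get-Date).ToUniversalTime().AddHours($Hours).ToString('o')
}

$expiration = New-TokenExpirationTime -Hours $ValidHours

# Azure DevOps logging command. The value must start right after the closing
# bracket: a space there ends up inside $(ExpirationTime) and is passed on to
# the ARM parameter (the spacing bug described in the update at the end of this post).
Write-Host ('##vso[task.setvariable variable=ExpirationTime]' + $expiration)
Write-Host ('tokenExpirationTime set to ' + $expiration)
```

Because the variable is set without isOutput, it is visible to the later tasks of the same job, which is where the ARM template deployment task reads $(ExpirationTime).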
Write-Host (with the task.setvariable logging command) passes the variable to the next task.\nSearch for PowerShell, and add the task.\nChoose File Path – create the Display Name and choose the Script Path to the “createtokenExpirationTime.ps1” script.\nIt’s located in https://github.com/alventech/wvd-arm-devops/tree/main/arm-wvd-CreateAndProvisionHostPool\nGo to Tasks – add tasks – search for ARM, and add the ARM template deployment as a task.\nResource group and location must match your environment.\nIn the screenshot below you can see more of the ARM settings.\nTemplate – Change the location to our GitHub artifact for the “arm-wvd-CreateAndProvisionHostPool.json” template.\nTemplate parameters – Change the location to the GitHub artifact for the “arm-wvd-CreateAndProvisionHostPool.parameters.json” parameters.\nThe templates are located in https://github.com/alventech/wvd-arm-devops/tree/main/arm-wvd-CreateAndProvisionHostPool\nIn the Override template parameters, we will set the\n“administratorAccountPassword” variable and the “tokenExpirationTime” variable from the PowerShell task we created earlier.\n-administratorAccountPassword “$(wvd-ad-join)” -tokenExpirationTime “$(ExpirationTime)”\nPipeline Variables - override \u0026ldquo;more\u0026rdquo; parameters # If you don’t like working with the “CreateAndProvisionHostPool.parameters.json“, you can just override even more parameters, for example “ouPath” and “administratorAccountUsername”, that you don’t want coded in the parameter JSON. I recommend choosing Variables – Pipeline Variables and adding variables to match your needs.\nYou must remember to override them in the ARM template deployment task as well!\nCreate a new release and Deploy # If you’re done with updating all the parameters, we should be ready for a release. Create a release and deploy.\nIn the logs you can see that the Agent has finalized the job. 
Go to the troubleshooting guide at the end if you get any problems.\nPipeline Add Virtual Machines To HostPool # When the ARM template deployment is finished, we can go to the next pipeline – AddVirtualMachinesToHostPool. This is probably the one we’ll use most often for maintenance. To get started we must create a new release pipeline, for example “wvd.arm.AddVMToHostPool“. Add your Artifact and Stage and click save.\nPowerShell Task RdsRegistration Info token # In this task we will configure a PowerShell task with Azure PowerShell.\nWe will use the https://github.com/alventech/wvd-arm-devops/blob/main/arm-wvd-AddVirtualMachinesToHostPool/RdsRegistrationInfotoken.ps1 script. I’ve borrowed the script from https://twitter.com/fberson, and added some small modifications. The main goal of the script is to obtain the RdsRegistrationInfotoken and send the variable to the next task for the ARM parameter hostpoolToken.\nThis ensures that we have a valid token, or generates a new one if the token has expired. A registration token from the host pool is required to allow new VMs to join the host pool. Write-Host brings the variable to the next task.\nTo get started I will add the “Azure PowerShell” task.\nBefore running the pipeline and the script, you will need to update the variables to your own environment. 
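As an added example (not the RdsRegistrationInfotoken.ps1 script from the post), this is the get-or-renew logic the task needs, written for the Azure PowerShell task with the Az.DesktopVirtualization module. The subscription, resource group and host pool values are the placeholders from the post; the two-hour validity of a new token and the 30-minute renewal threshold are assumptions.

```powershell
# Added example, not the RdsRegistrationInfotoken.ps1 script from the post.
# Runs in the Azure PowerShell task (Az.DesktopVirtualization is assumed to be
# available) under the service connection. Reuses the host pool registration
# token while it is still valid, otherwise creates a new one, and hands it to
# the ARM task as the secret pipeline variable RdsRegistrationInfotoken.
param(
    [string]$AzureSubscriptionId     = 'your-wvd-sub-id',        # placeholders as in the post
    [string]$ResourceGroupName       = 'rg-wvd-Pooled-desktop',
    [string]$ExistingWVDHostPoolName = 'HostPool-Test',
    [int]$NewTokenValidHours         = 2,    # assumption: short window for a new token
    [int]$MinimumRemainingMinutes    = 30    # assumption: renew if less than this is left
)

function Get-HostPoolRegistrationToken {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$HostPoolName,
        [int]$ValidHours = 2,
        [int]$MinimumRemainingMinutes = 30
    )
    $now  = (Get-Date).ToUniversalTime()
    $info = Get-AzWvdRegistrationInfo -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName

    # An expired token comes back with an empty Token, so check both the value
    # and the remaining lifetime before reusing it.
    if ($info -and $info.Token -and $info.ExpirationTime -and
        $info.ExpirationTime.ToUniversalTime() -gt $now.AddMinutes($MinimumRemainingMinutes)) {
        Write-Host ('Reusing registration token valid until ' + $info.ExpirationTime.ToUniversalTime().ToString('o'))
        return $info.Token
    }

    # Creating new registration info replaces the token for the whole host pool.
    $expiry = $now.AddHours($ValidHours)
    $info = New-AzWvdRegistrationInfo -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName -ExpirationTime $expiry
    Write-Host ('Created new registration token valid until ' + $expiry.ToString('o'))
    return $info.Token
}

Set-AzContext -Subscription $AzureSubscriptionId | Out-Null
$token = Get-HostPoolRegistrationToken -ResourceGroupName $ResourceGroupName -HostPoolName $ExistingWVDHostPoolName -ValidHours $NewTokenValidHours -MinimumRemainingMinutes $MinimumRemainingMinutes
if (-not $token) { throw ('No registration token returned for host pool ' + $ExistingWVDHostPoolName) }

# issecret=true masks the token in the pipeline log; the ARM task can still read
# it as $(RdsRegistrationInfotoken). Never Write-Host the token itself.
Write-Host ('##vso[task.setvariable variable=RdsRegistrationInfotoken;issecret=true]' + $token)
```

The token authorizes any machine that presents it to join the host pool, so it is treated like a credential here: it is only ever emitted through the secret variable, and a new one is only minted when the existing one is missing or close to expiry.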
Optionally, you could just use an inline script and copy-paste the script, if you prefer that.\n$azureSubscriptionID = 'your-wvd-sub-id'\n$resourceGroupName = 'rg-wvd-Pooled-desktop'\n$existingWVDHostPoolName = 'HostPool-Test'\nNext, go to Authenticate to your Subscription to allow the task to use the Service Connection and Service Principal that will authenticate PowerShell during the task.\nAdd your Template and Template parameters, and Override template parameters\n-administratorAccountPassword “$(wvd-ad-join)” -hostpoolToken “$(RdsRegistrationInfotoken)”\nARM Template Deployment Task - AddVmsToHostPool # Link Variable group to pipeline # The last part of the pipeline is to link the variable group, so that the pipeline can use the Key Vault credentials authorized to the DevOps Project earlier.\nCreate a new release and Deploy # You could also automate drain mode for your session hosts.\nLike the example https://www.nielskok.tech/windows-virtual-desktop/wvd-set-drain-mode-powershell/ in the pipeline. I prefer to schedule this at a later stage, since I like to know that everything is working as it should with the new image.\nTroubleshooting # During this project I’ve failed multiple times because of a parameter or value that was in the wrong context. Your DevOps pipeline will give you some details about the error, but it’s not always easy to see what failed for ARM, so I prefer looking into the raw error from the Resource Group and Deployments tab. I really recommend investing some time in this ARM video series from https://www.youtube.com/c/SamCogan/ if you need some advice regarding test and validation in ARM templates. It has for sure helped me a lot. In the picture below the task failed because I was using the wrong prefix. Looking into the JSON file I see that the variable was using rdshPrefix for the vmNamePrefix.\nAnother example is the password that did not work. 
A closer look at the variable group for the pipeline, and I could see that the correct variable group was not linked.\nUpdate 02.06.2021 (thanks to one of my readers, Ben! We found that I had a bug with spaces in the GitHub Gist file!) This file has been updated so that the ExpirationTime variable will be correct. If you copied the code prior to 02.06.2021, the variable would cause a space to be generated, which could cause some issues with the parameter input.\nI’ve also updated the task.setvariable that was wrong in GitHub and the GitHub Gist.\n\u0026ldquo;Spaces\u0026rdquo; in DevOps task variable with createtokenExpirationTime.ps1\nhttps://gist.github.com/alventech/a80d1c5be5cabfef30e46cef27f6754c Summary # It was a nice learning curve to configure WVD ARM templates with DevOps. What I like about Azure DevOps with the ARM templates is that it gives additional security, flexibility and scalability when you need to deploy across multiple environments. You can export your templates, so it’s more repeatable in your CI/CD environments. With the override parameters it is quick and easy to change parameters to your needs.\nDocumentation # https://docs.microsoft.com/en-us/powershell/module/az.desktopvirtualization/new-azwvdhostpool?view=azps-4.8.0\nhttps://www.christiaanbrinkhoff.com/2020/05/01/windows-virtual-desktop-technical-2020-spring-update-arm-based-model-deployment-walkthrough/\nhttps://github.com/Azure/RDS-Templates/tree/master/ARM-wvd-templates\n","date":"20 October 2020","externalUrl":null,"permalink":"/windows-virtual-desktop-with-arm-and-azure-devops/","section":"Posts","summary":"Introduction # In this post we will cover how to set up a Windows Virtual Desktop ARM template with Azure DevOps. We walk through two different ARM templates. 
I’m using the ARM WVD templates from Microsoft: https://github.com/Azure/RDS-Templates/tree/master/ARM-wvd-templates that came earlier in 2020.\n","title":"Windows Virtual Desktop with ARM and Azure DevOps","type":"posts"},{"content":"","date":"22 July 2020","externalUrl":null,"permalink":"/tags/bitwarden/","section":"Tags","summary":"","title":"Bitwarden","type":"tags"},{"content":" Introduction # Password managers are still a necessity in 2020, and will be for a long time. I’ve been using Bitwarden with YubiKeys for a while now, so it was about time to share some experience, and how easy it is to get started.\nBitwarden https://bitwarden.com/ is an open source password manager that is hosted on GitHub https://github.com/bitwarden. This means that you have full control over the source code, and you could also contribute to the project. With Bitwarden you can simply self-host it, or run their Organization Plans that are hosted on Azure https://bitwarden.com/help/security/. Bitwarden offers different Organization Plans. To see what fits your demand go to https://bitwarden.com/#organizations. The Enterprise Plan supports Azure AD integration. I will cover this in another blog post.\nConfigure Bitwarden with your Favorite FIDO key # Bitwarden supports a whole range of providers. When enabling 2FA you will also be prompted to download recovery codes. Download these first, before proceeding to the 2FA setup! And keep the recovery codes safe, in case things go south!\nTo configure your FIDO key with YubiKey:\nGo to:\nSettings – Two-step Login – Manage. Just add your YubiKey with the touch/tap where it will populate the OTP or U2F. I recommend at least two YubiKeys, in case you lose your primary key. With the second backup key you can access your account if you ever lose your key! Yes, that will eventually happen 🙂 You could also configure Bitwarden with another supported OTP/U2F key if you have another brand in your possession. 
If you do not have one, authenticator apps like Authy, Google Authenticator and Duo are supported as well.\nThe list of supported Yubico keys that work with Bitwarden:\nhttps://www.yubico.com/works-with-yubikey/catalog/bitwarden-premium/ If you need to support an NFC-compatible key, use the NFC support. I have an NFC-supported key, so I can access Bitwarden on the go with my phone.\nTest Login # After you have saved the settings, it’s time to test the login from your browser of preference. The login site is https://vault.bitwarden.com\nLet’s also test a login with iOS with an NFC-compatible YubiKey.\nSummary # It’s without doubt that configuring 2FA with Bitwarden is straightforward with some simple steps. Just remember! Do not configure only one single YubiKey, that is not good practice.\nBitwarden is feature-packed and should tick all your boxes if you have strong requirements for a password manager. With the wide range of supported OTP/U2F keys, I think this password manager will make you delighted for a long time. And yes, it’s open source, which is a big bonus!\nDocumentation # https://bitwarden.com/help/article/setup-two-step-login-u2f/\nhttps://www.yubico.com/works-with-yubikey/catalog/bitwarden-business/\nhttps://vault.bitwarden.com/\n","date":"22 July 2020","externalUrl":null,"permalink":"/bitwarden-and-yubikey/","section":"Posts","summary":"Introduction # Password managers are still a necessity in 2020, and will be for a long time. 
I’ve been using Bitwarden with YubiKeys for a while now, so it was about time to share some experience, and how easy it is to get started.\n","title":"Bitwarden and Yubikey","type":"posts"},{"content":"","date":"22 July 2020","externalUrl":null,"permalink":"/categories/bitwarden-password-manager/","section":"Categories","summary":"","title":"Bitwarden Password Manager","type":"categories"},{"content":"","date":"22 July 2020","externalUrl":null,"permalink":"/tags/nfc-yubikey/","section":"Tags","summary":"","title":"NFC Yubikey","type":"tags"},{"content":"","date":"22 July 2020","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"22 July 2020","externalUrl":null,"permalink":"/categories/yubikey/","section":"Categories","summary":"","title":"Yubikey","type":"categories"},{"content":"","date":"22 July 2020","externalUrl":null,"permalink":"/tags/yubikey/","section":"Tags","summary":"","title":"Yubikey","type":"tags"},{"content":"","date":"23 February 2020","externalUrl":null,"permalink":"/categories/android/","section":"Categories","summary":"","title":"Android","type":"categories"},{"content":"","date":"23 February 2020","externalUrl":null,"permalink":"/categories/edge/","section":"Categories","summary":"","title":"EDGE","type":"categories"},{"content":"","date":"23 February 2020","externalUrl":null,"permalink":"/categories/intune/","section":"Categories","summary":"","title":"Intune","type":"categories"},{"content":" Introduction # It\u0026rsquo;s Time to Move to EDGE Mobile!\nStep 1 App Protection Policies Target Edge for iOS and Android\nStep 2 App configuration policies – Target Edge for iOS and Android\nStep 3 Check out the new browser experience with EDGE\nDocumentation\nIts_Time_to_Move_to_EDGE_Mobile # Back in November 2019 the Managed Browser was announced to be retired on March 31, 2020. 
Already from February 1, 2020, the Intune Managed Browser application was going to be removed from the Google Play Store and iOS App Store. Since March is right around the corner, it’s about time to get prepared to do the switch.\nFor a smooth transition, Microsoft lets us use all the same browser config settings like “com.microsoft.intune.mam.managedbrowser”, so basically we just need to target Edge for iOS and Android with the existing MAM policies (app protection and app configuration settings).\nWith this blog post, I will cover the steps to get started and dig into the browser experience. In my particular case, I’m going to use EDGE on iOS as a corporate browser with some specific settings, just to show the user browser experience. We are also checking the custom settings like “Single sign-on”, bookmarks and blocking some specific sites from both the end-user and MEM side.\nSettings:\n[Specify allowed or blocked sites list for Microsoft Edge][1] [Configure managed bookmarks for Microsoft Edge][2] [Transition users to their personal context when trying to access a blocked site][3] Step 1 ) App Protection Policies – Target Edge for iOS and Android # To get started we need to look into the existing App Protection Policy.\nAdd EDGE to your policy under Apps –\u0026gt; Edit and choose EDGE as a Public App (I’m adding both iOS and Android).\nStep 2) App configuration policies – Target Edge for iOS and Android # Change the App configuration policies for your particular configuration.\nAdd EDGE to your policy under Basics –\u0026gt; Edit and choose EDGE as a Public App (I’m adding both iOS and Android).\nStep 3 ) Check out the new browser experience with EDGE # After adding the EDGE application to the policy, we can see that we now have a new layout. All settings have been merged into the “EDGE Configuration Settings”, where the “com.microsoft.intune.mam.managedbrowser” settings are in the new view. 
You can see that it is much easier to change settings without knowing all the “com.microsoft.intune.mam.managedbrowser” settings. We also have new settings like Import and Export of Blocked URLs, which is a welcome addition. In the video below you can see how the MAM policy is applied and how the browser experience looks when MAM configurations are applied.\nHow does “Single sign-on” work on EDGE with iOS? # I have not found any documentation regarding how the “Single Sign-on” flow works. So to find out how SSO was working with iOS, I had to dig into the EDGE browser [logs][4]. In the logs, I could find that EDGE is using cross-app keychain sharing with the Company Portal, and the SSO flow is using ADAL – the Azure AD v1.0 endpoint. So regarding the authorization flow, the Company Portal already has a valid authorization token, and the next request against the Azure AD v1.0 endpoint will use the same Application ID. The EDGE application has another redirect URI than the Company Portal application, but keychain sharing is part of the SDK, so it will use the ADAL token. The figure below illustrates the authentication flow from 1 to 4. I’m guessing this will change over time since Microsoft will probably migrate to using MSAL – the Azure AD v2.0 endpoint eventually.\nSummary # The technical changes regarding adding EDGE as the new shiny browser are luckily not much work. The needed work will be to create new guides and information for the end users. During the pilot, I found one handy key feature when running both browsers for a period of time: we can [Direct users to Microsoft Edge instead of the Intune Managed Browser][5] with custom settings.\nIn terms of new MAM configuration settings, I hope that we will get some more control, like changing the start page, so it automatically starts the browser like it did in the Managed Browser. 
I would also like more control over the SSO settings so it automatically starts the sign-on view right after the MAM policy is applied.\nDocumentation # https://learn.microsoft.com/en-us/mem/intune/apps/manage-microsoft-edge\nhttps://techcommunity.microsoft.com/t5/intune-customer-success/use-microsoft-edge-for-your-protected-intune-browser-experience/ba-p/1004269\nhttps://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/howto-v1-enable-sso-ios\nhttps://learn.microsoft.com/en-us/mem/intune/apps/manage-microsoft-edge#specify-allowed-or-blocked-sites-list-for-microsoft-edge\nhttps://learn.microsoft.com/en-us/mem/intune/apps/manage-microsoft-edge#configure-a-homepage-shortcut-for-microsoft-edge\nhttps://learn.microsoft.com/en-us/mem/intune/apps/manage-microsoft-edge#transition-users-to-their-personal-context-when-trying-to-access-a-blocked-site\nhttps://learn.microsoft.com/en-us/mem/intune/apps/manage-microsoft-edge#use-microsoft-edge-on-ios-to-access-managed-app-logs\nhttps://learn.microsoft.com/en-us/mem/intune/apps/manage-microsoft-edge#direct-users-to-microsoft-edge-instead-of-the-intune-managed-browser\n","date":"23 February 2020","externalUrl":null,"permalink":"/intune-mem-configure-edge-browser-for-ios-and-android/","section":"Posts","summary":"Introduction # It’s Time to Move to EDGE Mobile!\nStep 1 App Protection Policies Target Edge for iOS and Android\n","title":"Intune – MEM – Configure Edge browser for iOS and Android","type":"posts"},{"content":"","date":"23 February 2020","externalUrl":null,"permalink":"/categories/ios/","section":"Categories","summary":"","title":"IOS","type":"categories"},{"content":"","date":"23 February 2020","externalUrl":null,"permalink":"/categories/mem/","section":"Categories","summary":"","title":"MEM","type":"categories"},{"content":"","date":"7 January 2020","externalUrl":null,"permalink":"/categories/aad/","section":"Categories","summary":"","title":"AAD","type":"categories"},{"content":"","date":"7 
January 2020","externalUrl":null,"permalink":"/categories/ad-connect/","section":"Categories","summary":"","title":"AD Connect","type":"categories"},{"content":" Introduction # In this post, we will cover Azure AD Connect cloud provisioning (preview), released in November 2019. Cloud provisioning is an agent that can bridge between on-prem AD and Azure AD to sync users. I don’t see cloud provisioning as a replacement for AD Connect, but more as a simpler way to configure user provisioning across more complex setups with multiple or disconnected forests. Trying to achieve this earlier with AD Connect required a complex setup dependent on AD trusts. Azure AD Connect cloud provisioning offers functionality much like what Okta has had for some time, so my best guess is that Microsoft’s move is to close the functionality gap. The tool will most likely get more features throughout 2020 🙂\nMy goal with this post is to cover the use case of Azure AD Connect cloud provisioning with an existing forest and a new forest with a single Azure AD tenant. Below is a high-level design, which shows my current setup. To the left, we have my domain that uses AD Connect, and the disconnected forests to the right, which use Azure AD Connect cloud provisioning. Both will sync to the single Azure AD tenant. There is no site-to-site VPN or any Active Directory trust between these forests.\nStep 1 – Enable Azure AD Connect cloud provisioning # The first step to enable Azure AD Connect cloud provisioning is getting the agent from Azure AD.\nChoose “Manage provisioning” in the Azure AD Connect cloud provisioning blade.\nGo to Download Agents to download the\n“AADConnectProvisioningAgentSetup.exe” agent.\nIn terms of HA with cloud provisioning, just install more agents on other servers per forest.\nRun the “AADConnectProvisioningAgentSetup.exe” to complete the setup. 
The agent requires authentication against Azure AD.\nWhen adding privileges to the domain, use a service account that does not have a password change requirement, because changing the password will break the agent. The agent would then need to be reconfigured for the Active Directory domain, with domain admin privileges.\nAfter the installation, there are 2 running services: Microsoft Azure AD Connect Agent Updater and Microsoft Azure AD Connect Provisioning Agent. There is not much we can change after the agent has been installed.\nWe can go back to Azure AD and configure the agent.\n[https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect][1] – Choose Manage Provisioning.\nIt has automatically populated the domain field from the agent I installed.\nThe Scope Users setting gives us 3 options: All Users, Selected Security Group and Selected Organizational Units. I’m using the OU option in this demo environment. You can add multiple OUs, but from my testing you cannot combine, for example, OUs and security groups. In the last part, step 4 Deploy, you can choose the enable switch.\nThe provisioning configuration applies to users and groups.\nAfter saving we should see our configuration in the console.\nThe test users synced pretty instantly.\nLooking into the user attributes with PowerShell, we see the details about the on-prem AD:\nGet-AzureADUser -ObjectId $UserId | Select -ExpandProperty ExtensionProperty\nVerifying that Azure AD sign-in with PHS works as expected.\nSummary # The Azure AD Connect cloud provisioning feature is a step in the right direction for Microsoft to fill the missing gap against their competitors, and the use case is absolutely something I will consider for disconnected on-premises environments. 
But this will depend highly on what functionality is required and whether the environment is not too complex.\nThe table from the Microsoft documentation\nhttps://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-sync is great to compare features between Azure Active Directory Connect sync and Azure Active Directory Connect cloud provisioning.\nThe comparison will help to determine which use case fits you. I will try to update this post as these features come out of preview.\nRecommended links for further documentation from Microsoft:\nhttps://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/tutorial-single-forest\nhttps://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/tutorial-existing-forest\n","date":"7 January 2020","externalUrl":null,"permalink":"/gearing-up-for-azure-ad-connect-cloud-provisioning/","section":"Posts","summary":"Introduction # In this post, we will cover Azure AD Connect cloud provisioning (preview), released in November 2019. Cloud provisioning is an agent that can bridge between on-prem AD and Azure AD to sync users. I don’t see cloud provisioning as a replacement for AD Connect, but more as a simpler way to configure user provisioning across more complex setups with multiple or disconnected forests. Trying to achieve this earlier with AD Connect required a complex setup dependent on AD trusts. Azure AD Connect cloud provisioning offers functionality much like what Okta has had for some time, so my best guess is that Microsoft’s move is to close the functionality gap. 
The tool will most likely get more features throughout 2020 🙂\n","title":"Gearing up for Azure AD Connect cloud provisioning","type":"posts"},{"content":"","date":"2 January 2020","externalUrl":null,"permalink":"/categories/adfs/","section":"Categories","summary":"","title":"Adfs","type":"categories"},{"content":" Introduction # Microsoft introduced the AD FS application activity report (preview) and Azure AD staged rollout (preview) back in November 2019. These announcements are great opportunities to start planning 2020 to get rid of your AD FS environments. Throughout this post I will see if these tools can speed up the migration process.\nWhy start this project when my AD FS environment is working “perfectly” and our organization has spent so much time setting up the third-party integrations? Well, there are some really big benefits of moving to Azure AD. Let’s start with some low-hanging fruit related to the AD FS infrastructure that we can get rid of: patching AD FS farms; capacity planning; high-cost on-prem services like AD FS/WAP farms, SQL AG and load balancers; third-party MFA extensions; maintenance of certificates (public SSL and AD FS token signing); skilled resources to troubleshoot complex issues; and monitoring of all the infrastructure components above. When it comes to cost, the cost is being moved over to the license plans in the Azure AD subscription model, requiring either P1 or P2. But with the better security functionality I think it is absolutely worth looking into the switch.\nWhile most organizations have quickly moved to Office 365 and Azure AD in the last years, many customers still use on-prem federation services like AD FS. However, now that Azure AD has matured a lot over the last 4 years, we should use the benefits of Azure AD like: password hash synchronization; Conditional Access; blocking legacy auth; Identity Protection; passwordless; leaked credential detection; B2B; Entitlement Management; Azure AD MFA; better control over governance; plus so much more good stuff! 
Stage 1 – Plan AD FS Application activity report # So to plan an assessment of our existing environment, we can start to get data into the AD FS Application activity report.\nAzure AD Usage and insights reporting is the console showing us the AD FS Application Activity. To get data from the AD FS environment we need to install the Azure AD Connect Health agents. With the agent, we are able to discover the AD FS applications that can be migrated.\nDownload the AdHealthAdfsAgentSetup.exe and install the agent on your AD FS servers. Log in with Azure AD credentials to configure the agent.\nTo verify that our setup is OK, I like to verify that our network traffic is running smoothly. So to test this we run the Health Agent PowerShell module with the command below:\nTest-AzureADConnectHealthConnectivity -Role\nI also recommend verifying that the agents and the AD FS auditing are enabled correctly. Go to the Status Page in the Azure console:\nhttps://portal.azure.com/#blade/Microsoft_Azure_ADHybridHealth/AadHealthMenuBlade/AdfsServicesList Since I was missing AD FS Auditing I got a warning from the Status Page. It’s a prerequisite to enable Auditing on the AD FS server.\nThe agent will report back when this is enabled. Be patient at this step, because it can take some time before the status changes to Solved.\nWhen the requirements above are in place, we will get data into AD FS Application Activity – Usage and insights\nhttps://portal.azure.com/#blade/Microsoft/AAD/IAM/EnterpriseApplicationsInsightsMenuBlade/AppMigration We can see that the list is just a summary of the applications that can be found in the AD FS Relying Party Trust list. But with Usage and insights, we now get additional details related to the Application Identifier, Unique User Count and Migration Status. The Migration Status part will look into the claims and whether the application is ready for Azure AD.\nLet us start with a migration-ready application like “Workplace by Facebook”. 
Here we see that the status has the application ready; however, “Create a new application” is not ready in the preview yet. There is an open issue regarding this on the GitHub documentation library:\nhttps://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-application-activity In this particular application, I know that it’s better to use the Workplace by Facebook application from the Azure AD gallery, so it will be interesting to see how this functionality will work eventually.\nNow we can look into the application Amazon Web Services that has the warning “Additional Steps Required”. This is where I think the most value of the AD FS application activity report comes from.\nLooking more into the potential details we can see that we have some issues with 3 claim rules, and if I go into the Rule Name I can see my claim rule and information on why the claim is not supported in Azure AD. For this particular application, I also know that it is better to use the AWS application from the Azure AD gallery, but it’s just an example to showcase the functionality.\nStage 2 – Staged rollout (preview) # The next step is to look into the magic of Staged rollout (preview). This feature allows us to test Azure AD authentication using groups so that we can safely move users step by step. We can choose from Password Hash Sync or Pass-through Authentication. For the purpose of this post, I will only use PHS.\nFirst, we need to go to our AD Connect server and configure PHS. This can be found under the Optional Features.\nThe next step is to go back to the Staged Rollout feature to enable the functionality.\nIn this post, I will choose only Password Hash Sync. You will get a prompt “Are you sure you want to enable staged rollout for ‘Password Hash Sync\nNB: The maximum number of users in the initial configuration is 200 users. You can add additional users afterwards. For best results, validate in batches of 1,000 users. 
Dynamic and nested groups are not supported for staged rollout.\nI’m adding a pilot group for my PHS users. Now it’s time to test the user authentication flow from a browser. I’m using Fiddler to verify that the flow is working properly. The screenshots below show that the flow is correct.\nLooking into the Azure AD audit logs, we can see that our object has a status under Target and Modified Properties for User management and Hybrid Authentication with some new information. Our object has changed to the new value PasswordHashSync. So with the audit logs, it’s easy to see which users have changed status. Summary # Tools are of course not enough by themselves to complete the migration away from AD FS. However, the Application Insights and Staged Rollout are nice features when working with larger environments with multiple integrations, where you need to verify that everything is working perfectly! I am pretty sure the Application Insights will improve more in Q1 2020, and it will be interesting to see the features being improved. Using Staged Rollout to verify that our switch to PHS is working correctly is a welcome addition that I have been missing for years. Much better than big bang migrations!\nMy earlier experience related to migrating AD FS integrations has in many cases been just checking if the application exists in the Azure AD gallery. Many applications also support automatic SCIM provisioning, which is really great for governance control.\nIf your application is not out-of-the-box, try to schedule a workshop with the third-party vendor and developers to set up a test environment to verify that you are able to integrate using Azure AD. In all my experiences this has not been any showstopper at all! 
In most cases, people just don’t know all the capabilities of Azure AD, and having a short meeting showing the possibilities is enough to convince the organization to switch.\nI will try to update this article as these features go out of preview.\nHopefully, this post can bring you some motivation to look into migrating away from AD FS with Style 🙂\nRecommended Links for further documentation from Microsoft\nhttps://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-application-activity\nhttps://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout\nhttps://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-apps-to-azure\nhttps://portal.azure.com/#blade/Microsoft_Azure_ADHybridHealth/AadHealthMenuBlade/AdfsServicesList\nhttps://portal.azure.com/#blade/Microsoft_AAD_IAM/EnterpriseApplicationsInsightsMenuBlade/AppMigration\n","date":"2 January 2020","externalUrl":null,"permalink":"/hasta-la-vista-adfs-migrate-from-ad-fs-to-azure-ad-with-style/","section":"Posts","summary":"Introduction # Microsoft introduced the AD FS application activity report (preview) and Azure AD staged rollout (preview) back in November 2019. These announcements are great opportunities to start planning in 2020 to get rid of your AD FS environments. 
I will throughout this post see if these tools can speed up the migration processes.\n","title":"Hasta La Vista ADFS – Migrate from AD FS to Azure AD with style","type":"posts"},{"content":"","date":"15 September 2019","externalUrl":null,"permalink":"/tags/aad/","section":"Tags","summary":"","title":"AAD","type":"tags"},{"content":"","date":"15 September 2019","externalUrl":null,"permalink":"/categories/blog/","section":"Categories","summary":"","title":"Blog","type":"categories"},{"content":"","date":"15 September 2019","externalUrl":null,"permalink":"/tags/saml/","section":"Tags","summary":"","title":"SAML","type":"tags"},{"content":" introduction # I had some trouble with an Azure AD integration with a 3rd-party SAML application. The users got an Azure AD prompt, with the error below:\nRelated to the failed login screen below, most logins were successful, and looking into the users getting the failure, the problem could at first seem to be related to pilot users (including myself of course 🙂 ) with passwordless, since the application had not been changed in the last 13 months. I started digging more into the SAML request and did see Password,ProtectedTransport like in the error above.\nI checked out AADSTS75011 at https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes to see if there were more details about the error\n🔵 Blue color = Success logins\n🔴 Pink color = Failure\nI also had a dialog with the 3rd-party application vendor. 
We verified that no changes had been made to the SAML library or Claims before I started sending the SAML logs.\nIn parallel, I also created a support ticket with Microsoft, and for the first time tested the Enable advanced diagnostics option.\nThis functionality is basically pretty genius, since you have a Request and Correlation ID so that Microsoft can look into the authentication request in detail.\nAfter they looked into the ticket, I got the answer with some additional details that I was unfamiliar with, even though I have been working with multiple SAML setups for some years.\nSummary\nTip: PasswordProtectedTransport is not a supported value in Azure AD and is also optional for the SAML Request. If there is no specific need for it, the application vendor can remove the value from the SAML Request.\nMore details at the link:\nhttps://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol#authnrequest\nThe 3rd-party vendor changed the SAML request, and as expected the SAML SSO worked like a charm again! That’s it for this short post.\n","date":"15 September 2019","externalUrl":null,"permalink":"/saml-azure-ad-aadsts75011-authentication-method-x509multifactor/","section":"Posts","summary":"introduction # I had some trouble with an Azure AD integration with a 3rd-party SAML application. The users got an Azure AD prompt, with the error below:\n","title":"SAML – Azure AD AADSTS75011: authentication method x509 Multifactor","type":"posts"},{"content":" Introduction # I have gotten some new FIDO keys from FEITIAN, and have done some testing to see how they work with Azure AD and Passwordless.\nSo this Blogpost is more like a follow-up to the last post\nHeard about FEITIAN? 
# I certainly never heard about them before, and first came across FEITIAN when Microsoft announced the partners for FIDO support.\nhttps://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Microsoft-passwordless-partnership-leads-to-innovation-and-great/ba-p/566493 Looking more into FEITIAN FIDO support, it sure looked interesting since they have the possibility for Biometrics like Fingerprint. I ordered the FIDO2 Bundle (K33 + K27 + K26) from\nhttp://www.ftsafe.com/AzurePublicPreview Shipping from China to Norway with FedEx took about 1 week.\nThe full FIDO specification is available at:\nhttps://www.ftsafe.com/Products/FIDO/Bio Unboxing the FEITIAN FIDO2 Bundle (K33 + K27 + K26): first impressions are premium, the build quality feels good.\nConfigure K33 with Windows 10 # The K33 on the right above supports Bluetooth; however, since Bluetooth is basically broken when it comes to security, I would absolutely think twice before using this at scale!\nI used the guide below for configuring the K33.\nhttps://www.ftsafe.com/Support/Resources The first-time setup requires holding the K33 Bluetooth pairing key for about 5 seconds. The device also supports USB-C (cable not included).\nAfter pairing, go to Windows 10 – Sign-in Options – Security Key. Manage and add your Fingerprint.\nNow go to https://myprofile.microsoft.com and add your FIDO Security Key.\nI captured a video to showcase the FEITIAN K33 working with Windows 10 version 1903.\nAzure AD Key Restriction Policy # Given the fact that there are other FIDO providers, it’s important to consider your trust, and think about what keys your organization will support.\nAzure AD will support this feature using the Key Restriction Policy. 
This is done with the Authenticator Attestation GUID (AAGUID).\nRead more about AAGUID, which is well documented at\nhttps://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-metadata-statement-v2.0-rd-20180702.html Use Coupon CODE Stein-20 when you buy; this will support my channel and give you some discount! 🙂 You can buy FEITIAN products at\nhttps://www.ftsafe.com/store/\nThat’s all for this short blog post\nHave a passwordless day 🙂\n","date":"28 August 2019","externalUrl":null,"permalink":"/feitian-fido-keys-for-passwordless/","section":"Posts","summary":"Introduction # I have gotten some new FIDO keys from FEITIAN, and have done some testing to see how they work with Azure AD and Passwordless.\nSo this Blogpost is more like a follow-up to the last post\n","title":"FEITIAN FIDO Keys for Passwordless","type":"posts"},{"content":" About # Stein-Erik is a Sr Cloud Solution Architect @Microsoft in Norway. He is a true believer in Cloud-first and Cloud Cadence and loves helping customers succeed with the Cloud Journey. His professional background in operations and delivery of applications, servers, and client infrastructure has been important in data center transformation to Cloud. Stein-Erik uses the Cloud Readiness and Microsoft Cloud Adoption Framework to map workloads, and find the correct balance between hybrid, rehost, refactor to IaaS, PaaS, and SaaS. 
He has comprehensive proficiency in Identity and Security projects using Microsoft Enterprise Mobility + Security, enabling customers for Azure AD, Conditional Access, zero trust, Azure AD Privileged Identity, Entitlement management, ATP, MFA, MCAS, Microsoft Endpoint Manager, and Passwordless.\nStein-Erik Alvestad blogs on alven.tech, where his focus is Identity Governance, Azure AD, ADFS, Security, Passwordless, Microsoft Endpoint Manager, M365, and Azure Virtual Desktop\nDisclaimer # All Content from this blog is provided ‘AS IS’ with no warranties. This Blog does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my own opinions\nContact # Ping me on LinkedIn or X/Twitter.\n","date":"2 August 2019","externalUrl":null,"permalink":"/about/","section":"AlvenTech","summary":"About # Stein-Erik is a Sr Cloud Solution Architect @Microsoft in Norway. He is a true believer in Cloud-first and Cloud Cadence and loves helping customers succeed with the Cloud Journey. His professional background in operations and delivery of applications, servers, and client infrastructure has been important in data center transformation to Cloud. Stein-Erik uses the Cloud Readiness and Microsoft Cloud Adoption Framework to map workloads, and find the correct balance between hybrid, rehost, refactor to IaaS, PaaS, and SaaS. He has comprehensive proficiency in Identity and Security projects using Microsoft Enterprise Mobility + Security, enabling customers for Azure AD, Conditional Access, zero trust, Azure AD Privileged Identity, Entitlement management, ATP, MFA, MCAS, Microsoft Endpoint Manager, and Passwordless.\n","title":"About","type":"page"},{"content":"Look at these guys! 
They are so happy, they have gotten their Yubikeys and are ready for some Passwordless Authentication with Windows 10.\nIntroduction # In March I posted a blog post about using Yubikey with Azure AD, so this post is a follow-up since Microsoft now has support for passwordless and FIDO2 with Windows 10 (still only preview).\nIn this post, I will go through the steps for configuring passwordless in Intune, Azure AD and Windows 10 with Yubico.\nFor the purpose of this guide, I will use Windows 10 version 1903 since it has more capabilities in the Policies, like letting users change their PIN, update biometrics, or reset their security key, and it does not require a tool from Yubico.\nQuick FAQs Passwordless with Windows 10\nStep 1) Enable Windows Hello for Business Step 2) Intune OMA-URI for Security Key Step 3) Enable combined registration experience Step 4) Enable new passwordless authentication methods Step 5) Add the FIDO key to the user profile Step 6) Testing Passwordless with Yubikeys on Windows\nQuick FAQs Passwordless with Windows 10\nStill Only Public Preview. Working from Windows 10 1809, however, 1903 is recommended for testing. Azure AD (MFA) must be configured. Combined registration required. FIDO2 key like Yubikeys or others from MS documentation. Supports WebAuthN in Edge Only. The FIDO2 “Key restriction policies” do not work yet. FIDO2 support for AAD Hybrid Joined is not supported yet. MS working on support for Hybrid (Hopefully supported beginning of Q1 2020). Step 1) Enable Windows Hello for Business # Go to https://devicemanagement.microsoft.com\nChoose the Windows Hello for Business settings in Intune. Change the Use Security keys for sign-in to “Enabled”\nIf you haven’t configured Windows Hello for Business, 
you will need to enable this setting as well.\nWindows Hello is a topic by itself, so I recommend reading the documentation from Microsoft if you need to look into the different settings and scenarios like Hybrid, Cloud only or on-premise: https://docs.microsoft.com/nb-no/windows/security/identity-protection/hello-for-business/hello-planning-guide\nStep 2) Intune OMA-URI for Security Key # Create the OMA-URI settings in Intune – Device Configuration – Profiles – Create Profile and Add Custom OMA-URI for Windows 10.\nName: Name it whatever you want\nDescription: Name it whatever you like\nOMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin\nData type: Integer\nValue: 1\nIf you think it is strange that this OMA-URI setting is called Passport for Work, it’s just the old name before it was renamed Windows Hello for Business. I will now add the Profile to my Pilot target group.\nStep 3) Enable combined registration experience # Now let’s go back to Azure AD – https://aad.portal.azure.com\nIn the Azure AD Manage section, go to User settings and choose Manage user feature preview settings\nChange it to “Users can use preview settings” and select the group for your Pilot users\nStep 4) Enable new passwordless authentication methods # Back in the Azure AD Security section – https://aad.portal.azure.com – go to Auth methods, the Authentication method Policy (preview) blade.\nChoose “Click here to Enable users for the enhanced registration preview” if it is not already enabled.\nAdd your user target group and save.\nNext, go to Methods and Enable FIDO2 Security Key.\nThe Enforce key restriction is not supported by Microsoft yet. It will be before GA. Step 5) Add the FIDO key to the user profile # Go to https://myprofile.microsoft.com\nAdd the FIDO key to the user account in the Security Info tab on the left side.\nIf you see this message, 
you will have to wait or verify your user’s group permissions.\nIt took some time for me before the feature was enabled for the user in Azure AD.\nStep 6) Testing Passwordless with Yubikey on Windows 10 # We are now ready to test on a Windows 10 Version 1903 Computer.\nI can see that the OMA-URI has pushed the policy with the login option.\nI just need to add my Yubikey, enter my Yubikey PIN and tap the Yubikey to log in, like the screenshot below.\nSummary # Version 1903 gives a better user experience than 1809; however, from an end-user perspective I don’t think the dongle is for everyone. But this improves security and there are multiple use cases for this in the field, so it’s not strange that Microsoft is pushing to improve the Passwordless Experience throughout 2019. With big players like Apple and Google adding FIDO to Android and iOS devices, the journey to test Passwordless is even more exciting. WebAuthn also has a lot of potential and this will expand with browser capabilities.\nIn my lab, the next step is still to have a device with NFC so that I could test this functionality.\nFurther reading # https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless\nhttps://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Announcing-the-public-preview-of-Azure-AD-support-for-FIDO2/ba-p/746362\nhttps://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-enable\nhttps://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Expanding-Azure-Active-Directory-support-for-FIDO2-preview-to/ba-p/981894\nTo get the latest news and updates on Passwordless with Windows 10 and Azure AD, follow @swaroop_kmurthy @AlexSimonson on Twitter\nhttps://devicemanagement.microsoft.com https://twitter.com/swaroop_kmurthy https://twitter.com/Alex_A_Simons ","date":"25 July 
2019","externalUrl":null,"permalink":"/passwordless-with-windows-10-and-yubikey/","section":"Posts","summary":"Look at these guys! They are so happy, they have gotten their Yubikeys and are ready for some Passwordless Authentication with Windows 10.\nIntroduction # In March I posted a blog post about using Yubikey with Azure AD, ","title":"Passwordless with Windows 10 and Yubikey","type":"posts"},{"content":"","date":"25 July 2019","externalUrl":null,"permalink":"/tags/passwordless-with-windows-10-and-yubikey-passwordless-windows-10/","section":"Tags","summary":"","title":"Passwordless With Windows 10 and Yubikey; Passwordless Windows 10","type":"tags"},{"content":" KEEP CALM AND COMPANY PORTAL WILL COME\nIntroduction # In 2019, I have been working on an MDM iOS migration project from Jamf to Intune. In this project, we got some problems regarding Intune and Company Portal (VPP) not being downloaded with User affinity Enrollment profiles for iOS. Through this post I want to give some more insight/details regarding this issue, and how we “Solved” (workaround) it.\nOne of the technical requirements for Intune was to improve security and end-user experience by automatically installing Company portal (CP) with Volume Purchase Program (VPP) during enrollment, and not requiring any Apple ID for all Business Applications. To solve this we configure the correct Enrollment profile for iOS.\nWhen configuring a user enrollment profile for iOS with Intune we have some options to consider: with User affinity or without User affinity.\nEnroll with User Affinity with CP VPP will use the synced token from Apple DEP, and for security, we use Company Portal as an authentication method\nAt the first step, the user gets the Apple MDM profile given with the Setup Assistant. In my example, I just set the location services to minimize the clutter. 
It was important not to add any restore options, because this could be a problem since Apple backs up MDM profiles as part of the standard iOS backup. Enrollment is a mess with two MDM profiles if the end-user enrolls the same iOS device.\nSince the devices are synced with Intune as supervised devices, they should get the CP automatically. So everything is now looking good with our enrollment profile, and we are ready for enrollment at scale with all supervised iOS devices that are synced to Intune. We move the devices from the Apple DEP portal to Intune, and verify all devices are synced and have the correct status “last contacted – never”\nAt this stage we are ready for end-users to start factory resetting their iOS devices so they can get a fresh MDM profile from Intune. The end-users start the enrollment and get the MDM profile; however, Company Portal is missing. Huh, strange!\nTroubleshooting # Time to start troubleshooting. The device is registered in Intune with status “Not Evaluated”, and the device has also got the last sync status in the Devices status. We verify that we have enough CP VPP licenses. However, the license count in the available licenses does not decrease. We also sync the VPP token once more and verify that the Intune status page looks good.\nChecking the Monitor logs, we cannot see any good error codes that we could troubleshoot further. But the Enrollment Page failures are increasing with devices.\nAs some users start to factory reset the devices for the second time, suddenly Company Portal is downloading to the device. Without seeing any errors in Intune we create a ticket with Microsoft providing them with details.\nWhile waiting for Microsoft to respond I’m looking further into the documentation from Microsoft. Looking further into CP VPP, we see that the app license is given to the users that enroll. 
Since there is no requirement from MS to assign the CP VPP to any Dynamic group, and it’s displayed as information “Assign application to at least one group. Click ‘Assignments’”, you automatically think something is configured wrong. But looking into the docs, I can see more details about how Intune creates a shadow dynamic group that we never see in Azure AD groups. This happens in the Intune / Azure AD backend.\nThis is not easy to find in the Intune documentation, but the same can be found in the Windows 10 and Autopilot documentation:\ndocs.microsoft.com/en-us/intune/enrollment-autopilot#windows-autopilot-for-existing-devices where they also mention DEP in the same documentation.\nMicrosoft documentation below:\nBecause the correlator ID is not pre-listed in Intune, the device may report any correlator ID they want. If the user creates a correlator ID matching an Autopilot or Apple DEP profile name, the device will be added to any dynamic Azure AD device group based off the enrollmentProfileName attribute. To avoid this conflict:\n— Always create dynamic group rules matching against the entire enrollmentProfileName value\n— Never name Autopilot or Apple DEP profiles beginning with “OfflineAutopilotprofile-“.\nThe part about DEP did not reflect our environment, but the process gives some information about the logical part of the assignment.\nAs we did not have much choice but to wait for a solution, we just had to continue our workaround of enrolling the iOS device a second time so that the device could get the CP. However, 4 times during 1 month we had to sync the VPP token manually with Intune because Intune never downloaded the CP VPP even after multiple factory resets.\nAfter getting the Microsoft ticket to the product team, they were able to identify the behavior, and we got some more detail about the recommended solution. 
Most of our devices were already enrolled at that time, so the problem was not that big anymore; however, during the period this was a PITA from the end-user perspective.\nSummary # So back to the solution: just wait 🙂 The patch from MS fixing CP will hopefully be in production at the end of July or start of August 2019. Will try to update the post when we confirm the problem is finally solved.\nUpdate\nThe Intune tenant was updated in July and fixed our problem.\nHowever, we also got another strange CP problem in July, since the Apple VPP token became invalid after the VPP account changed password.\nThe logic of this cannot be explained with any of the documentation I have read. It’s ok that you have to use a VPP account when adding the token; however, any password changes should not conflict with the token. I also created an MS ticket for this problem, however, the root cause was never found. Useful links: # https://learn.microsoft.com/en-us/autopilot/tutorial/existing-devices/existing-devices-workflow ","date":"16 July 2019","externalUrl":null,"permalink":"/intune-ios-company-portal-not-downloading-user-affinity/","section":"Posts","summary":" KEEP CALM AND COMPANY PORTAL WILL COME\nIntroduction # In 2019, I have been working on an MDM iOS migration project from Jamf to Intune. In this project, we got some problems regarding Intune and Company Portal (VPP) not being downloaded with User affinity Enrollment profiles for iOS. Through this post I want to give some more insight/details regarding this issue, and how we “Solved” (workaround) it.\n","title":"Intune – iOS Company Portal not downloading (user affinity)","type":"posts"},{"content":" Introduction # Yubikey 5C and Yubikey NFC\nI recently bought the Yubikey 5C and Yubikey NFC from yubico.com.\nYubico is, in short, the company behind the Yubikey hardware authentication device supporting (OTP / FIDO2) protocols. 
You can read much more information and details at yubico.com.\nSince I’m interested in Security and Identity authentication, I wanted to do more testing with Azure MFA for OATH hardware tokens (public preview) and Windows 10 Passwordless (private preview). I’m also looking into the use of NFC, so that’s why I got the Yubikey NFC for iOS devices. LastPass is the only App I have found that leverages this functionality. Hopefully, more apps will get this as developers make use of the SDK. In this guide I will go through the steps of Azure MFA for OATH hardware tokens (public preview).\nQuick FAQs Yubikeys with Azure MFA\nConfigure Azure MFA for OATH hardware tokens (public preview)\nQuick FAQs - Yubikeys with Azure MFA # Only public preview for AAD. Works with Azure cloud MFA even though it’s in the Azure MFA settings of the AAD portal. AAD Supports OATH-TOTP SHA-1 Tokens (30 or 60 sec). AAD only supports 3 Yubikeys, one MS Authenticator app and a phone for each user account. Configure Azure MFA for OATH hardware tokens (public preview) # Prerequisites # Azure tenant with AAD Premium\nMFA already enabled\nHave at least 1 Yubikey. For the purpose of this guide, I’m using a Yubikey 5C\nYubico Manager Command (to extract the Yubikey Serial number)\nYubico Authenticator\nStep 1 - Configure Yubikey # Download and install (Windows 10, MacOS or Linux) Yubico Manager Command and Yubico Authenticator. Start the Yubico Manager Command from terminal/powershell.\nTo get the Serial Number of YubiKeys, use the command\n.\\ykman.exe list\nTo link a TOTP key for the Yubikey, use the command\n.\\ykman.exe oath add UPN@<tenant name>.onmicrosoft.com\nThe next step requires you to add a Base32 Key.\nUse OpenSSL to create a Base32 key.\nUse to generate Base32 key if you have OpenSSL on your pc.\nCopy your Base32 Key in after you have run the command below\n.\\ykman.exe command Step 2 - Configure Azure MFA # Go to the AAD portal and go to MFA server. In settings go to OATH Tokens. 
Choose Upload CSV to Azure.\nThe CSV has to be in a specific format like the example below:\nupn,serial number,secret key,timeinterval,manufacturer,model\nUPN@<tenant name>.onmicrosoft.com,1234567,1234567890abcdef1234567890abcdef,30,YubiKey,HardwareKey\nAfter the Upload has successfully completed, click the refresh button.\nChoose Activate.\nVerify that the YubiKey is Activated in the dashboard.\nStep 3 - Configure MFA settings on the User # Go to https://aka.ms/mfasetup with the user who has been assigned the YubiKey. In the settings, change the preferred auth option to Use verification code from\nYou can see that the user has already been assigned the Yubikey token. Enter the token from the Yubico Authenticator on your pc.\nLog out from the MFA portal. Start a new login to portal.office.com\nYou will now see that you get prompted for the authenticator code (the Yubikey must be plugged in to get the OTP) and can verify that it works.\nSummary # As stated this is only a public preview, and currently only works with OATH-TOTP SHA-1 and you need the Yubico authenticator app. So it would have been nice to see if these can go the next step using HOTP and Password-less. 
In comparison with other Hardware tokens, Yubico has some competition from token2.com and deepnetsecurity.com, and I will look into these later :)\nAs part of the deployment process, I could have used the Self Service Hardware token setup, but this limits the administrator’s ability to track all the Hardware keys.\nThere is still a lot of potential in this space, so it will be exciting to see how this develops 🙂\nUseful links:\nhttps://www.yubico.com/product/yubikey-5c/#yubikey-5c https://developers.yubico.com/yubikey-manager-qt/ https://www.yubico.com/products/services-software/download/yubico-authenticator/ ","date":"14 March 2019","externalUrl":null,"permalink":"/yubico-with-azure-ad-mfa/","section":"Posts","summary":"Introduction # Yubikey 5C and Yubikey NFC\nI recently bought the Yubikey 5C and Yubikey NFC from yubico.com.\nYubico is, in short, the company behind the Yubikey hardware authentication device supporting (OTP / FIDO2) protocols. You can read much more information and details at yubico.com.\n","title":"Yubico with Azure AD MFA","type":"posts"},{"content":"I have been following the development of Azure Migrate since my first trip to Ignite in 2017, and have been looking forward to getting this to EU regions, but I have been waiting with patience 🙂\nThe first time I thought Microsoft was going to release Azure Migrate for EU Regions was back at TechSummit in Paris, March 2018. The release would have been a perfect fit since Microsoft was going to release the new Azure data center France regions.\nThe TechSummit session started with a French guest speaker, of which I did not understand much. This reminded me that I should definitely have spent some more time back in my French class at High School 😯\nAfter a while, Ananthanarayan Sundaram from Microsoft continued the show in English, and I waited excited for the news. 
Waited and waited, but still no news about a release date… However, almost 1 year later, on 16.01.2019, Azure Migrate became available in Europe, and this was a welcome addition.\nI have been looking into Azure Migrate for Assessment for a rehost, replatform and refactor strategy. I think Azure Migrate has its place in the market for SMBs running vCenter on-prem that are looking for a Lift and Shift to IaaS before they can go Cloud-Native with their applications. I’m still a true believer in rearchitecting and rebuilding for Cloud-Native; however, there are just use cases where moving away from on-prem is needed.\nIn this article, I will try to explain how Azure Migrate and Azure Recovery Service Vault could work together.\nAzure Migrate Quick FAQs\nDiscovery of Host/Cluster/Folder in vCenter\nAppliance-based or Agent-based discovery\nCollects metadata like (IP, MAC, OS, CPU, Memory, Disk, NICs)\nAssessment (Shows total cost of ownership and shows Azure readiness of VMs)\nGroups (logical grouping of servers that have dependencies)\nTopology Viewer (requires Agent for Agent-based discovery)\nAzure Site Recovery Quick FAQs\nBackup Service for VMs (Protects all configurations of Azure VMs)\nReplicate Service for VMs from on-prem (hyper-v, physical or VMware) to Azure\nRecovery Service (Restore, Replicate of IaaS VMs)\nAzure Migrate and Azure Site Recovery steps # Create Azure Migrate Project\nCreate Recovery Service Vault\nStep 1 ) Create Azure Migrate Project\nSearch for Azure Migrate in the Azure Portal and Create your first project.\nCopy your Project credentials like the ID and KEY, because we need these for Connecting the VM to the correct Azure Migrate Project.\nDownload the .Ova File, Upload the OVA to your vCenter host and Deploy the OVF Template\nStart the Wizard and add your vCenter and migration project details.\nIn the Azure Migrate Project, Machines will appear one by one (takes about 15 min to 60 min). 
In Machine view, you have tabs that show you how you can easily create Assessment Reports and group Machines into logical groups.\nIf you need more details for Dependencies, you must install the Microsoft Monitoring Agent (MMA) and dependency agent on your On-Prem VMs and connect them to an OMS Workspace.\nStep 2 ) Create the Site Recovery Vault\nSearch for Recovery Service Vaults and create your Vault.\nGo through the steps to prepare Infrastructure.\nIn the Wizard, Download and Deploy the OVA file for the site recovery Configuration Server on your vCenter server. Follow much the same steps as above regarding deploying the OVA.\nConfigure a Replication Policy to associate it with ASR\nTest the Migration to Azure\nGo to Azure Site Recovery (ASR) and replicate your first Test VM.\nWrap up\nHowever, the lack of EU regions has been a showstopper for a while, mostly because of GDPR, and EU customers don’t want to send valuable/sensitive metadata (even though it is encrypted at rest and in transit). I think the Azure Migrate EU regions, and a combination of Migrate and Azure Site Recovery, can be great tools enabling this type of Cloud Migration Phase.\nAzure Migrate has its limitations, and if these cannot be solved you could look into Cloudamize or Turbonomic. 
Cloudamize and Turbonomic have been the best contenders, and are probably the best tools if you need more advanced reporting and have a clear Multi-cloud strategy.\n","date":"10 March 2019","externalUrl":null,"permalink":"/azure-migrate/","section":"Posts","summary":"I have been following the development of Azure Migrate since my first trip to Ignite in 2017, and have been looking forward to getting this to EU regions, but I have been waiting with patience 🙂\n","title":"Azure Migrate \u003c3 GDPR","type":"posts"},{"content":"","date":"6 January 2019","externalUrl":null,"permalink":"/categories/kerberos/","section":"Categories","summary":"","title":"Kerberos","type":"categories"},{"content":" Introduction # The last 4 years I have worked with developers to use modern Identity protocols like (SAML, OAuth, OIDC) on ADFS, Azure AD Enterprise Applications, Azure Application Proxy or G Suite for their applications.\nBut from time to time I come across applications that cannot use ADFS or Azure AD etc., and the last time happened just before Christmas when I was working with a customer who had problems with SSO. As usual, I was lacking documentation from the vendor on how the application worked. I got some information about an LDAP binding service being used in the application and that the application did not prompt any errors. I was informed that the users were migrated from the old AD to the new AD and the application “App1” was re-established on new servers, but the config was “identical”.\nI fired up Fiddler from a Windows pc and started tracing the request.\nI could see a trace of an HTTP 400 error. 
This error is related to the size of the user’s Kerberos token in the request header: https://support.microsoft.com/be-by/help/2020943/http-400-bad-request-request-header-too-long-response-to-http-request\nI could see Kerberos authentication being used, indicated by the YIIe prefix in the Negotiate header, and the Auth pane in Fiddler verified this as well, as shown in the screenshot below.\nI started checking the test users and could confirm that the token size had increased during migration to about 13k. I was looking for application logs on \u0026ldquo;App1\u0026rdquo;; however, I could not find any Kerberos event log errors, and there were no errors on the domain controllers either. The domain controllers, application servers and even the client had the maximum token size set to 64k.\nI started thinking that it could be related to the application having a limit on the HTTP header size, so I created a simple flow chart to confirm how the application worked before I asked the developer to change the HTTP header size limit in the web config.\nSummary # We started testing SSO after the HTTP header size limit in the web config was changed from 8k to 32k, and Kerberos authentication was working like a charm again.\nKerberos authentication can be quite interesting to troubleshoot, especially when the problem is related to multiple sources and you have to go down the chain to find the solution 🙂\n","date":"6 January 2019","externalUrl":null,"permalink":"/kerberos-authentication-and-http-header-size/","section":"Posts","summary":"Introduction # The last 4 years I have worked with developers to use modern identity protocols (SAML, OAuth, OIDC) on ADFS, Azure AD Enterprise Applications, Azure Application Proxy or G Suite for their applications.\n","title":"Kerberos authentication and HTTP header size","type":"posts"},{"content":"","date":"6 January 2019","externalUrl":null,"permalink":"/categories/on-prem-ad/","section":"Categories","summary":"","title":"On-Prem AD","type":"categories"},{"content":" Introduction # I was working with a use case on adding 
multi-value attributes for dynamic groups in Azure AD. I started off looking for on-prem AD attributes we could use for the multi-value string. To find these attributes I start PowerShell to get the AD schema loaded.\n$schema = [DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema() The next step was to find which optional (multi-value) attributes I could use for testing. To filter the attributes I use the PowerShell command below.\n$schema.FindClass(\u0026#34;user\u0026#34;).OptionalProperties | Out-GridView I set the filter IsSingleValued to False (i.e. multi-valued). Just as part of the demo I selected URL as the attribute.\nI added values to the URL attribute, changed the AD Connect directory extension attributes, and on AD Connect I started a delta sync with\nStart-ADSyncSyncCycle -PolicyType Delta When looking into the AD Connect Metaverse connectors I could see that the change was applied and the attribute was added, but AAD did not show any changes. I first verified that the AzureADApplicationExtensionProperty actually had synced to AAD, and I could confirm it was added with the AAD PowerShell command below.\nGet-AzureADApplication | Get-AzureADApplicationExtensionProperty To verify the values on the user object I checked the AAD extension property with the AAD PowerShell command below.\nGet-AzureADUser -ObjectId $UserId | Select -ExpandProperty ExtensionProperty Summary # However, I could not find any values, as marked with the yellow question mark above. Since I could not find any values I started testing some other multi-value attributes and synced them to AAD. 
But still, I could not get this scenario to work.\nSo after some troubleshooting, I found this article\nhttps://feedback.azure.com/forums/169401-azure-active-directory/suggestions/32622497-support-for-multi-valued-attributes-synchronized-f in the feedback section at Azure.\nAs my gut feeling had suggested, I could see that the Azure AD team confirms that multi-valued attributes are not supported yet.\n","date":"25 December 2018","externalUrl":null,"permalink":"/multi-valued-attributes-with-ad-connect-and-azure-ad/","section":"Posts","summary":"Introduction # I was working with a use case on adding multi-value attributes for dynamic groups in Azure AD. I started off looking for on-prem AD attributes we could use for the multi-value string. To find these attributes I start PowerShell to get the AD Schema loaded.\n","title":"Multi-valued attributes with AD Connect and Azure AD","type":"posts"},{"content":"","date":"30 September 2018","externalUrl":null,"permalink":"/tags/azure/","section":"Tags","summary":"","title":"AZURE","type":"tags"},{"content":" Introduction # When running VMs in the cloud you need to consider cost as part of your lab.\nSince running compute in Azure and AWS can be costly when you need to run ADFS, AD Connect, AD, SQL etc. 24/7, it’s still practical to have a lab on-prem. This article will go through the steps to get your hybrid lab up and running with a site-to-site VPN tunnel to Azure using pfSense.\nFirst, we need to plan our site-to-site VPN requirements for Azure.\nThe table below shows that the Azure Basic SKU covers most needs for a test/dev lab.\nCheck the latest documentation on Azure VPN gateways if you would like to go into the details.\nhttps://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways\nSKU | S2S/VNet-to-VNet Tunnels | P2S Connections | Aggregate Throughput Benchmark\nVpnGw1 | Max. 30 | Max. 128 | 650 Mbps\nVpnGw2 | Max. 30 | Max. 128 | 1 Gbps\nVpnGw3 | Max. 30 | Max. 128 | 1.25 Gbps\nBasic | Max. 10 | Max. 128 | 100 Mbps\n
Since I only have a dynamic IP at my home lab, we can automate this task using Azure Automation. I’m using the script from the DeployAzure script reference (original link is no longer online).\nIn the picture below, I have created a generic design to show the connection from on-prem to Azure or AWS. For the purpose of this specific guide, I will only show how to connect to Azure. I will cover AWS in another guide 🙂\nSteps # 1. Create resource group – Azure\n2. Create virtual network – Azure\n3. Create virtual network gateway – Azure\n4. Create local network gateway – Azure\n5. Add VPN tunnel – pfSense\n6. Iperf VPN speed test\nStep 1 – Create resource group – Azure # To keep things tidy we are going to have a dedicated resource group for all the VPN resources.\nStep 2 – Create a virtual network – Azure # Add your address space, subnet and subnet address range to create the virtual network.\nStep 3 – Create virtual network gateway – Azure # We will use Route-based, the Basic SKU, our virtual network, and create a new public IP address for the virtual network gateway.\nChoosing Create for the virtual network gateway kicks off the deployment. This takes exactly 30 min. Yes, exactly spot on 30 min.\nStep 4 – Create local network gateway – Azure # When you create the local network gateway you must add your WAN/ISP public IP. 
Add the address space of your local pfSense lab network.\nTo link things together we must add a Connection between the virtual network gateway and the local network gateway.\nTo find the public IP of your virtual network gateway, go to its overview.\nStep 5 – Add VPN tunnel – pfSense # Go to VPN to add the tunnel and click Add P1 to kick off the wizard.\nAdd the public IP of your Azure virtual network gateway and give it a proper description.\nAdd your VPN pre-shared key.\nSet the required encryption settings and change the lifetime.\nNext, we need to add the SA/Key Exchange: click Add P2 and add the required settings.\nChange the required encryption and hash algorithms and save your settings.\nNext we need to create the IPsec firewall rules in pfSense. Go to Firewall – Rules – IPsec and click Add. I recommend allowing all traffic first, and then locking down the firewall ruleset when you are finished with the setup.\nWe can monitor the IPsec overview to verify that we have established our connections from both pfSense and Azure.\nIn Azure we can get an overview of data in/out.\nStep 6 – Iperf VPN speed test # Now you can test the RDP connection to the Azure VM. If your RDP isn’t working, check your NSG in Azure to see that your ruleset allows RDP.\nWhen connected we want to verify that we are getting the expected speed. 
Install iperf on the Azure VM and run the command\niperf3.exe -s -p 5001 On the on-prem server, install iperf and run the command\niperf3.exe -c \u0026#34;Azure VM IP\u0026#34; -t 30 -p 5001 -P 32 Summary # I can now conclude that I get the performance expected from the Basic SKU, and my fiber connection is limited to 100 Mbps anyway 🙂\n","date":"30 September 2018","externalUrl":null,"permalink":"/on-prem-lab-azure-vpn/","section":"Posts","summary":"Introduction # When running VMs in the cloud you need to consider cost as part of your lab.\nSince running compute in Azure and AWS can be costly when you need to run ADFS, AD Connect, AD, SQL etc. 24/7, it’s still practical to have a lab on-prem. This article will go through the steps to get your hybrid lab up and running with a site-to-site VPN tunnel to Azure using pfSense.\n","title":"Connecting your on-premises lab to Azure with Azure Site-to-Site VPN","type":"posts"},{"content":"","date":"30 September 2018","externalUrl":null,"permalink":"/tags/pfsense/","section":"Tags","summary":"","title":"Pfsense","type":"tags"},{"content":"","externalUrl":null,"permalink":"/categories/documentation/","section":"Categories","summary":"","title":"Documentation","type":"categories"}]