Showing posts with label AzureAD.

02 June 2021

We couldn't sign you in. Please try again

We couldn't sign you in. Please try again.

And then you're in a loop. Clearing the browser cache sometimes helps, but that is not the real reason you are seeing this error.
Have you been reducing the number of global admins recently?
Or perhaps you have been messing around with PIM (Privileged Identity Management)?

Chances are you assigned yourself a load of roles, because you are important and you need all the different roles.
But when you add too many roles to your account, that is when you will see the error above.
So the simple solution: drop some roles from your account. Keeping standing role assignments to a minimum (and using PIM for the rest) is also what least privilege asks for.


08 April 2021

Add guest users to AzureAD in bulk and update the manager with PowerShell

Bulk invite guest users:

<#
.NOTES
    Name      : Add-BulkGuests.ps1
    Author    : Edwin van Brenk
    Version   : 1.0
    Date      : 08-04-2021
    Requires  : PowerShell v2 or higher
                AzureAD module
.SYNOPSIS
    -
.DESCRIPTION
    Bulk invite guest users in your AzureAD tenant
.PARAMETER
    -
.EXAMPLE
    -
.CSV FILE
    The csv needs to look like this:
    DisplayName,EmailAddress
    firstname lastname,firstname.lastname@domain.com

#>

# Connect to your tenant
Connect-AzureAD

# Import the csv file
$guests = Import-Csv C:\temp\BulkGuests2.csv

# Invite all users in the imported csv file
foreach ($guest in $guests)
{
    # Values from the current csv row
    $emailaddress = $guest.EmailAddress
    $displayname  = $guest.DisplayName

    # Send the B2B invitation; the guest lands on My Apps after redeeming it
    New-AzureADMSInvitation -InvitedUserEmailAddress $emailaddress -InvitedUserDisplayName $displayname -InviteRedirectUrl https://myapplications.microsoft.com -SendInvitationMessage $True
    Write-Host "Invite sent to $emailaddress" -ForegroundColor Green
}

Write-Host "Finished"

Update the managers for the newly invited guests:

<#
.NOTES
    Name      : Update-GuestManager.ps1
    Author    : Edwin van Brenk
    Version   : 1.0
    Date      : 08-04-2021
    Requires  : PowerShell v2 or higher
                AzureAD module
                Az.Accounts
.SYNOPSIS
    -
.DESCRIPTION
    Update guest users in your AzureAD tenant with the correct manager
.PARAMETER
    -
.EXAMPLE
    -
.CSV FILE
    The csv needs to look like this:
    User,Manager
    firstname lastname,manageremailaddress@domain.com

#>

# Connecting to AzureAD
Connect-AzureAD
Connect-AzAccount

# Importing the CSV source which has the changes
$data = Import-Csv C:\Temp\Bulk\Manager.csv

# Iterating through each row in the CSV
foreach ($row in $data)
{
    # Find the user (by display name) and the manager (by UPN)
    $user    = Get-AzureADUser -SearchString $row.User | Select-Object ObjectId
    $manager = Get-AzADUser -UserPrincipalName $row.Manager | Select-Object Id

    # SearchString can match more than one account; only update on a single, unambiguous hit
    if (@($user).Count -ne 1 -or -not $manager) {
        Write-Warning "Skipping '$($row.User)': user matches = $(@($user).Count), manager found = $([bool]$manager)"
        continue
    }

    # Updating the manager
    Set-AzureADUserManager -ObjectId $user.ObjectId -RefObjectId $manager.Id

    # Completion info in the console for the specified row
    Write-Host "Updated $($row.User)" -ForegroundColor Green

    # Clear the variables for the next row
    $user = $null
    $manager = $null
}
Write-Host "Finished" -ForegroundColor Green
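As an added example (not one of the post's own scripts), the two steps can be done in one pass: New-AzureADMSInvitation returns the new guest's object id, so the manager can be set immediately without searching by display name afterwards. It assumes the AzureAD module, an existing Connect-AzureAD session, and a csv with columns DisplayName,EmailAddress,Manager (the manager's UPN); the csv path is a placeholder.

```powershell
<#
Added example, not from the original post: invite guests and set their manager in one pass.
Uses InvitedUser.Id from New-AzureADMSInvitation, so no display-name search is needed later.
Assumes: AzureAD module, an active Connect-AzureAD session, csv columns DisplayName,EmailAddress,Manager.
#>
$rows = Import-Csv 'C:\temp\GuestsWithManager.csv'   # placeholder path

$results = foreach ($row in $rows) {
    $email = $row.EmailAddress.Trim()

    # Sanity check so a malformed row does not send an invitation to the wrong address
    if ($email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        Write-Warning "Skipping row with invalid e-mail address: '$email'"
        continue
    }

    # Manager is resolved by UPN in this tenant; skip the row if it does not resolve
    $manager = Get-AzureADUser -ObjectId $row.Manager -ErrorAction SilentlyContinue
    if (-not $manager) {
        Write-Warning "Skipping $email : manager '$($row.Manager)' not found"
        continue
    }

    # Reuse an existing guest instead of sending a second invitation (quote escaped for the OData filter)
    $filterMail = $email.Replace("'", "''")
    $existing = Get-AzureADUser -Filter "userType eq 'Guest' and mail eq '$filterMail'"
    if ($existing) {
        $guestId = $existing.ObjectId
        $status  = 'already present'
    } else {
        $invite = New-AzureADMSInvitation -InvitedUserEmailAddress $email `
            -InvitedUserDisplayName $row.DisplayName `
            -InviteRedirectUrl 'https://myapplications.microsoft.com' `
            -SendInvitationMessage $true
        $guestId = $invite.InvitedUser.Id
        $status  = $invite.Status
    }

    Set-AzureADUserManager -ObjectId $guestId -RefObjectId $manager.ObjectId

    # One record per row so the run can be reviewed or exported afterwards
    [pscustomobject]@{ Guest = $email; GuestId = $guestId; Manager = $manager.UserPrincipalName; Status = $status }
}

$results | Format-Table -AutoSize
```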

06 March 2020

Roll Over Kerberos Decryption Key - Until the UserVoice feature gets implemented

Every 30 days you are required by Microsoft to "roll over" the Pass-through Authentication / Seamless SSO Kerberos decryption key for your tenant.
In the near future you won't need any PowerShell or scripting for this; according to Microsoft UserVoice: "We are currently working on an approach that will allow Tenant Admins to do key rollover from the Azure AD portal; without the need for PowerShell or scripting".

But until then we do this:

On your AzureADConnect machine go to the installation folder:
PS C:\> cd '.\Program Files\Microsoft Azure Active Directory Connect'
Then import the Seamless SSO module:
PS C:\Program Files\Microsoft Azure Active Directory Connect> Import-Module .\AzureADSSO.psd1

Run the cmdlet New-AzureADSSOAuthenticationContext and sign in with your Azure AD global administrator account when prompted:
PS C:\Program Files\Microsoft Azure Active Directory Connect> New-AzureADSSOAuthenticationContext
Check the current status:
PS C:\Program Files\Microsoft Azure Active Directory Connect> Get-AzureADSSOStatus
{"Enable":true,"Exists":true,"Domains":["domain.lan"],"IsSuccessful":true,"ErrorMessage":""}
Then enter your on-premises domain administrator credentials:
PS C:\Program Files\Microsoft Azure Active Directory Connect> $creds = Get-Credential
Then run Update-AzureADSSOForest with those credentials to roll over the keys:
PS C:\Program Files\Microsoft Azure Active Directory Connect> Update-AzureADSSOForest -OnPremCredentials $creds
The output should look like this:
[12:10:32.685] [  5] [INFORMATIONAL] UpdateComputerAccount: Locating SSO computer account in DOMAIN...
[12:10:32.701] [  5] [INFORMATIONAL] GetDesktopSsoComputerAccount: Searching in global catalog(forest) and DOMAIN for computer account AZUREADSSOACC
[12:10:33.232] [  5] [INFORMATIONAL] TrySearchAccountUnderGlobalCatalog: Object was found in global catalog(forest), hence skipping DOMAIN search
[12:10:33.232] [  5] [INFORMATIONAL] UpdateComputerAccount: Found SSO computer account at CN=AZUREADSSOACC,CN=Computers,DC=domain,DC=lan. Updating its properties...
[12:10:33.232] [  5] [INFORMATIONAL] UpdateComputerAccount: Granting full control to account admins and enterprise admins for computer account CN=AZUREADSSOACC,CN=Computers,DC=domain,DC=lan...
[12:10:33.907] [  5] [INFORMATIONAL] UpdateComputerAccount: Successfully updated SSO computer account properties.
The operation completed successfully
PS C:\Program Files\Microsoft Azure Active Directory Connect>
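The steps above as one script, added here as an example (not from the post) that also verifies the result: the rollover resets the password of the AZUREADSSOACC computer account, so PasswordLastSet in on-premises AD must move forward. It assumes the default Azure AD Connect install path, the ActiveDirectory RSAT module on the same server, that Get-AzureADSSOStatus returns the JSON string shown above, and $Domain is a placeholder for your domain.

```powershell
<#
Added example, not from the original post: runs the rollover and checks that the
AZUREADSSOACC computer account password actually changed.
Assumes: Azure AD Connect default path, ActiveDirectory RSAT module, Get-AzureADSSOStatus returns JSON.
#>
param([string]$Domain = 'domain.lan')   # placeholder, the domain from the status output above

Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
Import-Module ActiveDirectory

# Record the password age before the rollover so the result can be checked, not assumed
$before = (Get-ADComputer -Identity 'AZUREADSSOACC' -Server $Domain -Properties PasswordLastSet).PasswordLastSet
Write-Host "AZUREADSSOACC password last set: $before"

# Sign in to Azure AD (prompts), then confirm Seamless SSO is enabled for this domain
New-AzureADSSOAuthenticationContext
$status = Get-AzureADSSOStatus | ConvertFrom-Json
if (-not $status.IsSuccessful -or -not $status.Enable -or $status.Domains -notcontains $Domain) {
    throw "Seamless SSO status check failed: $($status | ConvertTo-Json -Compress)"
}

# On-premises Domain Admin credentials are needed to reset the computer account
$creds = Get-Credential -Message "On-premises Domain Admin for $Domain"
Update-AzureADSSOForest -OnPremCredentials $creds

# Verify: PasswordLastSet must have moved forward, otherwise the key was not rolled
$after = (Get-ADComputer -Identity 'AZUREADSSOACC' -Server $Domain -Properties PasswordLastSet).PasswordLastSet
if ($after -le $before) {
    throw "Rollover did not change the AZUREADSSOACC password (still $after)"
}
Write-Host "Key rolled over at $after; next rollover due by $($after.AddDays(30).ToShortDateString())" -ForegroundColor Green
```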

14 June 2019

Prevent account discovery - AzureAD read access and how to block it

This is some serious stuff from Mauricio Velazco.

Account discovery is the technique that allows an adversary to enumerate domain accounts in order to obtain situational awareness on a target network.

This can easily be prevented:

(Assuming you installed the MSOnline module)
Connect-MsolService
Then sign in with an account in Azure Active Directory that has the Global administrator role assigned.
Perform multi-factor authentication when prompted.
Execute the following line of PowerShell to configure the Azure AD tenant:
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
Check that the setting is active:
Get-MsolCompanyInformation | select UsersPermissionToReadOtherUsersEnabled

UsersPermissionToReadOtherUsersEnabled

                                 False
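The same setting wrapped in an idempotent check, added as an example (not from the post) so it can run from a scheduled job: it reports drift and only changes the tenant when -Enforce is given, then reads the value back instead of trusting the Set call. It assumes the MSOnline module and an existing Connect-MsolService session.

```powershell
<#
Added example, not from the original post: report (and optionally enforce) the
"users can read other users" tenant setting, reading it back after any change.
Assumes: MSOnline module and an active Connect-MsolService session.
#>
function Test-UserReadOtherUsers {
    param([switch]$Enforce)

    $current = (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
    $result = [pscustomobject]@{
        Checked   = Get-Date
        Enabled   = $current            # $true means ordinary members can enumerate the directory
        Changed   = $false
        Compliant = ($current -eq $false)
    }

    if ($current -and $Enforce) {
        Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

        # Read it back rather than trusting the Set call; fail loudly if it did not apply
        $verify = (Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
        if ($verify) { throw 'Setting did not apply: members can still read other users' }
        $result.Changed   = $true
        $result.Compliant = $true
    }
    return $result
}

# Report only (for example from a monitoring job); add -Enforce to remediate
Test-UserReadOtherUsers
```

Validate in a test tenant first, since anything that relies on members enumerating the directory will change behaviour once this is false.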

04 March 2019

Connect to all Azure & Office 365 services in one PowerShell window

We've all been there: while running some cmdlets against Exchange Online you suddenly need to switch to SharePoint, AzureAD or Skype Online.

With this handy script you can connect to all services at once.
I personally always use the Exchange Online PowerShell module for this, because it updates itself when it starts, so you always have the latest cmdlets for Exchange Online.

There are some requirements that have to be met beforehand:
  • .NET 4.5
  • Windows Management Framework 3.0 or 4.0
  • 64-bit version of Windows OS
Installed modules:
  • Azure Active Directory V2 module
  • SharePoint Online module
  • Skype for Business Online module
Execution policy needs to be at least "RemoteSigned"

In the past I have created a script that installs all these requirements at once:
I try to keep this updated, so if anything fails leave me a comment.

Then you can run the lines below to connect to all the services in one PowerShell window.
Mind you, this is all for MFA-enabled accounts.

# Azure Active Directory
Connect-MsolService
# SharePoint Online
Connect-SPOService -Url https://domain-admin.sharepoint.com
# Skype for Business Online
Import-Module SkypeOnlineConnector
$sfboSession = New-CsOnlineSession -UserName "username@domain.com" -OverrideAdminDomain domain.onmicrosoft.com
Import-PSSession $sfboSession
# Exchange Online
Connect-EXOPSSession -UserPrincipalName username@domain.com
# Microsoft Teams
Connect-MicrosoftTeams
# AzureAD
Connect-AzureAD
# Intune
Connect-MSGraph
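A prerequisite check to run before the connect script, added as an example (not the post's own code): it tests the requirements listed above and the modules behind each Connect-* line, and reports everything missing at once instead of failing halfway through. The module names are assumptions from the cmdlets used; the click-once Exchange Online MFA module is started separately and is not checked here.

```powershell
<#
Added example, not from the original post: check the listed prerequisites before connecting.
Assumes the module names behind each Connect-* cmdlet in the script above.
#>
function Test-M365Prerequisites {
    $problems = New-Object System.Collections.Generic.List[string]

    # .NET 4.5 or later: Release value 378389 is the documented minimum for 4.5
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    if (-not $release -or $release -lt 378389) { $problems.Add('.NET Framework 4.5 or later is not installed') }

    # Windows Management Framework 3.0+ shows up as PowerShell 3 or higher
    if ($PSVersionTable.PSVersion.Major -lt 3) { $problems.Add("PowerShell $($PSVersionTable.PSVersion) is too old; WMF 3.0 or 4.0 required") }

    if (-not [Environment]::Is64BitOperatingSystem) { $problems.Add('A 64-bit Windows OS is required') }

    # Execution policy must allow the modules to load: RemoteSigned or anything less strict
    $policy = Get-ExecutionPolicy
    if (@('RemoteSigned', 'Unrestricted', 'Bypass') -notcontains $policy) {
        $problems.Add("Execution policy is $policy; set it to at least RemoteSigned")
    }

    # Modules behind each Connect-* line in the script (assumed names)
    $modules = @{
        'MSOnline'                               = 'Azure Active Directory (Connect-MsolService)'
        'Microsoft.Online.SharePoint.PowerShell' = 'SharePoint Online (Connect-SPOService)'
        'SkypeOnlineConnector'                   = 'Skype for Business Online (New-CsOnlineSession)'
        'MicrosoftTeams'                         = 'Microsoft Teams (Connect-MicrosoftTeams)'
        'AzureAD'                                = 'Azure AD V2 (Connect-AzureAD)'
        'Microsoft.Graph.Intune'                 = 'Intune (Connect-MSGraph)'
    }
    foreach ($name in $modules.Keys) {
        if (-not (Get-Module -ListAvailable -Name $name)) { $problems.Add("Missing module $name for $($modules[$name])") }
    }
    return $problems
}

$missing = Test-M365Prerequisites
if ($missing.Count) { $missing | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'All prerequisites met' -ForegroundColor Green }
```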