How to administer AzureAD, O365 and Skype for Business using PowerShell and Multi-Factor Authentication

Previously, support for MFA in O365/AzureAD/Skype/SharePoint was limited to Office applications that supported it and to browser-based administration of O365/Azure.

This changes with version 1.1 of the Azure AD PowerShell module, released earlier this month, which provides support for MFA.


The steps to enable it are as follows:

  1. Enable MFA on the various tenants
  2. Download the latest AzureAD PowerShell modules that provide support for MFA (v 1.1 released 15 August 2016)
  3. Make sure you have the correct mobile phone number, alternate email and/or authenticator app installed (you typically want to have more than one MFA option available)
  4. Enable MFA on the user you want to protect with MFA
  5. Instruct the user to go to https://account.activedirectory.windowsazure.com/profile/ to verify their MFA settings (and SSPR if applicable)

Note: There are still some aspects of the Windows OS that are not really aware of MFA, particularly the Domain Join functionality. If you have enabled MFA on the account you're using for the domain join operation and you receive an erroneous "Incorrect Password" error (i.e. code 0x52e in the NetSetup.log debug log) during a domain join (and assuming you are actually typing in the correct password), then you may need to revert to using a separate non-MFA account, at least for the domain join operation.

Default MFA settings:

The Office 365 tenant/resource host (Exchange Online, SharePoint Online and Skype for Business Online) will need to be configured to accept a modern authentication connection.
Here is the per-service state of modern authentication by default:

  • Exchange Online – OFF by default.
  • SharePoint Online – ON by default.
  • Skype for Business Online – OFF by default.

Once you have MFA enabled and the new version of the AAD PS module installed you should be able to go through the additional MFA verification steps after logon.
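As an added example (not part of the original post), here is the PowerShell behind the defaults above and step 4 of the list: check the modern-auth switch on the two services that ship with it OFF, then require MFA for one account. It assumes the MSOnline v1.1 module, already-open Exchange Online and Skype for Business Online remoting sessions, and a placeholder UPN.

```powershell
# Added example, not the post's own code. Assumes an Exchange Online session,
# a Skype for Business Online session and the MSOnline v1.1 module are loaded.
$Upn = 'user@contoso.example'   # placeholder account, replace with a real UPN

# Exchange Online: OAuth2ClientProfileEnabled is the modern-auth switch (OFF by default)
$exo = Get-OrganizationConfig
if (-not $exo.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# Skype for Business Online: ClientAdalAuthOverride controls modern auth (OFF by default)
$sfb = Get-CsOAuthConfiguration
if ($sfb.ClientAdalAuthOverride -ne 'Allowed') {
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
}

# Azure AD: with the v1.1 module the MFA challenge appears at Connect-MsolService
Connect-MsolService

# Require MFA for the user. State 'Enabled' means the user is prompted to
# register a second factor at next sign-in; it becomes 'Enforced' afterwards.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State = 'Enabled'
Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationRequirements @($req)

# Verify the result before telling the user to check their profile page
(Get-MsolUser -UserPrincipalName $Upn).StrongAuthenticationRequirements | Select-Object State
```

Re-run the two Get- checks after the Set- calls; the Exchange Online change in particular can take a while to show up.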

Details:

Azure Active Directory PowerShell with Modern Authentication
http://connect.microsoft.com/site1164/content/content.aspx?ContentID=32016

Download Details: Azure Active Directory Connection
http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185

Azure AD PowerShell: Public Preview of support for Azure MFA + new Device Management Commands

How to install and configure Azure PowerShell
https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/

Skype for Business Online: Enable your tenant for modern authentication
http://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx

Exchange Online: How to enable your tenant for modern authentication
http://social.technet.microsoft.com/wiki/contents/articles/32711.exchange-online-how-to-enable-your-tenant-for-modern-authentication.aspx

The sign in experience with Azure Multi-Factor Authentication
https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-end-user-signin/

Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS
https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-server-rdg/

What are App Passwords in Azure Multi-Factor Authentication?
https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-end-user-app-passwords/


Office 365: Using Lync or Skype on Linux


When you have a *nix crowd to cater for in your Office 365 or Lync deployment the following information will be useful:

– You can use the SIPE plugin to let your *nix users chat on O365 or Lync servers from several IM clients, e.g. Pidgin

– There is a client-side bug in pidgin-sipe v. 1.18.2 where the user's SIP address was presented to the AD FS server as the login name, regardless of which login name was entered in the client

– This was fixed upstream in v 1.18.4

– The bug is invisible when the user's UPN and SIP address are the same

– On the AD FS server side a possible workaround is to allow extended attribute lookup during logon (e.g. accept the 'mail' attribute when it matches the SIP address)

Note: The Alternate Login ID feature is not compatible with Exchange Online Hybrid Deployments.
Customers that wish to configure Exchange Online Hybrid Deployments with Office 365 must not configure Alternate Login ID.

The Alternate Login ID feature may impact various other Azure AD and Office 365 scenarios including:

  • Office 365 ProPlus activation may require explicit sign-in.
  • Intune customers using SCCM connectors may require additional configuration.

Further details:

Configuring Alternate Login ID [for AD FS 3.0]
https://technet.microsoft.com/en-us/library/dn659436.aspx?f=255&MSPPError=-2147217396

Pidgin IM
http://pidgin.im/

The SIPE project
http://sipe.sourceforge.net/

FIM Azure AD Management Agent returns error Stopped-Extension-DLL-Exception on Full Import or Delta Import


After enabling the new Intune Mobile Device Management features inside the O365 tenant and enrolling some new devices into Intune, you now have device objects in your Azure AD tenant to deal with.

The next time you do a Full Import or Delta Import you will most likely encounter a DLL Exception error in the FIM console.

If you debug the Azure connector further using the ILSpy tool and trace which line it is failing on, it will most likely be this:

SchemaType schemaType = this.targetDirectorySchema.get_Types()[text];

Errors logged in the Application log:

FIMSynchronizationService Event 6801

The extensible extension returned an unsupported error.

The stack trace is:

"System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.

at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at System.Collections.ObjectModel.KeyedCollection`2.get_Item(TKey key)
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetConnectorSpaceEntryChange(SyncObject syncObject)
at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
at System.Collections.Generic.List`1.InsertRange(Int32 index, IEnumerable`1 collection)
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntriesCore()
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntries(GetImportEntriesRunStep getImportEntriesRunStep)

Forefront Identity Manager 4.1.3634.0"


DirectorySynchronization Event 109:

Failure while importing entries from Windows Azure Active Directory. Exception: System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.

at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at System.Collections.ObjectModel.KeyedCollection`2.get_Item(TKey key)
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetConnectorSpaceEntryChange(SyncObject syncObject)
at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
at System.Collections.Generic.List`1.InsertRange(Int32 index, IEnumerable`1 collection)
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntriesCore()
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntries(GetImportEntriesRunStep getImportEntriesRunStep).


Updating the Schema for the Management Agent for the Azure AD tenant in the FIM Synch console and adding the missing object type (Device) to the Azure AD Management Agent resolved the issue in my case.


Other scenarios known to return Stopped-Extension-DLL-Exception error in the FIM Synch console:

  • The password of your Azure AD Synch service account has expired
  • You have outdated binaries of the MSOL Sign-in Assistant installed
  • You have removed the default objects from the WAAD Synch configuration (Contact or Group when a Contact or Group is present in WAAD)
  • The Azure AD Subscription is inactive or expired


Further details:

Windows Azure Active Directory Connector for FIM 2010 R2 Technical Reference
https://msdn.microsoft.com/en-us/library/dn511001(v=ws.10).aspx

ILSpy Visual Studio extension
https://visualstudiogallery.msdn.microsoft.com/8ef1d688-f80c-4380-8004-2ec7f814e7de

Using the ILSpy extension
https://channel9.msdn.com/coding4fun/blog/ILSpy-the-Visual-Studio-Extension

Decompiler tools for the .NET framework
http://blogs.msdn.com/b/amb/archive/2011/05/24/decompiling-tools-for-net-framework.aspx

[Troubleshooting] Connectors: Azure Active Directory Connector: stopped-extension-dll-exception
http://blogs.msdn.com/b/ms-identity-support/archive/2014/01/28/troubleshooting-connectors-azure-active-directory-connector-stopped-extension-dll-exception.aspx

The version of the AAD connector has a dependency on the Azure Active Directory Sign-in Assistant, a.k.a. Microsoft Online Services Sign-in Assistant, version 7.250.4551.0 or later
http://blog.msresource.net/2014/01/21/microsoft-online-coexistence-security-dynamicpinvokeexception-failed-to-get-address-for-method-createidentityhandle2-from-library/

Azure AD Sync failing
http://exchangeserverpro.com/azure-active-directory-synchronization-failing-stopped-extension-dll-exception-error/

Troubleshooting synchronization with Windows Azure Active Directory (WAAD) Parts 1-3
http://www.msexchange.org/articles-tutorials/exchange-server-2013/management-administration/troubleshooting-synchronization-windows-azure-active-directory-waad-part1.html


AD attributes the Azure AD FIM Connector rules extension requires in order to synch users to Office 365


The O365 connector for FIM 2010 comes with a C# rules extension that contains the checks below; most likely the same code is present in both DirSync and AADSync (I mean, why break stuff that works).

If any of the checks fail the user being checked won’t be added to the Azure AD Management Agent and will not synch to the cloud.

From \AADConnectorMFSample\AADRulesExtensions on http://www.microsoft.com/en-us/download/details.aspx?id=41165:

// Only provision to Office365 if:
// all the REQUIRED attributes are present,
// even though we flow them out on EAF rules
// we should block here so we do not create
// a new connector if the ingredients are missing
//

trace.TraceWarning("Object Filtered because AccountEnabled != True");
trace.TraceWarning("Object Filtered because msExchHideFromAddressLists == TRUE and a connected object's RDN contains 'MSOL'");
trace.TraceWarning("Object Filtered because MailNickname or SamAccountName Starts With 'CAS_'");
trace.TraceWarning("Object Filtered because iscriticalSystemObject == TRUE");
trace.TraceWarning("Object Filtered because MV Object is NOT a Mail Enabled Group AND SamAccountName is NULL.");
trace.TraceWarning("Object Filtered because MailNickname contains '{' OR SamAccountName contains '}'");
trace.TraceWarning("Object Filtered because MV.SamAccountName is not present");
trace.TraceWarning("Object Filtered because mailNickname starts with 'SystemMailbox{'");
trace.TraceWarning("Object Filtered because samAccountName equals 'SUPPORT_388945a0'");
trace.TraceWarning("Object Filtered because samAccountName equals 'MSOL_AD_Sync'");
trace.TraceWarning("Object Filtered because displayname is not present on mail enabled group");
trace.TraceWarning("Object filtered because its source object is CNF mangled. DN", mvEntry.ObjectID.ToString());
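As an added example (my own code, not the connector's rules extension), the user-object checks above re-implemented as a PowerShell pre-flight test, so you can see why a given AD account will be filtered before running a sync. The function name, the constructed sample object and the simplification of the 'MSOL' RDN check to the account's own RDN are assumptions; the group-only displayName check is omitted.

```powershell
# Added example, not the connector's own code. Input is any object exposing the
# listed AD attributes (Get-ADUser -Properties ... output works); returns the
# filter reasons that would block provisioning, or an empty array if none apply.
function Get-AadProvisioningBlockers {
    param([Parameter(Mandatory)] $Account)
    $reasons = @()
    $sam  = $Account.SamAccountName
    $nick = $Account.mailNickname
    $rdn  = ($Account.DistinguishedName -split ',')[0]   # first RDN of the DN

    if (-not $Account.Enabled)               { $reasons += 'AccountEnabled != True' }
    if ($Account.isCriticalSystemObject)     { $reasons += 'isCriticalSystemObject == TRUE' }
    if ([string]::IsNullOrEmpty($sam))       { $reasons += 'SamAccountName is not present' }
    # Simplification (assumption): the RDN check is applied to the object itself
    if ($Account.msExchHideFromAddressLists -and $rdn -like '*MSOL*') {
        $reasons += "msExchHideFromAddressLists == TRUE and RDN contains 'MSOL'"
    }
    if ($nick -like 'CAS_*' -or $sam -like 'CAS_*') { $reasons += "MailNickname or SamAccountName starts with 'CAS_'" }
    if ($nick -like 'SystemMailbox{*')        { $reasons += "mailNickname starts with 'SystemMailbox{'" }
    if ($nick -like '*{*' -or $sam -like '*}*') { $reasons += "MailNickname contains '{' or SamAccountName contains '}'" }
    if ($sam -in 'SUPPORT_388945a0','MSOL_AD_Sync') { $reasons += "samAccountName equals '$sam'" }
    # AD renames replication-conflict objects to CN=<name>\0ACNF:<guid>
    if ($Account.DistinguishedName -match '\\0ACNF:') { $reasons += 'source object is CNF mangled' }
    return $reasons
}

# Constructed sample (not a real directory object) that trips several checks at once
$sample = [pscustomobject]@{
    SamAccountName             = 'SUPPORT_388945a0'
    mailNickname               = 'CAS_{svc}'
    Enabled                    = $false
    isCriticalSystemObject     = $true
    msExchHideFromAddressLists = $false
    DistinguishedName          = 'CN=svc\0ACNF:1234,OU=Users,DC=contoso,DC=example'
}
Get-AadProvisioningBlockers -Account $sample

# Against a live domain (hypothetical usage): report every user with at least one blocker
# Get-ADUser -Filter * -Properties mailNickname,isCriticalSystemObject,msExchHideFromAddressLists |
#   ForEach-Object { [pscustomobject]@{ User = $_.SamAccountName; Blockers = @(Get-AadProvisioningBlockers $_) } } |
#   Where-Object { $_.Blockers.Count -gt 0 }
```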


See also http://blogs.technet.com/b/juanand/archive/2011/07/06/office-365-directory-synchronization-tidbits-part-1.aspx