Category / Tech

by Jamston

MFA not working in Outlook 2019 – Exchange Online

Scenario:-

Microsoft 365 tenant, mainly using Exchange Online (Plan 1) licenses. I enabled MFA for a couple of users which works fine logging in to https://office.com

Users can access Outlook on the web without any problems and get notifications sent to the “Microsoft Authenticator” app to approve or SMS if they choose one of the other authentication options.

When it comes to Outlook 2019 they just repeatedly get asked for their email credentials in a standard type popup box as opposed to the newer MFA style popup that you see like when you login to https://office.com where it asks for email, then password, then MFA option.

I know this type of problems exists with older versions of Outlook 2013 and lower and there are workarounds for it but this is Office 2019!

Solution:-

After raising a support ticket with Microsoft and getting a call back pretty much straight away from a very knowledgeable “Support Ambassador” we managed to sort the problem. Turns out that if your tenant was created before 2017 (ours was 2014) then the default policies in place for the basic Azure type licenses that come with the lower tiered licenses like Exchange Online might not work very well when enabling MFA on a user account! Tenants created later than 2017 tend to work just fine.

Here’s what we did…

  1. Run PowerShell as admin
  2. Connect to Exchange Online (If user has MFA enabled) using the following steps:- 
    $MFA = New-Object -ComObject InternetExplorer.Application -Property @{Navigate2="https://cmdletpswmodule.blob.core.windows.net/exopsmodule/Microsoft.Online.CSE.PSModule.Client.application"}

    The command above installs a module which then launches another PowerShell window.

  3. In the newly opened window enter the following:- 
    Connect-EXOPSSession

    Enter your tenant administrator login information.

  4. Enter the following command:- 
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true 

This pretty much enables the use of MFA now for your Exchange Online tenant. It can take a few hours for things to propagate and for Outlook 2019 to make use of this. If you need to speed this process up you can add the following registry key to the users computer. Make sure to close Outlook first.

  • HKEY_CURRENT_USER\Software\Microsoft\Exchange
  • On the Edit menu, point to New, and then click DWORD Value.
  • Type AlwaysUseMSOAuthForAutoDiscover, and then press Enter.
  • Right-click AlwaysUseMSOAuthForAutoDiscover, and then click Modify.
  • In the Value data box, type 1, and then click OK.
  • Exit Registry Editor.

Open Outlook and you should now get the MFA type prompt as you would expect. I think if you continue to have problems then it’s worth deleting the Outlook profile on the computer and starting again.

The following article may also be of use as it goes into a lot more detail about how to enable or disable modern authentication for Outlook in Exchange Online https://docs.microsoft.com/en-us/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online

One last thing… enabling modern authentication for Outlook in Exchange Online wont affect any of your other users who may not have MFA setup.

Hopefully this may help someone somewhere one day!

by Jamston

Enable or Disable write protection to a USB drive

PROBLEM: I need to stop users saving data to a bitlocker usb flash drive that they use to unlock their laptop.

SOLUTION: Use the DiskPart command line utility to enable read only access to the USB flash drive in question.

STEPS:-

  1. Press the Windows key + R to open the run box.
  2. Type diskpart and press enter.
  3. If you receive a UAC prompt asking for permission click Yes.
  4. At the DISKPART > prompt type list disk and press enter.
  5. Figure out which is your USB disk based on the size (mine was disk 1) so I typed select disk 1 and pressed enter.
  6. You can check the attributes for the disk by typing attributes disk.
  7. To enable disk write protection (making it not possible to save files to the disk) use the command attributes disk set readonly and press enter.
  8. You’re done! Type exit to quit.
  9. If you ever wanted to revert back and disable write protection then use the command attributes disk clear readonly and press enter.

DiskPart

Please note that the above method will only enable write protection for that particular usb flash drive on that specific windows machine. If you were to put the same usb flash drive in a different machine you can still write files to it.

by Jamston

How to add Azure Active Directory user to local administrator group

Windows 10 allows you to join your computer to the Azure Active Directory and login with your cloud credentials. The first account that joins the AAD becomes a local administrator. Subsequent users are not.

To add additional azure accounts as local admins you need to do the following…

  1. Open a command prompt with Administrator proviledges
  2. Enter the following command…
net localgroup administrators /add "AzureAD\<users office 365 email address>"

You should see “The command completed successfully”, now go check it worked by going into computer management > Local Users and Groups > Groups > Administrators and check to see if the user is listed.

by Jamston

Outlook keeps asking for password… Using Office 365 but on-premise exchange?

Starting in Outlook 2016 version 16.0.6741.2017, Microsoft has enabled a new feature called Direct Connect to Office 365. What this feature does is connect Outlook directly to Office 365 if Autodiscover is not working. This is great feature but a network hiccup may cause your mailbox to connect to Office 365 rather than your on premise Exchange, even with a valid autodiscover record.

For Direct Connect to take effect the user must have an active mailbox on Office 365 with a valid license. Typically Direct Connect would be a neat feature unles you are in the middle of a migration to 365, but a network hiccup could incorrectly connect you to 365 even though you havent completed your migration yet.

During 365 migrations deom Hosted Exchange or On-Premise, we recommend disabling this option from the user computer registry:

You can stop Outlook from checking Office 365 for settings by setting a registry key.

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover
DWORD: ExcludeExplicitO365Endpoint
Value = 1

Then restart your computer and it should stop trying to connect to Office 365. When you are ready to flip the switch on your migration, remove this registry key.

Heres a great article describing the whole thing in more detail…
https://www.enowsoftware.com/solutions-engine/autodiscover-dilemma

by Jamston

Move a SSL certificate from Microsoft IIS 8 to Apache

To move a SSL certificate from Microsoft IIS 8 to Apache, the certificate must be converted from a PKCS#12 (.p12 or .pfx) to two separate files (private and public key). This guide will show you how to create those files.

Step 1: Export certificate in IIS 8

  1. From the web server, click Start
  2. In the Search programs and files field, type manage computer certificates
  3. From the search suggestions list, click Manage computer certificates
  4. At the permission prompt, click Yes
  5. Double click on the Personal folder, and then on Certificates.
  6. Right Click on the Certificate you would like to backup and choose > All Tasks > Export
  7. Follow the Certificate Export Wizard to backup your certificate to a .pfx file.
  8. Choose to ‘Yes, export the private key
  9. Choose to “Include all certificates in certificate path if possible.” (do NOT select the delete Private Key option)
  10. Enter a password you will remember
  11. Choose to save file on a set location
  12. Click Finish
  13. You will receive a message > “The export was successful.” > Click OK
  14. The .pfx file backup is now saved in the location you selected.

Step 2:  Convert PFX file to compatible files for Apache

If you are a windows user you will need the OpenSSL program / binaries to run these commands in PowerShell. You can find a guide on how to do this here

To extract the private key, run the OpenSSL command:
openssl pkcs12 -in <filename>.pfx  -nocerts -out key.pem

EXAMPLE:-
openssl pkcs12 -in c:\ssl\myexportedcert.pfx  -nocerts -out c:\ssl\key.pem

To extract the certificate (public key), run the OpenSSL command:
openssl pkcs12 -in <filename>.pfx -clcerts -nokeys -out cert.pem

EXAMPLE:-
-openssl pkcs12 -in <filename>.pfx -clcerts -nokeys -out c:\ssl\cert.pem

After running the commands above you will end up with 2 files, key.pem and cert.pem ready to be imported into your Apache server.

by Jamston

Usefull Powershell Commands

A collection of random PowerShell commands I wanted to save…

List all active variables, not just ones you have created

Get-Variable

List a particular variable that you have created

Get-Variable -name replacethiswiththenameofyourvariablewithout$

Clear the value of a variable that you have created

Clear-Variable -name replacethiswiththenameofyourvariablewithout$

Delete / Remove the variable that you have created

Remove-Variable -name replacethiswiththenameofyourvariablewithout

How to Check the Active Directory Schema Version

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
by Jamston

How to change network names on Windows 10

Firstly I take no credit for this, the original article can be found here.

When you connect to a network for the first time in Windows, Windows saves the network profile and assigns a name to it.

Connections using Ethernet (wired) use a generic name such as Network 7 usually while wireless networks the SSID of the Wi-Fi network the device connected to.

Some users and administrators may dislike the non-descriptive nature of wired network connections on Windows.

Good news is that it is possible to rename network profile names to make them more descriptive on the operating system.

The following guide was written for Microsoft’s Windows 10 operating system but the process should work in previous versions of Windows as well.

Changing the network name on Windows

You can check the current name in the Network and Sharing Center on Windows or in the Settings application on Windows 10.

  1. Tap on Windows-I to open the Settings application.
  2. Go to Network & Internet > Ethernet or Wi-Fi depending on the connection type.

The name of the network is displayed at the very top of the page.

To display the name in the Control Panel instead, do this:

  1. Tap on the Windows-key to activate the Start menu.
  2. Type Control Panel and select the result.
  3. Go to Network and Sharing Center

The name is listed under “view your active networks”.

Windows administrators and users have two main options to change a network name. The first involves editing the Windows Registry using Local Security Policy. Note that Local Security Policy is only available in professional versions of Windows, e.g. Windows 10 Pro.

Using the Windows Registry

I recommend that you back up the Windows Registry before you make any changes to it. Check out ghacks.net Windows Registry backup guide to find out how to do that.

  1. Open the Start Menu.
  2. Type regedit.exe and select the result to open the Registry Editor.
  3. Confirm the UAC prompt that is displayed.
  4. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
  5. The next step requires some trial and error. Windows lists all network connections with a unique ID and you need to click on each to check the ProfileName variable of it until you find the network name that you want to change.
  6. Double-click on ProfileName once you have found the right entry and type the new name of the network that you want used on the device. The change is only active on the device.

The change takes affect immediately. You can verify that by opening the Settings app or the Network and Sharing Center to verify that the name change was successful.

Repeat the process for any other network name that you want to change.