Azure

Configure Autopilot Hybrid Azure-AD and ADDS Domain Join

Configure Autopilot Hybrid Azure-AD and ADDS Domain Join

Comments 3 comments

Prerequisites

Hybrid Azure AD join requires devices to have access to the following Microsoft resources from inside your organization’s network. These addresses must be accessed using the SYSTEM context. If you are using Auto Pilot this will be accessed during the enrollment status part:

  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com
  • https://autologon.microsoftazuread-sso.com (If you use or plan to use seamless SSO)

To verify if the device is able to access the above Microsoft resources under the system account, you can use Test Device Registration Connectivity script.

Review AD DS UPN support for Hybrid Azure AD join

The table below provides details on support for on-premises AD UPNs in Windows 10 Hybrid Azure AD join

Type of on-premises AD UPN Domain type Windows 10 version Description
Routable Federated From 1703 release Generally available
Non-routable Federated From 1803 release Generally available
Routable Managed From 1803 release Generally available, Azure AD SSPR on Windows lockscreen is not
Continue...
Backup and Restore your Intune Configuration using PowerShell

Backup and Restore your Intune Configuration using PowerShell

Comments 10 comments

I found this fantastic PowerShell module from jseerden that queries Microsoft Graph, and allows for cross-tenant Backup & Restore of your Intune Configuration. The Intune Configuration is backed up as JSON files in a given directory. The module allows an administrator to backup, restore and even compare different Intune backup sets.

Pre-Requisites

The module requires a total of 3 modules to be present, you can install them by running the following commands in an administrative PowerShell prompt:

AzureAD Module

  1. AzureAD (Install-Module -Name AzureAD)

MSGraphFunction Module

  1. MSGraphFunction (Install-Module -Name MSGraphFunctions)

IntuneBackupandRestore Module

The IntuneBackupandRestore PowerShell module is hosted on the PowerShell Gallery. You can install it by running the following command in an administrative PowerShell prompt:

Install-Module -Name IntuneBackupAndRestore

Connect to Microsoft Graph

Next, we will connect to Microsoft Graph using the “Microsoft Intune PowerShell” application in AzureAD, so you don’t need to create your own … Continue...

Office 365 Email Address Policies with Azure Automation

Office 365 Email Address Policies with Azure Automation

Comments 3 comments

Email address policies (EAP) define the rules that create email addresses for recipients. By setting up policies you can guarantee your users will have certain email address that follow the rules you have set in place. Unfortunately, in Office 365 Exchange Online there are no email address policies you can set for your users. In a larger organization where multiple people may be creating and editing users in Exchange Online, it’s possible that not all your users are following the address scheme you or your company has implemented. In this article I will leverage PowerShell and Azure RunBooks to make sure all of my users adhere to my companies EAP.

Setting up the Azure Automation Resources

In the next section I will go over what Azure resources we will be creating and what each one is responsible for. You can skip ahead to the configuration script below which will create … Continue...

Post Notifications About Unused Office 365 Licenses to Teams using Azure Runbooks

Post Notifications About Unused Office 365 Licenses to Teams using Azure Runbooks

Comments 0 Comment

I have written several articles on using PowerShell to send alerts and notifications to Microsoft Teams, but up until now they were set up using only the task scheduler. As more and more companies move to the cloud I wanted to see how I could do cloud infrastructure alerting as well. In this article I am using an Azure RunBook to connect to my Office 365 tenant, parse my licenses, and return any that need reconciliation. If you get your Office 365 licenses from a CSP or any other kind of reseller, you may get charged for all of your licenses, applied or not. So it’s a good thing to make sure you don’t have any extra ones lying around.

Set Up the Azure Environment

Resource Group, Runbook and Automation Account Creation

I created a script that you can just change the variables for and it will create the following … Continue...

ChatOps: Setting up PoshBot for Microsoft Teams

ChatOps: Setting up PoshBot for Microsoft Teams

Comments 6 comments

PoshBot is a chat bot written in PowerShell and created by DevBlackOps. ‘It makes extensive use of classes introduced in PowerShell 5.0. PowerShell modules are loaded into PoshBot and instantly become available as bot commands.’1 PoshBot can do pretty much anything you configure it to do. You can have it create Azure servers, reset Active Directory passwords, create and modify help desk tickets, license Office 365 users, etc. ‘If you can write it in PowerShell, PoshBot can execute it.’

Important: PoshBot has some great documentation, make sure you bookmark and review it.

In this guide I will walk you through setting up PoshBot for Microsoft Teams. It’s a little more tedious than Slack (which is a few commands) but once you get it going it works flawless. Keep an eye out as I will be publishing more articles on different PoshBot plugins that I create which … Continue...

Set Corporate Wallpaper with Intune for Non Windows 10 Enterprise or Windows 10 Education Machines

Set Corporate Wallpaper with Intune for Non Windows 10 Enterprise or Windows 10 Education Machines

Comments 4 comments

By default, there is an Intune device configuration property that can set a devices wallpaper (Profile Type: Device Restrictions > Personalization) BUT this is only applicable on devices running Windows 10 Enterprise and Windows 10 Education. Luckily, using PowerShell we can download a image from the web, save it locally, and set it as our users wallpapers.

First we need to create our PowerShell script. In PowerShell ISE I created the following script and saved it to my local machine

$RegKeyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP"


$DesktopPath = "DesktopImagePath"
$DesktopStatus = "DesktopImageStatus"
$DesktopUrl = "DesktopImageUrl"

$StatusValue = "1"


$url = "https://www.thelazyadministrator.com/wp-content/uploads/2019/07/nicewall.jpg"
$DesktopImageValue = "C:\MDM\wallpaper_LazyAdmin.jpg"
$directory = "C:\MDM\"


If ((Test-Path -Path $directory) -eq $false)
{
	New-Item -Path $directory -ItemType directory
}

$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $DesktopImageValue)



if (!(Test-Path $RegKeyPath))
{
	Write-Host "Creating registry path $($RegKeyPath)."
	New-Item -Path $RegKeyPath -Force | Out-Null
}


New-ItemProperty -Path $RegKeyPath -Name $DesktopStatus -Value $StatusValue -PropertyType DWORD -Force |
Continue...
Connect and Navigate the Microsoft Graph API with PowerShell

Connect and Navigate the Microsoft Graph API with PowerShell

Comments 23 comments

Graph is Microsoft’s RESTful API that allows you to interface directly with Azure AD, Office 365, Intune, SharePoint, Teams, OneNote, and a whole lot more. By using the Invoke-RestMethod PowerShell cmdlet we can connect and interact directly with the Graph API. The Invoke-RestMethod cmdlet sends HTTP and HTTPS requests to Representational State Transfer (REST) web services that returns richly structured data. PowerShell formats the response based on the data type. For an RSS or ATOM feed, PowerShell returns the Item or Entry XML nodes. For JavaScript Object Notation (JSON) or XML, PowerShell converts (or deserializes) the content into objects.1 In this article, I will walk you through setting up the Azure Application, assigning proper  permissions, Authentication and finally running queries against the Graph API. Once you understand how to properly authenticate and format queries you will see how powerful Graph can be for you and your organization.

1. Application

Continue...
Sync Office 365 / AzureAD down to ADDS

Sync Office 365 / AzureAD down to ADDS

Comments 9 comments

I recently found myself needing to build out an on premise Active Directory environment and populate it from objects found in Office 365 (AzureAD). The local Active Directory would then be configured as the identity source and would sync up to AzureAD using Azure AD Connect. Unfortunately, Azure AD Connect is currently a one way sync from your on premise Active Directory Domain Services environment to AzureAD and wont sync objects down. AADConnect does have the ability to match our AzureAD objects to their corresponding Active Directory objects but, if an attribute like City, Phone Number, Department, Title, etc. is present in your existing AzureAD and not in ADDS, the attribute may remain in AzureAD but not replicate down to ADDS. So we will want to copy over as many attributes from AzureAD to our local Active Directory as possible in preparation for the Azure AD Connect sync. We will … Continue...

Customize your Office 365 Encrypted Messages with your Organizations Brand in Office 365

Customize your Office 365 Encrypted Messages with your Organizations Brand in Office 365

Comments 12 comments

As an Office 365 administrator, you can apply your company branding to customize the look of your organization’s Office 365 Message Encryption email messages as well as the contents of the encryption portal. You can customize the following aspects of the viewing experience for recipients of encrypted email messages:

  • Introductory text of the email that contains the encrypted message
  • Disclaimer text of the email that contains the encrypted message
  • Text that appears in the OME portal
  • Logo that appears in the email message and OME portal
  • Background color in the email message and OME portal

You can also revert back to the default look and feel at any time.

Below is the default message your recipient will see when they receive an encrypted email message.

Customize the Message

To customize the OME message you will first need to connect to Exchange Online using Remote PowerShell. You then want to get … Continue...