Monday, May 5, 2025

Configure Azure AD Connect Sync Fail Alerts

Configuring sync alerts from the Azure AD Connect Health portal. Some companies use Global Admins without mailboxes; in that case additional alert recipients are helpful when sync goes down for some reason.

Moving WordPress Mail Integration using Microsoft Graph

Let's move WordPress mail authentication from Basic to Microsoft Graph by choosing one of the available plugins that supports Microsoft Graph. In WordPress, search for “Mail Integration for Office 365”, then install and activate it.

Log in to the Azure Portal and register an application.

From the plugin settings, get the redirect URI and apply it to the app registration above.
Create a secret valid for 3 years under Certificates and Secrets.

Emails are now sent out using Microsoft OAuth / Microsoft Graph. You should feel proud every time you kill basic authentication.

Pulse Secure VPN Single Sign on with Azure AD

Pulse Secure was using an RSA Authentication Server. We are moving to Microsoft MFA so that users get seamless single sign-on like any other Office 365 application. When you have multiple groups, it is seamless to use Azure AD group object IDs to associate different VPN profiles with different sets of users.

Create an Enterprise Application in Azure AD and choose Pulse Secure VPN.

Configure SAML Single Sign On

Entity ID – https://connect.azure365pro.com/dana-na/auth/saml-endpoint.cgi?p=sp1
Reply URL – https://connect.azure365pro.com/dana-na/auth/saml-consumer.cgi
Sign on URL – https://connect.azure365pro.com/vpn

As we will be passing multiple groups via SAML, add the group claim under Attributes and Claims.

Assign the appropriate groups under Users and Groups.

Now we need to configure three things on the Pulse Secure side.

  • Auth Server
  • Realm
  • Sign-in page with the realm we are using

Adding the Auth Server – https://connect.azure365pro.com/dana-na/auth/saml-endpoint.cgi?p=sp1
Uploading the metadata XML should populate this information.

If you are planning to use Passwordless, it's recommended to keep AuthRequest empty (remove Password from AuthRequest).
Otherwise, Passwordless users may see this error:

AADSTS75011: Authentication method ‘X509, MultiFactor’ by which the user authenticated with the service doesn’t match the requested authentication method ‘Password’ Contact the VPN application owner.

As per Microsoft, “RequestedAuthnContext is an optional value. Then, if possible, ask the application if it could be removed.”

Add different role-mapping expressions for different roles, for example:

samlMultiValAttr@AZURE-MS.{http://schemas\.microsoft\.com/ws/2008/06/identity/claims/groups} = ('419f62ec-3c45-43b0-a95c-3819cad32b00')
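The role-mapping expression above grants a role when a particular Azure AD group object ID appears in the multi-valued groups claim of the SAML assertion. The following Python block is an added example (not code from the original post, Pulse Secure or Azure AD) that shows what the VPN side is actually evaluating: it parses a constructed SAML response, checks the audience against the Entity ID from this post, pulls every value of the groups claim, and maps the IDs to roles. The first group ID and the Entity ID are the ones on the page; the second group ID, the role names and the NameID are placeholders.

```python
# Added example: parse the groups claim in an Azure AD SAML assertion and map
# group object IDs to Pulse Secure roles, as the page's role-mapping expression does.
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
ENTITY_ID = "https://connect.azure365pro.com/dana-na/auth/saml-endpoint.cgi?p=sp1"

# Azure AD group object ID -> Pulse Secure role (role names are placeholders).
ROLE_MAP = {
    "419f62ec-3c45-43b0-a95c-3819cad32b00": "VPN-Users",   # ID from the page
    "00000000-0000-0000-0000-000000000001": "VPN-Admins",  # placeholder ID
}

# Constructed sample response. Real responses are signed; the signature must be
# verified before any of the checks below mean anything.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="{GROUPS_CLAIM}">
        <saml:AttributeValue>419f62ec-3c45-43b0-a95c-3819cad32b00</saml:AttributeValue>
        <saml:AttributeValue>9b1d0c2a-1111-2222-3333-444455556666</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same assertion aimed at a different SP: must be rejected by the audience check.
WRONG_AUDIENCE_RESPONSE = SAMPLE_RESPONSE.replace(ENTITY_ID, "https://other-sp.example/saml")


def extract_groups(assertion):
    """Return every value of the Azure AD groups claim (a multi-valued attribute)."""
    for attr in assertion.findall(".//saml:Attribute", NS):
        if attr.get("Name") == GROUPS_CLAIM:
            return [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return []


def authn_context_class(assertion):
    """Method Azure AD says the user authenticated with (X509, Password, ...)."""
    ref = assertion.find(".//saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None and ref.text else ""


def roles_for(groups, role_map=ROLE_MAP):
    """Mirror of the per-role expressions: a role is granted when its group ID is present."""
    return sorted({role_map[g] for g in groups if g in role_map})


def evaluate(xml_text, expected_audience=ENTITY_ID):
    """Decide whether the assertion is for us and which VPN roles it yields."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"accepted": False, "reason": "no saml:Assertion in response"}
    audiences = [a.text.strip() for a in assertion.findall(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        return {"accepted": False, "reason": "audience does not match our Entity ID"}
    groups = extract_groups(assertion)
    roles = roles_for(groups)
    if not roles:
        return {"accepted": False, "reason": "no group maps to a VPN role", "groups": groups}
    return {
        "accepted": True,
        "groups": groups,
        "roles": roles,
        "authn_context": authn_context_class(assertion),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_RESPONSE))
    print(evaluate(WRONG_AUDIENCE_RESPONSE))
```

A user in a group that is not in the map gets no role, and an assertion issued for another service provider is rejected before any group is looked at; the AuthnContextClassRef is reported so that an AADSTS75011-style mismatch between what the VPN requested and what Azure AD used can be seen on the VPN side.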

Create a new sign-in page with the newly created realm.

Now the new sign-in page will redirect directly to the Microsoft Azure AD page. You can apply a Conditional Access policy to require multi-factor authentication and set the sign-in frequency to 24 hours if you wish users to re-authenticate daily.

To use Conditional Access you will need Azure AD Premium P1 or P2 to stay compliant.

Switching to Teams Only mode: unsaved sections error

You need the Teams PowerShell module.

After running the command below, Islands mode switched to Teams Only:

Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Global

If the error below complains about a SIP domain, disable that domain:

Disable-CsOnlineSipDomain -Domain domain.com

This organization cannot be upgraded to TeamsOnly at the tenant level because there is an on-premise deployment of
Skype for Business detected in 1 or more of it sip domains, azure365pro.com. Users can be individually upgraded to
TeamsOnly using either Move-CsUser (if the user has an on-premises Skype for Business account) or
Grant-CsTeamsUpgradePolicy (if the user is homed in Skype for Business online).
    + CategoryInfo          : NotSpecified: (:) [Grant-CsTeamsUpgradePolicy], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.Rtc.Management.AD.Cmdlets.CopyOcsTeamsUpgradePolicyCmdlet

Renewing ADFS Token Signing Certificate

Token signing certificates are standard X.509 certificates that are used to securely sign all tokens that the federation server issues. Token decryption certificates are standard X.509 certificates that are used to decrypt any incoming tokens. Both are published in federation metadata. Single sign-on breaks if they expire. In my case, they are used for several single sign-on apps like Zscaler / Cisco Jabber. Let's see how to extend their validity from 1 year to 3 years, renew them, and update the new certificate in Zscaler.

ADFS Signing Certificate – Certificates


Let's extend the duration from 365 to 1095 days, which is 3 years.

# Check the current certificate settings
Get-AdfsProperties | fl *cer*
# Set the validity of newly generated certificates to 1095 days (3 years)
Set-AdfsProperties -CertificateDuration 1095
# Generate new certificates and make them primary immediately (-Urgent skips the
# rollover grace period), so relying parties must pick up the new ones right away
Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
Update-AdfsCertificate -CertificateType Token-Signing -Urgent

Certificates are renewed now.

  • Token-Decrypting Certificate
  • Token-Signing Certificate

If you wish to disable auto certificate rollover (let's not do it; just FYI):

Set-ADFSProperties -AutoCertificateRollover $false

Replacing the SSL Certificate – set the service communication certificate to the new one.

Open MMC, open the Certificates console for the Local Machine, go to the new certificate and choose Manage Private Keys. Copy the same permissions the old certificate had for the service account (in my case it was adfs admin), then run:

Set-AdfsSslCertificate -Thumbprint "xxxxx"

This added drs and adfssrv permissions on the private key.

Renewing the ADFS Proxy Certificate –

Get-WebApplicationProxyApplication | Fl *cer*,*id*
Get-Pfxcertificate c:\cert.pfx

Use the commands above to get the thumbprint and ID values.

Set-WebApplicationProxyApplication -ExternalCertificateThumbprint "xxx" -ID "xxx"

In my case, I need to use this certificate in my Zscaler forward proxy. Let's see how to convert it to PEM and use it.

Right-click on the ADFS signing certificate

Copy to File

Choose Base-64 encoded X.509 (.CER)


Use a test Linux server or anything that has OpenSSL.
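The post did the conversion with OpenSSL on a Linux box. The Python block below is an added example (not the post's own commands) of the same step: it accepts the exported certificate as either binary DER or the Base-64 .cer the wizard produces, normalizes it to PEM with 64-column lines, and computes the thumbprint that Windows and Get-PfxCertificate display (SHA-1 over the DER bytes), so the file you are about to upload to Zscaler can be checked against the thumbprint used with Set-AdfsSslCertificate above. PLACEHOLDER_DER is a constructed stand-in, not a real certificate.

```python
# Added example: DER <-> PEM conversion and Windows-style thumbprint of an
# exported ADFS certificate. Not from the original post, which used OpenSSL.
import base64
import hashlib
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for the DER bytes of a certificate. It starts with the
# SEQUENCE tag 0x30 like a real one but carries no X.509 structure.
PLACEHOLDER_DER = b"\x30" + b"constructed placeholder, not a real certificate"


def to_der(data: bytes) -> bytes:
    """Accept a Base-64 .cer (PEM, LF or CRLF line endings as exported by the
    Windows wizard) or a binary DER .cer and return the raw DER bytes."""
    text = data.decode("ascii", errors="ignore")
    if PEM_HEADER in text:
        body = text.split(PEM_HEADER, 1)[1].split(PEM_FOOTER, 1)[0]
        return base64.b64decode("".join(body.split()))
    if not data or data[0] != 0x30:
        raise ValueError("input is neither PEM armoured nor DER (no leading SEQUENCE tag)")
    return data


def to_pem(der: bytes) -> str:
    """PEM armour with 64-column Base-64 lines, the layout OpenSSL produces."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(b64, 64), PEM_FOOTER]) + "\n"


def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Windows 'Thumbprint' = hash of the DER encoding, uppercase hex, no separators."""
    return hashlib.new(algorithm, der).hexdigest().upper()


def same_certificate(file_a: bytes, file_b: bytes) -> bool:
    """True when two files (any mix of PEM and DER) carry the same certificate."""
    return thumbprint(to_der(file_a)) == thumbprint(to_der(file_b))


if __name__ == "__main__":
    pem = to_pem(PLACEHOLDER_DER)
    print(pem)
    print("thumbprint:", thumbprint(PLACEHOLDER_DER))
    print("round trip ok:", same_certificate(pem.encode("ascii"), PLACEHOLDER_DER))
```

Run it against the real export by reading the .cer file in binary mode and passing the bytes to to_der and thumbprint; if the thumbprint differs from the one ADFS reports for the primary token-signing certificate, the wrong certificate was exported.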


Copy the file out via WinSCP.


Update it in Zscaler under Authentication Settings – Administrator Management –


Administration – Authentication Settings.


Block Multiple Azure DevOps Organizations in the Same Tenant

Add yourself as a member of the Azure DevOps Administrator role.

Log in to Azure DevOps and open Organization Settings – Azure Active Directory.
Enable Restrict organization creation.
Allow list – add a group or an Azure AD user.
