Azure

Resources for Windows Autopilot

Similar to last month’s post on resources for Windows Analytics, I’m often also asked for a collection of useful resources on Windows Autopilot.  Most of these are cumulatively pulled from my monthly Windows 10 “news you can use” posts.

Other resources related to Windows Autopilot when using Microsoft Intune.

Auto MDM Enroll: Failed (The system tried to delete the JOIN of a drive that is not joined.)

When setting up hybrid Azure AD join with an on-premises Windows 10 environment, if you encounter the error “The system tried to delete the JOIN of a drive that is not joined.”, there is a good chance that the device has not yet synchronized into Azure AD.

[Screenshot: Event76]

A few tips to help you isolate the cause and get past this issue:

  1. First, confirm whether the device exists in Azure Active Directory.  In the Azure portal, navigate to Azure Active Directory > Devices > All devices.
    [Screenshot: AzureDevicesList]
  2. Review the steps in Troubleshooting hybrid Azure Active Directory joined Windows 10 and Windows Server 2016 devices.  Note that this article points back to another article, How to configure hybrid Azure Active Directory joined devices, which presently contains far more helpful troubleshooting information.
  3. In the most current Azure AD Connect releases, use the built-in Troubleshooter.  In the PowerShell window that launches, run both troubleshooting options: Object Sync and Password Hash Sync.
    [Screenshot: AADC_troubleshooter]
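As an added example for tip 1 (not part of the original post), the following PowerShell summarizes the device’s local join state from dsregcmd /status and then looks the computer up in Azure AD.  It assumes the AzureAD PowerShell module with an existing Connect-AzureAD session; the function names are my own.

```powershell
function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; collect them into a hashtable.
    # Keys are matched lazily so values that contain colons (URLs) stay intact.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1].Trim()] = $Matches[2]
        }
    }
    return $status
}

function Get-HybridJoinState {
    # Pick out the fields that matter for hybrid Azure AD join troubleshooting.
    $s = Get-DsregStatus
    [PSCustomObject]@{
        DomainJoined  = $s['DomainJoined']   # YES / NO
        AzureAdJoined = $s['AzureAdJoined']  # YES / NO
        DeviceId      = $s['DeviceId']       # empty until the device has registered
        TenantName    = $s['TenantName']
    }
}

$local = Get-HybridJoinState
$local | Format-List

# Domain-joined but not Azure AD joined means registration has not completed; the
# Auto MDM Enroll task will keep failing until the computer object has been synced
# by Azure AD Connect and the device has registered.  Confirm the object is in the cloud.
if ($local.DomainJoined -eq 'YES' -and $local.AzureAdJoined -ne 'YES') {
    $name = $env:COMPUTERNAME
    $cloudDevice = Get-AzureADDevice -SearchString $name
    if ($null -eq $cloudDevice) {
        Write-Warning "$name is not present in Azure AD yet; check the Azure AD Connect sync of the computer object."
    } else {
        Write-Output "Found in Azure AD: $($cloudDevice.DisplayName) (DeviceId $($cloudDevice.DeviceId))"
    }
}
```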

In my case, the troubleshooting guides were useful to confirm that I had configured everything correctly.  Then the Azure AD Connect troubleshooter reported an error that “Password Hash Synchronization cloud configuration is disabled”.  Searching that issue on the Internet led me to discover that the cause was likely a mismatch between the password of the Azure AD account “On-Premises Directory Synchronization Service Account” and the password currently set in the local synchronization service.

To fix that, first set a new password for the “On-Premises Directory Synchronization Service Account”.  To do that, try setting it in Azure directly.  However, given that it’s a special account, it may be necessary to reset the password through PowerShell with the MSOL cmdlets.  While I’m not getting into the full end-to-end setup and use of those add-on Azure PowerShell cmdlets, the command could be as simple as:

Connect-AzureAD
# -Password expects a SecureString; prompting keeps the password out of the console history
$NewPassword = Read-Host -AsSecureString -Prompt 'New password for the sync account'
Set-AzureADUserPassword -ObjectId abc123def456xyz980 -Password $NewPassword -ForceChangePasswordNextLogin $false

Next, start the Synchronization Service Manager program, then click Connectors.  Locate the Windows Azure Active Directory connector and click Properties.

[Screenshot: syncservice]

Finally, set the password.  Voila, devices will now sync to Azure AD on the next synchronization!

[Screenshot: AADsyncProperties]

Getting Started with Azure AD Join in Win10

One of the many new capabilities of Windows 10 is the ability to join a device to Azure AD Premium (AADP).  There are many good posts, such as this one from Microsoft, that show how to join an existing Win10 system, but nothing that shows the out-of-box experience or some of the newer AADP features for Azure AD Join (“AADJ”), which is what this post aims to highlight as a quick start guide.

First, configure your AADP tenant to allow connections.

[Screenshot: AADJ00]

Next, this is a possible out-of-box setup experience for a new Win10 device.

[Screenshots: AADJ01 and AADJ02]

Note that the account entered in the screenshot below will be automatically added to the local Administrators group.

[Screenshots: AADJ03 through AADJ08]

Once we’re within Windows, the system properties show that we are joined to the AAD domain.

[Screenshot: AADJ10]

Additionally, the user in AADP shows that the system is AAD Joined.

[Screenshot: AADJ09]

Azure AD Proxy: BadGateway, Possible Loop

When using Azure AD Premium’s Application Proxy feature, you may receive an error that states “Status code: BadGateway” along with the line “The service detected a possible loop. Make sure that the internal URL doesn’t point to the external URL of any application.”

Example web page error:

[Screenshot: BadGatewayLoop]

The cause: when changing the internal URL, I had inadvertently set the internal URL to the external URL.  The surprising thing is that App Proxy actually allowed me to save the changes!

[Screenshot: BadGatewayLoop2]

Azure AD Connect – User Name or Password Is Incorrect

Recently, when setting up a new tenant for Azure / Enterprise Mobility Suite, the Azure AD Connect software gave me the error “the user name or password is incorrect”.  This was caused by using the .onmicrosoft.com account that was set as the Subscription administrator.

[Screenshot: aadc1]

To resolve this, create a new Co-Administrator account in the Azure AD Premium console.  Under Settings > Administrators, create/add a new user that will be a co-administrator.

[Screenshot: aadc2]

Next, go to All Items, click the domain, select Users, then select the new co-administrator.  Change the Organization Role to Global Admin.

[Screenshot: aadc3]

After completing these quick steps, Azure AD Connect will allow the wizard to continue and complete the setup!

[Screenshot: aadc4]

References that AADP will not impact O365

I was recently asked by a customer to provide proof that registering for Azure Active Directory Premium would not cause a production change to their existing O365 implementation.  Unfortunately, this is not specifically stated anywhere in Microsoft documentation.  The references below are what I found that imply there would not be an impact to the business.

  1. https://msdn.microsoft.com/en-us/library/azure/dn629581.aspx?f=255&MSPPError=-2147217396#BKMK_SubRelationToDir
    1. “Every Azure subscription has a trust relationship with an Azure AD instance. This means that it trusts that directory to authenticate users, services, and devices. Multiple subscriptions can trust the same directory, but a subscription trusts only one directory. You can see which directory is trusted by your subscription under the Settings tab. You can edit the subscription settings to change which directory it trusts.”
    2. “This trust relationship that a subscription has with a directory is unlike the relationship that a subscription has with all other resources in Azure (websites, databases, and so on), which are more like child resources of a subscription. If a subscription expires, then access to those other resources associated with the subscription also stops. But the directory remains in Azure, and you can associate another subscription with that directory and continue to manage the directory users.”
    3. The key evidence is that the directory remains in Azure and will work with other subscriptions (e.g. O365)
  2. https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx?f=255&MSPPError=-2147217396#BKMK_ManageDefaultDir
    1. “There are no costs for using Azure AD. The directory is a free resource. There is an additional Azure Active Directory Premium tier that is licensed separately and provides additional features such as company branding and self-service password reset.”
    2. The key evidence is that AADP is an additional “tier” to Azure AD
  3. http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/03/11/what-happens-to-the-data-when-my-trial-expires.aspx
    1. “Trials live in the following phases: 30 days active, 30 days in grace period, 30 days disabled.  Subscription is then deprovisioned”
    2. “Once the final subscription (of any service like Office365 or Intune) is deprovisioned from a tenant, then the countdown starts to where that tenant is then deleted from Windows Azure Active Directory (WAAD).”
    3. The key evidence is that AADP is a subscription (though not directly named in this article dated in 2013)
  4. https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx
    1. Azure AD Premium can be considered as the paid add-ons for Azure AD free edition
    2. Based on the article Azure Active Directory Editions, the common features provided by the Azure AD free edition will not be changed even if we upgrade the free edition to the premium edition:
      1. Directory as a service
      2. User and group management using the UI or Windows PowerShell cmdlets
      3. Access Panel portal for SSO-based user access to SaaS and custom applications
      4. User-based application access management and provisioning
      5. Self-service password change for cloud users
      6. Directory synchronization tool, for syncing between on-premises Active Directory and Azure Active Directory
      7. Standard security reports

Azure AD DS Sync Account Permissions – Replicating Directory Changes

Microsoft has a decent outline for getting started with setup of the Azure AD Sync tool.  One of the prerequisites for preparing the AD account used for password synchronization is to grant it the “Replicating Directory Changes” and “Replicating Directory Changes All” permissions.  This blog post serves as a quick guide on how to configure that.

1.  Within ADUC, right-click on the domain and select Delegate Control

[Screenshot: azuresync1]

2.  Click Next

[Screenshot: azuresync2]

3.  Add the AD service account that will be used

[Screenshot: azuresync3]

4.  Select to create a custom task delegation

[Screenshot: azuresync4]

5.  Select to delegate to This folder…

[Screenshot: azuresync5]

6.  Scroll through the list and find both “Replicating Directory Changes” and “Replicating Directory Changes All”

[Screenshot: azuresync6]

7.  Finally, complete the wizard

[Screenshot: azuresync7]
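Because these two rights allow an account to pull password hashes from the directory, it is worth verifying who holds them once the wizard is done.  The following is an added example (not from the original post): it reads the ACL of the domain head and lists every principal granted either right.  It assumes the RSAT ActiveDirectory module and the AD: drive it registers; the account name svc_aadsync is a hypothetical placeholder for your sync account.

```powershell
Import-Module ActiveDirectory

# Well-known rightsGuid values of the two extended rights the wizard delegates.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

function Get-ReplicationRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        # Only ACEs carrying the ExtendedRight bit can grant these (GenericAll includes it).
        if (-not $ace.ActiveDirectoryRights.HasFlag($extendedRight)) { continue }

        $guid = $ace.ObjectType.ToString().ToLowerInvariant()
        if ($ReplicationRights.ContainsKey($guid)) {
            $right = $ReplicationRights[$guid]
        } elseif ($ace.ObjectType -eq [Guid]::Empty) {
            # An empty ObjectType means "every extended right", so both are implied.
            $right = 'All extended rights (implies both)'
        } else {
            continue
        }

        [PSCustomObject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = $right
            Type      = $ace.AccessControlType   # Allow or Deny
            Inherited = $ace.IsInherited
        }
    }
}

# Expected holders: Domain Controllers, Enterprise Domain Controllers, Administrators,
# Enterprise Admins and the sync service account.  Anything else deserves a look.
$holders = Get-ReplicationRightHolders
$holders | Sort-Object Identity, Right | Format-Table -AutoSize

# Confirm the delegated account (hypothetical name) was granted both rights directly.
$granted = ($holders | Where-Object { $_.Identity -like '*\svc_aadsync' -and $_.Type -eq 'Allow' }).Right
if (($granted -contains 'Replicating Directory Changes') -and ($granted -contains 'Replicating Directory Changes All')) {
    Write-Output 'svc_aadsync holds both replication rights directly.'
} else {
    Write-Warning 'svc_aadsync lacks a direct grant of both rights (grants via group membership are not resolved here).'
}
```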