Microsoft 365 Backup

Microsoft 365 Backup KB ID 0001887

Problem : Microsoft 365 Backup

Originally released in 2023, Microsoft 365 Backup is now generally available. It is a backup and recovery service for the data you keep in OneDrive, SharePoint, and Exchange*. It keeps that data recoverable in the face of data-loss scenarios such as ransomware, accidental deletion, or data corruption.

*Note: At the time of writing it does not include native backup for Microsoft Teams; the service covers only OneDrive, SharePoint, and Exchange data. You can, however, set retention policies and archive Teams, which preserves Teams data. For comprehensive Teams backup you may need a third-party solution such as Veeam (which offers backup and restore for Teams, including Channels, Tabs, Posts, and Files).

Microsoft 365 Backup Key Features

Ultra-Fast Recovery

One of the standout features is its recovery speed. Microsoft claims that mass restores can be up to 20 times faster than traditional backup methods, so you can get the business running again quickly, minimising downtime and disruption.

Comprehensive Coverage

Microsoft 365 Backup covers the following data:

  • OneDrive: Backup and restore entire accounts or specific files.
  • SharePoint: Full site backups with the ability to restore to specific points in time.
  • Exchange: Granular item restores, including emails, contacts, and calendar items.

Security and Compliance

Security is a top priority with Microsoft 365 Backup. The service keeps your backups within the Microsoft 365 trust boundary, so backup data never leaves the platform, and it complies with major regulations such as GDPR. Be aware of the flip side of that design: the backups live inside the same tenant they protect, so they are not an off-platform copy under separate control and do not replace an independent backup if your policy requires one.

Microsoft 365 Backup: How It Works

Microsoft 365 Backup is managed through the Microsoft 365 admin centre and is available as a standalone pay-as-you-go (PAYGO) service, billed against an Azure subscription. There are no additional per-user licence requirements, which keeps it accessible and straightforward to implement.

Backup Process

  • Initiate Backup: Use the admin centre to select the data you want to back up.
  • Automated Backups: The service creates restore points automatically at frequent intervals, so you always have a recent recovery point.
  • Storage: Backups are stored securely within the Microsoft 365 infrastructure.

Recovery Process

  • Select Recovery Point: Choose the specific point in time you want to restore from.
  • Restore Data: Initiate the restore process, and your data will be recovered quickly and efficiently.

Microsoft 365 Backup: Partner Integrations

Microsoft 365 Backup also supports integrations with third-party backup solutions through the Microsoft 365 Backup Storage platform. This allows independent software vendors (ISVs) to build applications that leverage the same high-speed recovery and security features.

Getting Started

  • PAYGO: Ensure you have set up pay-as-you-go billing (this needs an Azure subscription to bill against).
  • Access the admin centre: Log in to the Microsoft 365 admin centre as a global administrator or SharePoint administrator.
  • Navigate to Backup: Find the backup section (under Settings) and follow the prompts to set up your backups.
  • Monitor and manage: Use the admin centre to monitor backup status and manage recovery points.

Points to Note

  • At the time of writing this costs $0.15 per GB per month in backup storage.
  • When restoring SharePoint site(s), ensure the sites are not locked in a read-only state.
  • Default retention is 1 year. Restore points (RPO): Exchange every 10 minutes for the full year; SharePoint/OneDrive every 10 minutes for the last 14 days, then weekly for the remainder of the year.
  • Exchange supports both full-mailbox and granular item restores.

Related Articles, References, Credits, or External Links

Microsoft Announces General Availability of Microsoft 365 Backup and Microsoft 365 Backup Storage

Migrate to Microsoft Entra Connect

 Migrate to Microsoft Entra Connect KB ID 0001857

Problem

You want to migrate from Microsoft Azure AD Connect to Microsoft Entra Connect.

Let me let you into a secret: (at the time of writing) Microsoft Entra Connect and Azure AD Connect ARE THE SAME THING, just renamed. If you go to download Entra Connect, the file you get is still called AzureADConnect.msi. So what you actually want to do is upgrade Azure AD Connect.

If your existing Azure AD Connect runs on Windows Server 2016 (or newer) you can simply ‘in-place upgrade’ the existing installation to version 2.x, and there is no need to migrate anything.

If you MUST migrate, because you are deploying on a new server for example, the process is straightforward:

  • Install on the new server and put it into staging mode.
  • Put the old server into staging mode.
  • Take the new server out of staging mode (and check there are no errors/problems).
  • Uninstall from the old server.

Never have both servers out of staging mode at the same time: only the active (non-staging) server exports to Entra ID, and two active servers will fight over the same objects.

Solution: Migrate to Microsoft Entra Connect

So if you simply want to perform an in-place upgrade because your OS is Windows Server 2016 (or newer), use the following article.

Upgrade Azure AD Connect

If you’ve made it this far then you WANT to migrate to Microsoft Entra Connect, or, as previously mentioned, migrate Azure AD Connect to another server!

Migrate to Microsoft Entra Connect Step One: Export Settings

On the old server, launch the Azure AD Connect shortcut > Configure.

Select  ‘View or export current configuration’ > Next.

Export Settings > save them (by default to C:\ProgramData\AADConnect) > Save > Exit. The exported JSON holds the sync configuration (connectors, rules, options) but not the service-account passwords; you re-enter those during the import.

Migrate to Microsoft Entra Connect Step Two: Import Settings

Assuming you’ve done nothing other than download the install package on the new server > run the installer package > agree to the EULA > Continue.

Customise.

Select ‘Import synchronisation settings’ > in the Location section enter \\old-server-name\c$\ProgramData\AADConnect\filename.json (or copy the file locally first) > Install.

From this point forward I will assume you want everything set the same, so other than usernames and passwords accept the defaults > Next.

Enter the password to authenticate to Microsoft 365 / Azure AD.

This next screen can be confusing because you can’t click Next, and it’s not apparent why! Next to your domain there should be a green tick; if there’s a red cross you need to select ‘Change password’, then enter the (local AD) account you use for synchronisation > Next.

Next.

Both options should be ticked by default > Install.

Exit.

Migrate to Microsoft Entra Connect Step Three: Put Old Server Into Staging Mode

I find this much easier to do with PowerShell, but I’ll put the graphical procedure below if you prefer. Issue the following two commands.

[box]

Import-Module ADSync
# Read the sync engine's global settings and list its parameters
$aadSyncSettings = Get-ADSyncGlobalSettings
$aadSyncSettings.Parameters

[/box]

Locate the ‘Microsoft.Synchronize.StagingMode’ entry and you will see its value is set to ‘False’, i.e. staging mode is NOT enabled (the server is active and exporting to Azure AD).

To change the value to ‘True‘ i.e. enable staging mode use the following command.

[box]

# The value is stored as a string, hence "True" rather than $true
($aadSyncSettings.Parameters | Where-Object { $_.Name -eq "Microsoft.Synchronize.StagingMode" }).Value = "True"
Set-ADSyncGlobalSettings $aadSyncSettings

[/box]

You can then confirm that the staging mode value is set to ‘True’ by reading the settings back from the engine (re-query rather than re-printing the variable you just edited).

[box]

(Get-ADSyncGlobalSettings).Parameters | Where-Object { $_.Name -eq "Microsoft.Synchronize.StagingMode" }

[/box]

Migrate to Microsoft Entra Connect Step Four: Take the New Server Out of Staging Mode

On the new server, use the following commands.

[box]

Import-Module ADSync
$aadSyncSettings = Get-ADSyncGlobalSettings
# "False" = staging mode off; this server becomes the one that exports to Azure AD
($aadSyncSettings.Parameters | Where-Object { $_.Name -eq "Microsoft.Synchronize.StagingMode" }).Value = "False"
Set-ADSyncGlobalSettings $aadSyncSettings

[/box]

You can then confirm that the staging mode value is set to ‘False’ by reading the settings back from the engine.

[box]

(Get-ADSyncGlobalSettings).Parameters | Where-Object { $_.Name -eq "Microsoft.Synchronize.StagingMode" }

[/box]
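The two staging-mode switches above are the moment where a slip leaves you with either no active server or two. The following is an added example, not code from the original article, that wraps the same Get-ADSyncGlobalSettings / Set-ADSyncGlobalSettings change with the checks I would want around it: refuse to flip the mode while a sync cycle is running, and read the result back from the scheduler rather than trusting the variable you just edited. It assumes the ADSync module is present (it is installed with Entra Connect) and an elevated PowerShell session on the sync server.

```powershell
# Added example (not from the original article): switch staging mode on the
# local Entra Connect / Azure AD Connect server with pre- and post-checks.
Import-Module ADSync

function Get-StagingState {
    # Two views of the same setting; the scheduler view is what the engine honours.
    $settings = Get-ADSyncGlobalSettings
    $param    = $settings.Parameters | Where-Object { $_.Name -eq 'Microsoft.Synchronize.StagingMode' }
    $sched    = Get-ADSyncScheduler
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        GlobalSettingValue = $param.Value
        SchedulerStaging   = $sched.StagingModeEnabled
        SyncCycleEnabled   = $sched.SyncCycleEnabled
        SyncInProgress     = $sched.SyncCycleInProgress
    }
}

function Set-StagingMode {
    param([Parameter(Mandatory)][bool]$Enabled)

    # Never change mode mid-cycle; wait for the current run to finish.
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        throw 'A sync cycle is in progress; wait for it to finish before changing staging mode.'
    }

    $settings = Get-ADSyncGlobalSettings
    $param    = $settings.Parameters | Where-Object { $_.Name -eq 'Microsoft.Synchronize.StagingMode' }
    # The parameter is stored as the string "True"/"False".
    $param.Value = "$Enabled"
    Set-ADSyncGlobalSettings $settings

    # Read back from the engine and fail loudly if the change did not take.
    $after = Get-StagingState
    if ($after.SchedulerStaging -ne $Enabled) {
        throw "Staging mode reads $($after.SchedulerStaging) after the change; expected $Enabled."
    }
    $after
}

# Order of operations for the migration in this article:
#   1. On the OLD server:  Set-StagingMode -Enabled $true
#   2. Confirm step 1 (Get-StagingState on the old server shows SchedulerStaging = True)
#   3. On the NEW server:  Set-StagingMode -Enabled $false
# Only then is exactly one server exporting to Entra ID.
Get-StagingState
```

Run Get-StagingState on both servers before step 3 and only proceed when the old server reports SchedulerStaging = True; the function cannot see the other server, so that cross-check is still yours to do.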

Migrate to Microsoft Entra Connect Step Five: Check for Errors

On premises: Look in the ‘Synchronization Service Manager’ (installed with Azure AD / Entra Connect) for failed runs on the Operations tab.

Microsoft 365: The main admin centre will show sync status and errors (in the user management pane).

Microsoft Entra admin centre: Look under Identity > Hybrid management > Microsoft Entra Connect (‘Provision from Active Directory’).

Alternate Steps to Enable Staging Mode (From GUI)

On the old server, launch the Azure AD Connect shortcut > Configure.

Configure Staging Mode > Next.

Enter your admin password > Next.

Tick to select ‘Enable Staging Mode‘ > Next.

Configure.

Exit

Alternate Steps to Disable Staging Mode (From GUI)

On the new server, launch the Azure AD Connect shortcut > Configure.

Configure Staging Mode > Next

Enter your admin password > Next.

Untick to deselect ‘Enable Staging Mode‘ > Next.

Configure.

Exit

Migrate to Microsoft Entra Connect Step Six: Uninstall Microsoft Azure AD Connect

On the old server, search for appwiz.cpl > run it > select Microsoft Azure AD Connect > Uninstall > Yes > Remove.

Exit.

Related Articles, References, Credits, or External Links

Locate Your Azure AD Connect Server

Azure AD Connect: Correct Or Remove Duplicate Values

Cannot Recreate Azure AD ‘Local’ AD Connector

Forcing Azure AD Connect Sync

Excel: Calculate Cost, Margin, Sell Price

KB ID 0001835

Problem

Occasionally at work I need to work out what the sale/retail price for something will be, given that I know the cost and the % margin. That’s easy to work out. But sometimes I’m given the sell/retail price and I know the margin used, and then I must work out what the cost will be.

Ordinarily, if it’s a quick question, I’ll just use an online margin calculator. But if I have a LOT of items to price, then Excel is the way to go.

Solution: Working out the Sell Price

If you know the cost and the margin to be applied, this is how to work out the retail price.

Solution: Working out the Cost Price

If you know the retail (sell) price and the margin that was applied, this is how to work out the cost price.

Related Articles, References, Credits, or External Links

Special thanks to Mr Andrew Dorrian, who worked out the formula for the ‘cost price’ while I swore a lot!

Excel – IP Address Formula for ‘Auto fill’

Excel – Creating a Dropdown Box ‘From data on another sheet’

 

Upgrade Azure AD Connect

Upgrade Azure AD Connect KB ID 0001813

Problem

On 15th March 2023, support for the following Azure AD Connect sync versions will be removed:

  • 2.0.91.0
  • 2.0.89.0
  • 2.0.88.0
  • 2.0.28.0
  • 2.0.25.1
  • 2.0.10.0
  • 2.0.9.0
  • 2.0.8.0
  • 2.0.3.0

So plan in some maintenance and upgrade yours. At the time of writing the current version is 2.1.20.0, so you can still upgrade if you’re running an older version.

Upgrade Azure AD Connect: Solution

Before you start, it’s worth taking a few minutes to see how your current connector is configured. Simply running the Azure AD Connect shortcut pauses synchronisation while the wizard is open and gives you the option to view the current configuration.

Find Azure AD Connect Version

To check what version you are actually running:

[box]

Import-Module ADSync
# The installed build is listed as Microsoft.Synchronize.ServerConfigurationVersion
(Get-ADSyncGlobalSettings).Parameters | Select-Object Name, Value

[/box]

Note: Above you can see I’m running 2.1.16.0, so I would still be OK, but let’s upgrade it anyway.

Test Azure AD Connector Health

Open the Synchronization Service Manager, and have a look in your Microsoft 365 portal, to make sure everything is running healthily (no failed runs, no sync errors).

Upgrade Azure AD Connect

This could not be simpler: download the new software, run it, and supply an administrative account for your tenant. The upgrade takes about 10 to 15 minutes, so go grab a coffee.

Once complete, rerun the same command you used above, to ensure the version number is now updated.

Then force a sync with the following command, and watch the Service Manager while it runs through each stage (it may take a few minutes and look like it’s doing nothing; be patient!)

[box]

Start-ADSyncSyncCycle -PolicyType Delta

[/box]

Note: You can use -PolicyType Initial, which will take a LOT longer (it re-imports and syncs everything). Usually a delta sync is absolutely fine.
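The version check, health check and forced delta sync above are the three things you do before and after every upgrade, so here they are as one script. This is an added example, not code from the original article; it records a baseline before the upgrade, and after the upgrade proves the build number moved, waits for the engine to go idle, and only then forces the delta sync. It assumes the ADSync module and an elevated session on the sync server, and uses a baseline file path of my choosing under ProgramData.

```powershell
# Added example (not from the original article): upgrade baseline and post-upgrade check.
Import-Module ADSync

$BaselinePath = "$env:ProgramData\AADConnect-upgrade-baseline.xml"   # assumed location

function Get-ConnectVersion {
    # The build is recorded in the engine's global settings, not in the MSI name.
    $p = (Get-ADSyncGlobalSettings).Parameters |
         Where-Object { $_.Name -eq 'Microsoft.Synchronize.ServerConfigurationVersion' }
    [version]$p.Value
}

function Get-ConnectHealth {
    $sched = Get-ADSyncScheduler
    [pscustomobject]@{
        VersionString    = (Get-ConnectVersion).ToString()
        SyncCycleEnabled = $sched.SyncCycleEnabled
        StagingMode      = $sched.StagingModeEnabled
        RunInProgress    = [bool](Get-ADSyncConnectorRunStatus)   # empty when idle
        NextSyncUtc      = $sched.NextSyncCycleStartTimeInUTC
    }
}

function Save-ConnectBaseline {
    # Run BEFORE the upgrade so you can prove what changed afterwards.
    $h = Get-ConnectHealth
    $h | Export-Clixml -Path $BaselinePath
    $h
}

function Confirm-ConnectUpgrade {
    # Run AFTER the upgrade, in a fresh session.
    $before = Import-Clixml -Path $BaselinePath
    $after  = Get-ConnectHealth

    if ([version]$after.VersionString -le [version]$before.VersionString) {
        throw "Version did not increase: still $($after.VersionString)"
    }
    if ($after.StagingMode -ne $before.StagingMode) {
        throw "Staging mode changed from $($before.StagingMode) to $($after.StagingMode); check before syncing"
    }
    if (-not $after.SyncCycleEnabled) {
        throw 'The sync scheduler is disabled after the upgrade; the wizard may still be open'
    }

    # Wait for any in-flight run to finish before forcing our own.
    while ((Get-ADSyncConnectorRunStatus)) { Start-Sleep -Seconds 15 }

    Start-ADSyncSyncCycle -PolicyType Delta
    $after
}

# Usage:
#   Save-ConnectBaseline        (before running AzureADConnect.msi)
#   Confirm-ConnectUpgrade      (after it completes)
```

The staging-mode comparison is deliberate: an upgrade should never silently flip a staging server into production, and catching that before the forced sync is cheaper than cleaning up a double export.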

Related Articles, References, Credits, or External Links

NA

Windows: Join Azure AD (AAD)

KB ID 0001596

Problem

With more people looking at Microsoft 365 (as opposed to Office 365), the number of people who want to join their Windows machines to Azure AD is only going to go up. This is how to join your Windows and BYOD client devices to Azure AD.

There are essentially three ways to join Azure AD:

  • Azure AD Join: Used for corporate assets. Windows only (can be managed by Intune). Users log in with their Azure AD account only.
  • Azure AD Registration: Used for BYOD devices (Windows, macOS, Android, etc.; can be managed by Intune). Users log in with their local credentials and register their work account on top.
  • Hybrid Azure AD Join: Used for corporate assets you want to manage with GPO (or SCCM). Windows only. These assets remain in a traditional on-premises domain. WARNING: these devices need periodic line of sight to your on-premises AD (or they become unusable), and the local domain must be connected to Azure AD with Azure AD Connect.

Solution

 

Join Azure AD: Azure AD Join

Start > Settings > Accounts..

Access Work or School > Connect.

STOP! If you put your credentials in here you will NOT join the machine to Azure AD; you will perform an Azure Workplace Join (the device ends up Azure AD registered), which is NOT WHAT WE WANT. Instead select ‘Join this device to Azure Active Directory’.

Enter your Azure AD / Office 365 credentials > Next.

Join.

Done.

The machine will now show that it’s connected to Azure AD.

Note: The login screen now changes to ‘Sign in to: Your Work or School account‘.

Join Azure AD: Azure AD Register

Start > Settings > Accounts..

Access Work or School > Connect.

Enter your O365/M365/Azure credentials.

Then after authenticating you ‘should’ see this.

How To Leave / Disconnect From Azure AD

Same place as above, select the connection and simply click ‘Disconnect‘.

Join Azure AD: How To Hybrid Join Azure AD

To Hybrid Azure AD join your machines (meaning they are already in your local, traditional on-premises domain and are then ‘additionally’ joined to Azure AD), your local domain needs to be syncing to Azure AD with Azure AD Connect, and your machines need to be Windows 10 (or Windows 8 with some additional requirements!)

You configure Hybrid Azure AD Join on the Azure AD Connector, like so;

Locate Your Azure AD Connect Server

Launching Azure AD Connect from its icon pauses synchronisation and allows you to make changes; locate ‘Configure device options’.

 

Next > authenticate to Azure > Next.

Device Options > Configure Hybrid Azure AD Join > Next.

Next > select Windows 10 (unless you have Windows 8, in which case there are some extra hoops to jump through) > Next.

Tick your local domain > Edit > authenticate to AD (with an Enterprise Admin account) > Next.

Exit.

Now be patient; it can take a while for your devices to start appearing in Azure. When they do, it will look like this:
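Whichever of the three join types you went for, the device itself will tell you which one it actually ended up with via dsregcmd /status, which is the quickest way to catch the ‘registered when I meant joined’ mistake flagged above. The following is an added example, not code from the original article: it parses that output into a join type, and includes a constructed (not real) sample to show the mis-join case. It runs as a normal user on the Windows device.

```powershell
# Added example (not from the original article): classify the Azure AD join type
# from 'dsregcmd /status' instead of eyeballing the output.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd prints 'Key : Value' rows; keep the first occurrence of each key.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$' -and -not $state.ContainsKey($Matches[1])) {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Get-AzureAdJoinType {
    param([hashtable]$State)
    $aad = $State['AzureAdJoined']   -eq 'YES'
    $dom = $State['DomainJoined']    -eq 'YES'
    $wpj = $State['WorkplaceJoined'] -eq 'YES'
    switch ($true) {
        ($aad -and $dom) { 'Hybrid Azure AD joined'; break }
        $aad             { 'Azure AD joined'; break }
        $wpj             { 'Azure AD registered (workplace joined)'; break }
        $dom             { 'On-premises domain joined only'; break }
        default          { 'Not joined' }
    }
}

# Live check on this machine.
$live = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    JoinType     = Get-AzureAdJoinType -State $live
    TenantName   = $live['TenantName']
    DeviceId     = $live['DeviceId']
}

# Constructed sample (not real output): credentials typed straight into
# 'Connect' without choosing 'Join this device', leaving the PC merely registered.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
'@ -split "`r?`n"
Get-AzureAdJoinType -State (ConvertFrom-DsregStatus -Lines $sample)
```

For a fleet, run the live part through Invoke-Command and group on JoinType; any corporate asset that comes back ‘registered’ needs the join redone before it gets Intune policy.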

Related Articles, References, Credits, or External Links

Find The Azure AD Join Type

Use Azure MFA With Microsoft NPS (RADIUS) Server

 

KB ID 0001759

Problem

I was in a forum last week and someone asked, “Can I enable Azure MFA on my RADIUS server, to secure access to my switches and routers etc?” It turns out that if you want to enable Azure MFA with Microsoft NPS it’s actually quite simple.

So, I’m using RADIUS auth (above) on my NPS server, and it simply checks that the authenticating user is a member of a domain security group. Once that requirement is satisfied (and the password has been validated against AD), the Azure MFA NPS extension triggers an MFA event in Azure AD (in my case a push request to the Microsoft Authenticator app on my Android phone).

Azure MFA With Microsoft NPS Pre-Requisites

The remote user needs a licence that includes Azure AD Premium P1 (now Microsoft Entra ID P1), either standalone or as part of a Microsoft 365 plan that includes it.

“But I can use the Authenticator App with my Office 365 subscription?”

Well yes you can, but we are not authenticating to Office 365, are we?

Below you can see the licence is allocated in Office 365.

And the same in Azure AD.

Now your user needs to have MFA enabled (this should be pretty obvious). To use the Microsoft Authenticator application the USER chooses that method when they enrol, on their first login after you enable MFA for them. You can force them to re-register from the following screen if you wish.

Azure MFA With Microsoft NPS: Deploying NPS

So I’ve pretty much covered this half a dozen times before, but for completeness I’ll quickly run through setting up NPS / NPAS. The quickest, simplest method is to use PowerShell.

[box]

Install-WindowsFeature NPAS -IncludeManagementTools

[/box]

From Administrative Tools open Network Policy Server > right-click (top level) > Register server in Active Directory > OK > OK.

Execute the following PowerShell command to create the registry key the extension reads. REQUIRE_USER_MATCH = TRUE makes the extension fail closed: a user the extension cannot match to an MFA-enrolled Azure AD account is rejected rather than let through on a password alone.

[box]

# Create HKLM\SOFTWARE\Microsoft\AzureMfa and set REQUIRE_USER_MATCH=TRUE (fail closed)
New-Item 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -Force | New-ItemProperty -Name REQUIRE_USER_MATCH -Value TRUE -Force | Out-Null

[/box]

Enable NPS RADIUS on Windows Firewall

Installing NPS creates the RADIUS firewall rules, but they are scoped to the NPS service and (a known issue on Windows Server 2019) do not actually pass traffic, so rescope them with the following command:

[box]

# Rebind the inbound RADIUS rules from the IAS service to 'Any' so UDP 1812/1813 (and 1645/1646) are actually allowed
Get-NetFirewallRule -DisplayGroup "Network Policy Server" | Where-Object DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any

[/box]

Azure MFA With Microsoft NPS: Domain (on Premises and Azure AD)

You will need to know your Azure tenant ID; keep a copy handy, either in Notepad or on the clipboard, because you will need it in a minute.

Below you can see my domain user: their remote access (Dial-in tab) is set to control access through NPS network policy, and I’ve placed them in a security group called SG-Azure-MFA.

Configure NPS for RADIUS Access

Note: You may already have this configured, if so please skip to the next section.

The first task is to define the RADIUS CLIENT; in my case it will be a Cisco firewall, yours could be any device that requires RADIUS authentication. Locate RADIUS Clients > New > provide a ‘Friendly name’ (REMEMBER WHAT IT IS) > enter its IP address > then provide and confirm a shared secret (think of it like a password: you will need to add this to the RADIUS client’s config, and it is the only thing authenticating that client to NPS, so make it long and random) > OK.

Policies > Network Policies > New > Give it a sensible name > Next.

Add a ‘Condition’ for User Groups, then add the group you created/used above.

Add another ‘Condition’ for Client Friendly Name, set to the name you used when you created your RADIUS client.

Accept all the defaults until you get to Configure Authentication Methods > tick ‘Unencrypted authentication (PAP, SPAP)’ > click Yes if you want to read the warning > Next > accept all the defaults from this point forward. Note that with PAP the user’s password crosses the network between the RADIUS client and NPS protected only by the RADIUS shared secret, so keep that path on a management network and define only the RADIUS clients you actually need.

Enable Azure MFA With Microsoft NPS

Download the ‘NPS Extension for Azure MFA’ software from Microsoft and install it on your NPS server.

To actually enable it against your Azure AD, execute the following PowerShell commands:

[box]

cd "C:\Program Files\Microsoft\AzureMfa\Config"
# Registers the extension with your tenant (creates its certificate/service principal); prompts for admin sign-in and tenant ID
.\AzureMfaNpsExtnConfigSetup.ps1

[/box]

Eventually you will be asked to authenticate to Azure; do so with an administrative account.

You will be asked to provide your Azure tenant ID.

When complete REBOOT THE NPS SERVER!

Testing Azure MFA With NPS

Again, for the Cisco ASA I’ve already blogged about this, but for completeness here’s me making sure it works:

Remember to RAISE the RADIUS timeout on the client: by default it’s 10 seconds, which is not long enough for the user to answer the push; I raised it to 30 seconds.

And on my phone I get prompted to allow it.

 

Authentication successful!

Troubleshooting (NPS Azure MFA Not Working)

Event ID 6274: The request was discarded by a third-party extension DLL file.

This happens when the user you are authenticating does not have the correct licence in Azure (or you have just allocated the licence and have not waited for it to propagate).

Full Error

[box]

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 16:42:58
Event ID:      6274
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			PNL\tanya.long
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	pnl.com/PNL/Users/Tanya Long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			6

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		NP-Azure-MFA
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		PAP
	EAP Type:			-
	Account Session Identifier:		-
	Reason Code:			9
	Reason:				The request was discarded by a third-party extension DLL file.

[/box]

Event ID 6273: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection

In my case I had to reinstall the NPS Azure MFA extension.

Full Error

[box]

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 17:24:39
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	PNL\tanya.long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			10

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		Extension
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			21
	Reason:				An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

[/box]
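Both events above live in the Security log with the detail in named fields, so you can triage them with a script rather than scrolling the Event Viewer. The following is an added example, not code from the original article: it pulls recent 6273/6274 events, extracts user, RADIUS client, authentication type and reason code from the event XML, and attaches the two explanations this article gives (reason 9 and reason 21); anything else is shown as the event’s own reason text. It also reads the extension’s own log channels, which is where the Azure-side verdict (licence, enrolment, tenant lookup) is recorded. Run in an elevated session on the NPS server; the constructed sample event at the bottom shows the parsing without needing live failures.

```powershell
# Added example (not from the original article): triage NPS / Azure MFA extension failures.

# Reason codes explained in this article; anything else falls back to the event's Reason text.
$KnownReasons = @{
    9  = 'Discarded by extension DLL: check the user''s Azure licence / MFA enrolment, or wait for a new licence to propagate'
    21 = 'Extension DLL rejected the request: extension unhealthy, re-run AzureMfaNpsExtnConfigSetup.ps1 or reinstall it'
}

function ConvertFrom-NpsEventXml {
    param([string]$EventXml, [datetime]$TimeCreated, [int]$EventId)
    # Use the named <Data Name="..."> fields rather than regex-ing the message text.
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $code = [int]$data['ReasonCode']
    [pscustomobject]@{
        Time         = $TimeCreated
        EventId      = $EventId
        User         = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        RadiusClient = $data['ClientName']
        ClientIP     = $data['ClientIPAddress']
        AuthType     = $data['AuthenticationType']
        Policy       = $data['NetworkPolicyName']
        ReasonCode   = $code
        Hint         = if ($KnownReasons.ContainsKey($code)) { $KnownReasons[$code] } else { $data['Reason'] }
    }
}

function Get-NpsMfaFailure {
    param([int]$MaxEvents = 200, [datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Security'; Id = 6273, 6274; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-NpsEventXml -EventXml $_.ToXml() -TimeCreated $_.TimeCreated -EventId $_.Id }
}

# Who is failing, from which RADIUS client, and why.
Get-NpsMfaFailure | Group-Object User, RadiusClient, ReasonCode |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# The extension's own channels carry the Azure-side reason when Security only says "discarded".
Get-WinEvent -LogName 'Microsoft-AzureMfa-AuthZ/AuthZAdminCh', 'Microsoft-AzureMfa-AuthZ/AuthZOptCh' `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Format-List TimeCreated, Id, Message

# Constructed sample event (not real data) to show the parsing of a reason-9 discard.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6274</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">example.user</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ClientName">Firewall</Data>
    <Data Name="ClientIPAddress">192.0.2.1</Data>
    <Data Name="NetworkPolicyName">NP-Azure-MFA</Data>
    <Data Name="AuthenticationType">PAP</Data>
    <Data Name="ReasonCode">9</Data>
    <Data Name="Reason">The request was discarded by a third-party extension DLL file.</Data>
  </EventData>
</Event>
'@
ConvertFrom-NpsEventXml -EventXml $sampleXml -TimeCreated (Get-Date) -EventId 6274
```

The grouping by RADIUS client is worth keeping: a burst of failures from an address that is not one of your defined clients is a different problem from a user without a licence.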

 

Related Articles, References, Credits, or External Links

NA

macOS: Microsoft Outlook Search Broken

KB ID 0001754

Problem

I’ve had to contend with Outlook search being broken on Windows clients many times, but on macOS not being able to search my ‘sent’ and ‘deleted’ items has a detrimental effect on my productivity.

Outlook Search Broken Fix

This can happen if the folder/drive holding your Outlook profile is excluded from ‘Spotlight’ indexing, but in my case that wasn’t the problem.

Close Outlook > open ‘Finder’ > Go > Go to Folder > paste in the following:

~/Library/Group Containers/UBF8T346G9.Office/Outlook/Outlook 15 Profiles/Main Profile/Data

 

Locate the file called Outlook.sqlite and MOVE it somewhere safe (like your desktop).

Open Outlook; you should see this > click ‘Repair’.

This can take a while (mine took about an hour, be patient). Eventually Outlook will open and all your folders will resync, after which you can search again.

Alternative Outlook Search Broken Fix

You may also need to ‘bounce’ the Spotlight indexing service; issue the following commands:

[box]

sudo mdutil -a -i off   # turn Spotlight indexing off on all volumes
sudo mdutil -a -i on    # turn it back on, which starts a fresh index

[/box]

Related Articles, References, Credits, or External Links

Microsoft Outlook ‘Search’ Not Working

O365 with Duo MFA (Without a P1 License?)

KB ID 0001737

Problem

Working for a cloud service provider (and a Duo partner), I get a lot of queries about Duo MFA for Office 365. Typically (I think) the best solution is to enable Azure Conditional Access coupled with trusted locations, so clients get challenged when out on the road but not in the office. The drawback is that Azure Conditional Access requires a P1 licence, at the time of writing about $6 a month on top of your normal 365 licence, so it can work out expensive.

A couple of weeks ago I was on a call with a client who wanted to use Duo Access Gateway (DAG) to provide Duo MFA for their 365 tenancy. I’ve done the same thing for other clients with ADFS before; basically you are just federating a DAG into your Azure AD rather than federating an ADFS server. Keep in mind what federation means: the tenant will accept a SAML assertion signed by the DAG as proof of identity for any user in that domain, so the DAG and its signing key are as sensitive as a domain controller.

This is what it looks like;

Duo MFA: DAG & Office 365 Pre-Requisites

  • Azure AD Sync needs to be set up, and a registered (custom) domain set up in your Office 365 tenancy (NOT the onmicrosoft.com domain!).
  • You need (at least) Duo MFA licensing to deploy, one level above free ($30 for a year).
  • DAG server: 2 x CPU, 4 GB RAM, 60 GB HDD, Windows Server 2012 or newer (2019 supported). Note: you can also deploy DAG on Linux.
  • DAG server should be in a DMZ (not domain joined).
  • DAG server needs the IIS role installed.
  • DAG server needs TCP port 443 open outbound to Duo.
  • DAG server needs TCP port 443 open inbound from the Internet on the public IP address that your public DNS record points to (users are redirected to it during login).
  • Download PHP (in zip file format); keep the zip file handy.
  • Install a publicly signed SSL certificate (the common name or SAN must match the public DNS name).

Note: Duo have great walkthroughs and videos on their site, this article is just to tie the various steps together.

Installing Duo MFA DAG

To set up IIS just use the following PowerShell commands:

[box]

Import-Module ServerManager
# IIS plus the CGI handler (for PHP), .NET 4.5 and the management tools the DAG installer expects
Add-WindowsFeature Web-Server, Web-Mgmt-Tools, Web-CGI, NET-Framework-Core, Web-Asp-Net45, Web-Scripting-Tools

[/box]

Install and bind a publicly signed certificate. Let’s do this for free with Let’s Encrypt! See the following article.

Free Certificate for IIS with Let’s Encrypt

Download the newest version of PHP in zip format and drop it on your desktop, then run the Duo Windows installer. You may be prompted to install the C++ runtime (which may require a reboot); post-reboot the installer will launch.

Browse to and select the PHP zip file > Next > select the correct server hostname (if it’s not listed, you need to enter it in the ‘hostname’ section of the HTTPS binding in IIS Manager) > Next > if you want to manage the DAG from any other IP addresses, enter them > Next > Install.

When done, launch the ‘Configure’ page > create an access password > Submit.

Configure Duo DAG Active Directory LDAPS Access

In the next step we need a copy of your CA certificate (the CA that issued the certificates your domain controller(s) present for LDAPS, typically from the Kerberos Authentication or Domain Controller template). If you have just glazed over, have a read of the following article:

Get Ready for LDAPS Channel Binding

From the DAG console > Authentication Source > Configure Sources > select Active Directory* > enter the FQDN of a domain controller (the DMZ server needs to be able to resolve this; I suggest putting it in the server’s hosts file) > port will be 636 (LDAPS) > select LDAPS > scroll down.

*You can’t use Azure as an authentication source for Office 365 MFA (counter-intuitively!)

Browse to and select the CA certificate you downloaded above > set the attributes to “mail,sAMAccountName,userPrincipalName,objectGUID” > Search Base (I’m setting it to the top of my Active Directory, e.g. ‘DC=pnl,DC=com’) > Search Attributes (I’ve set the same as the attributes above) > Search Username, set to a normal domain user account (I’ve set up a service account that’s just a member of ‘Domain Users’; it only needs read access, so don’t use an admin account) > scroll down > type in the user’s password > Save Settings.

What should happen is it says LDAP Bind Successful; if it does not:

  • Make sure TCP port 636 is open from the DMZ server to the domain controller(s).
  • Make sure you used the domain controller FQDN, NOT its IP address (the IP address is not in the certificate’s subject or SAN, so the TLS check fails).
  • Install the Remote Server Administration Tools for AD DS; this gives you ldp.exe, which you can test LDAPS connectivity with (I’ve written about LDP before, use the search box above).

When happy, ensure Active Directory is set as the active source.

Federate Duo DAG With Azure Active Directory

Within the Duo DAG management console > Applications > Metadata > download the certificate > copy all the URLs to a Notepad file.

Copy the Notepad file and the certificate to a domain-joined server/PC that has the Azure Active Directory (MSOnline) module for PowerShell installed. Note that Microsoft has since deprecated and retired the MSOnline module; the equivalent today is Microsoft Graph PowerShell (Get-MgDomain and New-MgDomainFederationConfiguration), but the values you need are the same ones shown here.

Execute the following commands (change the domain name and the portal.petenetlive.co.uk URLs to match your own):

[box]

Import-Module MSOnline
Connect-MsolService
# Log in to your tenancy when prompted

Get-MsolDomain -DomainName your-domain-name.com
# Make sure it says 'Managed' and NOT 'Federated'!

$dom = "your-domain-name.com"
$url = "https://portal.petenetlive.co.uk/dag/saml2/idp/SSOService.php"
$uri = "https://portal.petenetlive.co.uk/dag/saml2/idp/metadata.php"
$logoutUrl = "https://portal.petenetlive.co.uk/dag/saml2/idp/SingleLogoutService.php?ReturnTo=https://portal.petenetlive.co.uk/dag/module.php/duosecurity/logout.php"
# The certificate downloaded from the DAG metadata page; the tenant will trust assertions signed by this key
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\dag.crt")
$certData = [System.Convert]::ToBase64String($cert.RawData)
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -PassiveLogOnUri $url -ActiveLogOnUri $url -IssuerUri $uri -LogOffUri $logoutUrl -PreferredAuthenticationProtocol SAMLP -SigningCertificate $certData

Get-MsolDomain -DomainName your-domain-name.com
# NOW it should say 'Federated'!

[/box]
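Checking that the domain now says ‘Federated’ proves the command ran, not that the tenant trusts the right thing. The following is an added example, not code from the original article: it reads the federation settings back and checks that every endpoint points at your DAG host, that the signing certificate the tenant holds is byte-for-byte the one you exported (C:\dag.crt), and that it is not about to expire, since an expired signing certificate stops every login for the domain. It assumes the MSOnline module with Connect-MsolService already run, and the domain name, certificate path and DAG hostname used in this article.

```powershell
# Added example (not from the original article): verify the DAG federation trust after Set-MsolDomainAuthentication.
Import-Module MSOnline

$Domain   = 'your-domain-name.com'        # as used above
$CertPath = 'C:\dag.crt'                  # certificate downloaded from the DAG metadata page
$DagHost  = 'portal.petenetlive.co.uk'    # hostname in the DAG URLs above

function ConvertFrom-Base64Certificate {
    param([string]$Base64)
    # The tenant returns the signing certificate as base64 DER, the same form we uploaded.
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($Base64))
}

function Test-DagFederation {
    param([string]$Domain, [string]$CertPath, [string]$DagHost, [int]$ExpiryWarningDays = 30)

    $dom = Get-MsolDomain -DomainName $Domain
    if ($dom.Authentication -ne 'Federated') { throw "$Domain is $($dom.Authentication), not Federated" }

    $fed   = Get-MsolDomainFederationSettings -DomainName $Domain
    $local = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    $cloud = ConvertFrom-Base64Certificate -Base64 $fed.SigningCertificate

    $problems = @()
    if ($cloud.Thumbprint -ne $local.Thumbprint) {
        $problems += "Tenant trusts thumbprint $($cloud.Thumbprint) but the DAG certificate is $($local.Thumbprint)"
    }
    if ($cloud.NotAfter -lt (Get-Date).AddDays($ExpiryWarningDays)) {
        $problems += "Signing certificate expires $($cloud.NotAfter); rotate it before then or logins stop"
    }
    foreach ($endpoint in $fed.PassiveLogOnUri, $fed.ActiveLogOnUri, $fed.IssuerUri, $fed.LogOffUri) {
        if (([uri]$endpoint).Host -ne $DagHost) { $problems += "Endpoint does not point at the DAG: $endpoint" }
    }

    [pscustomobject]@{
        Domain     = $Domain
        Issuer     = $fed.IssuerUri
        Thumbprint = $cloud.Thumbprint
        NotAfter   = $cloud.NotAfter
        Problems   = $problems
    }
}

Test-DagFederation -Domain $Domain -CertPath $CertPath -DagHost $DagHost
```

Re-run this whenever the DAG certificate is rotated, and treat any unexpected change in Thumbprint or endpoint host as an incident: whoever controls those values can sign in as any user in the domain.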

Duo MFA Protect Office 365

Log into your Duo online admin console > Protect an Application > locate Office 365 (2FA with SSO self-hosted) > Protect.

Unless ALL your mail clients* support modern authentication, tick “Allow legacy mail clients that only support basic auth to bypass 2FA”. Understand what that box does: it deliberately lets password-only (basic auth) clients past MFA, so any leaked password works against those protocols. Microsoft has since turned off basic authentication for Exchange Online, so today this should stay unticked.

*Modern authentication is supported on Outlook 2013 (or newer); older Android mail clients don’t support it, though the Microsoft Outlook app on modern Android does. Modern Apple iOS devices support modern authentication.

Click ‘Save Configuration’.

Click “Download your Configuration File”; this downloads a JSON configuration file, put it somewhere your Duo DAG server can get to.

Add Office 365 MFA to Duo DAG

Back on the DAG server > Applications > Browse > select the JSON file you downloaded above.

Open a web page and try to log into Office 365; after you’ve entered your username you should be redirected to your DAG for 2FA.

Related Articles, References, Credits, or External Links

NA

Microsoft Outlook ‘Search’ Not Working

KB ID 0001676

Problem

When attempting to perform a ‘Search’ whilst in Microsoft Outlook, you encounter a problem (it’s not working).

Something went wrong and your search couldn’t be completed.

Solution

Let’s be clear here: I’m dealing with a problem on the ‘client side’, either with Outlook itself or with Windows indexing. If you have multiple clients with their mailboxes on an on-premises Exchange Server, the problem is probably indexing on their mailbox database (as long as it’s not Exchange 2019 or newer, as indexing in newer versions of Exchange is done at mailbox level). If that is your problem and you are running Exchange 2016 (or earlier), then see the following article first.

Exchange ContentIndexState ‘Failed’

Each of the following may work, or you may need to work through the list, but BE AWARE that once indexing is fixed it can take some time (depending on how much email you have) to index it all; be patient.

Incomplete Missing Outlook Search Results

Before we start ‘fixing’ search, are you sure you are not just missing emails? Outlook in Cached Exchange Mode only keeps a window of mail locally (3 months in the author’s case; the default depends on the ‘Mail to keep offline’ slider), so emails older than that simply cannot be seen by the index. If so you may need to change the following setting.

Microsoft Outlook: Check Indexing, and Rebuild Index

Within Outlook > File > Options > Search > Indexing Options.

Make sure Microsoft Outlook is listed.

Note: You can get to the same options in ‘Control Panel’ > Indexing options.

If Microsoft Outlook is NOT listed: Modify > Select it > OK.

If Microsoft Outlook IS listed: Advanced > Rebuild > OK.

While in this window, go to the ‘File Types‘ tab, and ensure .msg files are selected.

This might take a while! You can see progress by clicking in the search box > Search Options > Indexing Status.


Windows Search Service

Outlook indexing relies on the Windows Search Service. Run services.msc > Locate the Windows Search Service, ensure it’s running, and it should be set to Automatic (Delayed Start).

Repairing Windows Search Service

Sometimes it won’t start, or you simply want to flush its contents and start again. Occasionally you may need to set the service to ‘disabled’ and reboot before it will let you manipulate it, but I simply opened an administrative PowerShell window and ran the following PowerShell commands;

[box]

# Stop and disable the service so its index files are no longer in use
Set-Service WSearch -StartupType Disabled
Stop-Service WSearch
# Delete the existing index and temp files (they are recreated on the next start)
Get-ChildItem -Path C:\ProgramData\Microsoft\Search\Data\Applications\Windows -Include *.* -File -Recurse | foreach { $_.Delete()}
Get-ChildItem -Path C:\ProgramData\Microsoft\Search\Data\Temp -Include *.* -File -Recurse | foreach { $_.Delete()}
# Set the service back to Automatic (Delayed Start) and start it again
sc.exe config WSearch start= delayed-auto
Start-Service WSearch

[/box]

Note, Before I’m Asked: I used sc.exe and not Set-Service, because you need PowerShell v6 to set a service to ‘Automatic (Delayed Start)’, and not all visitors will have PowerShell version 6.

Don’t panic if the service takes a long time to start (it’s recreating a lot of files!)

Make Sure Outlook Indexing Has NOT Been Disabled In the Registry

To save you poking about in the Registry, just run the following TWO PowerShell commands;

[box]

# Create the policy key if it does not already exist (-Force keeps an existing key as it is)
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\" -Name "Windows Search" -Force
# Set PreventIndexingOutlook to 0 (-Force overwrites the value if a policy has already created it)
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" -Name "PreventIndexingOutlook" -Value 0 -PropertyType "DWord" -Force

[/box]

Microsoft Outlook Repairing PST Files

I detest PST files with a passion! Please stop using them; there are far more efficient ways of storing old emails for those of you that simply need to keep ‘every‘ email you’ve ever received, sent, or deleted. A broken or corrupt PST file can also break search/indexing.

If you are using PST file(s) then firstly you need to know where it/they are. You can get that from their properties > Advanced > Filename.

Secondly you need to run the scanpst.exe program to scan and fix them. Annoyingly, each version of Office puts this in a different place, but here I’ll teach you some old-school search ninja skills to find it on your PC (this also saves me listing all the versions and locations, and having to keep updating them!)

Open an administrative Command Window > Execute the following two commands;

[box]

cd c:\
rem Search every folder on the drive (/s = include subdirectories) for scanpst.exe
dir scanpst.exe /s

[/box]

After a while it should show you where scanpst.exe is (this is still how I search for files, it’s a lot quicker);

You can now run scanpst.exe and point it at your PST files.

Check Indexing has NOT been disabled by Group Policy

You can get a group policy enforced on you remotely by your IT admins, or on your local PC with local group policy (unless you run a ‘Home’ version of Windows, where there is no group policy. You can run winver from the command line or PowerShell and that will tell you, if you’re unsure).

Here I’m going to use Resultant Set Of Policy to show me the sum total of ALL policies being applied, to make sure some doofus hasn’t disabled indexing for the drive/location. My Outlook index should be in C:\ProgramData\Microsoft by default (Note: that’s a hidden folder, so you may not see it if you try and browse to it).

Run > mmc.exe > File > Add/Remove Snap-in > Resultant Set of Policy > Add > OK.

Right click Resultant Set of Policy > Generate RSoPData > Next.

Accept all the defaults (keep clicking next) > Finish.

Below, someone has disabled indexing (on the C drive!) You should NOT be able to see this. In fact you may not even see Administrative Templates.

Note: Above, it’s been set in ‘Local‘ policy; if yours has been set by ‘Domain‘ group policy, you will need to speak to your IT department.

Repair Microsoft Office

Run appwiz.cpl > Locate Microsoft Office > Change > Yes.

Try Quick Repair first (you can rerun and try Online Repair if you wish afterwards) > Repair > Close.

Update Microsoft Office

You should be able to update Office from File > Office Account > Update Options > Update Now.

I can’t see that option! If you have a retail or volume copy of Windows you may need to manually download the updates. To find out your version of Office see the following link;

Finding Out Your Microsoft Office Licence Version

Outlook 2016 and 2019 (Office 365 Version)

You may need to create a DWORD registry value called ServerAssistedSearchTimeout and set its value to 5000 (decimal), in the following key;

[box]

HKEY_CURRENT_USER > Software > Microsoft > Office > {version} > Outlook > Search

[/box]
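As an added read-only check (this is not the article’s code), the following PowerShell script reports the state of each item the fixes above touch, without changing anything: the Windows Search service and its startup type, the PreventIndexingOutlook policy value, the index data folder, and the ServerAssistedSearchTimeout value for each Office version found under HKCU. It assumes the DelayedAutostart value under the service’s HKLM\SYSTEM key is how Windows records ‘Automatic (Delayed Start)’; run it from an elevated PowerShell window.

```powershell
# Added read-only check script, not from the article: it reports and changes nothing.
# Run from an elevated PowerShell window so the HKLM policy key is readable.
function Test-WSearchService {
    $svc = Get-Service -Name WSearch -ErrorAction SilentlyContinue
    if (-not $svc) { return 'WSearch: service not found' }
    # Assumption: DelayedAutostart=1 under the service key records 'Automatic (Delayed Start)'
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WSearch' -ErrorAction SilentlyContinue
    'WSearch: Status={0} StartType={1} DelayedStart={2}' -f $svc.Status, $svc.StartType, ($reg.DelayedAutostart -eq 1)
}

function Test-OutlookIndexingPolicy {
    # Same policy key the TWO commands above write to; a domain GPO will re-apply whatever it sets here
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
    if (-not (Test-Path $key)) { return 'Windows Search policy key absent: nothing disabled by policy' }
    $p = Get-ItemProperty -Path $key
    $v = $p.PreventIndexingOutlook
    if ($null -eq $v) { $msg = 'PreventIndexingOutlook not set' }
    elseif ($v -eq 1) { $msg = 'PreventIndexingOutlook=1: Outlook indexing DISABLED by policy' }
    else              { $msg = "PreventIndexingOutlook=$v" }
    # Any other Prevent* policy value in the same key is worth reading as well
    foreach ($o in ($p.PSObject.Properties | Where-Object { $_.Name -like 'Prevent*' -and $_.Name -ne 'PreventIndexingOutlook' })) { $msg += "; $($o.Name)=$($o.Value)" }
    $msg
}

function Test-IndexData {
    # The repair step above deletes this tree; an empty tree means the index is still rebuilding
    $path = 'C:\ProgramData\Microsoft\Search\Data\Applications\Windows'
    if (-not (Test-Path $path)) { return "Index folder missing: $path" }
    $n = (Get-ChildItem -Path $path -File -Recurse -ErrorAction SilentlyContinue | Measure-Object).Count
    "Index folder present with $n file(s)"
}

function Test-ServerAssistedSearchTimeout {
    # Walks each Office version key (e.g. 16.0) under HKCU and reads Outlook\Search, as in the last fix above
    Get-ChildItem -Path 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
        ForEach-Object {
            $k = "HKCU:\Software\Microsoft\Office\$($_.PSChildName)\Outlook\Search"
            $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).ServerAssistedSearchTimeout
            if ($null -eq $v) { $v = 'not set' }
            "Office $($_.PSChildName): ServerAssistedSearchTimeout=$v"
        }
}

Test-WSearchService
Test-OutlookIndexingPolicy
Test-IndexData
Test-ServerAssistedSearchTimeout
```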


Please feel free to comment any ‘fixes’ I’ve missed, below!

Related Articles, References, Credits, or External Links

macOS: Microsoft Outlook Search Broken

Microsoft Teams: Custom Background Images

KB ID 0001669

Problem

With the current lockdown and everyone working from home, I’m using Teams a lot. I use one of the images that I use here at PNL as one of the background images that ‘appear’ behind me when I’m using the webcam in Teams. I was asked today how I did that, so I thought I’d write it up here.

Solution

I’m using Teams on my MacBook but the procedure is pretty much the same in Windows; if you can’t see the options I’m mentioning, you might want to simply update your copy of Microsoft Teams.

Firstly: You need to actually be in a call before you can change your background! On your options bar (if you can’t see it, click on the Teams window), click the ellipsis (3 dots) and select ‘Show Background Effects‘.

You can then simply select one of the Microsoft-included backgrounds and apply it (there’s a long list, scroll down!)

Adding Your Own Custom Image To Teams Backgrounds

This is pretty easy, but you will find that the image will be ‘flipped horizontally’ when other users see it like so;

So if it’s a landscape or an office backdrop that’s probably not going to bother you, but if you have text on the image it will be back to front (or, like me, it just makes your OCD itch!) In that case, simply use your favourite graphics editing software to flip the image before you put it in the correct folder.

Where to Save your Teams Custom Backgrounds

For macOS: In Finder > Go > Go to Folder > ~/Library/Application Support/Microsoft/Teams/Backgrounds/Uploads

For Windows Clients: In Windows explorer > %AppData%\Microsoft\Teams\Backgrounds\Uploads

Don’t forget to restart Teams before they will appear.

Related Articles, References, Credits, or External Links

NA