Configure Windows 10 Web sign in

With the arrival of Windows 10 1809, Microsoft introduced a new way to sign in to your PC. Besides a pin, password or biometric authentication they introduced Web-sign in . This feature enables Windows logon support for identity provides like SAML. Web sign-in enables you to set multifactor authentication before signing in to Windows. Even though you cannot set the Web-sign-in as the default authentication method yet, I’m sure that this will become possible in the future.

In this blog I will show you how to enable Web sign-in, using Intune. This is what you need:

  • A test device with Windows 10 1809.
  • The test device needs to be Azure AD Joined.
  • An Azure AD group with the test device as member.
  • An Intune license assigned to a user. I’m using a test user with an EMS E5 License, but any Intune license will do.

To enable Web sign-in you will need to create a Device configuration Profile. So, sign into the Azure Portal and go to the Intune blade, where you select “Device Configuration” and “Profiles”.

Click “Create Profile”. Enter a name and for Platform choose Windows 10 and later. For Profile Type you will need to select Custom.

At the OMA-URI Settings click add and enter the following values (reference link):

Name: Web Sign In
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
Data Type: Integer
Value: 1

Click OK and click OK at the OMA-URI settings, finally choose create. The policy is now created.

Now you will need to assign the policy to a group with your test device(s).

Testing the policy

Wait before the policy is applied to your test machine. This could take a while but try to reboot your test device occasionally this could help. After you see the policy is applied you can go to the logon screen of your device. If you choose Sign-in options, you should see a new icon for Web sign-in.

Select the Icon and choose Sign in. This will take you to the web sign-in page of Microsoft where you need to authenticate with your password. If you require MFA there will also be an MFA challenge at this point.

When you passes the MFA challenge the user will be signed in.

I think this feature has a lot of potential. I often get the question whether it is possible to enable MFA for Windows. However the feature is not ready yet. I find the sign in process slow if you are used to a pin or facial recognition. Further more Web sign-in is not supported in the Multi Factor Unlock feature with Windows Hello For Business.

Enabling Microsoft teams for Microsoft 365 F1 users

Recently I had to implement the Microsoft 365 F1 plan for a case. The idea was to first create a demo so that I could show the different features. One of the things I wanted to show was Microsoft Teams. So, I created a couple of test users and assigned them licenses. Some got the Microsoft 365 F1 license, others got an E3 license. I wanted to create some teams and assign members to the teams. Everything went well until I used a Microsoft 365 F1 user to log in to teams.microsoft.com. Suddenly I got the message: You’re missing out! Ask your admin to enable Microsoft Teams for

This was unexpected for me since I already made some teams successfully using accounts which had an E3 license. Furthermore, Microsoft Teams is available for F1 users. After some searching it became clear to me that you must enable Teams for F1 users.

This is how you enable Teams for Microsoft 365 F1 users (please note that the Teams admin center is being moved to the new Microsoft Teams & Skype for Business admin center.  So, things could have changed):

Log in to admin center and go to Settings and select Services & add-ins.

Select Microsoft Teams.

 

Under Settings by User/License type use the drop-down menu to select Deskless Worker (Kiosk).

Here you can turn on Microsoft Teams

After enabling Teams for Deskless Worker (kiosk) the user with the Microsoft 365 F1 license could open.

Office 365 Proplus 2019 not suppoted in 2019 VDI environments

EDIT: Microsoft announced that Office ProPlus will be supported on Windows Server 2019  
https://www.microsoft.com/en-us/microsoft-365/blog/2019/07/01/improving-office-app-experience-virtual-environments/

One of the biggest announcements of Ignite was the Windows Virtual Desktop. There have been many articles about this new product, and it looks very promising. It enables a full Windows 10 desktop environment which is, among other things, optimized for Office Pro Plus. Microsoft is really committing towards this new product, which means that support of other environments decreases.

In the presentation of Sandeep Patnaik and Gama Aguilar-Gamez they talked about Office 365 ProPlus deployments in persistent and non-persistent virtualized environments. One of the announcements they made, was that Office 365 ProPlus 2019 will not be supported on Windows server 2019. So, if you plan to update your RDS environment to Windows server 2019 and plan to use Office 365 ProPlus 2019 Licenses you might want to think again.

Office 365 2019 ProPlus support matrix

You will be able to install the perpetual version of Office 2019 on Windows server 2019. However, you will not get all the nice features of Office 2019 as you will get with Office 365 ProPlus 2019. So, if you want to use Office 365 ProPlus 2019 on an virtual environment you must move over to Windows Virtual Desktop, or stay at Windows server 2016 which will be fully supported till 2025.

Remove User from all online groups

Recently I needed to get an overview of the group memerships for an user. More specifically the group memberships of all the online groups. I figured that it probably pretty easy to get an overview since for Active Directory you can use Get-ADPrincipalGroupMembership. So I my guess was that there would be a similar command for the online groups, something like Get-MsolPrincipalGroupMembership or maybe Get-AzureADPrinicpalGroupMembership. To my surprise it turned out that there is no similar command for Get-AdPrincipalGroupMembership for online groups.

Either way I still needed the overview and to remove to user from all of its groups. So I created a PowerShell script to scan all the groups for that user. If the user was a member in the group it would be removed.

I wanted to share the script since I think it can come in handy in a lot of occasions. So I put in a little bit of extra effort to create a script that can provide an overview of all the groups and remove the groups.

You can download the script here.

Before you can use the script you will need to connect to Exchange online.

You can use .\REMOVE-User-From-Online-Groups.ps1 -UserPrincipalName “example@domain.com” to get an overview of all the groups that the user is a member of.

If you want to remove the user from all those groups you can use .\REMOVE-User-From-Online-Groups.ps1 -UserPrincipalName “example@domain.com” -Remove $true

If you have any questions about the script please leave a comment.

<#
.SYNOPSIS
This script will output all de distribtion and security groups a user is member of.
With the switch -Remove the script will remove the user from those groups.

.NOTES
Author: Stephan van de Kruis
First Creation Date: 2018-02-04
.EXAMPLE
.\REMOVE-User-From-Online-Groups.ps1 -UserPrincipalName "example@domain.com"
.\REMOVE-User-From-Online-Groups.ps1 -UserPrincipalName "example@domain.com" -Remove $true

.PARAMETER UserPrincipalName
The UserPrincipalName of a user (e.g. 'example@domain.com')

#>

[CmdLetBinding()]
param(
[Parameter(Mandatory = $true)]
[String]$UserPrincipalName,

[Parameter(Mandatory = $false)]
[boolean]$Remove = $true
)

####
#Look for user in distribution and security groups
####

if(!$Remove){
try {
$OnlineUser = Get-MsolUser -UserPrincipalName $UserPrincipalName
$DistributionGroups = Get-DistributionGroup -ResultSize 5000 | Where-Object {$_.IsDirSynced -eq $False}

foreach ($DistributionGroup in $DistributionGroups) {
if(Get-DistributionGroupMember -Identity $DistributionGroup.Name | Where-Object PrimarySmtpAddress -eq $UserPrincipalName) {
Write-Output "Info: Found $($OnlineUser.DisplayName) in group $($DistributionGroup.Name)"
}
}
}
catch {
Write-Output "An error occurred"
Write-Output $_.Exception.Message
}

try {
$SecurityGroups = Get-MsolGroup -GroupType Security -MaxResults 5000 | Where-Object {$_.LastDirSyncTime -eq $null}

foreach ($SecurityGroup in $SecurityGroups){
if (Get-MsolGroupMember -GroupObjectId $SecurityGroup.ObjectId | Where-Object ObjectId -eq $OnlineUser.ObjectId ){
Write-Output "Info: Found $($OnlineUser.DisplayName) in group $($DistributionGroup.Name)"
}
}
}
catch {
Write-Output "An error occurred"
Write-Output $_.Exception.Message
}
}

####
#Removing user from distribition and security groups
####
if($Remove){

try {
$OnlineUser = Get-MsolUser -UserPrincipalName $UserPrincipalName
$DistributionGroups = Get-DistributionGroup -ResultSize 5000 | Where-Object {$_.IsDirSynced -eq $False}

foreach ($DistributionGroup in $DistributionGroups) {
if(Get-DistributionGroupMember -Identity $DistributionGroup.Name | Where-Object PrimarySmtpAddress -eq $UserPrincipalName) {
Remove-DistributionGroupMember -Identity $DistributionGroup.Name -Member $OnlineUser.UserPrincipalName -BypassSecurityGroupManagerCheck -Confirm:$false
Write-Output "Info: $($OnlineUser.DisplayName) removed from the online group $($DistributionGroup.Name)"
}
}
}
catch {
Write-Output "Error: Removing the user from the distribution group failed"
Write-Output $_.Exception.Message
}

try {
$SecurityGroups = Get-MsolGroup -GroupType Security -MaxResults 5000 | Where-Object {$_.LastDirSyncTime -eq $null}

foreach ($SecurityGroup in $SecurityGroups){
if (Get-MsolGroupMember -GroupObjectId $SecurityGroup.ObjectId | Where-Object ObjectId -eq $OnlineUser.ObjectId ){
Remove-MsolGroupMember -GroupObjectId $SecurityGroup.ObjectId -GroupMemberObjectId $OnlineUser.ObjectId -GroupMemberType User
Write-Output "Info: $($OnlineUser.DisplayName) removed from online group $($Securitygroup.DisplayName)"
}
}
}
catch {
Write-Output "Error: Removing the user from the security groups failed"
Write-Output $_.Exception.Message
}
}

Office 365: Let users assign permissions for shared mailboxes

Sometimes it’s just more time effective to give the user some extra control. It can be very time consuming to assign the proper rights to shared mailboxes. There is always somebody who needs access en somebody who doesn’t need it any more. The service desk can get a lot of requests. These requests have have to be approved by somebody, and then the request has to be executed. It might be a lot simpler to assigning an owner to the mailbox which can handle the request themselves, and assign the proper rights.

Now in Active Directory you could assign managers to security group which could then edit the group membership. In Office 365 this is a little bit harder to do, but it is possible. In this blog post I will explain how this can be accomplished.

Continue reading “Office 365: Let users assign permissions for shared mailboxes”

Deploy a Azure Web App using Gitlab – Part 3

In Deploy a Azure Web App using Gitlab – Part 1 a Gitlab server was installed and some basic settings were applied. In Deploy a Azure Web App using Gitlab – Part 2  a SSL certificate was added so that HTTPS traffic could be used. In this third and final part I will start with what I intended to do; namely deploying a simple web page from Gitlab to an Azure Web App. More specific using a private Git repository so that the “code” will be safe. In short this is what’s going to happen:
1. Create a new project in Gitlab
2. Create a new App service
3. Connecting Gitlab with Azure
4. Connecting Azure with Gitlab
5. Configuring triggers or Webhooks

So creating a new project is pretty easy. Just hit the New Project button and give your project a name. I want to use a private project so that I know nobody can access the resources.

So create the new project and then we can start uploading some basic content. I like to use Visual Studio Code for this. Gitlab is kind enough to provide you with all the necessary commands to get started. These can be found at the project starting page.

git clone https://gitlab.stephanvdkruis.com/root/example-project.git
cd example-project
touch README.md
git add README.md
git commit -m "add README"
git push -u origin master

Continue reading “Deploy a Azure Web App using Gitlab – Part 3”

Deploy a Azure Web App using Gitlab – Part 2

So in Deploy a Azure Web App using Gitlab – Part 1 the Gitlab server was deployed and the url was changed by using an ssh connection.

In the second part I wanted to share how to implement a SSL certificate into your Gitlab server so you can have a secure connection. Please note that I bought a certificate for my sub domain. There is also documentation available on Gitlab, but I will show every step I took to accomplish this. Furthermore I came across some issues synchronizing Gitlab with my local PC. This was caused by not having the appropriate Root Certificates on the Gitlab server, however this was not explained in the Gitlab documentation.

Getting started

OK so you will need your key and .crt file. These files will be copied to Gitlab. If you enable HTTPS on your Gitlab server, Gitlab will check the /etc/gitlab/ssl/ directory for the key and certificate. This directory does not exist by default so this has to be created by running

sudo mkdir -p /etc/gitlab/ssl
sudo chmod 700 /etc/gitlab/ssl
cd /etc/gitlab/ssl/

Continue reading “Deploy a Azure Web App using Gitlab – Part 2”

Deploy a Azure Web App using Gitlab – Part 1

So recently I decided to start writing about things that I want to learn and that interest me. One of the first things I thought of doing was to use Gitlab to deploy virtual machines on Azure. I recently saw the power of using Desired State Configuration (DSC) to manage Windows machines, which were deployed from Gitlab. Basically you can deploy entire environments with some simple code. I thought this was amazing and I wanted to learn how to do this.

But I wanted to start small, and first set up an environment from where I can build more complex projects. So I decided to create a simple Azure Web app to test my environment. This Web App should be connected to a private Gitlab repository. In the process of building this environment I was faced with some challenges, so I thought why not make this the subject of my first blog post. I will show some basic configurations, including enabling HTTPS on Gitlab. And I will show how to deploy a simple website using Gitlab, by pushing code from a local pc.

Continue reading “Deploy a Azure Web App using Gitlab – Part 1”