AAD Connect 1.5.29.0 released - With a gotcha

Friday, April 24, 2020
Microsoft released a major update to AAD Connect with build 1.5.18.0 on April 2, 2020. In the last 22 days they've released three newer builds to fix issues in this updated version.

Today they released AAD Connect build 1.5.29.0 which you can download here. But be aware, in my testing Microsoft Defender SmartScreen in the new Chromium Edge browser blocks the download because "this app is not commonly downloaded or is not signed by its publisher".


In order to download it using Edge, click Show More and Keep anyway. This does not happen with the Chrome browser.

I verified that the download is indeed digitally signed with a valid certificate, so I'm not sure why the download is being blocked.



The AAD Connect version release history on this build only lists one unhelpful hint as to what this build fixes:
1.5.29.0

Release status

04/23/2020: Released for download

Fixed issues
This hotfix build fixes an issue introduced in build 1.5.20.0 where a tenant administrator with MFA was not able to enable DSSO.
DSSO is a new acronym to me and I can't find it in any Microsoft documentation, so if you aren't having any trouble with AAD Connect, I suggest skipping this build until the documentation is updated with a better description.
Brian Desmond advised me that DSSO stands for Desktop Single Sign-On - a term I previously only associated with Okta. It's the early name for Seamless Single Sign-On (SSSO).


How to enable (and hack) Cisco AnyConnect VPN through Remote Desktop

Tuesday, April 14, 2020


If you get the following error when connecting to a Cisco AnyConnect VPN from Windows, it's because the VPN establishment capability in the client profile doesn't allow connections from a remote desktop session.
VPN establishment capability for a remote user is disabled. A VPN connection will not be established.
The client profile is an XML file that gets pushed out to the AnyConnect client every time the VPN is established. The correct way to fix this is by configuring the Cisco VPN profile on the ASA. Usually this is done by the ASA administrator using the Cisco Adaptive Security Device Manager (ASDM). If you're the ASA administrator, read this article for instructions on how to configure this.

But what if you're not the ASA administrator, or the admin can't or won't make this change for some reason? We can hack it! I don't normally write blog posts like this, but I honestly can't think of a single good reason to block VPN access from a remote desktop, so I don't consider this bypassing a security setting. Here's how to get around it.

First, open the client profile XML file in Notepad. It's located in the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile folder.

Edit the <WindowsVPNEstablishment> tag to use AllowRemoteUsers instead of LocalUsersOnly.



For example, change:
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
To:
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
Now save the profile to your Desktop or another location with a .BAK extension. For example, if the original profile name is ContosoVPN.xml, save it as ContosoVPN.bak.

Move the modified .BAK file to the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile folder. This will normally require admin rights. You should now have two client profile files there, for example ContosoVPN.xml and ContosoVPN.bak.

Now open Event Viewer and navigate to Applications and Services Logs > Cisco AnyConnect Secure Mobility Client. Search for Event ID 3021 from source acvpnui. It should be near the top of the Cisco logs if you just tried to connect to the AnyConnect VPN.



Right-click that event and select Attach Task To This Event. The Create Basic Task Wizard will open.

Click Next.
Click Next again.
Click Next again.
Configure the program to run using the settings below, then click Next.
Program/script:
C:\Windows\System32\cmd.exe
Arguments:
/c cd "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile" && copy *.bak *.xml /y
This task tells Windows to copy the modified .BAK profile over the .XML file that the AnyConnect client downloads from the ASA whenever acvpnui logs event ID 3021.

Check the box to open the properties for the task when finished and click Finish.
The task properties will open in a new window.


Now test it out. You should be able to connect to the AnyConnect VPN using a remote desktop (RDP).

Be aware that if things change (ports, IPs, etc.) they will be lost/overwritten by the static BAK file. If that happens you can simply delete the BAK file, attempt a connection, and edit the new XML file with the new settings again.
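As an added example for administrators (not part of the original post), the following PowerShell check reports the artefacts the procedure above leaves on a workstation: a non-XML file in the profile folder, a profile set to AllowRemoteUsers, and a scheduled task keyed to event ID 3021 from acvpnui or copying into the profile folder. Finding these is the cue to fix the profile on the ASA instead. It assumes the built-in ScheduledTasks module is available.

```powershell
# Added defender-side check, not from the original post. Paths, event ID and
# source name are the ones named in the procedure above.
$profileDir = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile'
$findings = @()

# 1. Files in the profile folder: anything that is not .xml (e.g. a .bak copy)
#    and any profile whose establishment setting permits remote-desktop sessions.
foreach ($file in Get-ChildItem -Path $profileDir -File -ErrorAction SilentlyContinue) {
    if ($file.Extension -ne '.xml') {
        $findings += "Non-profile file in profile folder: $($file.FullName)"
        continue
    }
    try {
        [xml]$doc = Get-Content -Path $file.FullName -Raw
        # local-name() ignores the profile's default XML namespace
        $node = $doc.SelectSingleNode('//*[local-name()="WindowsVPNEstablishment"]')
        if ($node -and $node.InnerText.Trim() -eq 'AllowRemoteUsers') {
            $findings += "Profile permits remote-desktop sessions: $($file.FullName)"
        }
    } catch {
        $findings += "Unreadable profile XML: $($file.FullName)"
    }
}

# 2. Scheduled tasks triggered by event 3021 from acvpnui, or whose action
#    references the profile folder (the copy *.bak *.xml step).
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $eventTrigger = $task.Triggers | Where-Object {
        $_.CimClass.CimClassName -eq 'MSFT_TaskEventTrigger' -and
        $_.Subscription -match 'acvpnui' -and
        $_.Subscription -match 'EventID=3021'
    }
    $copyAction = $task.Actions | Where-Object {
        "$($_.Execute) $($_.Arguments)" -match 'Cisco AnyConnect Secure Mobility Client\\Profile'
    }
    if ($eventTrigger -or $copyAction) {
        $findings += "Scheduled task touching AnyConnect profiles: $($task.TaskPath)$($task.TaskName)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No AnyConnect profile-override artefacts found.' }
```

Run it in an elevated session; the profile folder and other users' scheduled tasks are not fully readable otherwise.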


Licensing Details for Litigation Hold in Office 365

Friday, April 10, 2020

When there's a possibility or likelihood of litigation, admins can place mailboxes on litigation hold or in-place hold. When you place content locations on hold, content is held until you remove the hold from the content location or until you delete the hold. eDiscovery is used to produce immutable copies of data for legal counsel or the courts.

Legal hold can also be used as an alternative to using third-party journaling solutions since all emails are retained and cannot be deleted by the user or admin, except by retention policies.

Litigation hold in O365 originally only existed for Exchange Online mailbox data, but has been extended to include other workflows, like SharePoint Online, Teams, Skype for Business Online, etc.

For more information about litigation or legal hold in Office 365 please read In-Place Hold and Litigation Hold in Exchange Server.

This article will describe the technical licensing requirements for holds in O365, both lit hold and in-place hold. For brevity I will refer to both types of holds as "lit hold" in this article, since the licensing requirements are the same for both.

The user you wish to place on hold must have a subscription that includes Exchange Online (Plan 2). This includes the following online licenses:
  • Microsoft 365 E5
  • Microsoft 365 E3
  • Office 365 E5
  • Office 365 E3
Users in subscriptions that include Exchange Online (Plan 1) can also be put on hold if the user has the Exchange Online Archiving add-on license. Holds only apply to mailbox data with this license.

To learn how to place a mailbox on hold, see the following articles:
One of the advantages of lit hold is that the user account can be deleted after they leave the company and the data will still be preserved for eDiscovery. This way you're not burning a license for a user who does not access their mailbox any longer. This is called making a mailbox inactive. A lot of organizations do this, so I want to dive into the legalities of this.

First, it's completely acceptable to do this and Microsoft supports it.

Second, you need to be aware of the licensing terms regarding license reassignment. According to the Microsoft Volume Licensing Product Terms,
Customer may reassign a License to another device or user, but not less than 90 days since the last reassignment of that same License, unless the reassignment is due to (i) permanent hardware failure or loss, (ii) termination of the user’s employment or contract or (iii) temporary reallocation of CALs, Client Management Licenses and user or device SLs to cover a user’s absence or the unavailability of a device that is out of service.
Let's use some examples to illustrate this.
  1. John Baker's mailbox is on litigation hold when he leaves the company. The administrator makes John's mailbox inactive by deleting John's user account, which releases John's Microsoft 365 E5 license. The inactive mailbox is still subject to eDiscovery searches until one of the following:
    • All litigation holds are released from John's mailbox (there may be more than one).
    • All the data ages out based on the organization's litigation hold retention policy. Discovery can still be made, but no results will be returned.
    • The organization is no longer a Microsoft Online customer. In this case, it is the responsibility of the organization to remove all data from Office 365 before they leave.
    The released license is reassigned to John's replacement, Gary. This license cannot be reassigned again to another user for 90 days except for the reasons listed above.
  2. Susan Mitchell's mailbox is on litigation hold when she goes on leave for 30 days. Susan will not access her email while out on leave. The administrator deletes Susan's account from Azure AD, which removes her license, and assigns it to her temporary replacement. When Susan returns to work, the temporary replacement's account is deleted, which again removes the license, and the license is reassigned back to Susan. This is allowed by the licensing terms because it was a temporary reallocation.
  3. Contoso has assigned 100 Office 365 E3 licenses to its workers. Contoso buys 100 new Microsoft 365 E5 licenses, assigns them to the same workers, and removes their Office 365 E3 licenses. The Office 365 E3 licenses can be assigned to other workers but cannot be reassigned again for 90 days except for the reasons listed above.
  4. Northwind Traders has 500 Office 365 F1 licenses assigned to users. These licenses do not include Exchange Online (Plan 2), so litigation hold is not an option for these users; however, Northwind wants to retain their emails indefinitely. The administrator assigns a single Microsoft 365 E3 license to a user, enables litigation hold, and then removes the E3 license. He then repeats these steps for each user. This is a licensing violation on two counts: active mailboxes under litigation hold must have a valid license that includes Exchange Online (Plan 2), and it violates the license reassignment policy.
  5. Fabrikam has 500 Microsoft 365 F1 licenses assigned to users. These licenses do not include Exchange Online (Plan 2), so litigation hold is not an option for these users; however, Fabrikam wants to retain their emails indefinitely when they leave the company. Fabrikam also has a single Office 365 E3 license. Five users leave the company. The administrator can assign the Office 365 E3 license to one of the five users, enable litigation hold for that user, then delete the user account (releasing the F1 and E3 licenses). The mailbox will be retained due to litigation hold. She can repeat this for each of the separated users, one at a time. This is permitted because the 90-day reassignment policy does not apply to terminated users.
Special note 1:
The correct way to remove a license from a lit hold mailbox is to delete the user account from Azure Active Directory, which releases the license. This is documented here. While you are not prevented from removing a license from an existing user account, it will put the Azure user into an error state. This should be avoided.

Special note 2:
There are some conditions where you may have a mailbox that no one logs into that may still require a license. Examples include shared mailboxes under lit hold or where messages stored in a shared mailbox are needed for a Microsoft 365 Advanced eDiscovery case (the shared mailbox is a "custodian").

Hopefully, this information is useful and clears up some confusion around litigation hold and licensing. Special thanks to Microsoft and Tony Redmond for reviewing this article for accuracy.


AAD Connect version 1.5.18.0 is available now

Friday, April 3, 2020
Microsoft released AAD Connect version 1.5.18.0, which is a major version upgrade. Most AADC implementations should automatically upgrade to the latest version. Run Get-ADSyncAutoUpgrade to ensure automatic upgrade is enabled.

The most important functional change is that group objects now use mS-DS-ConsistencyGuid as the source anchor. This helps in multi-forest scenarios.

Read the Azure AD Connect: Version release history here.

1.5.18.0

Release status

04/02/2020: Released for download

Functional changes

  • Added support for the mS-DS-ConsistencyGuid feature for group objects. This allows you to move groups between forests or reconnect groups in AD to Azure AD where the AD group objectID has changed, e.g. when an AD server is rebuilt after a calamity. For more information see Moving groups between forests.
  • The mS-DS-ConsistencyGuid attribute is automatically set on all synced groups and you do not have to do anything to enable this feature.
  • Removed the Get-ADSyncRunProfile because it is no longer in use.
  • Changed the warning you see when attempting to use an Enterprise Admin or Domain Admin account for the AD DS connector account to provide more context.
  • Added a new cmdlet to remove objects from the connector space. The old CSDelete.exe tool is removed and replaced with the new Remove-ADSyncCSObject cmdlet. The Remove-ADSyncCSObject cmdlet takes a CsObject as input. This object can be retrieved by using the Get-ADSyncCSObject cmdlet.
Note: The old CSDelete.exe tool has been removed and replaced with the new Remove-ADSyncCSObject cmdlet.

Fixed issues

  • Fixed a bug in the group writeback forest/OU selector on rerunning the Azure AD Connect wizard after disabling the feature.
  • Introduced a new error page that will be displayed if the required DCOM registry values are missing with a new help link. Information is also written to log files.
  • Fixed an issue with the creation of the Azure Active Directory synchronization account where enabling Directory Extensions or PHS may fail because the account has not propagated across all service replicas before attempted use.
  • Fixed a bug in the sync errors compression utility that was not handling surrogate characters correctly.
  • Fixed a bug in the auto upgrade which left the server in the scheduler suspended state.

How to Delete a Directory from AAD Connect

Thursday, April 2, 2020
You can use Azure Active Directory Connect (AADC) to synchronize one or more on-premises Active Directories to Azure Active Directory. Once additional directories are added to AADC, it may not be obvious how to remove a directory. Here's how to do it.

First, let's look at our example, which syncs two directories, theguillets.com and contoso.com, to the same AAD tenant.

Here's what it looks like from the View current configuration option in AADC:



And here's what it looks like from Customize synchronization options in AADC. Notice that you can only add directories, not remove them.



In this example, I want to remove the contoso.com directory from AADC so it will no longer sync to Azure AD. Before we can remove the directory we need to disable the AADC sync scheduler. Run the following PowerShell cmdlet:
Set-ADSyncScheduler -SyncCycleEnabled $false
Next, open the AADC Synchronization Service Manager located at C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe. This tool is useful to see the synchronization process and confirm that syncs are happening error-free.



Click the Connectors button at the top and you will see the directories that are currently configured to sync.



Select the directory you want to remove and click Delete. I'm deleting the contoso.com directory.



Select Delete Connector and connector space and click OK. Click Yes on the following prompt to delete the directory from AADC and Azure AD:



It will take a few seconds to delete the contoso.com directory objects from Azure AD and the AADC metabase.



After the directory has been removed from AADC, re-enable the AADC sync scheduler and perform a delta sync using PowerShell:
Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle
Click the Operations button at the top and you will see that the contoso.com directory is no longer listed in the sync cycles.



The directory is now removed from the AADC configuration.
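As an added example (not from the original post), the two functions below wrap the PowerShell parts of this procedure around the manual connector deletion in Synchronization Service Manager. They add two checks the steps above do not: waiting for an in-progress sync cycle to finish before you delete the connector, and refusing to re-enable the scheduler until the connector is really gone. They assume the ADSync module that ships with AAD Connect and the Get-ADSyncConnector cmdlet it provides.

```powershell
# Added example, not from the original post. Requires the ADSync module.
Import-Module ADSync

function Disable-SyncForConnectorRemoval {
    param([Parameter(Mandatory)][string]$ConnectorName)
    # Refuse to proceed if the connector is not actually configured.
    $connector = Get-ADSyncConnector | Where-Object { $_.Name -eq $ConnectorName }
    if (-not $connector) { throw "Connector '$ConnectorName' not found." }

    Set-ADSyncScheduler -SyncCycleEnabled $false
    # Disabling the scheduler does not stop a cycle that is already running;
    # wait for it to finish before touching the connector in miisclient.exe.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Write-Output 'Sync cycle still in progress, waiting...'
        Start-Sleep -Seconds 30
    }
    Write-Output "Scheduler disabled. Delete connector '$ConnectorName' (connector and connector space) in Synchronization Service Manager, then run Resume-SyncAfterConnectorRemoval."
}

function Resume-SyncAfterConnectorRemoval {
    param([Parameter(Mandatory)][string]$ConnectorName)
    # Confirm the manual deletion happened before sync is switched back on.
    if (Get-ADSyncConnector | Where-Object { $_.Name -eq $ConnectorName }) {
        throw "Connector '$ConnectorName' still exists; scheduler left disabled."
    }
    Set-ADSyncScheduler -SyncCycleEnabled $true
    Start-ADSyncSyncCycle -PolicyType Delta
    Write-Output 'Scheduler re-enabled and delta sync started.'
}

# Usage with the connector name from this post:
# Disable-SyncForConnectorRemoval -ConnectorName 'contoso.com'
# ... delete the connector in miisclient.exe ...
# Resume-SyncAfterConnectorRemoval -ConnectorName 'contoso.com'
```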
