
Blocking a User from Using MFA - Entra ID

Use Case - I have a user named "Clouduser2" who was configured to access the Azure Portal after providing MFA. Now I am being told to block MFA for Clouduser2 due to a security breach by him/her, in other words to block access for Clouduser2.

Below are the steps

1. Firstly, I will verify whether the user is configured and capable of using MFA. For that, navigate to the path below -

Entra ID --> Security --> Authentication Methods --> Activity --> User Registration details --> Sort by Multi factor authentication --> IDs showing as Capable are configured for MFA.

2. To block Clouduser2, I will search for Multifactor Authentication in the search bar.

Under Multifactor authentication --> Click on Block/Unblock Users --> Click on Add --> Provide the user details and the reason for blocking, then Save.

3. We can now test the results. When Clouduser2 tries to log in, he/she will see the error below and won't be able to log in, simply because MFA no longer works for the account.
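
The check from step 1 and the follow-up a responder would want after step 2, as an added Microsoft Graph PowerShell example (not part of the original post): it reads the same registration report the portal shows, then revokes sessions Clouduser2 already holds, since blocking MFA stops new sign-ins that reach the MFA step but does not invalidate tokens issued before the block. It assumes the Microsoft.Graph module is installed and uses a placeholder UPN.

```powershell
# Added example: verify MFA capability for the target user and revoke existing sessions.
# Assumptions: Microsoft.Graph module installed; the UPN below is a placeholder.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Users.Actions

Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'User.RevokeSessions.All'

$upn  = 'clouduser2@contoso.onmicrosoft.com'   # placeholder UPN
$user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, AccountEnabled

# Same report as Entra ID > Security > Authentication Methods > User registration details
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $user.Id
[pscustomobject]@{
    User          = $reg.UserPrincipalName
    MfaCapable    = $reg.IsMfaCapable
    MfaRegistered = $reg.IsMfaRegistered
    Methods       = ($reg.MethodsRegistered -join ', ')
} | Format-List

if (-not $reg.IsMfaCapable) {
    # The Block/Unblock list only takes effect when a sign-in reaches the MFA step.
    Write-Warning "$upn is not MFA capable; a sign-in that never prompts for MFA is not stopped by the block"
}

# After adding the user under Multifactor authentication > Block/Unblock users (step 2),
# invalidate refresh tokens so existing sessions must re-authenticate and hit the block.
$null = Revoke-MgUserSignInSession -UserId $user.Id
Write-Host "Revoked sign-in sessions for $upn"
```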

Troubleshooting Password Hash Sync Issue - Entra ID

Recently, I had a weird situation where I was not able to use my on-premises AD account to log in to the Azure Portal.

Azure AD Connect sync was not showing any errors, and I was able to see my on-premises account in the Azure portal as well, but for some reason when I tried to log in to portal.azure.com, I was getting an incorrect password error.

I checked logging in with another on-prem account and it still showed me the same error, so the issue definitely seemed to affect multiple accounts.

Below are the steps followed for the fix -

1. Since the error was related to an incorrect password, there was no way it could be due to something like Conditional Access, because CA policies are evaluated only after the user is authenticated (i.e. authorization after authentication).
2. I opened the PowerShell launcher from Azure AD Connect.
Open Azure AD Connect --> Configure --> Select Troubleshoot --> Next --> Launch

3. Since on-prem accounts are already syncing to Entra ID, I chose option 2, which runs checks against passwords syncing from on-premises to Entra ID.

4. In this case, I suspected issues for multiple on-premises accounts and hence chose option 1, which is "Password Hash Synchronization doesn't work at all".
If the issue is reported for a specific account, then we can go for option 2 / option 3.

5. After selecting option 1, it runs certain tests, such as checking whether password sync is enabled in your tenant and on-premises, whether password sync is running for the connector, etc.

In the output below, it's clear that password sync is enabled but not running for the local / on-prem AD connector, and this is what was causing the incorrect password issue. The password typed at login was correct, but since it was not being synced to Entra ID, Entra ID was not able to authenticate the on-prem ID.

I pressed "Y" and it restarted password hash sync for the AD connector. After this, the issue was resolved.
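
The same check and restart, done directly with the ADSync module on the Azure AD Connect server, as an added example that is not part of the original post: it reads the password sync channel status for the on-prem connector and then cycles the channel off and on, which is what restarting password hash sync for the connector amounts to. It assumes a single AD forest connector; the connector names are read from the server, not hard-coded.

```powershell
# Added example: inspect and restart the password hash sync channel with the ADSync module.
# Assumption: one AD connector and one Entra ID connector on this server.
Import-Module ADSync

$connectors   = Get-ADSyncConnector
$adConnector  = ($connectors | Where-Object { $_.ConnectorTypeName -eq 'AD' }).Name
$aadConnector = ($connectors | Where-Object { $_.SubType -eq 'Windows Azure Active Directory (Microsoft)' }).Name

# Interactive equivalent of the launcher's menu, if you prefer it over the steps below:
# Invoke-ADSyncDiagnostics -PasswordSync

# Status of the password sync channel for the on-prem connector (what step 5 reported)
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector

# Equivalent of pressing "Y": disable and re-enable the channel. Re-enabling triggers a
# full password sync of all in-scope objects, so run it in a window where that is acceptable.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

# Confirm the channel is working again from the Application event log:
# 650 = password sync starting, 651 = complete, 656 = change request, 657 = change result.
Get-EventLog -LogName Application -Source 'Directory Synchronization' -Newest 50 |
    Where-Object { $_.EventID -in 650, 651, 656, 657 } |
    Select-Object TimeGenerated, EventID, Message
```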

Stop Syncing On-prem AD Users to Entra ID using the Sync Rule Editor

Use case - Stop syncing on-prem AD users to Entra ID.

Example - I have a bunch of users named Dummyuser1, Dummyuser2, .... Dummyuser10, and initially they are all syncing to Entra ID.

I also have an on-prem AD group named "DenySyncingADUsers_Cloud". I need to implement a scenario where the users "Dummyuser1, Dummyuser2, Dummyuser3 & Dummyuser9" should not sync to Entra ID.

Initial View

Steps

1. Log in to your Azure AD Connect server and navigate to the Sync Rule Editor (Start --> search for Synchronization Rule Editor).

2. Choose the direction as Inbound, since this rule is from on-prem to Entra ID, and click on Add new rule.

3. Fill in the details below -

Name - Name of the rule
Description - Brief description of the rule.
Connected System - On-prem domain
Connected System Object Type - The object type in the on-prem domain for which you are creating the rule (User)
Metaverse Object Type - The object type in the metaverse, on the Entra ID side, for which you are creating the rule (Person)
Link Type - Join
Precedence - Priority of the rule.

4. Once filled in, click Next and apply a scoping filter.

The scoping filter would be - DN is member of "AD Group". This means any object that is a member of "AD Group" would be considered under this rule.

In this case it would be: "User Object DN" is member of "DenySyncingADUsers_Cloud DN"

5. We will leave the join rules as they are. Under Transformations, we set a constant "cloudFiltered" to True. This means any object that falls under this rule will have cloudFiltered set to "TRUE".

6. Click Finish and the rule will be created. You need to wait for the next sync cycle to run, or you can trigger the sync manually.

7. Testing the results. First, add the accounts that we don't want to sync anymore to the DenySyncingADUsers_Cloud group.

8. Initiating a manual sync using the command below

9. Observing the results. After the sync, you won't see Dummyuser1, 2, 3 & 9 in Entra ID anymore.
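
A scripted version of the checks behind steps 3 to 9, as an added example that is not part of the original post: it confirms the custom inbound rule exists with a precedence below 100 (custom rules must be numbered 0-99 to win over the default "In from AD" rules at 100 and above), confirms each user is really a member of the scoping group, runs a delta sync, and then looks the users up in Entra ID. It assumes it runs on the Azure AD Connect server with the ActiveDirectory and Microsoft.Graph modules installed; the rule name and UPN suffix are placeholders.

```powershell
# Added example: validate the deny-sync rule and its effect end to end.
# Assumptions: run on the Azure AD Connect server; rule name and UPN suffix are placeholders.
Import-Module ADSync
Import-Module ActiveDirectory

$ruleName  = 'In from AD - Deny sync for DenySyncingADUsers_Cloud members'   # placeholder
$groupName = 'DenySyncingADUsers_Cloud'
$users     = 'Dummyuser1', 'Dummyuser2', 'Dummyuser3', 'Dummyuser9'

# 1. The rule must exist, be inbound, and have precedence 0-99 so it beats the default rules.
$rule = Get-ADSyncRule | Where-Object { $_.Name -eq $ruleName }
if (-not $rule) { throw "Rule '$ruleName' not found" }
if ($rule.Direction -ne 'Inbound' -or $rule.Precedence -ge 100) {
    throw "Rule is $($rule.Direction) with precedence $($rule.Precedence); expected Inbound and < 100"
}
$rule | Select-Object Name, Direction, Precedence, Disabled | Format-List
$rule.AttributeFlowMappings | Select-Object Destination, Source, FlowType   # expect cloudFiltered <- True

# 2. Every user we want filtered must actually be a member of the scoping group (step 7).
$members = (Get-ADGroupMember -Identity $groupName -Recursive).SamAccountName
$missing = $users | Where-Object { $_ -notin $members }
if ($missing) { throw "Not in ${groupName} (rule will not apply): $($missing -join ', ')" }

# 3. Trigger the sync instead of waiting for the scheduler (step 8) and wait for it to finish.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
do { Start-Sleep -Seconds 10 } while (Get-ADSyncConnectorRunStatus)

# 4. The accounts should no longer resolve as active users in Entra ID (step 9).
Connect-MgGraph -Scopes 'User.Read.All'
foreach ($u in $users) {
    $upn   = "${u}@contoso.onmicrosoft.com"   # placeholder suffix
    $found = Get-MgUser -Filter "userPrincipalName eq '$upn'" -ErrorAction SilentlyContinue
    '{0,-12} {1}' -f $u, $(if ($found) { 'STILL PRESENT' } else { 'filtered' })
}
```

Users filtered this way are deleted from Entra ID (soft-deleted for 30 days), so filtering a large group in one go can trip the export deletion threshold described further down this page.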

Stopped-extension-DLL-exception / no-start-ma Error

I faced a strange issue a few days back: when I was trying to force a delta sync, it gave me "Stopped-extension-DLL-exception / no-start-ma" errors.

Steps taken for the fix -

1. Using Global Administrator credentials, I logged in to the Azure Portal. I quickly checked the sign-in logs and noticed some failure events; on exploring them, I found the possible reasons under Additional details.

The possible reason could be a policy blocking the access. The policy could be coming from Conditional Access or from Identity Protection.

2. Navigate to the Security feature under Entra ID --> cross-check whether any Conditional Access policy was created in the past that might block access.

3. I then verified the Azure Identity Protection policies, and under the sign-in risk policy I did have a policy that was configured for testing purposes.

The policy was: if the sign-in risk is Low and above, then access would be blocked for all users.

I disabled that policy and tried forcing the sync again. This time, it completed successfully.
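
The sign-in log check from step 1, done with Microsoft Graph PowerShell so the blocking policy is named directly instead of found by clicking through events, as an added example that is not part of the original post: it pulls the sync account's recent failed sign-ins and shows the Additional details, Conditional Access and Identity Protection risk fields together. It assumes the Microsoft.Graph module is installed; the sync account UPN is a placeholder (the real one starts with Sync_).

```powershell
# Added example: list failed sign-ins of the AD Connect sync account with the policy fields
# that explain a block. Assumption: the sync account UPN below is a placeholder.
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$syncAccount = 'Sync_SERVER_0123456789ab@contoso.onmicrosoft.com'   # placeholder

# status.errorCode 0 means success; keep only the failures from the last 50 sign-ins.
$failed = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$syncAccount'" -Top 50 |
    Where-Object { $_.Status.ErrorCode -ne 0 }

$failed | ForEach-Object {
    [pscustomobject]@{
        When       = $_.CreatedDateTime
        App        = $_.AppDisplayName
        ErrorCode  = $_.Status.ErrorCode
        Reason     = $_.Status.FailureReason
        Details    = $_.Status.AdditionalDetails        # the "Additional details" seen in step 1
        CAStatus   = $_.ConditionalAccessStatus         # success / failure / notApplied
        RiskLevel  = $_.RiskLevelDuringSignIn           # what a sign-in risk policy acts on
        RiskState  = $_.RiskState
        BlockingCA = ($_.AppliedConditionalAccessPolicies |
                        Where-Object { $_.Result -eq 'failure' } |
                        ForEach-Object { $_.DisplayName }) -join '; '
    }
} | Format-Table -AutoSize
```

When the culprit is a risk or Conditional Access policy, excluding the sync account from that policy keeps the control in place for regular users, which is preferable to disabling the policy tenant-wide.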

Stopped-deletion-threshold-exceeded error while running Azure AD Sync

Fixing - Stopped-deletion-threshold-exceeded error while doing a sync.

Possible reasons - I am getting this error because I have un-synced an OU from Azure AD Connect, and that OU contains more items than the threshold limit for object sync and unsync.

In order to fix it, we will log in to the Azure AD Connect server and run the commands below -

1. Get-ADSyncExportDeletionThreshold - check the ADSync export deletion threshold currently set.

Currently it's set to 50. This means that if an OU being un-synced contains more than 50 objects, it would probably throw this error.

2. Edit the threshold from 50 to 200, since the OU I am un-syncing right now contains a total of 153 objects.

Once done, try forcing the sync again, and this time you won't see any error.
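
The two steps above as an added script that is not part of the original post: it counts the objects under the OU being removed from sync so the new limit is sized rather than guessed, raises the threshold only for this export, runs the sync, and then restores the original value so the safeguard against accidental mass deletions stays in place. It assumes it runs on the Azure AD Connect server with the ActiveDirectory module, that Get-ADSyncExportDeletionThreshold returns DeletionThreshold and Enabled properties, and uses a placeholder OU DN.

```powershell
# Added example: size, raise, use and restore the export deletion threshold.
# Assumptions: run on the Azure AD Connect server; the OU DN is a placeholder.
Import-Module ADSync
Import-Module ActiveDirectory

$ouDn = 'OU=Dummy Groups,OU=Dummy OU,DC=contoso,DC=local'   # placeholder DN

# 1. How many objects will be deleted from Entra ID once this OU stops syncing?
$objectCount = (Get-ADObject -SearchBase $ouDn -SearchScope Subtree -Filter * |
                Where-Object { $_.ObjectClass -ne 'organizationalUnit' }).Count
Write-Host "Objects under ${ouDn}: $objectCount"

# 2. Current threshold (the post found 50 here).
$current = Get-ADSyncExportDeletionThreshold
Write-Host "Current deletion threshold: $($current.DeletionThreshold) (enabled: $($current.Enabled))"

if ($objectCount -ge $current.DeletionThreshold) {
    # 3. Raise only as far as this export needs. The cmdlet prompts for Global Administrator credentials.
    $newLimit = $objectCount + 50
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $newLimit
    Write-Host "Threshold raised to $newLimit for this export"
}

# 4. Re-run the sync that previously stopped with stopped-deletion-threshold-exceeded.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
do { Start-Sleep -Seconds 10 } while (Get-ADSyncConnectorRunStatus)

# 5. Put the original limit back so an unintended mass deletion is still caught next time.
Enable-ADSyncExportDeletionThreshold -DeletionThreshold $current.DeletionThreshold
Write-Host "Threshold restored to $($current.DeletionThreshold)"
```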

Syncing / Unsyncing an OU from Azure AD Connect

Scenario -

I have an OU named "Dummy OU" containing 3 sub-OUs. At present all 3 sub-OUs are syncing, but as per requirements I have to un-sync one of the sub-OUs, named "Dummy Groups".

Solution

First, we will open Azure AD Connect and connect to Azure AD by providing the 'Global Admin' credentials of your tenant.

Connect to OnPrem AD

Next, unselect the "Dummy Groups" OU under Domain and OU filtering.

We will then proceed and click on Configure. In case you don't want to initiate the sync right now, uncheck it.