S02E29 - Beginners Guide to Accessing On-Premises Resources with Azure AD Joined Devices - (I.T)


Reddit Comments

Nice video, guys. I joined the Windows Admin community because it seems like a good place to share info on this and also get help when needed (I am in the midst of an on-prem domain > AAD Joined only migration also).

As a general comment, I would say that the video raises some good points on accessing on-prem resources from these devices. I was pleasantly surprised at the type of access I was getting when testing this on my AAD Joined devices. If anybody wants a little further reading on the subject, this docs page has some good info: How SSO to on-premises resources works on Azure AD joined devices | Microsoft Docs

3 points, u/TheMerc8, Mar 23 2021, replies
hello and welcome to another episode of intune.training the place to learn how to use microsoft intune the stephen adams show with adam and not steve this is uh johannes christian christiansen um say it say it you say it introduce yourself sir uh hello my name is johannes christensen i'm the owner of the windows admins discord community yes and he's also an all-around nice guy uh who knows all sorts of cool things and um he's uh decided to to join us because mainly because the aussie guys are sleeping it off right now and uh me and jake did a couple videos last night and um anyway johannes and i have had lots of conversations around um intune and into and migrating to intune and getting off of on-prem resources and things and um we i thought he'd be a great resource to have in here and give some real world kind of um information and discussion around uh the topic today which is going to be um the accessing on-prem resources on-premises resources with an azure ad-only device there's been a lot of discussion recently in um and because of ignite and things just at least on twitter i've had lots of lots of conversations and just kind of over the last a little bit lots of people saying i need to still access on-premises resources so i have to do hybrid join and continually the response is well you don't need that you can do that with azure ad only well no you can't that doesn't work absolutely yes it does you may know that a while back we did a video on a hybrid key trust and accessing on-prem resources using windows hello for business and if you've watched that you may remember that in the beginning uh we we talked about this piece that we're going to discuss but we never really kind of got into the weeds on how to set it up and so we want to make sure that we cover that because this is a stepping stone and it's really a an easy thing to configure that will help you get to an azure ad only platform instead of a hybrid azure ad platform and still do all of the same
things that you're hoping to do with your hybrid environment so that's kind of the goal of this video is to walk through that um before we get started just wanted to give a plug for johannes as uh for for windows admins um honestly the windows admins um has really become a home for many of us in the community i go there daily we have a voice channel that we uh many are several voice channels that we generally get into and chat but we've got config manager intune and all sorts of other channels that are available for topics so just like if you're going to reddit or go onto twitter or facebook to ask questions and get support this is another platform to be able to do that but we've got johannes what do we have about 4 000 members strong at this point yeah 4 700 last time i checked nice um if you'd like to join win admins you can use the aka dot ms slash admins or go to discord.com invite slash when at when admins we will also put the links in the uh the description of this video the this is not you there's it's free you don't have to pay anything to join this it's just um i find this is an incredible community with a lot of really amazing people like johannes um who are just passionate about this uh work what are you laughing at i just you you're okay you've got answers to pretty much everything um so most of them involve a fair amount of profanity but that's okay i mean you know we're passionate about this stuff um so pressure adam no pressure [Laughter] so anyway we're gonna get started here so johannes from your for your environment um i'm gonna unshare my screen for a second so we can have just the chat here okay so for your environment what um is your what has been your migration process to get from your on-premises to azure id and what's that looking like and for full disclosure you're not there yet you're still working down that path right which is the case for many of us yeah exactly so i i think i started the sort of migration plans back in 2019 late 2019 
and i figured out that like the first thing you should do is to move the move the authentication workload to azure ad if you can so if you have like a an application or service or website or something that you can move you should do that first because that's a really easy sell for like the rest of your team and the company you work for and so on and so forth especially because you can always say hey we we should have multi-factor authentication for this and if we move the authentication workload to azure we can just enable conditional access and it just works besides that i started i think i don't i agree to joined my own workstation to azure ad about a year ago and well actually more than a year ago and i've i decided instead of just fixing the the issues just on my machine i would just create the policies in intune and azure so by the time we would start moving other people to it it would all be set up it would just mostly work and you would have minor issues to contend with and all the major stuff had already been set up and fixed and that's pretty much the status that we are in right now and so you've just been dog fooding it and then just taking on that hit to experience what the the full impact of being azure ad only and and just been making it work so have you found any things that you are unable to do while on your business network that you just can't fix absolutely nothing so that's file shares map network drives web sites nothing currently nothing but getting to the state that we are in right now was not easy because documentation was not easy to find or not easy to understand um there are like weird things that just aren't documented like nobody tells you some of this stuff like nobody knows and yeah but thanks to like intune training and other people it's like it and like just for the viewers who are watching this this is not like a like a thousand item list this is like four or five things you need to fix that they're relatively easy to fix it's just
that you don't know what's wrong or how to fix it you can't google something that you don't know what's broken yes yes that's exactly the deal right it's so then this is where this is where that personal experience and then the collaboration has really paid off because we've been able to have a mix of microsoft uh folks and other you know consultants and other people that are doing the same things or have been in the space a long time we've been able to collaborate on those things and and work through them and say okay hey all right i'm running into this has anybody seen this what am i missing and it's been great because we've all been able to we've all been one day we're wearing the expert hat because hey we've been down that road we've got the scars for it and the next day we're like i'm embarrassed to ask this question does anybody know how to do this definitely yeah so so you know i think we're we're all in the same boat here um and it's it's a fun ride so anyway that's kind of set some context and so i'm the purpose of this video is really to inspire those of you who have said we've got to go hybrid we can only do hybrid because of xyz to really rethink revisit the hybrid concept now be real clear this is for new devices that we're discussing this for if you currently have devices that are azure or that are that are on-prem uh a.d joined and and then you've enabled the hybrid registration either through group policy or through config manager client settings um that will hybrid join an existing device we're not talking about changing those at this point this is if you when you reset that device you can convert it to azure ad only but if it's hybrid today that's because it was previously formerly it was born as an ad device and you've now joined it to azure we're talking specifically for this about azure ad only devices so you so it's born as azure id it's never been connected to the domain uh network so it's not it will never you know it's starting out as azure 
ad only it has no presence in on-premises active directory it only exists in azure ad yes and so that's what we're talking about so we're when we're talking about hybrid here we're saying don't go like hybrid autopilot do azure ad only autopilot as your provisioning method to get new devices built so that's that's the framework for this this will work for existing devices as well it's so but this is what we're focusing on all right so enough of the enough of that so let's get into the meat and potatoes here um now uh i have uh to set some framework on what we've got i have built a brand new um tenant in intune and uh in azure and intune actually so i've got azure active directory configured i've got intune configured if you want to get to here where i'm at from the from the azure active directory and intune side of things getting your tenant configured we have a intune quick start video that we released a couple months ago that we'll link as well so that would i would start there before you go down this path okay so that's that's what the cloud stuff looks like from an on-prem perspective or on-premises i'm going to say on-prem i know technically it's on-premises but it's too much um we are going to go uh or so i've built a single server um that it that has actually i was doing this for config manager testing but it works for this as well so this device has active directory a single domain called asd.lab and this is the only server in the environment and i've set up a file share called cool stuff um as a hidden share on this in this domain and so it's got cool stuff as our share that we want to hit and there's nothing else special i have a ca set up but um it's not i'm not even i'm not issuing certificates from it at this point and i'm going to log in on this machine i think the right password for it so i've set up johannes an account on a this is a domain joined workstation so this is a traditional normal domain join workstation it's not even hybrid joined or
anything like that just regular domain joined um just to show okay this is how everything functions and stuff so you can see it's just on the on the domain and i've done nothing special and i'm going to hit the file share cmo1 and then go cool stuff dollar and i can hit that file share so that's it that's all we're trying to do and so we're going to do the same thing on an azure ad only device now caveat that azure ad only device definitely has to still be have line of sight to this resource so you're going to have to either be connected physically to the domain network or on the vpn in order for this to work um but so that's what we're going to attempt to do this same function but on an azure ad device so um to do that we have started with a um a device that is we've created an an azure ad only user account and um this device is oh it's going to make me set up hello i thought we were on i thought we were done with this one oops yeah well whatever um okay and you'll notice like the user account is like the dot on microsoft.com because we haven't even set up like a cloud cloud anything on this okay sorry i'm gonna have to move this oh sorry one second here [Music] um i'll just cut this piece out maybe if i remember how many times have you done this oh what cut pieces out of it or no no no like this exactly this stuff like oh i had to set up multifactor authentication and blah blah blah oh yeah uh way too many times way too many okay come on dude oh okay see i love that it says can't set up your pin now okay so now this device is not on the domain network it is simply on the internet so that is evidenced by my the adapter that i've got connected to it so that's my internet adapter and so i'm going to demonstrate how this functions and what i'm hoping is that we will be able to then flip around and use um we're going so now we're the next step is going to be setting up azure ad connect to on our domain environment synchronizing our on-premises uh user accounts to the
cloud and then using that to log in so the account that i'm using currently on this device that is taking forever to load is just simply an internet device internet device with an internet with an azure ad only user account and so if i was to attempt to connect to that share it obviously will not work because it doesn't know anything about it it's not on the domain any of that okay so um so this would be equivalent to a device that you've auto-piloted or otherwise manually enrolled into intune which is actually what we did is we we didn't even auto pilot it we just manually enrolled it into intune but you can see it's connected to our azure ad tenant and if we jump over here i'm hoping that we will see it registered into intune if we did it properly and there we go so there's our new device okay so next step is uh we're going to go to our server and we're going to set up azure ad connect so um in uh from this is not it where is it it's going to be under azure active directory which i think that view button would have taken us there as well and it should be a setting here azure ad connect and then there will be a download link to download the tool so download azure ad connect here and so the there are numerous ways to set up azure ad connect and you can get really complex on how you configure it and what you do with it um like i know in our company we've got when we first enabled things we wanted to restrict a lot more stuff and we didn't want to synchronize everything to the cloud and so there was a we spent not we not me uh someone else the server folks spent time um setting up our rules for azure ad connect to prevent certain accounts from synchronizing or prevent certain attributes or things um because there were certain security concerns involved there so this is not necessarily something to just take lightly and say oh yeah turn it on and synchronize everything if you've got an existing environment that has lots of things you certainly want to take a look at
microsoft's cloud security guidance they've got a lot of great documentation on cloud security and what you do with it and how to configure things and so certainly take a take a look at that um specifically around like what types of accounts to synchronize and all of those sorts of things um okay so here we go so we're going to go through now there is express settings and then there are um you can customize this and so i'm kind of on the fence johannes what do you think do we do the express or do we go through the customize and kind of show the differences go through the customized thing okay oddly enough i've actually never done this i have like i have another guy who handled this side of uh things in where i work nice okay so it's relatively simple anyway so it looks like this is uh so we have the opportunity right here to set up a sql server for it custom installation location can set up a service account use uh specify custom sync groups so we can say okay these are the groups to that we do or don't want to sync and then if we've already set up these settings we can import these from other azure ad connect servers um okay so in this case we're going to just get a sql express local database set up so you can see if you you know if you've got a i mean this is a critical component to have in your environment and so if you want to have better controls over this and have it sitting on an actual sql box or a sql cluster or something along those lines you can see where maybe you'd want to customize this install one thing you should keep in mind is that uh a server that that hosts a azure active directory connect is a what would you call it like a high privilege role you should it's not a domain controller but you should treat it as one yes allow anybody to log into this this is a high privilege yes yeah yeah like if i in my environment if i want to look at this confirm a setting verify work through anything on it i have to work with a domain admin in order to or 
enterprise admin or something to to get access to it so um and then even then like the like the service accounts used for it to synchronize everything you know they've got lots of securities and controls around around that stuff as well so um okay so i i i think we're going to set this up with do not configure on user sign in initially because i think this is um a large thing or i think this is one of the main the main uh issues that many folks are running into in this setup because in the conversations we're having would say hey you need to have azure ad connect set up well yeah yeah we do okay well um the next thing we find out is well but our our azure user account is the same as our on-prem user account but the passwords are different well that's because you're not keeping your passwords in sync and um using past so the the recommendation generally from us is using password hash sync um i these are difficult to set up and so i'm not entirely sure on the rest of these but i would expect that all of them would perform the same way but it's this do not configure which is then prevents um single sign-on from working and so that's kind of the deal here is you need to have single sign-on enabled in order for the azure id uh resources to access your on-premises resources so um i mean we can i kind of want to demo this and show that we can get the user synced first and then we will show the the next step of uh you know let's let's enable it and show you the difference in the experience because i think i hope that that will help some some folks that are already kind of halfway here and they just need to go and toggle that setting [Music] uh boy [Music] so many things to type too many typing [Music] okay so this is i'm putting in my um my azure ad global admin account super secret username now in your environment you would um at some point you would have a public domain name configured and you would have that set up in an intune and an active directory and they would 
know about it and you'd have your like your email addresses and all of those things all um configured properly and stuff and so um for us for this environment we have not set up an enterprise um uh what you call it why is that not working connection information this is the one we want no directories currently configured okay so add directory add a forest use existing okay so uh asd so anyway you'd have an external email address or a domain name that you would have attached to username so you wouldn't have necessarily the dot on microsoft.com accounts um and i'll show you that as we kind of go through the azure id connect setup here so uh there we go [Music] is not allowed oh you're creating you actually have to create a new one what do you know works for me okay um [Music] i don't i don't mind it's just a lab so i was using the username and password fully qualified i okay asd.lab does that help i don't know why we're having trouble here what oh that's interesting okay so let's just try this again it's also worth noting we're giving this a shot live because well we didn't want to waste things so oh you know what maybe this is the deal hold on so i thought this was asking me for the new account name that i wanted to create i think it's actually asking if i want to create an account but then also asking me for my enterprise admin account for it to use first option is recommended requires you to enter admin account okay so that's what it is there we go ah it's fun all right also this is like usually something you do once yes you do very often unless you're just frequently building labs out and stuff so right so um okay so if the azure id domain had a domain assigned to it which is kind of what we were talking about um then you would this is where that would come into play and so this is where you can in azure active directory you'd come into custom domain names and you would add a custom name here and you'd set up some cname records and things and then you get then 
azure connect would be able to do the translation on the user accounts and things once it synchronizes additionally inside of your devices enroll devices there's a cname validation option here as well and so this would be the same deal as if you've put in you've set up your auto enrollment things and stuff you would have your external external domain this is where you would also come in and manage that so we're not going down that path right now because i don't believe we need to and then we can determine the select the on-premises attribute that is the azure ad username so this will be your upn at this point and continue without matching upn to verify domains users will not be able to sign in to azure ad with on-premises credentials if the upn suffix does not match the verified domain um this is going to work yeah this yeah and then in this case we could choose whether we wanted to synchronize specific things so this is an option before you go down go too far down and say oh hey i don't want all the stuff i can configure things so you definitely do have some functionality where you can go through and and um customize things as we said in the beginning we could have done the the express setup but we just wanted to be able to show the the full experience here and then so we have password writeback password hash sync and um azure ad app attribute i really don't like these the hovers they keep getting me you stop talking with my mouse right um so at this point we're leaving this alone because i want to show the the misconfiguration of this and say okay look once we synchronize the accounts we should be able to see what this looks like um okay so before you stop the synchronization there's one thing you should do you have to go to the uh computer management on this server that you have open okay and you need to add yourself to a a security group on this virtual server yes okay um so oh this is my domain controller though it won't have local security ah okay so in the
normal environment yes but this is a single i got a single box lab like that's the whole thing here okay so the the thing you need to be aware of is that when you install azure ad connect it creates a few groups and one of them is adsync admins and adsync browse adsync operators adsync password set if you want to view what's actually happening during the um synchronization you need to add yourself to one to the adsync admins group oh well there it is so yeah and i already am yeah okay so yeah that's a good very good point so yes you do get these new accounts created and then you also get this guy this is your service account and so if you look in the services you'd also see and there's a an application on your server that's called synchronization service that you can then open and you can see in real time what's going on when you sync yeah so you can see it creates this auto automatically creates this new account with us with its own password and manages that for you so you can customize this that was what our that one option that we got hung up on you could have customized it there um and so i'm gonna go ahead and hit start and so now this is going to start the synchronization now um so what we're expecting is that we've created um two on-premises accounts so we've got johannes's account and my account and then we already previously had in the cloud a where did it go a single user account for myself which was my azure ad only user account so we can see so we're already getting the on-premises directory sync service account so we get that created here and then um this is my cloud admin account and then this is my azure ad only account so we can see we don't have anything here yet but that's what we're starting with and so we should see several more show up as we go there i'm going to mess this up i know it but there is a place where you can configure the additional all right johannes you may know the answer to this because i've only done it a couple times but every
time i try to do it i i miss it um so okay so on a user account you can configure their uh upn uh uh whoa it's on like dhcp or on dns or no it's not the internet it's active directory domain sites and services yeah domains it's a diamond interest or sites and services i'm leaning towards sites and services okay we're gonna see it's been a while it's one of those like i i know of it and i'm like how do i add this and where do you go and it's like a little box that has a just go add a thing in and i miss it every time okay that's domains and trust let's let me close that okay so i'm messing it up here sites and services and the people watching this just just skip it sorry or okay so it's not sites and services yeah yeah it don't yeah it's your properties okay so that's just managing the domain but properties trusts is this where we do it new trusts um yeah anyway there's a thing we'll we'll figure it out um i'm not going to make you all go through it but it gives you the opport the option to um can change your upn from being the external um or the internal lab url uh to an external one so if you've ever every most everybody should already have this set up anyway but um if your upn is like you know asd.lab instead of asd.net or something you may find that that's a something you need to go and toggle because that impacts the username the email address option on your user account here in uh that's not where you do it the office 365 admin center or microsoft 365 admin center so the screen refreshes are slower than i'm clicking come on all right there we go so you can manage the username uh an email alias actually that's the alias this is the username and email and so you could if you have additional domains registered you can then come in here and change these guys as well so just kind of tying that together this is some of the stuff that i've run into as like i'm not a you know you you set up active directory once in a career sometimes like unless you're building it out 
in a lab and so i've you know i'm just doing stuff in labs and um so having to learn a lot of this stuff as as we go so um i think we are good configuration synced and then do a test sign in on the azure portal okay so you can exit that before we go any further we're going to look at the so there is a rules editor as well as a synchronization service so under the rules editor you can actually come in here and see the rules and what's set up and the way that things are mapping between user accounts this is way beyond the my expertise on how to modify these things i'm sure there's some great blogs and docs on this but you can see this is kind of neat stuff where you can see okay here's the here's what's going to happen um this attribute is going to go going to get synchronized from ad to azure ad in this way um and so you could come in and say well that's not right or i can add new things or customize things so lots of opportunities here on being able to change the user and the device synchronization options um so let's go and check sorry there's the also the synchronization service and then on the service just to interject a little bit it's in the uh active directory domains and trust and you uh yeah just open that mainstream trusts and right click on no no one up this one properties there it is okay yeah so i could add asd.com or something here and have that and then once we have that then we could come into action directory on the user properties and we could change the account to asd.com so that's so if you're synchronizing your user account and you're synchronizing it or and it's made so effectively your your cloud copy of your user account is is owned and managed by your on-premises active directory and so you can't come here and change the user username because it's managed by the local active directory so you need to go and change this in active directory in order for this to yes um there's one caveat i if i remember correctly by default it does not sync 
these changes you have to enable it in azure ad connect to sync uh user principal name changes in id up to oh that's okay good point yeah furthermore uh as like a pro tip for those watching you should make just for the um you should try as best you can obviously some companies and organizations are different to so that the users upn email ship address and so on and so forth all look exactly the same yes yes otherwise your users are going to have to have a miserable experience yes absolutely and and so the what you saw in that configuration um earlier on where it had the lab or the um domains listed and it said here's your azure ad domain to match to um that's where you would have gone into azure ad and added a domain a custom domain here and then when it's synchronizing it would synchronize so i could add asd.com here and you know great and verify and stuff and then um once we do that then that becomes a domain that's available to match from your azure ad connect from your user account so so you'd have your user accounts configured with asd.com here and then you would in the azure ad connect wizard you would um which i can reopen here it pauses um synchronization when you do this just so don't leave it open but when you go and reconfigure it um if you configure your uh user options is this is the user sign-in synchronization oh i don't i don't remember honestly uh yet one of these um maybe it's the feder i don't know anyway one of these options it was the the option to change the yeah connect directories that's the one um [Music] as is as it is the case most of the time you just guess and click and it's not right back up you only mess with this like once and he's okay that's good move on um so you've got your your lab directory connected but then when you and of course i'm in the wrong place whatever um one of the it was the other option where it showed the lab and the domain the azure ad domain and when that when you get those set up you can do it all right i'm
just making a fool of myself at this point so we're gonna continue um okay so what we've seen now is we actually have users synchronized yay look at that yeah okay so these are our on-premises users and they're now synchronized and we now need to add licenses to these um place these save changes i think that works e5 gee i'm honored it's a trial uh i had to create a new lab because the one we used in our last video trials already expired so we didn't get to do it um so now that we've got these users licensed what we should be able to do is go to this device and so now this is the one where i've already signed in with my cloud only account and what we want to do now is we want to sign in with another user account and so i'm going to use adam at um into so we're going to be using this fold that's going to be our our account that we signed in with not this one the this one yeah there it is adam at intunetraininglab.onmicrosoft.com [Music] oh what's my password now okay of course i got that wrong [Music] i swear i said that password correctly already oh this is fun sorry [Music] i have no idea um we will fix it we set yours up though right so jg k is our yep [Music] the problem is i have more generic lab account password that i normally use and i can't use it with um azure id with the at with the azure id accounts and so it's making me reset them to be more complex it seems so this looks more promising yeah that's probably just doing the normal timeout it's still not going to work um we can verify by doing in private window so that's not what i meant to do private so you can just go to [Music] portal.office.com and then i'll use my new at [Music] training lab one dot on microsoft it's always the password problem here that's my admin password [Music] didn't like it uh okay that's fun let me see i'm verifying that okay your account the password i typed in a minute ago is in fact the right password so um i guess this is the question so if we've just synchronized our 
accounts to the cloud but we didn't synchronize passwords to the cloud do we not get the first password synchronized to the cloud i oh that's a good question i don't think you do right so maybe not you would have to you yeah you would have to like i think you're now in this in a like a split split environment scenario because i've disconnected the two accounts right yeah they're synced up but like the the credentials are not yeah that's i mean that's at least what i what i would think is the is the case here is that we've somehow configured uh oh so sorry folks we are we are doing this live we don't know we've never cause we always just click password hashtag like why wouldn't you turn that on so we're giving it a shot so um let's try this again so adam at sorry wait i've i've told it to reset my password okay and then i've copied copy the new account so where's my new in private window so that's my new password and now we get to reset that password [Music] okay and all of this is just going to let us prove that this doesn't actually work until we enable the password synchronization because we're already out of sync and so it's not going to like me here so we've got to wow [Music] and got to put my oh i can do skip setup there we go skip setup it works all right so we've got our new so we're signed in with that account and so in theory we should be able to use that same account here so [Music] wow i just can't type [Music] get in we got in yeah okay so it's kind of cool because now i know that was that it was the long password but i mean the wrong the long um upn but if we had had set up our domains like we talked about that would have been my just my email address right um generally i know some folks their upns and emails aren't the same i don't know why but there's reasons there's a reason for it um so um what we're going to do now that that machine is getting connected or once it once it fully connects i'm going to switch the device to use the um the domain um 
i'm going to switch switch the network adapter to use my on-prem [Music] version of this uh to connect to my domain controller that we've been working on but i can't do that right now while it's asking me for hello great which is fine yes can i skip it well you have to disable windows hello for business in your tenant i didn't meet i don't recommend anyone to do i didn't enable it your journey to azure 80 should also be you coincide with your journey towards passwordless and windows hello for business yes okay so i am i'm just doing the doing the two factor over here should be good sms registers is actually done all right [Music] and we're not we're not even using hello for this demo um but it's obviously requiring it still so i just missed something in our tenant config okay so this just a normal azure id only device on the internet and so now we're going to switch the adapter over to use my lab on vlan and it gets a little funny on switching the vlan sometimes so i may actually we're just going to bounce the box the first step in every troubleshooting right okay so i know it's taking us a while to get here but it's really trivial things and we're taking more time just to talk through the things than it was actually going to take you to do this if you'd have done azure 80 connect express settings you'd already be connecting to your on-premises resources at this point so i'm not going to do an enhanced session and i'm going to not to mention most of you who are watching have probably already set this up yes skip this one if you've already done this should have said that in the game okay go so i am on the domain network now doing this sign in um now another thing in your environment like this might not have actually worked because this device doesn't have certs on it or any of that kind of stuff it might not actually have access to the the network or any of those things but we're just going to show the difference here so if i do so we can see that we are on the same 
network so we're definitely on this network and so then let's see if i can do ping cmo1.asd.net and i get nada that actually could just be my lab configuration as well um but the the thing note is that this device doesn't know about anything on this network it doesn't know about dns or things [Music] i don't think it does unless the domain controller just helping us out here so i got nothing on that and i think this is worth taking a minute and taking a peek at it's actually going to try to run his admin but it doesn't have admin rights because it doesn't who's that going to be [Music] let's remember that okay so johannes do you know which logs show these things that that's going to show us the um credential issues that we're going to see you're firing the big guns now this is not something i keep in the back of my head okay so well let's try this okay so since we're not entirely sure if dns is going to help us out here or not um let's try that okay so this is so i think dns is part of the issue in this in this instance um so i'm trying to hit this uh server and it doesn't like me okay so if i put in if i tell it to use use this account then it's not going or it's already attempted to use this account and it's not working um even though i know this account has rights to the resource but it's because we're logging in with the azure id version of this account okay so the you can see the azure id log this is not the one okay so there are lots of stuff in that one um that's not what we're looking at so we're looking at security kerberos i think it's gonna be it's yeah you have to enable enable okay so we're gonna kill that kill that and then we'll do it again [Music] i think this one's gonna show us what we want i hope maybe not no oh some of these logs will show you the security pieces oh i disabled that one that was supposed to be enabled um dang i forgot to verify what log to use for this as we do this um anyway that one that log is great for troubleshooting like i 
know that i've done it for hello for business troubleshooting that one's been a great log for it um there's the oh what's that what's that cool command that we've been um the one where you so you reset your ticket oh i think i know the one you're talking about um oh man somebody just tweeted it to me yesterday i know it hold on let's see there's other people see this is this is normal i'm like i know there's a thing hang on i gotta go find it shoot um k-list that's the one yes um okay so what's k-list do for us [Music] we have no tickets okay and there's i know there's some command line options like k-list purge and stuff i believe um but so we just want to see do we have any any tickets okay so we don't all right so all that to say okay so we didn't do this right because we can't we still can't get to the domain resources so what do we need to do next okay so the next piece is we need to go back into our azure ad connect and we need to reconfigure it to synchronize our credentials properly fully and so for many of you who say well i've already got azure connect it doesn't work well this is this is where you need to go and go to change user sign in we might need to also change the extra synchronization options on that other tab okay so now we're just going to change the password hash sync but i believe you can do any of the ones that allow you that enable the single sign on is what you want in here so if you have a choice between uh password has sync and pass-through authentication use password hash sync it's just easier yeah and each of the rest of them require additional complicated things and if you're going to then proceed to do windows hello business you're going to want the password hash sync anyway because it needs to synchronize your next gen credential between your devices our user account and active directory okay so we've synchronized that what i'm hoping is that it's going to overwrite my cloud user account what do you think because again you think it's 
going to be right yeah it should because now you're treating your on-prem active directory as the source of truth so it will be authoritative basically okay so we need to look at the synchronization service and see if we're done which i think we are because we did the no we haven't it hasn't actually synced so you can run like full synchronization on it manually here so you can just right click on any of these and hit run and choose what you want to do or you can wait for it to do its thing the list will auto refresh as it does things for you but uh we're gonna also see exactly what it did update yeah if you click on one of these options you can see in the lower um lower left which attribute was updated or removed or whatever yep uh yeah and so it takes some take some work but you can you can look through here and find things to things that aren't working or find errors or bugs or you know whatever in the process and and see what's going on okay so we're going to try again i hope this works [Music] so typing in my old password is there a chance that that's going to work look at that so you saw me go through the whole hassle of well that it didn't work because it didn't like i needed to create a new azure idea password for my azure id version of my account and now i turned on password hash sync and it synced my my domain credential to the cloud so now my device should have access for my user account sorry let me be real clear this is a user-based authentication it's nothing to do with the device sort of nothing okay so let's get that ip address again in fact who knows dns might even work but i don't think so [Music] look at that it did nothing else all right so look now we got this cool stuff oops cool stuff dollar secret share look who's hanging out in there this guy mr reader himself um so i know this was a whole lot of stuff but ultimately because okay so we're trying to mix up some some things here and there's a large audience on this and so i know this is a lot 
of a lot of moving parts here but the end in the end simply configure azure 80 connect to use some version of password hash synchronization to keep the accounts in sync so that your credentials are the same and then magic will happen that's it um now we mentioned in the beginning i think or maybe we didn't we talked about our hello for business video that we did um it gets uh there's you just go from here to then okay i want to use hello credentials all right well hello credentials are more difficult because they require additional configuration you've got to have a root certificate and you've got to turn on um uh you've got to do is set up a crl and different things so there's more things that are involved in that process okay so i wanted to do k list here and see do i get a ticket no so maybe not maybe it doesn't maybe i'm looking at the wrong i'm probably looking at the wrong thing but ultimately i mean there it is like we didn't that's it i logged in with azure id credentials i had an azure id only device just show you clear on this file shares it's all on-premise resources printers websites yes whatever so look i've got is running on this machine i'm sure because it's a config manager box so um i should be able to now let's let's check out dns for us here because i know in my labs i generally like add some stuff but that just work no okay so it doesn't know about the dns handling but i probably can configure it right here on the network adapter right yeah you should so this is something that like i push down from my um from intune as a configuration option oh man [Music] not the password [Music] so properties now you would not do this manually but [Music] it should work right don't you need to actually set a dns server um no okay i mean again this is like the last time i said about domain was like six years ago nope just worked okay so um now and that that setting is not an uh thing that you can set as part of uh you have to do a customs no there's nothing uh 
a powershell script i've got a powershell um remediation script to be able to set your dns um lookup stuff but um anyway so now we've got short names and now we can go to cool stuff dollar and it still works okay so now that i've got that who doesn't love that me this guy i've probably seen this like two or three hundred times stop i don't want that ever like i just don't want it to i want like just ask me later like have it as a thing i can do later i don't want to do it when i first launch because if i'm launching it i probably don't i'm not launching it so i can set it up i'm launching it so i can do something useful okay so cmo1 dot asd.net and hit enter might be https [Music] heck it might not even be configured properly should be running default website config manager yeah why is that not working are you honest beats me does it work on the one on on this server itself i should browse localhost works oh oh [Music] this is going to be a two hour video oh maybe something's not configured in my dns somewhere oh that makes sense right we need to add the hostname bindings that's probably all i bet that'll do it might as well do both right yeah this is definitely one of those things that i never ever do that's part of my job well not never ever just very rarely is that the right cert ssl rules yeah that's right okay so now if we hit it does it work i'm just gonna quit trying at this point um i don't know what i'm missing there but that totally works look at that um so same result that's the same thing all good um now this specifically like so this is using the like the the cert on here this i mean from a config manager perspective like you start getting into things that need certs and stuff like that so like okay so if you've got a website that has https enabled and it's got a cert on it and it's internal well then what do you need here you need a trusted root cert on your box okay great easy one you go into configment or into intune and you go set up a new 
configuration profile and you there's an option to select a template for uh what am i looking for certificates trusted certificate you have to create a new profile per certificate um and uh in this case you have to actually go export the search so i haven't exported the cert from my ca but um so i would go here and export it and then import the cert and then i'd push that out just like any other configuration setting for our devices so that's how you get your trusted root cert on okay and then you need like user auth asserts and things great you then look at skep or the pfx connector or um you know those sorts index index to be able to push down custom certs for your users for your devices so there's ways to get through these things um but the first step is just like crossing this bridge of let me just let me just prove that this can work and then go from there so i think that's kind of that's kind of the story here it's just this is possible it's doable um and if you've already got azure 80 devices and they're not working on prem with on-prem resources go and check your azure id connect configuration something is misconfigured or you're using the wrong user credentials to sign in um you know you're just something's not not right in that in that mix um now when we we set up before with my azure id only um account um oh yeah yeah sorry that was we we actually said we wanted to try that um sorry this is a uh we're trying to learn learn something here um the learning by doing this machine so i think we know the answer now already but we an azure id only user account on business network should not work and it should really be the same as we just had with this account before we synchronize the password correctly because it didn't have we didn't on-prem active directory does not know about that user account it doesn't know about that password it doesn't trust it um right so [Music] lab 1.1 [Music] there we go all right so oh what about the file share that's something i'm 
really i'm really interested in finding out now it won't have access to cool stuff because yeah i'm getting access to cool stuff okay so definitely doesn't like that but the website the website could work because it's it's basic auth or like it's anonymous whatever auth on it i think by def on the root so it probably doesn't have windows auth configured which would make sense that that could work uh where's the authentication settings yeah so it's got anonymous enabled so if we were to turn on windows auth um this would this would not work like 99 sure on that but it would from the other account [Music] yep there you go yep so no working um but you could type in like this [Music] and get there which is kind of cool too which is probably what you're doing anyway if you've kind of got this halfway working but not quite um but uh yeah so that kind of confirms that so you've got if you're all your websites are configured for anonymous author great but um anyway you know let us know if you want to see more stuff around this because like we've talked about things like um the uh so like on windows auth you can change you can change the kerbros the providers here to you can add kerberos and different things as different providers to help make this more modern on is but then you can also do things like azure app proxy and stuff and so i know we've generally stayed away from the on-prem discussion in our channel but we're starting to kind of recognize that if we if we're trying to get people who currently have on-prem stuff to move to the cloud um that promoting azure id only and helping with that migration i think is we need a little we need to provide a little bit more migration and uh guidance i think so try and me and because it's not obvious you you're gonna bump into things that you don't you've never seen before and there's nothing obvious that that what the issue that you're facing isn't obvious yeah yeah it's really not um and you gotta know like it's a question of 
uh whether you think it to be possible and then proving that it is in fact possible or just assuming that it's not possible and saying and and going to hybrid route saying oh we can't do it because that doesn't make sense why would that work but it's designed to work um for and for those of you who have gone a little bit further and have like once you start reading up around up about um hybrid key trust and all of those things and just you see a list of certificate requirements and you just give up uh you don't have to it's not complicated to set up really it's a it's a complicated concept but in the practical setup is not it it's it takes minutes really yeah except in our video where we just really royally had a hard time and we now understand it greatly it's much much better now sorry maybe someday maybe that'll be our next uh next round here is we'll do it again because we've got everything configured and should make it work easier yeah so well uh i think this has gone on long enough almost two hours before but um yeah it's been a bit so thank you for sticking with us if you did um hopefully you found this useful hopefully you made it to this far um but uh yeah let us know what else you need to see and uh hopefully you'll make a make the cloud journey soon um thanks johannes for joining me i know i just kind of rambled on a bit but thank you for helping bounce ideas around and share your thoughts on this um hopefully we'll have you back on again thank you see you next time
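The DNS suffix step that the video sets by hand on the network adapter, and mentions pushing from Intune with a PowerShell remediation script, written out as an added example; this is not the video's own script. It assumes asd.net is the lab AD DNS domain from the demo and cmo1 its Config Manager host, and it uses the global DNS suffix search list (Get/Set-DnsClientGlobalSetting) rather than a per-adapter setting.

```powershell
# Added example, not the video's own script: Intune Proactive Remediations-style
# detection and remediation of the DNS suffix search list on an Azure AD joined
# device, so short names like cmo1 resolve once the device is on the corp network.
# Assumptions: asd.net is the lab AD DNS domain shown in the video, cmo1 is its
# Config Manager host, and the script runs as SYSTEM (Set-DnsClientGlobalSetting
# needs elevation). In Intune the two bodies below are uploaded as separate
# detection and remediation scripts; they sit in one file here so it runs stand-alone.

$RequiredSuffixes = @('asd.net')   # assumption: your AD DNS domain(s)
$ProbeHost        = 'cmo1'         # assumption: a short name that must resolve on-net

function Get-MissingDnsSuffixes {
    # Returns the required suffixes that are absent from the global search list.
    $current = @((Get-DnsClientGlobalSetting).SuffixSearchList)
    return @($RequiredSuffixes | Where-Object { $current -notcontains $_ })
}

function Test-DnsSuffixCompliance {
    # $true only when every required suffix is already present.
    return ((Get-MissingDnsSuffixes).Count -eq 0)
}

function Set-DnsSuffixCompliance {
    # Prepends the required suffixes and keeps any existing entries (VPN, other domains).
    $current = @((Get-DnsClientGlobalSetting).SuffixSearchList)
    $merged  = @(@($RequiredSuffixes + $current) | Select-Object -Unique)
    Set-DnsClientGlobalSetting -SuffixSearchList $merged
    Clear-DnsClientCache
}

function Test-ShortNameResolution {
    # Informational only: off the corporate network the internal DNS server is
    # unreachable, so a failed lookup does not by itself mean the config is wrong.
    param([string]$Name = $ProbeHost)
    try {
        $null = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

# ---- Detection body: exit 0 = compliant, exit 1 = Intune runs the remediation ----
if (Test-DnsSuffixCompliance) {
    Write-Output ("Compliant; {0} resolves: {1}" -f $ProbeHost, (Test-ShortNameResolution))
    exit 0
}
Write-Output ("Missing suffixes: {0}" -f ((Get-MissingDnsSuffixes) -join ','))

# ---- Remediation body: runs only when detection exited 1 ----
Set-DnsSuffixCompliance
if (Test-DnsSuffixCompliance) {
    Write-Output ("Remediated; {0} resolves: {1}" -f $ProbeHost, (Test-ShortNameResolution))
    exit 0
}
exit 1
```

Detection keys only on the suffix list, not on whether cmo1 resolves, so a device that is off the corporate network is not flagged and remediated on every cycle.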
Channel: Intune Training
Views: 13,902
Keywords: Microsoft, Intune, Training, Azure, AAD, MEM, MSIntune, Microsoft Endpoint Management, MEMIntune
Id: dUJnIakSPkA
Length: 71min 45sec (4305 seconds)
Published: Mon Mar 22 2021