Disabling SharePoint Online Site Creation for Users with Powershell

A friendly newer feature of SharePoint Online is that users can create their own SharePoint site without admin interaction. Note that this is different from restricting Office 365 group creation, this option lives under their SharePoint landing page. To disable this functionality in the web you can just do it via the SharePoint admin center (Settings > Site Creation), but the PowerShell method is harder to find.

The cmdlet you are looking for is: Set-SPOTenant -DisplayStartASiteOption $false

You must of course already be connected to SPO, whcih is out of scope of this post, see Here

Hardening the Fortinet Single Sign On Agent Account

The Fortinet Single Sign On Agent (FSSO Agent) allows your Fortigate to map IPs to users which is useful/needed for web and other filtering policies. The agent gets installed somewhere (usually a domain controller) and then polls for logon events and keeps a database updated. This works fine, except that it wants to use a domain admin account for everything. If you are working in a hardened environment and want to restrict service account access then there are a few hoops to jump through, so here they are. This guide is not intended for getting your FSSO Agent integrated with your Fortigate, it is just talking about how to get it working with a hardened non-admin account.

Pre-Setup

In my environment we have group policies that make it so domain admins cannot login to workstations. We also deny interactive logon to service accounts. Ideally we don't want the FSSO account to be a domain admin anyways, so we won't be doing that. However, for the initial setup, this is needed. So to start i created a user called FSSO and added it to the following groups: Domain Users, Domain Admins, Service Accounts, and Event Log Readers. Note that Service Accounts is not a built-in group, that is one i created. You can skip this if your environment doesn't require it.

Installation

1. Download the FSSO Agent from support.fortinet.com, this install was done with FSSO_Setup_5.0.0295_x64.exe
2. Install the FSSO Agent on a domain controller. When prompted for Simple vs Advanced for your directory naming/structure, i use Advanced, but that is up to you and is out of scope of this post.
3. Do not use the DC agent, use the option for Polling Mode with sub-option for Check Windows Security Event Logs

Adjustments

1. Remove the FSSO account from the Domain Admins group
2. Grant the FSSO account full control over the directory C:\Program Files (x86)\Fortinet\FSAE
3. Grant the FSSO account full control over registry keys: HKLM\SOFTWARE\WOW6432Node\Fortinet\FSAE and HKLM\SOFTWARE\Fortinet\FSAE

Office 365 Hybrid with Exchange 2010 Setup

Couldn't find a guide that actually gives you ALL of the steps required to setup a Hybrid organization with Exchange 2010 and Office 365, so here it is. This is not super technical, just the overall steps and things not mentioned/explained in other guides. This assumes you already have created a 365 tenant and added your domains to it.

Configure Azure AD Sync

Prep work: make sure you have added your primary email domain as an alternate UPN suffix (see Active Directory Domains and Trusts) and set all of your users UPNs to match their primary email addresses. This is not required but makes it cleaner

Next you need to synchronize your Active Directory to Office 365. Install the Azure AD Sync tool, and check the boxes for Password hash synchronization and Exchange hybrid deployment. You can check other boxes if you know what you're doing, otherwise best not to.

Important note: If you want to set this up with a group or OU based filtering, that's fine for testing. But be aware, any user NOT synced into 365 will be unroutable for sending email from 365 back to on-prem. So you really need to sync everyone.

Run the Hybrid Wizard

Grab it from https://aka.ms/HybridWizard or by logging into the 365 admin console, opening Exchange, and going to Hybrid. You should run this from an Exchange 2010 server.

When going through the settings, the defaults are typically going to be correct. If you need to adjust anything, go for it. The wizard will automatically create connectors for you and set up various things

Do the extra tasks they don't tell you about

1. In the 365 Exchange Admin Console (EAC), navigate to Mail Flow > Accepted Domains and set your email domains to Internal relay. This is what allows 365 to route mail back to your on-premise environment
2. If you haven't already, set your Azure AD Sync to push all of your Exchange users into Azure AD. You can verify this by going to Recipients > Contacts in the EAC, and you should see them all in there as type Mail user. If they are not, then stop and fix that. Again, this is for any user in Exchange, not just the ones you want to migrate.
3. If you have assigned any licenses to users which grant Exchange access, you need to disable that or remove it. Users cannot be licensed for Exchange and also be migrated.

Migrate

At this point you can go to Recipients > migration and start a batch. Use the Remote move migration option and select whoever you want to migrate. I suggest just letting them auto-complete, but you can manually complete them if you wish. This takes a while. Once it's done, they may get a message in Outlook asking them to restart, however as long as they're on a newer client it should auto-reconfigure for 365 and you're done.

Setting up iOS14 mail with Azure AD App Consent

If you locked down your Azure AD to make it so users can't consent for approval on apps, then you may end up with iPhone/iPad users trying to setup their devices with iOS 14. Well, they can't consent, and the app isn't listed in the gallery or anywhere else. The user gets a message Need admin approval for Apple Internet Accounts. Instead of turning user approval back on, or trying to get a hold of an iOS 14 device yourself, you can still do the approval.

Head over to your Azure AD tenant and grab your Tenant ID (from the Overview tab). Then modify the following URL to add your tenant ID in:

https://login.microsoftonline.com/TenantID/oauth2/authorize?client_id=f8d98a96-0999-43f5-8af3-69971c7bb423&response_type=code&prompt=admin_consent

Heading to that URL should prompt for consent, and then your users can get in. Note that i omitted the redirect_uri parameter which would send you to the next site, so it may seem to hang after you approve. Just give it 10 seconds and close it out and have the user try.

Domain Controller Demotion Error: The operations master roles held by this directory server could not transfer to the following remote directory server.

In demoting a Domain Controller, ran into the following error:

The operations master roles held by this directory server could not transfer to the following remote directory server. 

FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=domain,DC=local

Apparently during the last demotion, the roles for the DNS Zones weren't transferred (both for Forest and Domain). There is an easy fix, but it wasn't very straight forward to google.

1. On the new Domain Controller (the one you're not demoting), open notepad and paste this into a file named fixfsmo.vbs:
   
   

   const ADS_NAME_INITTYPE_GC = 3
   const ADS_NAME_TYPE_1779 = 1
   const ADS_NAME_TYPE_CANONICAL = 2
   
   set inArgs = WScript.Arguments
   
   if (inArgs.Count = 1) then
       ' Assume the command line argument is the NDNC (in DN form) to use.
       NdncDN = inArgs(0)
   Else
       Wscript.StdOut.Write "usage: cscript fixfsmo.vbs NdncDN"
   End if
   
   if (NdncDN <> "") then
   
       ' Convert the DN form of the NDNC into DNS dotted form.
       Set objTranslator = CreateObject("NameTranslate")
       objTranslator.Init ADS_NAME_INITTYPE_GC, ""
       objTranslator.Set ADS_NAME_TYPE_1779, NdncDN
       strDomainDNS = objTranslator.Get(ADS_NAME_TYPE_CANONICAL)
       strDomainDNS = Left(strDomainDNS, len(strDomainDNS)-1)
       
       Wscript.Echo "DNS name: " & strDomainDNS
   
       ' Find a domain controller that hosts this NDNC and that is online.
       set objRootDSE = GetObject("LDAP://" & strDomainDNS & "/RootDSE")
       strDnsHostName = objRootDSE.Get("dnsHostName")
       strDsServiceName = objRootDSE.Get("dsServiceName")
       Wscript.Echo "Using DC " & strDnsHostName
   
       ' Get the current infrastructure fsmo.
       strInfraDN = "CN=Infrastructure," & NdncDN
       set objInfra = GetObject("LDAP://" & strInfraDN)
       Wscript.Echo "infra fsmo is " & objInfra.fsmoroleowner
   
       ' If the current fsmo holder is deleted, set the fsmo holder to this domain controller.
   
       if (InStr(objInfra.fsmoroleowner, "\0ADEL:") > 0) then
   
           ' Set the fsmo holder to this domain controller.
           objInfra.Put "fSMORoleOwner",  strDsServiceName
           objInfra.SetInfo
   
           ' Read the fsmo holder back.
           set objInfra = GetObject("LDAP://" & strInfraDN)
           Wscript.Echo "infra fsmo changed to:" & objInfra.fsmoroleowner
   
       End if
   
   End if
   

2. Open an administrator cmd prompt at the location of the vbs
3. Run it once each with ForestDnsZones and DomainDnsZones (or just specify the one you're getting in the error) like this:
   
   

   cscript fixfsmo.vbs DC=ForestDnsZones,DC=domain,DC=local

4. You will need to fully close and re-run dcpromo to do the demotion, but it should go through now

Credit to this blog for the script.

Setting up ConnectWise Manage with Duo Access Gateway via SAML

This will give you all the details on how to set up ConnectWise Manage with Duo Access Gateway via SAML. I could not find any documentation for the pairing of these two products, so there was a little bit of trial and error.

Pre-Requisites

• A Duo Access Gateway (DAG) server already setup and ready to go.
• A Duo account with Duo MFA or higher licensing. (the free version does not support this)
• You must have an admin account to both CW:M and Duo (duh)

Recommendations/Caveats

• The moment you save the SSO configuration in CW:M, it will remove all settings related to LDAP and existing 2FA with Google Authenticator. The CW documentation says it disables it, but no, it rips it out.
• I recommend you sync your training database and do the setup there first. This way you can do it live, and also avoid issues caused by the point above
• I am not going to train you on how to use the various products, this is just about the integration. I expect you already know how to create applications in Duo and add them to the access gateway.
• This example is going to be for the training database in CW:M, so all URLs etc will reference that. The fake CW:M URL i will be using is manage.domain.com, and your DAG URL will be dag.company.com

Duo Setup

1. Log into the Duo Admin Panel and create a new Application of type SAML - Service Provider
2. Enter the following settings:
   
   • Service Provider Name: ConnectWise Manage - Training
   • Entity ID: https://manage.company.com/v4_6_release/auth/training/metadata
   • Assertion Consumer Service: https://manage.company.com/v4_6_release/auth/training/Acs
   • Service Provider Login URL: https://manage.company.com
   • NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
   • NameID attribute: userPrincipalName (this can also be mail, just make sure it's an email address format that your DAG is pulling in from your identity source
   • All other settings: default
3. Click Save Configuration
4. Scroll down and set the name of the Application (i recommend setting it to the same thing: ConnectWise Manage - Training)
5. Save and then click the link at the top to download the configuration file
6. Head over to your DAG admin panel and upload the downloaded json file
7. Download the certificate

CW:M Setup

1. Navigate to System > Authentication (or Setup Tables > SSO Configuration)
2. Set the following options:
   • Description: Duo Access Gateway (this can be whatever you want)
   • SSO Type: SAML
   • Login URL: copy and paste SSO URL from the DAG Admin
   • Identity Provider ID: copy and paste Entity ID from the DAG Admin
   • Identity Provider Certificate: upload the certificate you downloaded from the DAG Admin
   • Locations: check the box for the locations that this SSO applies to. In most cases it will just be All.
3. Save and you're ready to test
4. Use a different (incognito/private) browser window to test so you don't get locked out.
5. Upon login it will redirect you to the SSO login. It will also handle user enrollments here so if this is a brand new org it's a good way to force your users to enroll
6. Once you're done and tested, repeat the process for your production database. Replace training in the URLs with your company id. Create a new Duo Application for this, that way you will have it always working in both live and training.

Chrome, Remote Desktop Services, and Time Zone Redirection

If you're using RDS and have enabled the GPO for Time Zone Redirection, there is a small issue with Chrome that may cause some issues. For whatever reason, JavaScript date functions in Chrome will pull the system's time data instead of the user's. So if your server is in UTC and your user is in Eastern, Chrome's detection will come back as UTC. Firefox and Internet Explorer do not appear to have this flaw (i did not test with Edge).

To tell if you're affected, open the Chrome inspector (Ctrl+Shift+I) and go to the Console tab. If you just enter in new Date() you will see a preview of what the date is, including the time zone.

As far as i can tell, there is no workaround, if someone has one please let me know. I'll be setting up separate pools for users just for this.