We use cookies on this page to better serve you. You can find more information about cookies here.

Latest posts

Entra ID External Authentication Methods with Duo
by

Microsoft recently introduced the public preview of External Authentication Methods in Microsoft Entra ID. I am very excited about External Authentication Methods as they finally allow third-party MFA providers like Cisco Duo to integrate better with Microsoft Entra ID (formerly Microsoft Azure AD).

Microsoft has supported third-party MFA providers for years. The original method for adding external MFA providers is Custom Controls, which was introduced in 2017 as a public preview.

As MFA grew in necessity, the limitations of Custom Controls became apparent. In 2020, Microsoft announced that Custom Controls would not leave public preview but a new solution that addressed its limitations would be created. In May of 2024, the replacement solution External Authentication Methods (EAM) was released as a public preview.

EAM addresses the limitations with Custom Controls, such as satisfying the Multifactor authentication requirement in a conditional access policy rather than using a custom control. EAM is a big deal, as the Entra sign-in logs show Custom Controls as a single-factor authentication when that is not true. I suspect this is because Microsoft has no way of validating whether MFA was completed or not.

Here’s an example of the Entra ID Sign-in logs with Duo using a Custom Control that reports as a Single-factor authentication.

Entra sign-in logs for Duo with custom control grant

If we drill into more details under the Basic info tab, we will still see that the login is reporting as single-factor authentication.

Sign-in log basic info for Duo when using a custom control grant

If we look at the Authentication Details tab, we will see nothing. I suspect this is because Entra has no way of knowing what happened on the Duo side of things, only that Duo said yup this user is good move along.

Sign-in log Authentication Details when Duo uses a custom control grant

If we look at the Conditional Access tab, we finally see that Duo was applied with the custom control and that the result was a success.

Sign-in log conditional access using Duo custom control

The issue of Custom Controls reporting as single-factor authentication in the sign-in logs is resolved with EAM.

Using EAM, we can now directly use third-party MFA solutions like Cisco Duo as an MFA option in Microsoft Entra Authentication methods, allowing us to use the MFA setting in a conditional access policy instead of a custom control. This even allows you to be more granular with the accepted forms of MFA, such as allowing Windows Hello rather than just Duo to grant MFA.

External Authentication Methods is currently in preview. However, everything seems to be working correctly in my testing.

In this post, I will show you step-by-step how to set up Cisco Duo with External Authentication Methods in Microsoft Entra ID.

The Process

Initial Setup

  • Login to the Duo Admin console.
  • Click on Applications > Protect an Application
  • Search for External Authentication Methods and click on Protect beside Microsoft Entra ID: External Authentication Methods.
  • Click on Authorize to spawn the process for Duo to create the needed Enterprise application in your Microsoft 365 tenant.
Read more
IT
Azure ADCiscoDuoEntra IDEUCHow ToMFAMicrosoftMicrosoft 365Office 365

Microsoft 365 Remove Stay Signed In Option
by

Microsoft 365’s Stay signed in option is designed for user convenience but can increase security risks when used on public or non-corporately owned devices. The risk is due to the potential for unauthorized access to the user’s account and the resources they have access to.

The Stay signed in option presented to users

The stay signed in option, also known as KMSI (Keep Me Signed In), stores a cookie on the device for around 90 days when the user selects Yes to KMSI. When the cookie’s lifetime is active, users will see fewer prompts to log in with their Microsoft 365 account and fewer MFA prompts, this can pose a security risk on shared or public devices.

For corporate devices that are Microsoft Entra joined or Microsoft Entra Hybrid joined, the impact of removing the stay signed in option is minimal, as these devices already participate in Microsoft Entra SSO, which reduces the number of times users need to log in with their Microsoft 365 account when accessing Microsoft 365 web resources.

Turning off the stay signed in option in Microsoft 365 can help reduce your attack surface. This helps prevent users from accidentally selecting Yes to KMSI and can positively impact an audit or penetration test.

In this post, I will show you step-by-step how to remove the Stay signed in? option in Microsoft 365.

The Process

  • Login to Microsoft Entra admin center.
  • Click on Identity > Users > User settings
Read more
IT
Azure ADCustomizeEntra IDEUCHardeningHow ToMicrosoftMicrosoft 365Office 365securitySSO

Palo Alto User-ID Agent Upgrade
by

Palo Alto Networks has this awesome program called the User Identification Agent, aka the User-ID Agent. It allows you to identify which device a user is using, allowing you to craft security policy rules based on the users themselves.

In this post, I will show you step-by-step how to upgrade the Palo Alto Networks User-ID Agent.

Prerequisites

  • Verify that the new User-ID agent version is compatible with your current PAN-OS.

The User-ID Agent is typically compatible with the same release number along with earlier still-supported PAN-OS versions. For example, User-ID agent 11.0 works with PAN-OS 11.0 and earlier. You can confirm this by reading the OS Compatibility section in the release notes.

The Process

  • Log in to the Palo Alto Networks Customer Support Portal.
  • Click on Updates.
  • Click on Software Updates.
  • Select the User Identification Agent.
  • Click on the version you need to start the download.
  • Connect to the server that is running the Palo Alto User-ID Agent.
  • Open Services.
  • Stop the User-ID Agent service.
Read more
IT
FirewallHow ToNetworkingPalo Alto NetworksPAN-OSUpgradeUser-ID

Active Directory Schema
by

Active Directory is very much a database. It even has a schema to define what can and can’t be created and how everything is related and linked. An oversimplification is that the Active Directory schema is the rules about the types of items you can make in Active Directory, and this also includes the available attributes for each item.

Your schema level (or schema version) is not your domain functional level or forest functional level. The schema level doesn’t always match the domain functional level or the forest functional level.

Windows Server 2019 and Windows Server 2022 both operate at the domain and forest functional level of Windows Server 2016. Even though a server running Windows Server 2019 or Windows Server 2022 has a functional level of Windows Server 2016, its schema version is higher than Windows Server 2016.

In this post, I will show you step-by-step how to check your AD schema level using the GUI or PowerShell and how to translate the output to the corresponding Windows Server version.

GUI Way

  • Open ADSI Edit.
  • Click on Action > Connect to…
  • In the Connection Point section, click on Select a well known Naming Context option and select Schema.
Read more
IT
Active DirectoryHow ToMicrosoftPowerShellWindows Server

OneDrive Shortcuts
by

A while back, Microsoft added a feature to SharePoint Online called Add shortcut to OneDrive. This feature adds a shortcut to the file or folder in another SharePoint site directly in your OneDrive. The Add shortcut to OneDrive feature is on by default.

Depending on your setup, you may want to turn the Add shortcut to OneDrive option on or off for your SharePoint sites.

Enabling or disabling the Add shortcut to OneDrive setting isn’t a per-site option, it is a global option. If you turn it off, it won’t break any existing OneDrive shortcuts it only prevents the creation of future shortcuts.

In this post, I will show you step-by-step how to check the status of the Add shortcut to OneDrive feature and how to turn it off or on.

Prerequisites

The Process

  • Connect to SharePoint Online using the Connect-SPOService command with the URL for your SharePoint admin center.

The command should look something like this Connect-SPOService -Url https://contoso-admin.sharepoint.com

  • Run the following command to check the status of the Add shortcut to OneDrive feature. Get-SPOTenant | format-list DisableAddShortCutsToOneDrive
Add shortcut to OneDrive feature status

If the returned value is false, then OneDrive shortcuts can be created. If the returned value is true, then OneDrive shortcuts can not be made.

Read more
IT
CustomizeHow ToMicrosoftMicrosoft 365OneDrivePowerShellSharePoint

VMware vCenter Reduced Downtime Upgrade with Automatic Switchover
by

VMware vCenter RDU (Reduced Downtime Upgrade (or Update)) is a relatively new feature that allows you to update your vCenter to the next version with limited downtime, just like the name indicates. It works similarly to the process for upgrading from vCenter 7 to vCenter 8, which is also very similar to doing a fresh install of VMware vCenter.

In October 2021, VMware introduced the vCenter Reduced Downtime Upgrade feature. However, the feature was not available for on-premises vCenters. In September 2023, vSphere 8 Update 2 introduced the feature for on-premises vCenters. With the release of vSphere 8 Update 3 in June 2024, more features have been added, including one called automatic switchover, allowing the whole process to be even more seamless.

The magic that makes vCenter RDU work is the vCenter installer ISO. When you mount the ISO to your existing vCenter, the RDU process will create a new upgraded vCenter VM. Once that part is completed, it will transfer the settings from your current vCenter to the newly upgraded vCenter VM and cut you over. This process reduces the time that VMware vCenter is down and can also reduce some risks of in-place upgrades.

My blog post, Install VCSA Updates, covers the traditional method of upgrading VMware vCenter in-place.

In this post, I will show you step-by-step how to upgrade VMware vCenter using the Reduced Downtime Upgrade with Automatic Switchover.

Prerequisites

  • Backup of vCenter.
  • VMware vCenter ISO.
  • Temporary IP for the new upgraded vCenter VM.
  • Temporary root password for the new upgraded vCenter VM.

The Process

  • Upload the VMware vCenter Server Appliance ISO to a datastore in vCenter.
  • Attach the VCSA ISO to your current vCenter VM.
  • Click on your vCenter and select the Updates tab.
  • Under the vCenter Server section, click on Upgrade.
  • The process will check and confirm that your upgrade path is supported. If all is good, click Next.

In my example, I am upgrading from vCenter 8 Update 2b to vCenter 8 Update 3.

  • Confirm that you have a backup and click Next.
  • Click on Upgrade Plug-in to upgrade the vCenter Server Life-Cycle Manager plug-in.
Read more
IT
How ToUpdateUpgradeVCSAVMware

I’m Going to VMware Explore
by

I am very excited about VMware Explore this year, as it will be my first time at VMware Explore and the first large tech conference I’ve attended in person.

VMware Explore is a conference about VMware products that VMware (technically Broadcom now) organizes. It used to be known as VMworld, but in 2022, it was renamed VMware Explore. VMware Explore usually takes place in Las Vegas and Barcelona.

The VMware Explore event that I am attending takes place from August 26th to August 29th in Las Vegas. What’s really cool about VMware Explore is that it covers a wide range of topics, from entry-level to very technical. One of the items at VMware Explore that I’m excited about is the hands-on labs, which will allow me to play with some of the VMware products I’ve only read about.

I’m eager to learn more about VMware Cloud Foundation, Tanzu Kubernetes, NSX, and so much more. I’m also very excited to network with other like-minded people and nerd out about all the technical things. I will also be able to meet other vExperts with whom I’ve only spoken with online.

There are over 400 sessions at VMware Explore, and here are a few of the sessions I plan on attending.

Read more
IT
vExpertVMwareVMware Explore

vCenter ESXi Config Backup Script
by

When using VMware vCenter, you may only occasionally need a configuration backup of each VMware ESXi host. However, there are some situations where having a config backup of each ESXi host is nice to have.

I didn’t want to back up each ESXi host manually, as it doesn’t scale well. Instead, I created a PowerShell script called vCenter ESXi Config Backup to do everything for me.

You can find the script on my GitHub. https://github.com/thedxt/VMware#vcenter-esxi-config-backup

Prerequisites

How It Works

The vCenter ESXi config backup script connects to VMware vCenter, uses vCenter to connect to each ESXi host, and takes a configuration backup for each host. Because the script uses vCenter, you don’t need to enable SSH on any of the ESXi hosts for the backup to work.

By default, the vCenter ESXi config backup script assumes you are not connected to vCenter and will prompt you to connect to vCenter. You can suppress this behavior if you are already connected to vCenter by setting the optional parameter named connected to the value of Yes.

The script checks to see if the backup folder you defined exists. If the folder does not exist, the script will create it.

Next, the vCenter ESXi config backup script enumerates all of the ESXi hosts in vCenter, it connects to each one and takes a configuration backup. The script outputs the backup into the folder you defined.

Read more
ITScripts
BackupsESXiPowerCLIPowerShellScriptVCSAVMware

UniFi Network Application MongoDB Upgrade
by

If you have been using the UniFi controller for a very long time, there’s a chance you are running an older version of MongoDB. When Ubiquiti released version 8.1 of the UniFi network application server, they finally bumped up the supported MongoDB version from 4.4 to 7.0.

The MongoDB upgrade path only supports jumping one major version at a time, and some manual steps are needed. Yes, you could take a settings-only backup and reroll the whole setup, but where’s the fun in that?

In this post, I will show you step-by-step how to upgrade the Mongo database version from 4.4 to 7.0 for the Unifi network application server running on docker.

Prerequisites

  • Backup your UniFi config. My blog post, UniFi Network Server Settings Backup and Export, covers how to do this.
  • Running UniFi network application version 8.1 or newer.
  • The service name of the MongoDB for UniFi from your docker compose file.
  • The container name of your MongoDB for UniFi.

The Process

The entire process revolves around docker exec as we will execute commands directly into the Mongo database container.

You can follow this process on other UniFi controller setups that aren’t done with docker. However, I’ve only validated the process with on a docker setup, but the command structure would be similar.

To be extra safe during this process, I will bring down my UniFi docker stack and only bring up my UniFi database container.

I will run the command docker compose down to bring the UniFi controller offline. This helps ensure the UniFi network application doesn’t try to write to the database while the database is upgrading.

  • Bring up the MonogoDB container for UniFi with the following command. Replace Mongo_Service_Name with the service name for MongoDB from your docker compose file. sudo docker compose up Mongo_Service_Name -d

If you are using my docker compose setup from my blog post, UniFi Network Server with Docker, the MongoDB service name will be unifi-net-app-db

For me, the command will be sudo docker compose up unifi-net-app-db -d

Before starting any upgrades, let’s double-check which version of MongoDB is installed and what the compatibility level is currently set to. We will do that by using the MongoDB shell with the command mongo. We will tell Mongo that we will provide some commands from which we want the output by using the argument eval followed by our commands.

The command to check which version of MongoDB we are running and what our compatibility level is set to is the following command db.adminCommand( { getParameter: 1, featureCompatibilityVersion: 1 } )

To run this against our Mongo docker container, we will use docker exec with a shell command followed by the mongo shell commands we want to run.

  • Run the following command to check what MongoDB version is running. Replace Mongo_Container_Name with the name of the MongoDB container that you are using with UniFi. sudo docker exec Mongo_Container_Name sh -c 'mongo --eval "db.adminCommand( { getParameter: 1, featureCompatibilityVersion: 1 } )"'

For me, the command looks like

sudo docker exec unifi-net_DB sh -c 'mongo --eval "db.adminCommand( { getParameter: 1, featureCompatibilityVersion: 1 } )"'

Your output should be something like this

MongoDB server version: 4.4.29
{ "featureCompatibilityVersion" : { "version" : "4.4" }, "ok" : 1 }

The output above confirms that we are running MongoDB 4.4, and our feature compatibility is set to the same version.

If you get an error that mongo is not found, this is due to running a newer version of MongoDB that no longer supports the mongo command as that command has been deprecated in newer versions.

The replacement command for mongo is mongosh. However, the output differs from the old mongo command when gathering the compatibility levels.

Read more
IT
DockerHow ToMongoDBNetworkingSelf-hostedUniFiUpgrade
theDXT on GitHub
theDXT on X (Twitter)
theDXT on YouTube