@@AndyMaloneMVP I just finished the exam and I PASSED!!!!!!! I am so excited. I couldn't have done it without your videos! Well, a lot of other videos too, but your one of the ones I come back to. Others not so much.
Thank you for the concise walkthrough and demonstration. I am looking at CA for our tenant now - the report-only option is a god send! I'd like to learn a bit more around this - what certification path(s) do you recommend? Thanks.
Hi thanks for your question. To be honest the conditional access reporting only feature is a minor thing. You can read more about it on docs.microsoft.com. It’s essentially a try before you buy tool, in addition to this you can also use the what if tool in conditional access. In terms of certificating this is covered in the MS 100 exam as well as the SC 300 exam. Thanks again for reaching out and all the best, Andy
You’re very welcome. I’d advise you to take a look at some of the newer conditional access videos. There’s been a few changes recently including the introduction of templates and dynamic device rules which are really interesting. Thanks for reaching out and all the best, Andy
Thank you!! I have a process question for you. If I walk into an environment of about 80 users and nobody has really been compliant with password resets, some users haven’t reset since 2016. How would you go about writing a script that forces password resets, but doesn’t lock the users out. Furthermore, all of the users have different ways of logging in summer VPN summer in the office on the domain and they are a hybrid location, so they have on premise domain along with hybrid to office 365. What procedure would you follow to make sure the users all do password resets and become compliant so I can turn on multi factor authentication and set a 90 day password reset procedure and default group policy?
You wouldn’t need a script. Simply create a conditional access policy, assuming all your machine is a hybrid joined of course. More details on this can be found at docs.microsoft.com
Hi Andy, @ work we keep gettin an Error you cant get there from here, the reason for that is that our PC's do not register on Intune or AAD very quickly, as we have Hybrid environment any suggestions or pointers
Hmmm this sounds like a conditional access problem. Conditional access is one of the only reasons to retain AD Joined devices. Of course when connected via Azure AD connect Are hybrid devices and cannot be managed via Intune. The other thing that could be causing this problem is a conditional access policy which has been set against an administrator role. I’m generally means that the admin function that you’re trying to perform can only be performed on a specific machine, or from a specific location. At least that is what it looks like to me. If you continue to have problems I would probably reach out to Microsoft and place a support call. I hope you get to the bottom of it thanks again. Re your text message. Unfortunately as I said on my website I cannot accept personal support requests. One thing to remember hybrid devices cannot be managed by Intune. They are managed to by AD Group policy, or system centre config manager. If my tips here don’t resolve your issue I would post a question on the Microsoft tech community or seek assistance from Microsoft support. The Best of luck, Andy
Thank you for great CA demonstration. Can I use my own OIDC enabled IDP (based on IdentityServer4 or OpendIddic) instead of DUO MFA? When I create a Custom Control with my IDP credentials, and authenticate the user, I get the error "AADSTS50172: External claims provider ddacd392-67fa-46cc-9aab-60592d9c0c06 is not approved." Does this mean that such a solution with custom 3th party credentials provider is not supported in Azure? Or do I need to make additional settings?
Hi there thanks for reaching out. Yes Microsoft azure does fully support OIDC However you have a pretty specific error cod e, And as such I would strongly recommend that you place a Support call with Microsoft. One question comes to mind is what version of Azure a D are you working with? As if you are working with a non-premium version, this may cause problems. Have you tried sending in a support ticket for this? They are very good and I’m sure someone can help you. Thanks again for dropping by, and the very best of luck.
