Forum Widgets
Latest Discussions
Repost: Make quick assist run as admin
Question: We need to be able to use Quick Assist in Windows 10 to do some administrative tasks, but if the end user initiates the Quick Assist session then the remote admin is limited to only what the end user has access to. Is there any way we can start Quick Assist as an administrator or elevate it to admin level during the Quick Assist session? Response: Quick Assist is my preferred application to resolve all technical issues remotely. It also allow me to Run as Administrator to install and configure hardware/software but there are few steps required as mentioned below: Run CMD at end-user's computer Type the below command: runas /user:domain\administrator cmd *domain will be any domain of your organization *administrator can be any administrator login. If domain is not available type the below command in cmd. runas /user:local_user cmd Put the admin password. Now you have successfully launched cmd in administrator mode, you can run the below tasks. x:\MicrosoftEdgeSetup.exe (for software installation, where x is any drive letter from your computer). appwiz.cpl for installing or uninstalling program. services.msc (Run or Stop a service) devmgmt.msc (Device Manager, to install/uninstall or upgrade the device driver) diskmgmt.msc (Disk Management) compmgmt.msc (Computer Management) regedit (Registry Editor) Above mentioned are just example, you can use the number of commands as per your requirement.Repost: Authenticator app isn't receiving notifications to approve log in on my laptop
Question: I have been trying to log in to my Microsoft account on my new laptop. I have previously used the 2-factor identification method on my old laptop, however, it doesn't seem to be working for my new laptop. When it says it has sent a notification to approve on the authenticator mobile app, nothing is coming up to approve on my mobile so i am making no progress. I also cannot find a code to enter on my laptop from the app. There is no QR code to scan on my laptop using the authenticator app. I don't know what to do and it is extremely frustrating because I cannot access anything, emails etc. Would be very grateful for some help. Response string: This sounds rather like a problem of the Authenticator app on the mobile it is not the laptop which stores any MFA information, the account setting at account.microsoft.com (or the security settings for the Microsoft Accounts set in there) triggers MFA, regardless from which machine you access those. Generally, when the message appears that a notification was send to the mobile device, there should be an option to use different verification method, which allows to also choose to enter a 6 digit token that is displayed for this account in the MS Authenticator app. Also it might show options to use another email address or phone number. Doing a new MFA registration in the authenticator app (showing the AR code) is only possible when you can access account.microsoft.com and log in using MFA - if you can't the dialogue usually also shows an option reset MFA, then you have to enter additional information to verify your identity. This does not sound like a problem specific to CSP Partners where this community is set up for, but more like a problem with a personal Microsoft Account outside of the scope of this forum. You can review guidance on how to set up MFA for personal accounts here: Microsoft account security info & verification codes - and at the end of the article you find links to the correct community and support options. Finally there is also an option to reset password and security information all together: Recover your account (live.com) Response: My MS Authenticator app does not show any 6 digit one-time-tokens. It shows 8 digit one time passwords. Also, my MS Authenticator does not receive any notifications. There is no help available anywhere, and there seems to be no way to "reset" this security information. Response: 8 digit one-time passwords are for personal Microsoft accounts, not work accounts, so you confirmed that your issue is not reg. CSP Partner security requirements where this community is meant for. I would suggest you contact Microsoft support directly - Contact Us - Microsoft Support - if you can't get access to a browser where you can log in to account.microsoft.com and use the available options to reset your authentication methods. Response: Have personal and work Authenticator use. Azure side(work) never sends notification to authenticator. Therefor cannot use any of my work related phone apps which is literally essential to my job. Personal use works every time. Cant text myself the verification code because the phone number is wrong and I have no idea how to change it. I have my new number on Microsoft account for 2 years now and my work have my new number saved in their system for the same period of time so I have no idea why my old number is in there. I guess i've never noticed this as the notifications have just stopped working recently. Any help would be great here also. Response: If you want to change setting for MFA for a work/school account, go to https://aka.ms/mfasetup and log in with your work account. There is both a setting on if a notification will be send or if the 6-digit code should be used (given the admin of the tenant did not disable certain methods) and an option to change the phone number.
REPOST from Old community | OAuth Refresh token has expired after 90 days
PROBLEM: We have encountered an issue on our live environment: The Multi Factor Authentication does not work anymore. We try to authenticate using an OAuth Refresh Token (this authentication mechanism has been recommended by the Yammer group "Partner Center Security Guidance", which now has been closed). But since today, this authentication does not work anymore, but we get the following error message: invalid_grant: AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2019-01-02T09:19:53.5422744Z and was inactive for 90.00:00:00.: But I am absolutely sure that this refresh token has been successfully used yesterday. The Microsoft documentation https://docs.microsoft.com/en-us/graph/auth-overview says that an OAuth Refresh token should only expired if it has been inactive for 90 days. But our tokens were used. Therefore the tokens should not expire! Why do we now have a live incident? What went wrong? Please not that we are selling in 12 different markets, and therefore have 12 different partner accounts, and therefore 24 different OAuth refresh tokens (one for the live environment and one for the sandbox). Therefore it is not this easy to update the 24 OAuth refresh tokens. What can we do to avoid similar production incidents in the future? We are regularily using the refresh tokens to get new access tokens. We do this using the call "POST /{tenant}/oauth2/token grant_type=refresh_token&refresh_token=..." (see https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code). The response of this call not only contains the access token, but also a new refresh token. At the moment, we ignore the new refresh token that is returned. Should we store and use the new refresh token that is returned by this call, or would the new refresh token also expire at the same time? Does Microsoft offer a way to find out the expiry time or the issued-at-date of a refresh token? RESPONSE TO USER: Please check that you store your token(cache) also after AquireTokenSilent. You will get a new refresh token which you schould use in sequential requests. In my case I did not (correctly) store it, so I used the refresh token which I aquired the first time when I used AquireTokenInteractive. That token will expire after 90 days. There are two authentication flows: a confidentialclient which authenticates the application. The application has access to the resources of your organisation, but you have little control over who uses the software. This is, even for background processes, not workable when you develop your own software for multiple customers (you cannot guarantee that customer 1 might never access data from customer 2). In that case you develop a Public Client where you get access via a user's account via AquireTokenInteractive (that method also supports multifactor authentication and it shows any consentscreen necessary). Once you have access you can use AquireTokenSilent to renew the token. Note that AcquireTokenSilent DOES return a refresh token (valid for 90 days), and you should make sure you store this after every request. The refreshtoken is not visible if you look in the debugger, but it is visible if you use Fiddler to view the raw data (and decode the token). That was in hindside my problem: I created a daemon process for which the interactive flow does not seem logical, and since I had token issues I went for the confidential flow. But there you do not get the consent screens and it does not work with multifactor authentication. My conclusion: if you are developing 3rd party software then even for background (daemon) processes you could (should) use the publicclient flow. There is no problem with the token process: it will continue to work forever once you aquire a token. Only when your software is 'down' for more than 90 days you will need to log in again (and when access for your app is changed from the client's azure account) Relevant links: https://docs.microsoft.com/nl-nl/azure/active-directory/develop/msal-client-applications https://docs.microsoft.com/nl-nl/azure/active-directory/develop/msal-net-acquire-token-silentlyRepost: change region and language settings using group policy
Question: Please share the steps for configuring "region and language settings" using group policy. Response: Something here may help. http://dennisspan.com/configuring-regional-settings-and-windows-locales-with-group-policy/ Response: To set up the Regional settings for multiple users, use the group policy and to the following steps: Launch Group Policy Management, create a new GPO or configure the one you have. See the screenshots. Make all needed settings, and use F6 to confirm the configuration from red to green. Consider having a trustworthy Microsoft office 365 backup software from NAKIVO, as you can never predict a ransomware attack or other issues.Question: How to allow multiple users on Azure VM
Some partners followed the below article and were able to resolve their issue: https://community.dynamics.com/365/b/dynamics365enterprisecloudfronts/posts/setup-simultaneous-remote-login-for-multiple-users Here are a few other responses from community influencers: Comment: This sounds like a scenario where you are hosting an application/service for end customers, e.g. a SaaS offering, but as rich client where RDP protocol is required. The solution is to enable Remote Desktop Services to allow multiple users working simultaneous on a VM. You could either build a RDS farm in Azure yourself, or you use Windows Virtual Desktop as Gateway/broker Service to publish the application, which I would recommend. You need to use WVD with Windows Server-based session hosts though, not WVD with Windows 10 Multi-Session - this is because of licensing reasons. Since you are providing a hosted service, the access of the end customers would need to be licensed via RDS Subscriber Access Licenses (RDS SALs) obtained via SPLA, for hosted scenarios like this there is no other option then to use SPLA licenses because usage of RDS role is not covered with the Windows VM license that Azure offers. Comment: Does not change that you need RDS and the licenses (RDS CALs - or RDS SALS via SPLA when it is about a hosted solution like described by the OP). Since this thread was revived via the new post, and since there were changes, some additional information: You can now also offer Windows Client OS (Windows 10/11 Multisession) in Azure Virtual Desktop as basis for your hosted, custom services/apps, not only Windows Server how I described. This is possible because there is a new licensing options - AVD remote app streaming: What is Azure Virtual Desktop remote app streaming? - Azure | Microsoft DocsConfiguring the Secure App Model for PowerShell / API / Graph scripting with GDAP for Partners
Hi whomever may find this! With the old MS Partner Community Forums going read-only as of March 8th, 2023 I thought I'd post a few useful links here in case someone is searching and unable to post on the old forums. The 2 main GDAP related threads on the old forum that feature info on getting Secure App Model to work with GDAP and the Exchange Online V3 PowerShell module (with the ExO automation App ID: a0c73c16-a7e3-4564-9a95-2bdf47383716 being retired eventually) are: MS Graph/Secure App and GDAP Exch Online V3 and Secure App These are both long threads, lots of info in a meandering kind of way. They disappeared after June 30th, 2023 - so these are links to the Internet Archive's WaybackMachine. But they're how we worked it all out - so useful background. So the best place to find current, step-by-step instructions for getting things to work is this post: My Automations Break with GDAP: The Fix! It appears Nick has collected up all the info from the above 2 links, tested it, and made a fairly complete blog post, so start there. (note: for the ExO V3 stuff you must use the Customer's initial onmicrosoft.com domain for things to work properly) Big thanks to him! Nick has 2 additional posts that may be of interest as well. One on Leveraging APIs for unattended Automation. And one on Updating the GDAP Consents across all your Customers. For some background info you can check out some of these links: The code leverages the The Secure App Model. It can be implemented in PowerShell. Setting it up involves a few steps. But many (most?) of us likely followed Kelvin's post on CyberDrain (or Gavsto has a simple introduction too) ... originally. Though still useful background info these links have lots of outdated info, eg. they still reference Msol and AzureAD commands, but you can still mostly use them to follow along. There's also a post about securely storing secrets, like the RefreshTokens. For CURRENT info, use the link above for GDAP + Secure App Model. Msol/MSOnline doesn't work with GDAP and AzureAD uses the old AzureAD Graph which is also being retired (use MS Graph instead, which works with GDAP). Remember: RefreshTokens are good for 90 days, redeem them for an AccessToken which is good for 60 mins. After 60 mins get another one. Before 90 days are up, get an AccessToken (which always includes a new RefreshToken) and save it instead of the old one. You can repeat that forever. But you may need to restart the process if the account you used initially changes its password - so use a dedicated account. For: Exchange Online and the Exchange Online Management V3 module and you can refer to the posts in this forum, since there are mistakes and omissions in the official MS docs. Main error: use the original .onmicrosoft.com domain as the CustomerTenantID when connecting with Connect-ExchangeOnline If you use their public customer.com or their TenantID (Guid) it will work inconsistently, and you'll have problem writing (reading may work) The Secure App Model mainly uses Delegated permissions, see: App-Only vs Delegated Permissions and there's more info here. Any Graph API calls will list Permissions needed depending on if you're using Delegated or Application, with GET /users/{id} for example. We generally use Delegated since we're accessing on behalf of Customers. You'll need to ensure your Secure App Registration has the required Graph permissions AND so does your customer Consent. Hopefully that helps someone! --Saul [Edited to add the WaybackMachine links and Nick's new posts]
Getting 403: "Insufficient privileges to complete the operation.
Hello Team, When I try to access '' user properties '' for one of the customers I have a relationship with, I get the error message of '' Getting 403: "Insufficient privileges to complete the operation. '' I already have a GDAP relationship with them and an active security group, and i'm a member of that security group, and also my profile is global admin. I can access user properties for all other tenants except for me. any help please.
