Azure AD Connect
121 Topics
Entra Connect AutoUpdate Issues [Solved]

Hi, We're using the latest version of Entra Connect. Is it common for it to do an AutoUpdate check every night? Lately we have been getting an alert that the sync service is down and then it recovers. The emails are 30 mins apart, which I think is the default check time? It seems to do an AutoUpdate check and then the sync service will briefly stop; we get these errors and then it recovers:

Azure AD Connect Upgrade - 904
Password Reset Services - 31034

It does seem to fix itself, so it's more of an annoyance, but I'm still curious if it is meant to check every night?
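The checks a practitioner would run before answering this, as an added example that is not part of the original post or of Entra Connect itself: read the AutoUpgrade state and scheduler settings with the ADSync cmdlets, then line up the two event IDs the poster quotes against Service Control Manager stop/start events for the ADSync service. It assumes the ADSync module that ships with Entra Connect is present, that events 904 and 31034 are written to the Application log, and that a 24-hour window covers the nightly check.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session on
# the Entra Connect server. Assumptions: the ADSync module that ships with Entra Connect
# is present, the 904/31034 events quoted in the post land in the Application log, and
# a 24-hour window is wide enough to catch the nightly check.
Import-Module ADSync -ErrorAction Stop

function Get-ConnectUpgradeState {
    # Get-ADSyncAutoUpgrade returns Enabled, Disabled or Suspended; the scheduler object
    # exposes the effective sync interval and whether the cycle is currently suspended.
    $sched = Get-ADSyncScheduler
    [pscustomobject]@{
        AutoUpgrade        = Get-ADSyncAutoUpgrade
        SyncCycleEnabled   = $sched.SyncCycleEnabled
        SchedulerSuspended = $sched.SchedulerSuspended
        EffectiveInterval  = $sched.CurrentlyEffectiveSyncCycleInterval
        NextCycleUtc       = $sched.NextSyncCycleStartTimeInUTC
        ADSyncService      = (Get-Service -Name ADSync).Status
    }
}

function Get-UpgradeTimeline {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # The two event IDs named in the post, plus Service Control Manager 7036 (service
    # entered the running/stopped state) filtered to the sync service, sorted into one
    # timeline so the brief stop can be compared with the time of the upgrade check.
    $upgrade = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 904, 31034; StartTime = $since } -ErrorAction SilentlyContinue)
    $svc = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Azure AD Sync|ADSync|Microsoft Entra' })
    $upgrade + $svc | Sort-Object TimeCreated | ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Log      = $_.LogName
            Id       = $_.Id
            Provider = $_.ProviderName
            Summary  = ($_.Message -split "`r?`n")[0]
        }
    }
}

Get-ConnectUpgradeState | Format-List
Get-UpgradeTimeline | Format-Table -AutoSize
```

If AutoUpgrade reports Enabled, a nightly check is expected behaviour; `Set-ADSyncAutoUpgrade -AutoUpgradeState Disabled` turns it off, after which upgrades have to be applied by hand. Whether the 7036 stop/start pairs actually coincide with the 904 events is what the timeline shows, and that is the evidence to attach to a support case rather than the two monitoring e-mails alone.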
Disabling Directory Sync for Hybrid - Overthinking?

Hi all, I am at the finish line for decommissioning On-Prem AD and moving from our Hybrid environment to managing our identities in Entra. About to cut off the Directory Sync. Weirdly, I couldn't find a concrete answer to this question online, but I might just be overthinking this.

**Devices are Entra enrolled + Intune Managed, NOT Domain Joined.**

User profiles that originate from On-Prem AD on the endpoints still show as DOMAIN\username. User profiles that originate from the Cloud on the endpoints show as AzureAD\[email address removed for privacy reasons].

What happens to these On-Prem User Profiles when we disable Directory Sync? Do they change over auto-magically to "AzureAD\[email address removed for privacy reasons]" on the endpoints? Am I missing something here? Thanks in advance.
Enable MFA method

Dear all, currently in our company the authentication methods policy > Microsoft Authenticator defaults to "Any", i.e. either "Passwordless" or "Push". It is possible to enable the following authentication method through a Conditional Access policy; currently it is enabled for some users.

Desired authentication method:

The current method is as follows:

Can it be enabled for professional accounts, or is it only focused on personal accounts? Thanks in advance.
Entra hybrid join issue caused maybe by 2 M365 accounts

Hello everyone, one of my colleagues had 2 Microsoft 365 accounts on his notebook when we tried to do the procedure to hybrid join his device; I suppose the other account gives us problems in the procedure. Now there is only one account, even if I can see in the event log (in the AAD log) that there is an error and 2 warnings bound to the old account. However, I tried to repeat the procedure, but without any luck. What I see that is different from the other devices, if I run dsregcmd /status, is in these 2 lines:

DisplayNameUpdated : YES
OsVersionUpdated : YES

while on other devices I see:

DisplayNameUpdated : Managed by MDM
OsVersionUpdated : Managed by MDM

We all have a Microsoft 365 Business subscription, and the configuration and steps for the other devices were:

- All devices were Entra registered by the user; we started with this when we had only the Microsoft 365 Basic subscription
- We enrolled all devices, with group policy, in MDE when we upgraded to Business
- Installed Azure AD Connect
- Users sync
- Devices sync

So, in the Entra portal we first have only the entry for registered, then when we synced the devices we have a second entry with hybrid registered, and finally only one entry with the Owner, MDM and Settings fields filled with correct data; for example, when I hybrid join a device, initially in the row I see MDE as MDM, then when the hybrid and registered entries compose one row I see Intune in that field. For the device that gives us problems, I see a row like this in the Entra portal, while in Intune it looks different. Any help is greatly appreciated.
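To compare the problem device with a working one without eyeballing the whole `dsregcmd /status` dump, the following added example (not from the original post) parses the `Key : Value` lines into a hashtable and evaluates the fields that matter for a hybrid join, including the two the poster singles out. The field names are the ones dsregcmd prints on current Windows builds; the expected values for DisplayNameUpdated and OsVersionUpdated are what the poster reports on the working devices, not a Microsoft requirement, and the sample output embedded below is constructed to resemble the problem device.

```powershell
# Added example (not from the original post). Parses the "Key : Value" lines that
# dsregcmd /status prints and evaluates the fields relevant to a hybrid join. Expected
# values for DisplayNameUpdated/OsVersionUpdated come from the poster's working devices.
function Get-DsregStatus {
    param(
        # Pass captured output for offline comparison; defaults to running dsregcmd locally.
        [string[]]$Lines = (& dsregcmd.exe /status)
    )
    $state = @{}
    foreach ($line in $Lines) {
        # Lines look like "   AzureAdJoined : YES"; section banners and blanks have no colon.
        if ($line -match '^\s*([A-Za-z0-9_\-\s]+?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1].Trim()] = $matches[2]
        }
    }
    return $state
}

function Test-HybridJoinState {
    param([hashtable]$State)
    $checks = [ordered]@{
        'Hybrid joined (AzureAdJoined=YES and DomainJoined=YES)' =
            ($State['AzureAdJoined'] -eq 'YES' -and $State['DomainJoined'] -eq 'YES')
        'Primary Refresh Token present (AzureAdPrt)'      = ($State['AzureAdPrt'] -eq 'YES')
        'MDM enrollment URL populated (MdmUrl)'           = -not [string]::IsNullOrWhiteSpace($State['MdmUrl'])
        'DisplayNameUpdated reads "Managed by MDM"'       = ($State['DisplayNameUpdated'] -eq 'Managed by MDM')
        'OsVersionUpdated reads "Managed by MDM"'         = ($State['OsVersionUpdated'] -eq 'Managed by MDM')
    }
    foreach ($k in $checks.Keys) {
        [pscustomobject]@{ Check = $k; Pass = $checks[$k] }
    }
}

# Constructed sample resembling the problem device described in the post (not real output).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 00000000-0000-0000-0000-000000000000
        DisplayNameUpdated : YES
          OsVersionUpdated : YES
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                    MdmUrl : 
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@ -split "`r?`n"

Test-HybridJoinState -State (Get-DsregStatus -Lines $sample) | Format-Table -AutoSize
# On the real device: Test-HybridJoinState -State (Get-DsregStatus)
```

Run it on both the problem device and a healthy one and diff the two tables; an empty MdmUrl together with the two `YES` values is a different picture from a device that is hybrid joined but simply has not yet completed Intune enrollment, and the table makes that distinction before anyone re-runs the join procedure.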
Entra Private Access Licensing

I'm a bit stuck trying to figure out what licensing we need to get us working on BYOD devices such as iPads if we want to use the Private Access part of Global Secure Access. A few places on Microsoft's website mention that as long as we have an Entra ID P1 or P2 license and a Private Access license assigned to a user, we should be able to enrol mobile devices without any issues. However, when I try to sign into MS Defender on an iPad (tried 2 different ones), I get an error saying "invalid license". One of the users I am currently testing with has an Office 365 E3 license assigned as well. Where am I going wrong?
Migration to Cloud Sync (passwords)

We want to migrate from AAD Connect Sync to Cloud Sync. When provisioning new users we could use temporary passwords in AAD Connect Sync, through this feature:

Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true

Is this feature still available in Cloud Sync? If not, what is the workaround?
Entra ID Connect Sync - Issue Updating the SQL 2019 Local DB

Hello, Does anyone know how to patch/update the SQL Server 2019 LocalDB utilised by Microsoft AD Connect / Entra Connect? We have identified vulnerabilities in the version of SQL 2019 LocalDB used by Microsoft Entra Connect. The trace file in C:\ProgramData\AADConnect shows the following version:

Package=Microsoft SQL Server 2019 LocalDB , version=15.0.4138.2 (CU11)

We are attempting to update this local database to version 15.0.4415.2 (CU30), using the following package: https://www.microsoft.com/en-us/download/details.aspx?id=100809

However, when we run the package it cannot identify the SQL Server 2019 LocalDB server instance. There is a message stating:

"The version of SQL Server instance Shared Component does not match the version expected by the SQL Server update. The installed SQL Server product version is 11.4.7001.0, and the expected SQL Server version is 15.0.2000.5"

The version it references is SQL Server 2012; however, the logs show the database as SQL 2019, and the database instance name within the Entra Connect / AD Connect agent includes 2019. I have attempted leaving the service running, manually starting the database instance, running as admin, and running the package via command prompt targeting the instance. Any insight would be greatly appreciated. Many thanks.
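Before arguing with the CU installer it helps to know which LocalDB components are really on the box and which engine build the ADSync instance is running. The following added example (not from the original post or from Entra Connect) lists every LocalDB version registered in the registry, queries the running instance for its product version and update level over the LocalDB shared-instance connection string, and pulls the version line from the installer trace. It assumes the shared instance is named `ADSync2019` (the post says the name includes 2019; older installs used `ADSync`) and that the caller has rights to open it.

```powershell
# Added example (not from the original post). Inventories the LocalDB versions registered
# on the Entra Connect server and reports the engine version the ADSync instance is
# actually running, so the component the CU installer complains about (11.4.x is the SQL
# Server 2012 line) can be told apart from the 2019 engine the trace file reports.
# Assumptions: the shared LocalDB instance is named "ADSync2019" and the caller may open it.
param(
    [string]$InstanceName = 'ADSync2019',
    [string]$TraceDir     = 'C:\ProgramData\AADConnect'
)

function Get-InstalledLocalDbVersions {
    # Each side-by-side LocalDB version registers a subkey here (11.0 = 2012, 15.0 = 2019).
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server Local DB\Installed Versions'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Version         = $_.PSChildName
            InstanceApiPath = $p.InstanceAPIPath
            ParentInstance  = $p.ParentInstance
        }
    }
}

function Get-RunningLocalDbVersion {
    param([string]$Instance)
    # "(localdb)\.\<name>" addresses a *shared* LocalDB instance, which is how Entra Connect
    # exposes its ADSync database; System.Data.SqlClient ships with Windows PowerShell.
    $cs   = "Data Source=(localdb)\.\$Instance;Integrated Security=True;Connect Timeout=15"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('ProductVersion')     AS nvarchar(32)) AS ProductVersion,
       CAST(SERVERPROPERTY('ProductUpdateLevel') AS nvarchar(32)) AS UpdateLevel,
       CAST(SERVERPROPERTY('Edition')            AS nvarchar(64)) AS Edition
"@
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            [pscustomobject]@{
                Instance       = $Instance
                ProductVersion = $r['ProductVersion']
                UpdateLevel    = $r['UpdateLevel']
                Edition        = $r['Edition']
            }
        }
    } finally { $conn.Dispose() }
}

function Get-TraceReportedVersion {
    param([string]$Dir)
    # The installer trace records the LocalDB package it shipped, e.g. "version=15.0.4138.2 (CU11)".
    Get-ChildItem -Path $Dir -Filter 'trace-*.log' -ErrorAction SilentlyContinue |
        Select-String -Pattern 'Package=Microsoft SQL Server \d{4} LocalDB.*version=[\d.]+' |
        Select-Object -Last 1 -ExpandProperty Line
}

Get-InstalledLocalDbVersions | Format-Table -AutoSize
Get-RunningLocalDbVersion -Instance $InstanceName | Format-List
Get-TraceReportedVersion -Dir $TraceDir
```

If the registry listing shows an `11.0` entry next to `15.0`, the 11.4.7001.0 component the installer found is a separate SQL Server 2012 LocalDB version left on the machine, not the engine behind `ADSync2019`; the `ProductVersion`/`UpdateLevel` returned by the query is the build the vulnerability scanner should be compared against. The CU installer's own `Summary.txt` under `C:\Program Files\Microsoft SQL Server\150\Setup Bootstrap\Log` names the component that failed its version check.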
Microsoft Entra Hybrid Join Issue Despite Setting Up All Essentials

I'm facing an issue where my client computer is unable to join Hybrid Azure AD, even though I've already set up all the essential steps. I downloaded the Microsoft Entra Connect Sync tool from the official site and did all the necessary steps, including configuring the SCP (Service Connection Point). Our main server is in New York and our branch office is in the Asia region; I want all of my office PCs to be Microsoft Entra Hybrid Joined in order to apply some Conditional Access policies. Despite these setups, the device fails at the discovery phase, and I can't figure out what's missing. This is what it says when I try to manually add the client PC:

TenantInfo::Discover: Failed reading registration data from AD. Defaulting to autojoin disabled 0x800706ba
DsrCmdJoinHelper::Join: TenantInfo::Discover failed with error code 0x801c001d.

Has anyone encountered a similar issue? Any guidance or troubleshooting tips would be greatly appreciated. Thanks!
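0x800706ba is HRESULT for RPC_S_SERVER_UNAVAILABLE, which is why the message says it failed reading registration data from AD: the client never got an answer from a domain controller while trying to read the SCP, a common outcome when a branch site can only reach the DC through a restricted WAN path. The following added example (not from the original post) repeats the discovery steps by hand on the failing client: locate a DC, probe the ports hybrid join depends on, then read the device-registration SCP from the configuration naming context with the plain ADSI accelerator so no RSAT install is needed. The SCP container GUID is the documented well-known value; no other environment details are assumed.

```powershell
# Added example (not from the original post). Run on the client that logs 0x800706ba.
# Step 1 locates a DC, step 2 probes Kerberos/LDAP/SMB on it, step 3 reads the SCP the
# same way TenantInfo::Discover does. The SCP container GUID below is the well-known one.
function Get-HybridJoinDiscoveryDiagnostics {
    $r = [ordered]@{}

    # Step 1: DC locator. nltest returns non-zero when no DC can be found from this network.
    $nl = & nltest.exe /dsgetdc: 2>&1
    $r.DcLocated = ($LASTEXITCODE -eq 0)
    $r.DcLocator = (($nl | Where-Object { $_ -match 'DC:|Address:|Dom Name:' }) -join ' ').Trim()

    try {
        # Step 2: bind to RootDSE and probe the DC that answered.
        $root   = [ADSI]'LDAP://RootDSE'
        $dcHost = [string]$root.dnsHostName
        $r.DcHost = $dcHost
        foreach ($port in 88, 389, 445) {
            $t = Test-NetConnection -ComputerName $dcHost -Port $port -WarningAction SilentlyContinue
            $r["Tcp$port"] = $t.TcpTestSucceeded
        }

        # Step 3: read the SCP. Its keywords carry "azureADName:<tenant>" and "azureADId:<guid>".
        $cfgNc = [string]$root.configurationNamingContext
        $scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$cfgNc"
        $scp   = [ADSI]"LDAP://$scpDn"
        $kw    = @($scp.keywords)
        $r.ScpDn         = $scpDn
        $r.ScpFound      = ($kw.Count -gt 0)
        $r.ScpTenantName = (($kw | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', '') -join ','
        $r.ScpTenantId   = (($kw | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', '')   -join ','
    } catch {
        # Record the failing step's message instead of throwing, so the partial results survive.
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

Get-HybridJoinDiscoveryDiagnostics | Format-List
```

Two caveats when reading the output. The Automatic-Device-Join task runs as SYSTEM, so a check that passes in an interactive session can still fail for the join; repeat it under SYSTEM (for example with `psexec -s`) if the user-context run looks clean. And if the branch site cannot reach a DC for the SCP read at all, Microsoft's documented alternative is to place the tenant name and ID on the client under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD` (values `TenantName` and `TenantId`), which discovery consults before the forest SCP.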
API-driven provisioning field mapping changes resynchronize all users and groups

We have configured API-driven provisioning for on-premises Active Directory, along with Azure AD Connect, to synchronize on-premises AD users with Azure Entra ID. As part of the provisioning setup, we have used a separate Organizational Unit (OU) in on-premises AD (designated as the default OU for new users) while configuring API-driven provisioning. We are attempting to make some changes to the API field mapping, specifically the 'UserPrincipalName' regular expression (custom domain) and the 'manager' field, and saving the configuration. Upon attempting to save, a prompt appears (as highlighted in the screenshot below), indicating that this action will resynchronize all users and groups.

Could you please clarify:

- Will this resynchronization update any existing users outside the default provisioning Organizational Unit (OU)?
- Specifically, what does the resynchronization operation update? For instance, will it modify the 'UserPrincipalName' and 'manager' attributes for all users, including old users outside of the provisioning Organizational Unit (OU)?

Screenshot - While Saving Mapping.
Entra Hybrid Join - Problems with Server 2016 and userCertificate

Dear Community, I am having some trouble with the hybrid join of a group of servers (Windows Server 2016). The basic problem is that Windows is not creating the required self-signed certificate, and therefore the AD attribute "userCertificate" is empty. As we know, while it is empty, the objects are not getting synced to Entra ID (A Mobile Attempt: Azure AD Hybrid Join and the UserCertificate Attribute). And I can't find out why this certificate is not created. As mentioned, it affects only some Server 2016, which are our RDS Terminal Servers. All other Windows Servers and clients are successfully synced and have a userCertificate (including other Server 2016). All our servers are VMs, based on VMware.

Some more words about these RDS Servers:
- They are cloned from a VMware template
- The deployment process is as follows:
  o On a Master VM we install all updates / software
    - It is domain joined and has a userCertificate
  o The Master VM gets converted into a VMware template
  o New RDS TS are created from this template
    - With a configuration to reset the SID and automatic domain join
    - They have no userCertificate

Test lab for troubleshooting
I created some new VMs to test and verify the behavior. Here is what I did:
- Installed a new Windows Server 2016 VM from DVD
- Installed all latest updates
- Converted it into a VMware template -> Srv2016_Template
  - This should be my new template for Server 2016
- Created a new VM from this template: Srv2016RDSMaster
  - Used a configuration to generate a new SID and automatic domain join
  - This should simulate my Master template for new Terminal Servers
  --> It has a "userCertificate" in its AD object
- Converted it into a VMware template
- Created a new VM from this template: Srv2016RDS01
  - Used a configuration to generate a new SID and automatic domain join
  --> It has no "userCertificate" in its AD object

Troubleshooting steps

Networking
- No proxy, direct Internet
- No DENY on our firewall -> Internet available
- Verified that these URLs are accessible:
  https://enterpriseregistration.windows.net
  https://login.microsoftonline.com
  https://device.login.microsoftonline.com
  https://autologon.microsoftazuread-sso.com

Active Directory and Infrastructure
- The Service Connection Point (SCP) is set in the forest and has the tenant name and ID (otherwise no computer would be synced)
- GPOs are not linked to the OU in which the computers are

Local troubleshooting on the VM
- The Scheduled Task for "Workplace Join" is enabled and runs
- dsregcmd /status
- Event Log: "Applications and Services Logs" -> "Microsoft" -> "Windows" -> "User Device Registration"
  - Two errors, each time the Workplace Join task starts:

Sysprep
- Also tried a sysprep on the VM, rebooted, manually joined it to AD --> Still no userCertificate
- Tried the same again and also deleted the AD object --> Still no userCertificate

Activated TLS 1.2
- Enable TLS 1.2 on servers - Configuration Manager | Microsoft Learn -> no effect

Articles I read and verified
- Plan your Microsoft Entra hybrid join deployment - Microsoft Entra ID | Microsoft Learn
- Configure Hybrid Azure AD Join - Everything you need to know
- A Mobile Attempt: Azure AD Hybrid Join and the UserCertificate Attribute
- Troubleshoot Microsoft Entra hybrid joined devices - Microsoft Entra ID | Microsoft Learn

My conclusion
I guess it has something to do with Server 2019. Why I am saying this: I have tested the same setup with an old, existing Server 2019 template (created "Master VM" -> converted into template -> created VM from this template) --> all VMs have userCertificates in their AD object.

So I would be glad if someone has ideas about it. Thanks, Chris
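The two places this symptom can be measured are the AD computer objects (does `userCertificate` exist, and what does the certificate say) and the affected server itself (did the Automatic-Device-Join task run, and what did the User Device Registration log record). The following added example (not from the original post) covers both: `Get-HybridJoinCertState` runs from any machine with the ActiveDirectory RSAT module and lists the Server 2016 computers in an OU with and without the attribute, decoding the subject of the certificate where one exists; `Get-LocalDeviceRegistrationState` runs on the affected server and reports the task result plus recent errors and warnings from the registration log. The OU distinguished name and the 14-day window are assumptions made for the example.

```powershell
# Added example (not from the original post). Two checks for the empty-userCertificate
# symptom: an AD-side inventory of which Server 2016 computers in an OU carry the
# attribute, and a local check of the Automatic-Device-Join task and its event log on the
# affected server. The OU DN and the 14-day window are assumptions for the example.
param(
    [string]$SearchBase = 'OU=RDS,OU=Servers,DC=contoso,DC=com'   # assumed OU
)

function Get-HybridJoinCertState {
    param([string]$SearchBase)
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2016*"' -SearchBase $SearchBase `
                   -Properties userCertificate, OperatingSystem, LastLogonDate |
        ForEach-Object {
            $certs = @($_.userCertificate)
            # The join task writes a self-signed certificate whose subject CN is the device ID;
            # decoding it shows whether the value is that certificate or something stale.
            $subject = $null
            if ($certs.Count -gt 0) {
                $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$certs[0])
                $subject = $x509.Subject
            }
            [pscustomobject]@{
                Name        = $_.Name
                OS          = $_.OperatingSystem
                LastLogon   = $_.LastLogonDate
                HasUserCert = ($certs.Count -gt 0)
                CertSubject = $subject
            }
        }
}

function Get-LocalDeviceRegistrationState {
    param([int]$Days = 14)
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
    $info = if ($task) { Get-ScheduledTaskInfo -InputObject $task }
    # Level 2 = Error, 3 = Warning in the User Device Registration admin log the post refers to.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-User Device Registration/Admin'
            Level     = 2, 3
            StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue) |
        Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    [pscustomobject]@{
        TaskState    = if ($task) { $task.State } else { 'task not found' }
        LastRunTime  = $info.LastRunTime
        LastResult   = $info.LastTaskResult
        RecentEvents = $events
    }
}

Get-HybridJoinCertState -SearchBase $SearchBase | Format-Table -AutoSize
Get-LocalDeviceRegistrationState | Format-List
```

Run the local function on the master VM and on a freshly cloned RDS server and compare the event IDs; the two errors the poster sees at each task start are what to quote when searching or opening a case. After any change, `Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'` re-runs the registration immediately, the AD-side inventory shows whether `userCertificate` was written, and Entra Connect picks the object up on its next sync cycle only once that attribute is present.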