
Monday, November 11, 2019

Windows Virtual Desktop - Part 1

This time we will take a look at Windows Virtual Desktop in Azure.

We will connect this cloud solution to our own infrastructure so that we can use on-premises services as well.

In order to make this work we already have a Site-to-Site VPN gateway connection setup to connect our on-premises network to an Azure virtual network, this post will not cover setup of the VPN gateway.

At the same time our Active Directory is connected to Azure AD with Azure AD connect, this part is also not covered by this post.

This post will be part one of a longer series, so hold on.

Let’s get started.

The first thing we need to do is grant Azure Active Directory permissions to the Windows Virtual Desktop server app; you can do this by going to the following link:

Grant permissions to the server app

Log in with your global administrator account.

Accept the permissions requested.

After accepting the permissions you will get a confirmation page.

Now do the same for the Windows Virtual Desktop client app, using this link:

Grant permissions to the client app

Log in with your global administrator account.

Accept the permissions requested.

Again you will get the confirmation page.

In the Azure portal, go to Enterprise applications and search for Windows Virtual Desktop. These two applications were created when we used the two links above.

Select Windows Virtual Desktop.

Go to Users and groups and notice that our administrator account has automatically been assigned the Default Access role. This is not enough, so we need to grant it the TenantCreator role. We will continue to use the same global administrator account for this; click on Add user.

Click on Users and groups.

Select the desired user and then click Select.

Then click Assign.

Our global administrator account has now been granted the TenantCreator role.

Now we need to create the Windows Virtual Desktop tenant. To do this we must use the Windows Virtual Desktop PowerShell module; you can always see the latest version available here: https://www.powershellgallery.com/packages/Microsoft.RDInfra.RDPowershell

Install the latest version with the command:

Install-Module Microsoft.RDInfra.RDPowershell

Then import the module:

Import-Module Microsoft.RDInfra.RDPowershell

Use the command Get-Module Microsoft.RDInfra.RDPowershell to see the currently installed version.

Now sign in to Windows Virtual Desktop:

Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com

Use your account with the TenantCreator role.

In the next step we create a new Windows Virtual Desktop tenant and associate it with our Azure Active Directory tenant:

New-RdsTenant -Name <TenantName> -AadTenantId <DirectoryID> -AzureSubscriptionId <SubscriptionID>

You can find your Azure AD Directory ID in the Azure portal under Azure Active Directory, Properties.

Your subscription ID can be found in the Azure portal under Subscriptions, on the Overview page of the subscription you want to use.

Then choose a name for the tenant and insert the correct values; we will use the name MindcoreLab for the tenant.

New-RdsTenant -Name MindcoreLab -AadTenantId 11111111-1111-1111-1111-1111111111111 -AzureSubscriptionId 22222222-2222-2222-2222-222222222222

We are now ready to create a service principal in Azure Active Directory and assign it a Windows Virtual Desktop role, so stay tuned for part 2.
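As an added example, not the post's own script, here are the tenant-creation steps above combined into one re-runnable PowerShell script: it installs the module only if it is missing, checks that the two IDs are well-formed GUIDs before they are sent to the service, signs in with the account holding the TenantCreator role, and only calls New-RdsTenant when no tenant of that name exists yet. The parameter names, the Get-RdsTenant pre-check and the placeholder GUIDs in the usage comment are my assumptions; the broker URL and the Add-RdsAccount / New-RdsTenant cmdlets are the ones used in the post.

```powershell
# Added example, not the blog's own script: create a Windows Virtual Desktop tenant idempotently.
# Assumptions: Get-RdsTenant -Name returns the tenant when it exists and errors when it does not;
# the GUIDs in the usage line are constructed placeholders, not real IDs.
#
# Usage: .\New-WvdTenant.ps1 -TenantName MindcoreLab `
#            -AadTenantId 11111111-1111-1111-1111-111111111111 `
#            -AzureSubscriptionId 22222222-2222-2222-2222-222222222222
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $TenantName,
    [Parameter(Mandatory)] [string] $AadTenantId,
    [Parameter(Mandatory)] [string] $AzureSubscriptionId,
    [string] $DeploymentUrl = 'https://rdbroker.wvd.microsoft.com'
)

$ErrorActionPreference = 'Stop'

# Reject anything that is not a well-formed GUID before it reaches the service, so a mistyped
# directory or subscription ID fails here instead of binding the tenant to the wrong place.
foreach ($entry in @{ AadTenantId = $AadTenantId; AzureSubscriptionId = $AzureSubscriptionId }.GetEnumerator()) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($entry.Value, [ref] $parsed)) {
        throw "$($entry.Key) '$($entry.Value)' is not a valid GUID"
    }
}

# Install for the current user only when the module is missing; -Scope CurrentUser needs no elevation.
if (-not (Get-Module -ListAvailable -Name Microsoft.RDInfra.RDPowershell)) {
    Install-Module Microsoft.RDInfra.RDPowershell -Scope CurrentUser -Force
}
Import-Module Microsoft.RDInfra.RDPowershell

# Interactive sign-in: use the account that holds the TenantCreator role, nothing more privileged.
Add-RdsAccount -DeploymentUrl $DeploymentUrl | Out-Null

# Create the tenant only if it does not exist yet, so the script can be re-run safely.
$existing = Get-RdsTenant -Name $TenantName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Tenant '$TenantName' already exists; nothing to do."
    return $existing
}

New-RdsTenant -Name $TenantName -AadTenantId $AadTenantId -AzureSubscriptionId $AzureSubscriptionId
Write-Host "Created Windows Virtual Desktop tenant '$TenantName'."
```

The GUID check is the part worth keeping even if you type the commands by hand: New-RdsTenant binds the WVD tenant to whatever directory and subscription IDs it is given, and the portal lookups described above are exactly where a copy-and-paste slip happens.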

Friday, November 1, 2019

Office 365 - problem

On Tuesday we identified a “funny” little thing when using the web version of outlook.

If we invited an internal user to a meeting and that user only had two letters in his alias, the invite failed (xx@domain.com); invitations to internal people with mail addresses that had more than two letters worked without problems.

When we did the invite we saw the following error (One or more attendees have invalid email addresses).

image

As soon as you entered the name it turned red, meaning invalid address.

image

The same problem was seen when you tried to reply to an internal mail from a user with only two letters in the mail address.

I was able to reproduce the same problem on several different tenants, so there was no other way than contacting Office 365 support (around 17:00 Danish time).

Together with support I tested the old version of the web interface and it was working as expected.

We then did a Fiddler trace and saved the HTML code of the pages, and the Escalation Engineer had to do his job; I must admit that I thought it would probably take some time before they returned.

So it was a very positive surprise that the problem was fixed just around noon on Wednesday (Danish time). Unfortunately Microsoft has not reported anything back on the case, which is a little bit strange; I was so ready to give them credit for the quick fix, but let's see what kind of answer they return.

Friday, October 25, 2019

Access to Teams based on our own extension attributes – PowerShell

In the last two posts we looked at extending Azure AD with our own attributes (https://blog.mindcore.dk/2019/10/azure-ad-extension-attributes.html) and how to use this attribute to dynamically grant access to a Microsoft team (https://blog.mindcore.dk/2019/10/access-to-teams-based-on-our-own.html).

This time we will create the team and dynamic group using PowerShell instead.

In order to do this we will need the Teams PowerShell module and the AzureADPreview module.

You can always find the latest version of the teams module here:

https://www.powershellgallery.com/packages/MicrosoftTeams/


To see your currently installed version of MicrosoftTeams use the command:

Import-Module MicrosoftTeams

Get-Module MicrosoftTeams


You can always just uninstall and reinstall the module to be sure you have the latest version (from an elevated prompt):

Uninstall-Module MicrosoftTeams

Install-Module MicrosoftTeams


Please note that I had to use .NET higher than version 4.6 in order to make the module work.

To find the latest version of the AzureADPreview module you can go here:

https://www.powershellgallery.com/packages/AzureADPreview


To see your currently installed version of AzureADPreview use the commands:

Import-Module AzureADPreview

Get-Module AzureADPreview


You can always just uninstall and reinstall the module to be sure you have the latest version (from an elevated prompt):

Uninstall-Module AzureADPreview

Install-Module AzureADPreview


You will need the preview version because otherwise converting to a dynamic group will fail.

With all modules installed let’s import the modules, unless you already did that.

Import-Module AzureADPreview

Import-Module MicrosoftTeams


Then connect to Azure AD and Microsoft Teams:

Connect-AzureAD -AccountId youradmin@mydomain.com

Connect-MicrosoftTeams -AccountId youradmin@mydomain.com

The next step is to create the team:

$team = New-Team -MailNickname "NewTeam" -displayname "NewTeam" -Visibility "private" -Description "My New team"

Then we get the appid used in the extension and change the group behind the team to a dynamic group.

$Appid = (get-AzureADApplication -SearchString "Mindcore Azure AD Properties").Appid.replace("-","")

Set-AzureADMSGroup -Id $team.GroupId -GroupTypes "DynamicMembership","Unified" -MembershipRuleProcessingState "On" -MembershipRule "(user.extension_$($appid)_MyAttribute -eq ""MyValue"")"
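The team-creation and dynamic-group steps above (and the equivalent portal procedure in the post below) as one PowerShell script. This is an added example, not the blog's own script: it resolves the application, confirms that the extension property really exists on it before building the membership rule, refuses a value that would break out of the rule's quoted string, and reads the group back afterwards so the result is checked rather than assumed. The parameter defaults reuse the names from the post (NewTeam, Mindcore Azure AD Properties, MyAttribute, MyValue); Get-AzureADApplicationExtensionProperty and Get-AzureADMSGroup are standard AzureAD/AzureADPreview cmdlets, and the requirement that exactly one application matches the search string is my addition.

```powershell
# Added example, not the blog's script: create a private team and switch its Microsoft 365 group
# to dynamic membership keyed on a custom extension attribute, with the lookups verified first.
# Assumptions: an AzureADPreview and a MicrosoftTeams module are installed; the default names below
# are taken from the post and can be overridden.
[CmdletBinding()]
param(
    [string] $TeamName       = 'NewTeam',
    [string] $AppName        = 'Mindcore Azure AD Properties',
    [string] $AttributeName  = 'MyAttribute',
    [string] $AttributeValue = 'MyValue'
)

$ErrorActionPreference = 'Stop'
Import-Module AzureADPreview
Import-Module MicrosoftTeams

# Each module keeps its own session, so both sign-ins are needed.
Connect-AzureAD | Out-Null
Connect-MicrosoftTeams | Out-Null

# Resolve the app that owns the extension property. -SearchString is a prefix match, so insist on
# exactly one hit; otherwise a similarly named app could silently supply the wrong schema.
$apps = @(Get-AzureADApplication -SearchString $AppName)
if ($apps.Count -ne 1) { throw "Expected exactly one application matching '$AppName', found $($apps.Count)" }
$app = $apps[0]

# Extension properties are named extension_<appId without dashes>_<name>. Confirm the property is
# actually registered on the app instead of trusting a hand-built string.
$propName = "extension_$($app.AppId.Replace('-',''))_$AttributeName"
$defined  = Get-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId | Where-Object Name -eq $propName
if (-not $defined) { throw "Extension property $propName is not defined on '$AppName'" }

# The rule embeds the value in a double-quoted literal; a value containing a quote would change the rule.
if ($AttributeValue -match '"') { throw 'Attribute value must not contain a double quote' }
$rule = "(user.$propName -eq `"$AttributeValue`")"

# Create the team, then turn the backing group into a dynamic Microsoft 365 group.
$team = New-Team -MailNickName $TeamName -DisplayName $TeamName -Visibility Private -Description "Dynamic team on $propName"
Set-AzureADMSGroup -Id $team.GroupId -GroupTypes 'DynamicMembership','Unified' `
    -MembershipRuleProcessingState 'On' -MembershipRule $rule

# Read the group back so the script reports what Azure AD stored, not what it intended.
$group = Get-AzureADMSGroup -Id $team.GroupId
[pscustomobject]@{
    Team       = $team.DisplayName
    GroupId    = $team.GroupId
    GroupTypes = ($group.GroupTypes -join ',')
    Rule       = $group.MembershipRule
    Processing = $group.MembershipRuleProcessingState
}
```

The returned object should show GroupTypes of DynamicMembership,Unified and Processing of On; anything else means the group is still assigned and the team's membership is not yet governed by the attribute.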


We could also do it the other way around, creating the group first and then linking a team to it; right now we cannot create the dynamic group directly with the Teams PowerShell module.

The final result is the same as in the last post, where it was all done directly in the portal: https://blog.mindcore.dk/2019/10/access-to-teams-based-on-our-own.html

Tuesday, October 15, 2019

Access to Teams based on our own extension attributes

In our last post we looked at extending Azure AD with our own attributes https://blog.mindcore.dk/2019/10/azure-ad-extension-attributes.html

Now let’s try to dynamically allow access to a Microsoft team based on the attribute.

First we create a team in Microsoft Teams.

In Teams we create a new private team called TestTeam.

We will build it from scratch.

Private team.

Name the team TestTeam.

Skip adding members.

In order to use our extension attributes we need the application ID we created in the last post: in Azure Active Directory go to App registrations, find our application by name and copy the Application (client) ID.

Now go to Azure Active Directory, Groups, and notice that the membership type is for now Assigned.

Click on the group/team we just created, go to Properties, change the Membership type to Dynamic User and click on Add dynamic query.

Click on Get custom extension properties.

Paste in the application ID and click Refresh properties.

After the refresh you will find the custom attributes under Property; select the required extension attribute.

Select the correct Operator and Value. Here we want all users where our MyAttribute Equals MyValue; remember to Save.

Remember to save once more!

Click Yes to accept that existing members will change.

If we click on Overview we can follow the status; here our dynamic rule is still being processed and there is no update time yet.

This will change to Update complete with a timestamp when the rule has been processed.

The Members view now shows the only user to which we assigned our extension attribute with the value MyValue.

The membership type of our team/group has now been changed to Dynamic.

If we look at the members in Teams, the first thing to notice is that we can no longer add or remove members (This team has membership settings that prevent you from adding or removing members); membership is now maintained regularly based on our rule.

For now the only member is our test user with the extension attribute MyAttribute set to MyValue; if we add this attribute and value to another user, that user will automatically be added to the team.

Owners of the team are not changed by dynamic groups.

It will take some time before Teams shows the correct members; it is often quicker to see the updated members in SharePoint.

And yes, why is there an Add Users button in SharePoint when we can no longer add users manually?

If you try, you will see Couldn't add users, so it shouldn't be shown.

You need to have at least an Azure AD Premium P1 license for each unique user that is a member of one or more dynamic groups.

The license doesn't have to be assigned to users for them to be members of dynamic groups, but you must have the minimum number of licenses in the tenant to cover all users in dynamic groups.
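An added check, not part of the post, for the licensing rule just stated: count the unique users that are members of any dynamic group and compare that with the number of Azure AD Premium units the tenant holds. It assumes an existing Connect-AzureAD session (AzureAD or AzureADPreview module) and that the service plan names AAD_PREMIUM (P1) and AAD_PREMIUM_P2 (P2) identify Premium inside a SKU; bundles such as EMS or Microsoft 365 E3 carry the plan under their own SKU names, which is why the script inspects service plans rather than SKU part numbers.

```powershell
# Added example, not from the post: report whether the tenant has enough Azure AD Premium units
# to cover every unique user that is a member of at least one dynamic group.
# Assumptions: an AzureAD(Preview) session exists; AAD_PREMIUM / AAD_PREMIUM_P2 are the
# service plan names for P1 / P2 (P2 includes the P1 feature set, so it counts as well).
function Get-DynamicGroupLicenseGap {
    [CmdletBinding()]
    param()

    # Select dynamic groups client-side so the check does not depend on server-side filter support.
    $dynamicGroups = @(Get-AzureADMSGroup -All $true | Where-Object { $_.GroupTypes -contains 'DynamicMembership' })

    # The requirement is per unique user, so a user in several dynamic groups is counted once.
    $userIds = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($group in $dynamicGroups) {
        Get-AzureADGroupMember -ObjectId $group.Id -All $true |
            Where-Object ObjectType -eq 'User' |
            ForEach-Object { [void] $userIds.Add($_.ObjectId) }
    }

    # Sum the enabled units of every SKU whose service plans include P1 or P2.
    $premiumPlans = 'AAD_PREMIUM', 'AAD_PREMIUM_P2'   # assumed service plan names
    $capacity = 0
    foreach ($sku in Get-AzureADSubscribedSku) {
        $planNames = @($sku.ServicePlans | ForEach-Object { $_.ServicePlanName })
        if ($planNames | Where-Object { $_ -in $premiumPlans }) {
            $capacity += $sku.PrepaidUnits.Enabled
        }
    }

    [pscustomobject]@{
        DynamicGroups   = $dynamicGroups.Count
        UniqueUsers     = $userIds.Count
        PremiumCapacity = $capacity
        Shortfall       = [Math]::Max(0, $userIds.Count - $capacity)
    }
}

Get-DynamicGroupLicenseGap
```

A Shortfall above zero means the tenant is below the stated minimum even though, as the post notes, no license has to be assigned to the individual users; running this after each new dynamic rule is a cheap way to catch it before an audit does.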

In an upcoming post we will try to do the above using PowerShell only.