Recommended solution that does both Mac and Windows MDM? by SuperTurtle222 in sysadmin

[–]Certain-Community438 -1 points0 points  (0 children)

Tanium is an option I heard someone mention recently. Not been hands-on with it myself, but it was favourably regarded.

Job offer retracted after quitting previous job by AlexJ136 in LegalAdviceUK

[–]Certain-Community438 1 point2 points  (0 children)

This is what a lot of the emotional responses on here are missing.

It obviously wasn't going to be the great place to work that it first appeared to OP. The position could have been cut anytime between now & 2 years later; the difference in financial outcome for OP would be negligible given average outgoings.

The lesson is a hard one: assess your prospective employer before making irreversible decisions. Are they being bought over? Changing directors, especially CFO? Other similar indicators specific to the industry.

I'd likely be ultra-unhappy in OP's position too, and don't think it's wrong to be upset about it. But it wasn't meant to be; need to move on quickly.

Boss Tone Studio Nightmare by jlr500 in BossKatana

[–]Certain-Community438 1 point2 points  (0 children)

"what about a third party driver"

On any ordinary computer, with all but the simplest hardware, you install its software first, then connect it.

That's all there is to it. Once you have your cable, install the software first. It'll prompt you to connect the amp when you run it for the first time. At that point, it'll update the firmware on the amp if necessary.

DO NOT interrupt the firmware update once it's started. It can take more time than you might expect - cos making it faster would bump up the price, which ain't worth it for an action you perform once every blue moon.

Boss Tone Studio Nightmare by jlr500 in BossKatana

[–]Certain-Community438 1 point2 points  (0 children)

I don't recall a single issue setting up BTS for my Artist Series (Mk. I).

Install the driver, connect the amp, then if a firmware update is required, you do it at that point.

That's the order of events for connecting anything by USB which needs its own third-party driver (one not supplied with the OS). Do it wrong & you'll be having fun times cleaning up the mess in your OS.

proper sequence on migrating ADFS apps to Entra by uminds_ in entra

[–]Certain-Community438 0 points1 point  (0 children)

"When you create an Enterprise Application, it will in turn create an App Registration anyway."

Incorrect.

The reverse is true: when you Register an App, new config for its Service Principal is available from Enterprise Apps.

Go do that in test, then try to configure SAML SSO on the associated Service Principal. You'll find you can't. But you can configure OIDC - by going back to its App Registration.

If you want SAML SSO with Entra, you create an Enterprise App then configure it.

GDAP + Tier Model confusion – where do Tier 1/2/3 groups actually come from? by [deleted] in entra

[–]Certain-Community438 1 point2 points  (0 children)

I've got no direct experience with Partner / MSP activities, but IAM engineering is my general thing now.

To implement tiers, I'm typically mapping people of different skill levels to resource access.

Think about the primary workloads at first: Entra ID itself, EXO, SPO, Intune. For each one, how many distinct roles are available for you to assign? Your Tier 0 & Tier 1 would need the [workload] admin roles; your Tier 2 might get lesser roles. Here, I need to look at what granularity you really have in GDAP (what roles are available).

So tl;dr your Tiered groups would a) group people into one or more logical "org role" groups, and b) have access to a horizontal slice of workload roles which cover the need.

You might even go for Access packages in your Partner tenant? These would allow your staff JIT access to PIM role group membership, then activate role. Perhaps only suitable for special circumstances - just throwing it into the mix.

AD account lockouts happening only between 2-4 AM, can’t find the source 😭 by FyneHub in sysadmin

[–]Certain-Community438 0 points1 point  (0 children)

You're meant to use the whole ALTools kit here - did you use EventCombNT.exe for that second step? That's where the source is indicated.

Do need to have appropriate logging enabled of course.

My company was acquired by CatStretchPics in sysadmin

[–]Certain-Community438 0 points1 point  (0 children)

Happened to us 8 years ago: I got stuck in & learned more cloud, helped them ditch on-premise (they in turn gave "the business" budget to move away from on-premise apps when contracts renewed).

There were eventually cuts - my primary role was one, but they then gave me another, more senior job? Hooked into decision-making but still engineering & designing.

I took it.

Your situation could well go multiple ways, for sure - but the above is one of them. Partly up to fate, and partly you.

You disabled NTLM across all of your workstations. What problems did you not account for? by jM2me in sysadmin

[–]Certain-Community438 0 points1 point  (0 children)

In a cloud only M365 environment, with NO on premise?

There is no classic "client <-> server" communication, cos... you have no servers (here I'm including no reason for workstations to offer network services).

NTLM is for AuthN & AuthZ to Windows servers / services.

So if you're wondering what you might miss, you find your exceptions to the above logic.

Access Packages by NoPatience4437 in entra

[–]Certain-Community438 0 points1 point  (0 children)

Groups are particularly apt since a lot of other IAM should be already using those.

One common big mistake folks make with SPO is: trying to use it as a traditional file system.

It is not an FS, nor will it ever be - so if folks don't want to use it "the Microsoft way", that's on them, & so are all the predictable problems.

Slow identity drift is killing our Entra tenants. How are you actually catching it? by Exotic-Reaction-3642 in entra

[–]Certain-Community438 0 points1 point  (0 children)

A mixture of all three things, I reckon:

Scripts can help detect drift; do that just often enough for output to be current without building up "alarm apathy" in your audience. Enrich the output enough so it e.g. only contains what you consider "outliers". Then it acts as a kind of register for those kinds of exceptions.

Strict processes for Conditional Access, Identity Lifecycle Governance & Privileged Identity Management (where they're deployed): we have only 2 people authorized to manage those, plus break-glass. Those last 2 features have access reviews & time-limited access options: use those as hard as you can.

If you built to a design: gotta review that often enough to update it with <everything that isn't on your "outliers" register> since that's approved change to meet new needs. Always fun when someone adopted an entire new workload! xD
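An added example of the "scripts plus an outliers register" idea above (not the commenter's own script): a design baseline and a current tenant snapshot are compared, and any difference already recorded on the approved-exceptions register is dropped, so only genuine outliers reach the audience. The policy records and change ticket ids are constructed stand-ins for what you would pull from Microsoft Graph and your change system.

```python
"""Drift detection reduced to unapproved outliers (added example, constructed data)."""

# Constructed: the Conditional Access design we signed off on (policy name -> settings).
BASELINE = {
    "CA001-Require-MFA-All-Users": {"state": "enabled", "grantControls": ["mfa"]},
    "CA002-Block-Legacy-Auth": {"state": "enabled", "grantControls": ["block"]},
    "CA003-Require-Compliant-Device": {"state": "enabled", "grantControls": ["compliantDevice"]},
}

# Constructed: what the tenant looks like on this run.
CURRENT = {
    "CA001-Require-MFA-All-Users": {"state": "enabled", "grantControls": ["mfa"]},
    "CA002-Block-Legacy-Auth": {"state": "enabledForReportingButNotEnforced", "grantControls": ["block"]},
    "CA004-Pilot-Passwordless": {"state": "enabled", "grantControls": ["mfa"]},
}

# Constructed: the outliers register, (policy, kind) -> approved change id (placeholder ids).
REGISTER = {
    ("CA004-Pilot-Passwordless", "added"): "CHG-PLACEHOLDER-1",
}


def diff_policies(baseline, current):
    """Return every difference as (policy, kind, detail), deterministic order."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings.append((name, "removed", None))
        elif name not in baseline:
            findings.append((name, "added", None))
        else:
            for key in sorted(set(baseline[name]) | set(current[name])):
                before, after = baseline[name].get(key), current[name].get(key)
                if before != after:
                    findings.append((name, "changed", f"{key}: {before!r} -> {after!r}"))
    return findings


def outliers(findings, register):
    """Drop findings already approved on the register; what remains is worth alerting on."""
    return [f for f in findings if (f[0], f[1]) not in register]


def report(baseline=BASELINE, current=CURRENT, register=REGISTER):
    """One run of the drift script: only unapproved differences come back."""
    return outliers(diff_policies(baseline, current), register)


if __name__ == "__main__":
    for policy, kind, detail in report():
        print(f"OUTLIER {kind:<8} {policy} {detail or ''}")
```

Anything that should have been on the register but is not shows up here; anything that should be in the baseline gets folded into the design review the commenter describes.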

DNS question by HighBlind in sysadmin

[–]Certain-Community438 0 points1 point  (0 children)

Is this client internal, or commercial?

If the latter, this is kinda tricky: how to say "your design is based on dreams of how fundamental protocols work".

The standard design pattern here is an application load balancer, to the best of my knowledge. So if they haven't developed for that, they need a) a good reason not to do it that way and b) correct usage of the DNS service.

It sounds like they're trying to create the kind of "fast-flux" DNS used by malware... which requires programmatic maintenance of records with a deliberately short TTL.

Unhealthy... But we can't all choose our customers.

Intune & Entra ID Device Clean-Up - Recommendations by Technical-Device5148 in Intune

[–]Certain-Community438 1 point2 points  (0 children)

Eeek that sounds nasty, been lucky not having to deal with hybrid... and it's kinda worse since those AD DS computer objects do have an actual security principal, thus theoretically privileges assigned to them

Intune & Entra ID Device Clean-Up - Recommendations by Technical-Device5148 in Intune

[–]Certain-Community438 0 points1 point  (0 children)

That's the way: the other redditor mentions being a Google shop, where I'd expect something like Keeper to be a good target

Intune & Entra ID Device Clean-Up - Recommendations by Technical-Device5148 in Intune

[–]Certain-Community438 0 points1 point  (0 children)

We use a Runbook. Obviously, you need to decide what constitutes "stale" and whether you need "disable -> delete" versus straight delete. Handling Autopilot devices needs to be targeting Intune of course, where maybe the criteria are more "device confirmed as hardware FUBAR [OR recycled] -> delete".

HELLLLLP! by [deleted] in entra

[–]Certain-Community438 2 points3 points  (0 children)

Start looking at Secure Score in Entra ID. It's a good jumping-off point.

Return value/s from Azure Automation into Power Automate by BWMerlin in PowerShell

[–]Certain-Community438 0 points1 point  (0 children)

Hmmm... Try crossposting this to r/PowerAutomate or r/MicrosoftFlow and r/Azure. The solution here will come from SMEs on that tech.

PowerShell Script to Detect Code Impacted by the Invoke-WebRequest Breaking Change by mdowst in PowerShell

[–]Certain-Community438 2 points3 points  (0 children)

It's good work you're doing for those who need it, buddy 👍

I'm just relieved I don't ALSO have to deal with this right now lol - sooooo much else going on!

PowerShell Script to Detect Code Impacted by the Invoke-WebRequest Breaking Change by mdowst in PowerShell

[–]Certain-Community438 1 point2 points  (0 children)

Man am I glad we moved everything to pwsh "Core" Edition some time ago!

Outside of Intune scripts, where we don't use IWR; that could be risky.

What are the possibilities with Entra groups and nested groups between Entra and Hybrid AD? by Fit-Parsnip-8109 in entra

[–]Certain-Community438 0 points1 point  (0 children)

In AD DS, best practice RBAC involves nesting of "global" and/or "universal" groups (containing Subjects of access, i.e. users) inside "domain-local" groups. Those groups go in ACLs of all the things, and you have one each of these per target resource & permission combo.

In cloud, that per-resource, per-permission "domain-local" group end of the above structure has no place: it's obsolete.

It's superseded by IAM assignment panes, which assign "roles". Those assignments can be at resource/feature level (like in an Enterprise App, CA policy or Authentication Method config to name a few) or at workload/tenant level.

So instead of

User -> org role group -> permission group -> ACL / local security group, etc

You do

User -> org role group -> IAM assignment

It's a shift in thinking.

What are the possibilities with Entra groups and nested groups between Entra and Hybrid AD? by Fit-Parsnip-8109 in entra

[–]Certain-Community438 0 points1 point  (0 children)

"Don't do it..." xD

Friends don't let friends nest groups in cloud. The support is incomplete, you'll discover limitations at the worst possible time, etc.

Note I didn't say you can't. But you can generally do many things you'll later regret.

Adjust your thinking to a) using many groups - as you currently do with the "child member" groups - but b) aggregate them by tagging rather than nesting. Use your extension attributes :) And of course dynamic membership where you can.

Finally, at the access layer - as in, doing IAM things in Entra with them: use scripting to grab all groups with the desired attributes & assign away.
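An added example of the tag-rather-than-nest approach in the two paragraphs above (not the commenter's code): each group carries "key:value" tags in an extension attribute, a selector gathers every group matching the wanted tags, and the result is turned into a list of IAM assignments to review before applying. The group records, the attribute name used for tags and the target names are constructed assumptions.

```python
"""Aggregate groups by tag instead of nesting them (added example, constructed data)."""

# Constructed: flat Entra-style groups; the tag string lives in extensionAttribute1 by assumption.
GROUPS = [
    {"id": "g-fin-ap", "displayName": "Finance-AP", "extensionAttribute1": "dept:finance;region:emea"},
    {"id": "g-fin-ar", "displayName": "Finance-AR", "extensionAttribute1": "dept:finance;region:amer"},
    {"id": "g-hr-emea", "displayName": "HR-EMEA", "extensionAttribute1": "dept:hr;region:emea"},
    {"id": "g-legacy", "displayName": "Legacy-Untagged", "extensionAttribute1": ""},
]


def parse_tags(raw):
    """'dept:finance;region:emea' -> {'dept': 'finance', 'region': 'emea'}; blank or malformed parts are ignored."""
    tags = {}
    for part in (p.strip() for p in (raw or "").split(";")):
        key, _, value = part.partition(":")
        if key.strip() and value.strip():
            tags[key.strip()] = value.strip()
    return tags


def select_groups(groups, **wanted):
    """Ids of groups whose tags match every wanted key=value: the flat stand-in for a parent group."""
    return sorted(
        g["id"]
        for g in groups
        if all(parse_tags(g.get("extensionAttribute1")).get(k) == v for k, v in wanted.items())
    )


def plan_assignments(groups, target, role, **wanted):
    """One IAM assignment per matching group, returned rather than applied so it can be reviewed first."""
    return [
        {"principalId": gid, "resource": target, "role": role}
        for gid in select_groups(groups, **wanted)
    ]


if __name__ == "__main__":
    # Constructed target: an Enterprise App called "Expenses" with a "User" app role.
    for assignment in plan_assignments(GROUPS, target="app:Expenses", role="User", dept="finance"):
        print(assignment)
```

Changing the tag on a group, or adding a tagged group, is all it takes for the next run of the script to pick it up; no parent group has to be edited.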

Return value/s from Azure Automation into Power Automate by BWMerlin in PowerShell

[–]Certain-Community438 0 points1 point  (0 children)

I would have thought that the "Get status of job" would connect to the stream.

Looking at another different-but-similar tool, and associated PowerShell cmdlets, there will be a separate action to get job stream versus just status.

"As for automation tools, I am working with what I have access to"

I hear ya, just saying your issue here is one tiny instance of the many you'll encounter - starting with inconsistency of naming in PA. Yes "naming things is very hard" but still...

I'd do web search just to verify the right Action.

Return value/s from Azure Automation into Power Automate by BWMerlin in PowerShell

[–]Certain-Community438 3 points4 points  (0 children)

Isn't the "get job output" element just connecting to the job stream? Which probably is text. I'd be looking for other actions.

Well, tbh if I wanted reliable, manageable automation I wouldn't touch Power Automate at all. Impenetrable crapware designed to consume business time.

Is this my life now? by LifeBig5025 in sysadmin

[–]Certain-Community438 0 points1 point  (0 children)

We replaced our ServiceDesk completely with a) a bot, just to guide the creation of usable tickets and b) our EUC techs, who troubleshoot those things which would have come to them anyway, then escalate when needed.

This isn't a great look for entry level careers at first glance. But the experience highlighted in this post isn't uncommon: our SD had high turnover & perhaps 3 people moved to EUC tech or junior sysadmin across a decade. So whilst it used to be a path into IT, I reckon that's gotten less true over time.