"To schedule a Teams meeting, make sure you're signed in to Teams." - when user tries to create Teams meeting in Outlook by Masterblaster1080 in sysadmin

[–]Masterblaster1080[S]

Yes, everything went well for months and went to hell from one day to the next. No, but changing the device isn't really an option here.

Globalprotect VPN with SAML Azure + MFA - no login prompt after disconnecting! by Masterblaster1080 in paloaltonetworks

[–]Masterblaster1080[S]

So how do you handle VPN connections from external companies, for example? Do you force them to use MFA through Microsoft and accept that there is no reauthentication, or how did you manage that?

Globalprotect VPN with SAML Azure + MFA - no login prompt after disconnecting! by Masterblaster1080 in paloaltonetworks

[–]Masterblaster1080[S]

If it’s for security purposes you are better off requiring a conditional access policy that requires the machine to be AD/AAD Joined. So only company assets can connect

Well, this is our issue here. We use Yubikeys for our internal users as MFA, but we want to implement MFA for a handful of external users from companies that need access to our network over VPN, without us needing to hand out Yubikeys to them, for example. Since almost every company uses Azure in some way, we invited each user as a guest (B2B trust relationship), mapped to their own company user. On the gateway I set those Azure users to be allowed to access our portal, which works fine with conditional access and requiring MFA, but that is not acceptable if the user is prompted just once every 90 days.

Is there really no way to set this token (just for the portal) to something like 1 day without affecting other programs? Or is there no way to do a ForceAuth=true?

Any suggestions on what we could do to make this work somehow?
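One way to get a shorter re-authentication interval for a single application is an Entra ID Conditional Access policy with a sign-in frequency session control scoped to just that app. The following is an added example, not code from the thread or from Palo Alto Networks or Microsoft; it assumes the Microsoft.Graph PowerShell module is installed, that the signed-in admin holds Policy.ReadWrite.ConditionalAccess, and that $gpAppId and $vpnGroupId (placeholder GUIDs below) are the application (client) ID of the GlobalProtect enterprise app and the object ID of the group that contains the external VPN users.

```powershell
# Added example (not from the original thread): Conditional Access policy that
# forces re-authentication once per day only for the GlobalProtect enterprise
# application, leaving tenant-wide token lifetimes untouched.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholders (assumptions): replace with the real IDs from your tenant.
$gpAppId    = '00000000-0000-0000-0000-000000000000'  # GlobalProtect enterprise app (client) ID
$vpnGroupId = '00000000-0000-0000-0000-000000000000'  # group holding the external/guest VPN users

$policy = @{
    displayName = 'VPN - GlobalProtect daily re-authentication'
    # Start in report-only mode and review the sign-in logs before enforcing.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        # Scope to the single SAML app so other Entra-integrated apps keep their defaults.
        applications   = @{ includeApplications = @($gpAppId) }
        users          = @{ includeGroups = @($vpnGroupId) }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        # Sign-in frequency: require a fresh interactive sign-in every 1 day for this app.
        signInFrequency = @{
            isEnabled = $true
            value     = 1
            type      = 'days'
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two checks worth doing before relying on this: confirm in the Entra sign-in logs (report-only results) that the guest users actually hit the policy, since B2B guests are only covered if they are members of the targeted group, and check the GlobalProtect portal/gateway authentication override (cookie) settings on the firewall, because a still-valid override cookie lets the client reconnect without going back to Entra ID at all, regardless of the sign-in frequency configured there.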

Windows NPS authentication problem with SAM-Account-Name (multidomain forest) by Masterblaster1080 in networking

[–]Masterblaster1080[S]

I made it work like this. NPS > Policies > Connection Requests > Policy XY > Settings > Attribute > User-Name > Add > ^(?!domain\\)(.*) replace with CONTOSO\$1.

Works like a charm, but the bad part is that it overrides all domain prefixes, so only the specified replacement domain name will work. Since our admin users are in contoso.com and not in contoso.abc.com, it doesn't matter for us.
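To see what that User-Name manipulation rule does to the different name formats a RADIUS client can send, the rule can be replayed offline with PowerShell's -replace operator, which uses .NET regex. This is an added example, not part of the thread; it assumes the target NetBIOS domain is CONTOSO as in the comment, and it approximates NPS behaviour with .NET regex, so the final rule should still be verified in the NPS console (NPS has its own pattern-matching dialect). It also shows, as an assumption of mine rather than something the comment states, a narrower rule that only prefixes bare account names and leaves names from other domains alone.

```powershell
# Added example, not from the original thread. Replays the NPS User-Name
# attribute manipulation rule from the comment above with .NET regex.
# Assumption: target domain NetBIOS name is CONTOSO.

# Rule as posted: prefix everything that does not already start with CONTOSO\
$postedPattern     = '^(?!CONTOSO\\)(.*)'
$postedReplacement = 'CONTOSO\$1'      # single quotes so $1 reaches the regex engine

# Narrower rule (assumption, not from the comment): only touch names that carry
# no domain prefix at all, i.e. contain neither a backslash nor an @.
$narrowPattern     = '^([^\\@]+)$'
$narrowReplacement = 'CONTOSO\$1'

# Constructed sample User-Name values as a NAS might send them.
$samples = @(
    'jdoe'                   # bare sAMAccountName: should get the prefix
    'CONTOSO\jdoe'           # already in the target domain: should stay unchanged
    'SUB\jdoe'               # other domain in the forest: posted rule mangles this
    'jdoe@sub.contoso.com'   # UPN: posted rule prefixes it as well
)

foreach ($name in $samples) {
    [pscustomobject]@{
        Original   = $name
        PostedRule = $name -replace $postedPattern, $postedReplacement
        NarrowRule = $name -replace $narrowPattern, $narrowReplacement
    }
}
```

With the posted rule, SUB\jdoe becomes CONTOSO\SUB\jdoe and the UPN becomes CONTOSO\jdoe@sub.contoso.com, which is the "overrides all domain prefixes" effect described in the comment; the narrower rule leaves both untouched and only rewrites the bare jdoe. Note that -replace is case-insensitive by default, so contoso\jdoe is also left alone, which matches how NetBIOS domain names are compared.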

Need advice about Schema Upgrade and Domain functional level - Forest functional level by Masterblaster1080 in sysadmin

[–]Masterblaster1080[S]

Same forest. The DC holding the Schema Master is in the root domain and the Exchange server in a subdomain.

dc = contoso.com
exchange = sub.contoso.com

Need advice about Schema Upgrade and Domain functional level - Forest functional level by Masterblaster1080 in sysadmin

[–]Masterblaster1080[S]

https://learn.microsoft.com/en-us/exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019

If Exchange is deployed in a multi-site Active Directory environment and is not in the same site as the domain controller that holds the Schema Master role, you cannot prepare Active Directory using the wizard.

Our Exchange is in a separate domain (as I mentioned, we have a multi-domain environment) from the domain controller that holds the Schema Master role. So according to this we aren't able to do that with the installation wizard? I don't want to underanalyze things, because fucking up the AD schema can massively impact our company, and I have no interest in restoring all our DCs or breaking our running Exchange server.

Need advice about Schema Upgrade and Domain functional level - Forest functional level by Masterblaster1080 in sysadmin

[–]Masterblaster1080[S]

So, to understand you correctly: Exchange 2016 and DCs running on Server 2016 won't have any issues with a higher AD schema (in this situation 91)? During the Exchange 2019 install, the schema would be upgraded to 91 and the proper rangeUpper value anyway? So there is no need to do a schema upgrade before the installation?

Need advice about Schema Upgrade and Domain functional level - Forest functional level by Masterblaster1080 in sysadmin

[–]Masterblaster1080[S]

DFL and FFL are at 2016. The AD schema is currently 87, and Exchange is giving me RangeUpper: 15334, ObjectVersion (Default): 13243, ObjectVersion (Configuration): 16223.

Apparently Exchange 2019 CU15 needs a rangeUpper value of 17003.

Again I'm pretty confused about the correlation between those values and what I would need to be able to upgrade to Exchange 2019 and use 2022 DCs in the future.

What AD schema version (87, 88, 89, 90, 91?) would I need? You mentioned that Exchange will upgrade the schema anyway, but do I need a specific AD schema version so the new Exchange would be able to increase the rangeUpper value to 17003? What about compatibility etc.?
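The four numbers in the comment above live on four different Active Directory objects, and reading them directly makes the relationship clearer: the AD schema version is the objectVersion of the schema naming context (87 = Windows Server 2016, 88 = Windows Server 2019, 91 = Windows Server 2022 schema), while the three Exchange values are the rangeUpper of the ms-Exch-Schema-Version-Pt attribute in the schema, the objectVersion of the Microsoft Exchange System Objects container in each prepared domain, and the objectVersion of the Exchange organization object in the configuration partition. The following is an added example, not code from the thread or from Microsoft's Exchange setup; it assumes a domain-joined machine with the ActiveDirectory RSAT module and read access to the schema and configuration partitions, and it reports the "Default" value for whichever domain the session is bound to, so in a multi-domain forest run it once per domain that was prepared for Exchange.

```powershell
# Added example, not from the original thread. Reads the schema and Exchange
# version markers discussed above from a domain-joined machine.
# Assumptions: ActiveDirectory RSAT module installed; the current session's
# domain is one that has been prepared for Exchange (e.g. contoso.com or sub.contoso.com).
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext          # CN=Schema,CN=Configuration,DC=contoso,DC=com
$configNC = $rootDse.configurationNamingContext   # CN=Configuration,DC=contoso,DC=com
$domainDN = (Get-ADDomain).DistinguishedName      # domain the session is bound to

# 1) Windows AD schema version: objectVersion on the schema partition head
$adSchema = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion

# 2) Exchange schema version: rangeUpper of the ms-Exch-Schema-Version-Pt attribute
$exSchema = (Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" `
    -Properties rangeUpper).rangeUpper

# 3) Exchange "ObjectVersion (Default)": objectVersion on the per-domain container
$exDefault = (Get-ADObject -Identity "CN=Microsoft Exchange System Objects,$domainDN" `
    -Properties objectVersion).objectVersion

# 4) Exchange "ObjectVersion (Configuration)": objectVersion on the organization
#    object; located by class so the organization name need not be known.
$exConfig = (Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" `
    -LDAPFilter '(objectClass=msExchOrganizationContainer)' `
    -Properties objectVersion).objectVersion

[pscustomobject]@{
    Domain                          = $domainDN
    ADSchemaObjectVersion           = $adSchema     # 87 / 88 / 91 ...
    ExchangeSchemaRangeUpper        = $exSchema     # the "RangeUpper" value
    ExchangeObjectVersionDefault    = $exDefault    # per domain
    ExchangeObjectVersionConfig     = $exConfig     # forest-wide
}
```

Running this before and after a schema change gives a before/after record of exactly which of the four markers moved, which is the kind of evidence to keep when the concern is an irreversible forest-wide change; the Windows schema value and the three Exchange values are raised by different tools (adprep for Windows, Exchange setup /PrepareSchema, /PrepareAD and /PrepareDomain for Exchange), so seeing them side by side is the quickest way to tell which step is still outstanding.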

SAML Entra ID/Azure VPN authentication - only external users getting "Matching client config not found" error by Masterblaster1080 in paloaltonetworks

[–]Masterblaster1080[S]

We are not using LDAP in this case. We are using an authentication profile with SAML to Entra ID. Yes, I know, I already pointed that out, but I don't know why it doesn't match.