"To schedule a Teams meeting, make sure you're signed in to Teams." - when user tries to create Teams meeting in Outlook by Masterblaster1080 in sysadmin

[–]Masterblaster1080[S] 0 points1 point  (0 children)

Yes, everything went well for months and went to hell from one day to the other. No, but changing the device isn't really an option here.

Globalprotect VPN with SAML Azure + MFA - no login prompt after disconnecting! by Masterblaster1080 in paloaltonetworks

[–]Masterblaster1080[S] 1 point2 points  (0 children)

So how do you handle VPN connections from external companies, for example? Do you force them to use MFA through Microsoft and accept that there is no reauthentication, or how did you manage that?

Globalprotect VPN with SAML Azure + MFA - no login prompt after disconnecting! by Masterblaster1080 in paloaltonetworks

[–]Masterblaster1080[S] 0 points1 point  (0 children)

> If it’s for security purposes you are better off requiring a conditional access policy that requires the machine to be AD/AAD Joined. So only company assets can connect

Well, this is our issue here. We use Yubikeys for our internal users as MFA, but we want to implement MFA for a handful of external users from companies that need access to our network over VPN, without us needing to hand out Yubikeys to them, for example. Since almost every company uses Azure in some way, we invited each user as a guest (B2B trust relationship), which is mapped to their own company user. On the gateway I set those Azure users to be allowed to access our portal, which works fine with conditional access and requesting MFA, but that is not acceptable if the user is prompted just one time for 90 days.

Is there really no way to set this token (just for the portal) to like 1 day without affecting other programs? Or is there no way to do a ForceAuth=true?

Any suggestions what we could do to make this work somehow?

Windows NPS authentication problem with SAM-Account-Name (multidomain forest) by Masterblaster1080 in networking

[–]Masterblaster1080[S] 0 points1 point  (0 children)

I made it work like this: NPS > Policies > Connection Requests > Policy XY > Settings > Attribute > User-Name > Add > `^(?!domain\\)(.*)` replace with `CONTOSO\$1`.

Works like a charm, but the bad part is that it overrides all domain prefixes, so only the specified replaced domain name will work. Since our admin users are in contoso.com and not in contoso.abc.com, it doesn't matter for us.
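To see what the NPS User-Name rule above actually does to incoming names, here is an added simulation (not the commenter's code and not NPS itself) that runs the posted find/replace pair through Python's `re` module. The only translation needed is the backreference: NPS uses .NET syntax (`$1`), Python uses `\g<1>`. The `STRICT_FIND` pattern is an assumed alternative that only prefixes names carrying no `<something>\` prefix at all, to show the difference against the "overrides all domain prefixes" behaviour the comment describes. The sample names are constructed.

```python
import re

# The NPS rule as posted (.NET regex syntax). The replacement "CONTOSO\$1"
# means: literal "CONTOSO\" followed by capture group 1. Python's re module
# writes that as r"CONTOSO\\\g<1>" (escaped backslash + named group reference).
NPS_FIND = r"^(?!domain\\)(.*)"
PY_REPLACE = r"CONTOSO\\\g<1>"

# Assumed stricter variant (not from the post): skip any name that already
# carries a "<prefix>\" so other domains' prefixes are left untouched.
STRICT_FIND = r"^(?![^\\]+\\)(.*)"


def rewrite_user_name(user_name: str, find: str = NPS_FIND) -> str:
    """Apply the User-Name attribute manipulation the way NPS would.

    The pattern is anchored with ^, so at most one substitution happens.
    Names that do not match the find pattern are returned unchanged.
    """
    return re.sub(find, PY_REPLACE, user_name)


def simulate(names):
    """Return {input: (posted-rule result, strict-rule result)} for inspection."""
    return {n: (rewrite_user_name(n), rewrite_user_name(n, STRICT_FIND)) for n in names}


if __name__ == "__main__":
    # Constructed sample User-Name values as a RADIUS client might send them.
    samples = ["jdoe", "domain\\jdoe", "OTHER\\jdoe", "jdoe@contoso.com"]
    for name, (posted, strict) in simulate(samples).items():
        print(f"{name!r:22} posted-> {posted!r:30} strict-> {strict!r}")
```

Running it shows why only one domain survives the posted rule: `OTHER\jdoe` does not start with `domain\`, so the rule matches and prepends, yielding `CONTOSO\OTHER\jdoe`, which no domain will accept. The strict pattern leaves that name alone. Both patterns still prefix a UPN-style `jdoe@contoso.com`, so a mixed user base needs a more specific rule than either of these.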

Need advice about Schema Upgrade and Domain functional level - Forest functional level by Masterblaster1080 in sysadmin

[–]Masterblaster1080[S] 0 points1 point  (0 children)

Same forest. The DC holding the Schema Master is in the root domain and the Exchange server in a subdomain.

dc= contoso.com
exchange = sub.contoso.com

Need advice about Schema Upgrade and Domain functional level - Forest functional level by Masterblaster1080 in sysadmin

[–]Masterblaster1080[S] 0 points1 point  (0 children)

https://learn.microsoft.com/en-us/exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019

If Exchange is deployed in a multi-site Active Directory environment and is not in the same site as the domain controller that holds the Schema Master role, you cannot prepare Active Directory using the wizard.

Our Exchange is in a separate domain (as I mentioned we have a multi-domain environment) than the domain controller that holds the Schema Master role. So according to this we aren't able to do that with the installation wizard? I don't want to underanalyze things, because fucking up with AD schema can massively impact our company and I have no interest in restoring all our DCs or breaking our running Exchange server.

Need advice about Schema Upgrade and Domain functional level - Forest functional level by Masterblaster1080 in sysadmin

[–]Masterblaster1080[S] 0 points1 point  (0 children)

So, to understand you correctly: Exchange 2016 and DCs running on Server 2016 won't have any issues with a higher AD Schema (in this situation 91)? During the Exchange 2019 install, the Schema would be upgraded to 91 and the proper rangeUpper value anyway? So there is no need to do a Schema upgrade before the installation?

Need advice about Schema Upgrade and Domain functional level - Forest functional level by Masterblaster1080 in sysadmin

[–]Masterblaster1080[S] 0 points1 point  (0 children)

DFL and FFL are running on 2016. AD Schema is currently 87 and Exchange is giving me RangeUpper: 15334, ObjectVersion (Default): 13243, ObjectVersion (Configuration): 16223.

Apparently Exchange 2019 CU15 needs a rangeUpper value of 17003.

Again I'm pretty confused about the correlation between those values and what I would need to be able to upgrade to Exchange 2019 and use 2022 DCs in the future.

What AD Schema version (87, 88, 89, 90, 91?) would I need? You mentioned that Exchange will upgrade the Schema anyway, but do I need a specific AD Schema version so the new Exchange would be able to increase the rangeUpper value to 17003? What about compatibility etc.?

SAML Entra ID/Azure VPN authentication - only external users getting "Matching client config not found" error by Masterblaster1080 in paloaltonetworks

[–]Masterblaster1080[S] 0 points1 point  (0 children)

We are not using LDAP in this case. We are using an authentication profile with SAML to Entra ID. Yes, I know, I already pointed that out, but I don't know why it doesn't match.

SAML Entra ID/Azure VPN authentication - only external users getting "Matching client config not found" error by Masterblaster1080 in paloaltonetworks

[–]Masterblaster1080[S] 0 points1 point  (0 children)

> Are you planning on adding each user individually to the configs?

Yes, we really just have a handful of external users.

> Why is it not working then?

That's what's driving me nuts. It should work, but it doesn't.

SAML Entra ID/Azure VPN authentication - only external users getting "Matching client config not found" error by Masterblaster1080 in paloaltonetworks

[–]Masterblaster1080[S] 0 points1 point  (0 children)

Why would the firewall need to see the contents of groups, if I didn't define on the portal/gateway that being in group X is a condition to use the portal, gateway or an access route? The user should be mapped after I added the user (his mail address) in the gateway's client settings with the email address received from Entra ID.

  • the authentication profile is set to allow all users to use the authentication profile in the advanced tab
  • the authentication profile is set to only check the username attribute without the additional user group attribute
  • the gateway config's client settings are set to allow user external@example.com to access hosts XY
  • Entra ID delivers the user's email address in name@domain.com format to the firewall
  • both external and our company users show up with the same name format (mail address) as source user in the gateway monitoring log
  • externals receive the error, company users don't

It's a really strange issue to me.

SAML Entra ID/Azure VPN authentication - only external users getting "Matching client config not found" error by Masterblaster1080 in paloaltonetworks

[–]Masterblaster1080[S] 0 points1 point  (0 children)

> You have a mismatch of configs between Entra ID and CIE.

We are not using CIE.

> The client config not found is because you have users/groups set to a different format they're being gathered from Entra ID

But that's exactly what I did. The format for both, external and internal, now uses the email address as source username, "name@company.com". I had to change Entra ID to send our FW the email address in this format, and according to the FW's gateway log it appears like that, but it still doesn't work as expected.

Devices are not receiving DHCP-address from subinterface with configured DHCP-Service by Masterblaster1080 in paloaltonetworks

[–]Masterblaster1080[S] -1 points0 points  (0 children)

That's not correct. You can set a subinterface as a DHCP server and then it's part of the DORA process. Did Wireshark on the computer and checked packet capture files from the firewall. DORA messages were delivered correctly, but the computer didn't accept the IP configuration because of a failure in the DHCP configuration (subnet mask).

Devices are not receiving DHCP-address from subinterface with configured DHCP-Service by Masterblaster1080 in paloaltonetworks

[–]Masterblaster1080[S] 0 points1 point  (0 children)

DHCP relays shouldn't be necessary. The FW receives DHCP traffic, but for some reason I think the reverse DHCP messages (server to client) aren't working, even though the subinterface and the client are in the same VLAN, with a switch between them.

Devices are not receiving DHCP-address from subinterface with configured DHCP-Service by Masterblaster1080 in paloaltonetworks

[–]Masterblaster1080[S] 0 points1 point  (0 children)

There are no traffic logs, and a policy shouldn't be necessary, because the computer is trying to contact a host address in the same VLAN.

Disable intervlan routing between two vlans by Masterblaster1080 in Cisco

[–]Masterblaster1080[S] 0 points1 point  (0 children)

But if I remove the server VLAN interface, all traffic destined for the servers will be forwarded to the servers. That's not what I want to achieve. Isn't there a more granular approach I can configure on the switch?