Connect VPN using Azure MFA NPS extension

Azure MFA has an extension for Microsoft NPS (Network Policy Server) that can be used to connect an on-premises Active Directory to Azure MFA for strong authentication. Today the team I was working with investigated whether this can be used WITHOUT synchronized (hybrid) identities, and had a successful result.

The environment and setup

  • Cloud identities only (
  • Local Active Directory with users (
  • NPS server joined to Active Directory
  • NPS extension installed and configured
  • Cloud identity has a license that allows Azure MFA (EMS suite in our case)
  • Cloud user has enrolled and registered for Azure MFA
  • Cloud user has set the primary authentication option to either the MFA app or a phone call
    (any option requiring additional input won't work, since the RADIUS exchange gives the user no second prompt)
Why have an Active Directory with cloud-only identities?
This is a fairly uncommon scenario, but it happens in large enterprises. They often have an IDM solution managing separate identities (same sign-on: the same ID and password) for many applications, domains, Azure AD, etc. The Active Directory replaces an internal user directory in the VPN server (or similar): it does the password check, while Azure MFA supplies the second factor, and the UPN is the only thing that ties the two identities together.

NPS server & Azure MFA NPS Extension
The NPS server is a RADIUS server which can be used with any service supporting RADIUS. The Azure MFA NPS extension adds strong authentication to the NPS environment, which makes it a good fit for strong authentication with Azure MFA in front of any RADIUS client, such as a VPN gateway.

By default the NPS extension matches the authenticated AD account to the Azure AD user on the UPN. It can also be configured to match on an attribute other than the UPN using the NPS extension advanced options.

What happens during logon?

  1. User / application connects to the VPN gateway
  2. VPN gateway contacts the RADIUS server for authentication
  3. NPS server authenticates the user (ID & PWD) against Active Directory and continues only if that succeeds
  4. NPS extension fetches the UPN of the authenticated account
  5. NPS extension hands the UPN off to Azure MFA (the cloud service) for strong authentication
  6. Azure MFA checks the user's primary authentication method and challenges the user
  7. User responds to the challenge (approves in the Authenticator app, or answers the call and presses #)
  8. If strong authentication succeeds, the NPS extension hands an OK back to the NPS server
  9. NPS server responds to the VPN gateway with a successful authentication
  10. VPN gateway connects the user to the network
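Two pre-flight checks for the setup above, as an added PowerShell example (this is not code from the original post). The first compares the UPNs of the AD accounts that will use the VPN with the userPrincipalNames in Azure AD, because in this cloud-only setup that string match is the only link between the on-premises and the cloud identity; the two lists are constructed samples standing in for Get-ADUser and Get-MsolUser output. The second reads the NPS extension's registry settings and warns when REQUIRE_USER_MATCH is FALSE, which lets a user with no matching, MFA-registered Azure AD account through on password only. The value names are the ones Microsoft documents under HKLM\SOFTWARE\Microsoft\AzureMfa (including the alternate login ID keys behind the advanced options mentioned above); verify them against the extension version you run, and treat the function and variable names as this example's own.

```powershell
# Added example, not from the original post. Assumptions: registry value names as
# documented for the Azure MFA NPS extension; sample UPN lists are constructed.

function Compare-VpnUpns {
    # Reports, per on-premises UPN, whether the same UPN exists in Azure AD.
    param(
        [Parameter(Mandatory)][string[]]$OnPremUpns,   # e.g. (Get-ADGroupMember vpn-users | Get-ADUser).UserPrincipalName
        [Parameter(Mandatory)][string[]]$CloudUpns     # e.g. (Get-MsolUser -All).UserPrincipalName
    )
    # UPNs are case-insensitive, so compare with an ordinal-ignore-case set
    $cloud = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$CloudUpns, [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($upn in $OnPremUpns) {
        [pscustomobject]@{
            Upn            = $upn
            MatchedInCloud = $cloud.Contains($upn)
        }
    }
}

function Test-AzureMfaNpsSettings {
    # Reads the extension's matching/enforcement settings and flags the fail-open one.
    param([string]$Path = 'HKLM:\SOFTWARE\Microsoft\AzureMfa')
    if (-not (Test-Path $Path)) { throw "NPS extension settings not found at $Path" }
    $reg = Get-ItemProperty -Path $Path
    $settings = [pscustomobject]@{
        RequireUserMatch          = $reg.REQUIRE_USER_MATCH               # TRUE (default) = reject unmatched/unregistered users
        AlternateLoginIdAttribute = $reg.LDAP_ALTERNATE_LOGINID_ATTRIBUTE # set when matching on something other than the UPN
        ForceGlobalCatalog        = $reg.LDAP_FORCE_GLOBAL_CATALOG
        LookupForests             = $reg.LDAP_LOOKUP_FORESTS
    }
    if ("$($settings.RequireUserMatch)" -ieq 'FALSE') {
        Write-Warning 'REQUIRE_USER_MATCH is FALSE: users without a matching, MFA-registered Azure AD account are let through on password only.'
    }
    $settings
}

# Constructed sample data (replace with the Get-ADUser / Get-MsolUser output noted above)
$onPrem = 'alice@contoso.com', 'bob@contoso.com', 'svc-backup@corp.local'
$cloud  = 'Alice@contoso.com', 'bob@contoso.com'

# svc-backup@corp.local has a non-routable UPN suffix that can never be a verified
# Azure AD domain, so it has no cloud identity and MFA cannot be performed for it
Compare-VpnUpns -OnPremUpns $onPrem -CloudUpns $cloud |
    Where-Object { -not $_.MatchedInCloud }

# Run on the NPS server itself
Test-AzureMfaNpsSettings
```

Run the UPN comparison against the real VPN user group before go-live; every unmatched account is a user who will be rejected by the extension (or, with REQUIRE_USER_MATCH set to FALSE, one who gets in without a second factor).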


Facebook at Work provisioning using "built-in" Azure SCIM

Facebook at Work ( is the business variant of Facebook. It gives enterprises the possibility to own, manage and use Facebook in an enterprise context. As Facebook at Work was born in the cloud, it comes with modern APIs for user management and is also listed in the Microsoft Azure Marketplace (link).

When integrating Facebook at Work with Azure AD you get two pre-built options from Microsoft:

  • Single Sign-On (using Azure AD)
  • User Provisioning (using a pre-built Azure AD SCIM connector to facebook)

Configure Single Sign-On

Below is a short guide for setting up Single Sign-On between Facebook at Work and Azure AD:

  1. Create a Azure AD user (with email)
  2. Create a Facebook user with username
    (make this user a global admin)
  3. Logon to Facebook at Work and Azure with your newly created users
    (there will be a match check when setting up
  4. Logon to your Facebook at Work instance
    1. Community Center > Settings
    2. Note down information under SAML configuration
      • Audience URL
      • Recipient URL
      • ACS URL
  5. Open Azure AD
    1. Add Azure application: Facebook  at Work
    2. Assign the Azure AD user to the Facebook at Work app
    3. Setup SSO
      1. Sign on URL = Tenant URL for Facebook (
      2. Identifier = Audience URL (from above)
      3. Reply URL = ACS URL (from above)
      4. Certificate; create a new 3 year certificate
      5. Store the information from Azure
        • Download the certificate file
        • Note down the SAML SSO URL
        • Note down the SAML Issuer URI
  6. Back to the Facebook at Work
    1. Community > Settings
    2. SSO settings
      1. Change to SSO logon: SSO Only
      2. Expire setting: 3 weeks
      3. Certificate = Open the cert-file downloaded and paste the text
      4. SAML URL = SAML SSO URL from Azure
      5. SAML Issuer URI = SAML Issuer URI from Azure
      6. Click "TEST SSO"
        SSO should now work and succeed. Save the settings. Remember that all authentication must now go through Azure AD (Facebook at Work does not support multiple authentication providers at the moment), so an outage or misconfiguration in Azure AD locks everyone out of Facebook at Work.
  7. Back to Azure AD (finish the settings)
    1. Add a notification email (for errors on certificate)

SCIM provisioning

It's also easy to set up SCIM provisioning to Facebook at Work. Note that the access token used below is a bearer credential for the SCIM endpoint: anyone holding it can create, change and deactivate users, so store it only in the Azure AD provisioning configuration and do not paste it into tickets or scripts.
  1. Logon to Facebook at Work
    1. Community > Settings
      1. Note down Access token
      2. Note down SCIM URL
      3. Note down Community ID
  2. Azure AD > Applications > Facebook at Work > Configure
    1. Setup provisioning
      1. User Security Token = Facebook Access token
      2. Facebook at Work Tenant URL = SCIM URL
    2. Test the connection
    3. Setup notification email (for errors on provisioning)

Username vs. e-mail address

Facebook, as a cloud service provider, expects the user's logon name and e-mail address to be the same (at the moment). In the standard configuration Azure AD creates users with [userPrincipalName] and expects that to work as the e-mail address. You can set suppressEmail for such users, but it is not recommended, since the service uses e-mail to drive engagement and remind users to check posts in Facebook at Work.

E-mail invitation 

When new users are provisioned by Azure AD (using the SCIM integration) the service sends an invitation e-mail to the newly provisioned user, so that the user is quickly onboarded and active on the Facebook at Work social platform.

Prevent the e-mail invitation (and all e-mail communication): Facebook at Work has a property, suppressEmail, that stops Facebook from sending e-mail to the user.


This can be configured in the Azure AD provisioning engine. The settings are changed under Azure > Applications > Facebook at Work > Attributes > Provisioning:

To add suppressEmail, click "Add attribute mapping", choose "suppressEmail" as the Facebook at Work attribute, and then you have two options:

  • Suppress all e-mail communication for all users (mapping type Constant = true)
  • Suppress e-mail communication only for users without an e-mail address (no mail attribute in Azure AD) and allow it for users that have one

    This mapping checks the mail attribute of the user in Azure AD: if it is present, suppressEmail is set to "false", if it is blank, to "true". My little piece of magic!
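The two mappings from the list above written out in the provisioning engine's attribute-mapping form, as an added example (not a screenshot or configuration from the original post). `mail` and `suppressEmail` are the attribute names the text uses and `IIF`/`IsPresent` are standard Azure AD provisioning expression functions; the literal form the Facebook at Work endpoint accepts for a boolean ("true"/"false" as strings versus bare True/False) is an assumption to confirm in the provisioning logs after a test run.

```text
# Option 1: suppress e-mail for every provisioned user
Target attribute (Facebook at Work) : suppressEmail
Mapping type                        : Constant
Constant value                      : true

# Option 2: suppress e-mail only for users that have no mail attribute in Azure AD
Target attribute (Facebook at Work) : suppressEmail
Mapping type                        : Expression
Expression                          : IIF(IsPresent([mail]), "false", "true")
```

Provision one test user with and one without a mail attribute, then check the provisioning log entries for the two users to confirm that suppressEmail arrived at Facebook at Work with the expected value before rolling the mapping out.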

Office 365 Clutter stuff

What is Clutter ?
Clutter is an e-mail filtering option available to Office 365 customers. It works like an anti-spam filter in that it moves less important e-mail (judged from your reading habits) into a 'Clutter' folder where it can be ignored or reviewed later. Most of the mail landing in the folder should be bulk mail (advertisements) and messages from mailing lists, but check the Clutter folder periodically, as it may move legitimate e-mail there as well.

When is Clutter applied?
Messages are handled in the following order in Exchange Online:

  1. The message is scanned by Exchange Online Protection (EOP)
  2. Transport (mail flow) rules in the tenant/Exchange Online
  3. If the mail reaches the user's mailbox:
    1. Junk e-mail filtering
    2. Inbox rules (if a message is handled by a rule, Clutter processing does not happen)
    3. Clutter processing

Disable Clutter (as a user)
Clutter can be disabled per user. Just follow the guide below:

  1. Log into OWA
  2. Click on the Gear > Options > Automatic Processing > Clutter
  3. Select Don't separate items identified as Clutter 
  4. Click Save.

Disable Clutter for the company (using a transport rule)
Create a new transport rule that sets the following header/value; Clutter is then bypassed for every e-mail the rule applies to:

  • HeaderName X-MS-Exchange-Organization-BypassClutter
  • Value true
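The two Clutter controls described above driven from Exchange Online PowerShell instead of OWA and the transport rule UI, plus a report of who still has Clutter on, as an added example (not code from the original post). It assumes an existing Exchange Online PowerShell session; the user identity and the rule name are placeholders, and the function names are this example's own.

```powershell
# Added example, not from the original post. Assumes an Exchange Online
# PowerShell session; 'rikardst' and the rule name are placeholders.

# Per user: same effect as "Don't separate items identified as Clutter" in OWA
function Disable-ClutterForUser {
    param([Parameter(Mandatory)][string]$Identity)
    Set-Clutter -Identity $Identity -Enable $false
    # Get-Clutter reports IsEnabled = False once the change is applied
    Get-Clutter -Identity $Identity
}

# Organisation-wide: a transport rule with no conditions applies to every
# message, and the stamped header makes mailbox processing skip Clutter
function New-ClutterBypassRule {
    param([string]$Name = 'Bypass Clutter for all mail')
    New-TransportRule -Name $Name `
        -SetHeaderName 'X-MS-Exchange-Organization-BypassClutter' `
        -SetHeaderValue 'true' `
        -Comments 'Disables Clutter processing for all messages'
}

# Report which user mailboxes still have Clutter enabled, to verify the rollout
function Get-ClutterEnabledUsers {
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox        = $_.PrimarySmtpAddress
                ClutterEnabled = (Get-Clutter -Identity $_.Identity).IsEnabled
            }
        } |
        Where-Object { $_.ClutterEnabled }
}

Disable-ClutterForUser -Identity 'rikardst'
New-ClutterBypassRule
Get-ClutterEnabledUsers
```

The header name starts with X-MS-Exchange-Organization-; Exchange treats these headers as internal and removes them from mail arriving from outside the organization, so the rule has to stamp the header inside and an external sender cannot bypass Clutter by adding it to a message. If only part of the organization should be exempt, add a condition (for example a recipient group) to New-TransportRule instead of applying it to all mail.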


Remove "orphaned" meetings in RoomMailboxes

When users leave the company there should be a "phase out" routine with the IT tasks to be performed (below is just an example):
  • Log and revoke system access and permissions
  • Hand over data to the manager and/or other owners
  • Delete all other data (mail, home folders, etc.)
  • Cancel meetings (and/or transfer them to other responsible organizers)
However, sometimes users that have left the company haven't cancelled their meetings and you need to remove the bookings from the RoomMailboxes (or EquipmentMailboxes) in Exchange.
PowerShell to the rescue:
# Requirements
# - Connection to Exchange (Online) using PowerShell
# - Administrator account with the "Mailbox Import Export" role in Exchange (Online)
# - Search-Mailbox has since been retired in Exchange Online; there, New-ComplianceSearch
#   and New-ComplianceSearchAction -Purge do the same job

# Task flow
# 1. Look up the primary e-mail address of the user
# 2. Search the meeting rooms for meetings (estimate and/or log first)
# 3. Delete the meetings from the meeting rooms (with a backup copy if needed)

# Define the e-mail address to search for (primary SMTP address of the departed organizer)
$mail = ""
# A bare address hits every meeting that mentions it; prefix it with "from:" to limit the
# query to meetings organized by that address, e.g. "from:$mail AND kind:meetings"
$query = "$mail AND kind:meetings"
# Room and equipment mailboxes are both resource mailboxes
$rooms = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails RoomMailbox, EquipmentMailbox

# Search in PowerShell (output in console) - estimate only, nothing is changed
$rooms | Search-Mailbox -SearchQuery $query -EstimateResultOnly -Verbose | Format-Table Identity, Success, ResultItemsCount

# Search in PowerShell (log to a target mailbox) - still nothing deleted
$rooms | ForEach-Object { Search-Mailbox $_.Alias -SearchQuery $query -Verbose -TargetMailbox Administrator -TargetFolder "SearchAndDeleteLog" -LogOnly -LogLevel Full }

# Delete (without a backup copy)
$rooms | Search-Mailbox -SearchQuery $query -DeleteContent -Force -Verbose

# Delete (with a copy of the deleted items) - enter the correct target mailbox and folder
$rooms | ForEach-Object { Search-Mailbox $_.Alias -SearchQuery $query -DeleteContent -Force -Verbose -TargetMailbox Administrator -TargetFolder "BackupFolder" -LogLevel Full }

Find erroneous AD Connect sync object (cannot sync object)

Today I was faced with an error in AD Connect. It couldn't sync one of the contact objects from on-premises AD to Azure AD (Office 365). The error in the AAD Connect log was:

  • Error in Connector operations
    • Status:completed-export-error
  • In error log (on the object)
    • Error:
      Object TypeMismatch
    • Connected data source error code:
    • Detailed data source error:
      An object with the same proxyAddress already exists in Azure Active Directory, but has an object type that is not compatible (object classes: contact, group or user). Resolve this issue in the local directory service or in Azure Active Directory, and try again.
After a lot of troubleshooting I found that it was a guest account in Azure AD that caused the error. A guest account is normally created when a user invites or shares a SharePoint site or document with an external user. These users show up as

To actually find objects with a specific e-mail address in Azure AD and/or Exchange Online you can do the following with PowerShell:
  1. Start PowerShell
  2. Connect to Azure AD with Connect-MsolService
  3. Connect to Exchange Online
  4. Run the script below (change the mail address)
# Define the e-mail address to search for
$mail = ""
if ([string]::IsNullOrWhiteSpace($mail)) { throw 'Set $mail first: an empty pattern would match every object.' }
# -match takes a regular expression; escape the address so that "." does not match any character
$pattern = [regex]::Escape($mail)

# Azure AD searches (requires Connect-MsolService; the MSOnline module is retired,
# the same lookups exist in the Microsoft Graph PowerShell module)
Get-MsolGroup -All | Where-Object { $_.ProxyAddresses -match $pattern }
Get-MsolUser -All | Where-Object { $_.ProxyAddresses -match $pattern }
Get-MsolUser -ReturnDeletedUsers -All | Where-Object { $_.ProxyAddresses -match $pattern }
Get-MsolContact -All | Where-Object { $_.EmailAddress -match $pattern }

# Exchange Online searches (requires a connection to Exchange Online)
Get-Group -ResultSize Unlimited | Where-Object { $_.WindowsEmailAddress -match $pattern }
Get-DistributionGroup -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $pattern }
Get-Mailbox -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $pattern }
Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $pattern }
Get-MailUser -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $pattern }
Get-User -ResultSize Unlimited | Where-Object { $_.UserPrincipalName -match $pattern -or $_.WindowsEmailAddress -match $pattern }
Get-MailContact -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $pattern }
Get-Recipient -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $pattern }
Get-MailPublicFolder -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $pattern }

Office 365 - convert a deleted mailbox to an inactive mailbox

In Office 365 you can convert the mailboxes of former employees to inactive mailboxes. This preserves the mailbox in Office 365 (it can later be reconnected and/or searched with eDiscovery).
  • Put an active mailbox on LitigationHold
    Set-Mailbox rikardst -LitigationHoldEnabled $true
  • Remove LitigationHold
    Set-Mailbox rikardst -LitigationHoldEnabled $false
  • Convert a deleted mailbox to inactive (put it on LitigationHold)
    • First assign a license to the user
    • Then put it on LitigationHold
      Set-Mailbox rikardst -LitigationHoldEnabled $true
    • Wait 60 minutes
    • Remove license
You cannot place a litigation hold on a deleted object (that is why you need to assign a license first). The hold can take up to 60 minutes to take effect, so do not remove the license before that; otherwise the mailbox is purged instead of kept.


OneDrive for Business (web interface)

Just a quick reminder of the old and new interface URLs:

  • OLD interface
  • NEW interface

Remember that the new OneDrive for Business sync client will soon be available. Get in line for the preview:

Microsoft Edge browser crashes directly after start [FIX]

Today I had problems with my Microsoft Edge browser (the new and cool browser in Windows 10). Directly after launch the application crashed:
Activation of app Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge failed with error: The remote procedure call failed. See the Microsoft-Windows-TWinUI/Operational log for additional information.
Steps to solve:

  1. Open a powershell with admin permissions (run as administrator)
  2. Find the installation folder
    Get-AppxPackage *edge* | fl name,*location*
  3. Navigate to the installation folder (see location from command above)
    set-location C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
  4. Repair the Edge browser
    Add-AppxPackage -DisableDevelopmentMode -Register ".\appxmanifest.xml"