Set the thumbnailPhoto in Active Directory with PowerShell

For years and years, as @LupoLoopy could probably attest to, I have been a fan of dumping user photos into Active Directory. Even as far back as Exchange 2010 we have been able to light up Outlook with user photos downloaded as part of the Global Address List, and today, with the likes of Azure AD, Office 365 and more, the user's photo is more and more prominent. Over the years, I have relied on a tool from Cjwdev called AD Photo Edit; however, only this week I discovered that we can actually do this natively with PowerShell, negating the need for the tool at all.

The PowerShell for this requires you to have the Active Directory PowerShell module imported, but other than that there are no complex requirements.

# Requires the ActiveDirectory module (RSAT). The user and photo path are placeholders.
# -Encoding byte is Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream instead.
Import-Module ActiveDirectory
$photo = [byte[]](Get-Content "<path-to-photo.jpg>" -Encoding byte)
Set-ADUser <sAMAccountName> -Replace @{thumbnailPhoto=$photo}

It really is that simple! I do, however, have a segue here: there still, to this day, does not seem to be a way to reverse the flow of profile pictures with Azure AD Connect. It is possible, and always has been, to export the thumbnailPhoto attribute from Active Directory to Azure AD for use in Office 365. There does not, however, seem to be a way to have Azure AD and Office 365 act as the image source and have the photos imported into Active Directory from the cloud. This is a shame because in Azure AD and Office 365 we have native interface elements that allow the user to self-service upload and edit their own user photo, but the same tools don't exist on-premises. One day, I hope, we will have the ability to import to AD from AAD, but until that time comes, I am planning on looking into building a really small web application that will execute the PowerShell code behind the scenes and allow users to self-service their images.
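The same write wrapped in a few checks, as an added example that is not code from the original post: it rejects files that exceed the attribute's schema limit or are not JPEGs, then reads the attribute back and compares hashes so the write is verified. The account name and photo path are placeholders.

```powershell
# Added example (not from the original post): set thumbnailPhoto with size and
# format checks, then read it back to confirm what was written.
# The account and path used at the bottom are placeholders.
Import-Module ActiveDirectory

function Set-UserThumbnailPhoto {
    param(
        [Parameter(Mandatory)] [string] $Identity,   # sAMAccountName, DN or GUID
        [Parameter(Mandatory)] [string] $PhotoPath   # JPEG file on disk
    )

    # Read the file as raw bytes. Windows PowerShell 5.1 uses -Encoding Byte;
    # PowerShell 6+ replaced that parameter with -AsByteStream.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $photo = [byte[]](Get-Content -LiteralPath $PhotoPath -AsByteStream -ReadCount 0)
    } else {
        $photo = [byte[]](Get-Content -LiteralPath $PhotoPath -Encoding Byte -ReadCount 0)
    }

    # thumbnailPhoto has a schema upper bound of 100 KB (rangeUpper = 102400),
    # so reject oversized files before touching the directory.
    if ($photo.Length -gt 102400) {
        throw "Photo is $($photo.Length) bytes; thumbnailPhoto allows at most 102400."
    }
    # JPEG files start with the SOI marker FF D8 FF; refusing anything else keeps
    # a renamed PNG or a truncated download out of the attribute.
    if ($photo.Length -lt 3 -or $photo[0] -ne 0xFF -or $photo[1] -ne 0xD8 -or $photo[2] -ne 0xFF) {
        throw "File does not look like a JPEG (missing FF D8 FF header)."
    }

    Set-ADUser -Identity $Identity -Replace @{ thumbnailPhoto = $photo }

    # Read back and compare SHA-256 digests so the write is verified, not assumed.
    $stored = (Get-ADUser -Identity $Identity -Properties thumbnailPhoto).thumbnailPhoto
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $want   = [BitConverter]::ToString($sha.ComputeHash($photo)) -replace '-', ''
    $got    = [BitConverter]::ToString($sha.ComputeHash([byte[]]$stored)) -replace '-', ''
    if ($want -ne $got) { throw "Read-back of thumbnailPhoto does not match the file written." }
    "thumbnailPhoto for $Identity set ($($photo.Length) bytes, SHA256 $want)"
}

# Placeholder values; replace with a real account and photo file.
Set-UserThumbnailPhoto -Identity 'jbloggs' -PhotoPath 'C:\Photos\jbloggs.jpg'
```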

Azure Route-based VPN with a Cisco ASA 5505

I haven’t posted here for a while and I have a bit of a success story that I thought I would share and hopefully help somebody else encountering the same issues.

Over the last few weeks, I have been working with a customer: the customer has a Cisco ASA 5505 firewall in a co-lo datacentre operated by a third-party whose name is something like (big metal thing that vertically stores servers)(the place where Jean-Luc Picard travels around). The customer has started to consume some Azure IaaS VMs and wanted to be able to establish a VPN to the co-lo to enable them to hop from one location to the other; a VPN connection from Azure was already in place to the office site which means we needed to use a multi-site VPN to Azure.

With the VPN to the office already working, we knew that the VPN Gateway and Virtual Network in Azure were sound. A multi-site Azure VPN requires a Route-based connection, not the basic Policy-based connection. We got the VPN Gateway all set up for Route-based connections and confirmed that was still working; no dramas. After doing this, we started speaking to the co-lo. The first response from the co-lo was that the ASA 5505 didn’t support a Route-based VPN which put us in dangerous territory. Reading the Azure documentation, there are a few articles that seem to contradict and conflict and having the right documents to hand helped enormously.

The first article you will probably encounter is the generic supported devices list for Azure VPN at https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices, which carries caveats for devices that are Policy-based only or that only support Route-based connections in specific circumstances. This article used to state that the ASA 5505 did not support Route-based connections, but it no longer does. If your vendor is telling you otherwise, direct them to the article in the first instance. For the ASA 5505, we need to ensure that it is running ASA OS 8.4 or above; this release added support for IKEv2, which is a requirement for Route-based connections to Azure.

With the first hump over, we initially struggled to get the connection up and running, which is where the next articles come in. Firstly, direct the vendor to https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-3rdparty-device-config-cisco-asa. This article is a specific example of the ASA 5505 using IKEv2 without BGP for a Route-based VPN. Once the vendor was on board, we started to make progress; however, there are changes you will need to make in Azure too! Firstly, the implementation of a Route-based VPN with an ASA 5505 requires the use of Traffic Policy Selectors. When configured, this requires you to define a custom IPSec Policy in Azure for the connection and then apply both the policy and the Use Traffic Policy Selectors option to the connection. The second part is that both these features require a Standard VPN Gateway and will not work with a Basic VPN Gateway. For this configuration, follow the guidance of https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell#workflow.
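The Azure-side changes just described, as an added example that is not code from the original post or from the linked Microsoft articles: it refuses to proceed on a Basic or Policy-based gateway, builds one explicit IKE/IPsec proposal, applies it together with policy-based traffic selectors to an existing connection, and reads the result back. It uses the Az module; the resource names are placeholders and the algorithm, DH group and lifetime values are assumptions that must mirror what the co-lo configures on the ASA.

```powershell
# Added example (not from the original post or the Microsoft docs). Resource
# names are placeholders; cipher, DH and lifetime values are assumptions that
# must match the ASA side exactly.
$rg       = 'rg-network-placeholder'
$gwName   = 'vpngw-placeholder'
$connName = 'conn-colo-asa5505-placeholder'

# Custom IPsec policies and policy-based traffic selectors need a Standard or
# higher SKU, and a multi-site VPN needs a Route-based gateway.
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName
if ($gw.Sku.Name -eq 'Basic') {
    throw "Gateway '$gwName' is Basic SKU; custom IPsec policies need Standard or higher."
}
if ($gw.VpnType -ne 'RouteBased') {
    throw "Gateway '$gwName' is $($gw.VpnType); a multi-site connection requires RouteBased."
}

# One explicit proposal for IKE (phase 1) and IPsec (phase 2). Any value that
# differs from the firewall surfaces as an authentication failure in the
# gateway diagnostics rather than a clear mismatch message.
$policy = New-AzIpsecPolicy `
    -IkeEncryption       AES256 `
    -IkeIntegrity        SHA256 `
    -DhGroup             DHGroup2 `
    -IpsecEncryption     AES256 `
    -IpsecIntegrity      SHA256 `
    -PfsGroup            PFS2 `
    -SALifeTimeSeconds   27000 `
    -SADataSizeKilobytes 102400000

# Apply the policy and the traffic selector option to the existing connection.
$conn = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name $connName
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn `
    -IpsecPolicies $policy `
    -UsePolicyBasedTrafficSelectors $true

# Read back so the change is confirmed rather than assumed.
$conn = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name $connName
[pscustomobject]@{
    Connection              = $conn.Name
    UsePolicyBasedSelectors = $conn.UsePolicyBasedTrafficSelectors
    IkeEncryption           = $conn.IpsecPolicies[0].IkeEncryption
    IpsecEncryption         = $conn.IpsecPolicies[0].IpsecEncryption
    SALifeTimeSeconds       = $conn.IpsecPolicies[0].SALifeTimeSeconds
}
```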

By the end of this, hopefully, you have a working VPN connection to an ASA 5505 using a multi-site Route-based Azure VPN, however, if you do not, here are a few things to check:

  1. Verify the pre-shared key at both ends of the connection matches
  2. Verify that the custom IPSec Policy in Azure matches that on the firewall
  3. Verify that the correct Traffic Policy Selectors are applied on the firewall
  4. Verify that the Azure Virtual Network and Azure VPN Connections have the correct address ranges configured

Any of the above will cause the connection to fail. If the connection still refuses to establish, you can enable the Azure Network Watcher feature and enable diagnostics for the VPN Connection. The diagnostic logging will generate a .zip file which contains two files of interest: ConnectionStats.txt and IKEErrors.txt. Below are the outputs for both files from my real-world scenario. As you will observe, IKEErrors.txt reported a generic authentication failed error and suggests checking the pre-shared key, crypto algorithms and the SA lifetimes; however, the ConnectionStats.txt file shows a more specific "Packets Dropped due to Traffic Selector Mismatch" error.

IKEErrors.txt:

Error: Authenticated failed. Check keys and auth type offers. 
	 based on log : Peer sent AUTHENTICATION_FAILED notify
Error: Authentication failed. Check shared key. Check crypto. Check lifetimes. 
	 based on log : Peer failed with Windows error 13801(ERROR_IPSEC_IKE_AUTH_FAIL)

ConnectionStats.txt:

Connectivity State : Connecting
Remote Tunnel Endpoint : 1.2.3.4
Ingress Bytes (since last connected) : 0 B
Egress Bytes (since last connected) : 0 B
Ingress Packets (since last connected) : 0 Packets
Egress Packets (since last connected) : 0 Packets
Ingress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets
Egress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets
Bandwidth : 0 b/s
Peak Bandwidth : 0 b/s
Connected Since : 1/1/0001 12:00:00 AM

Polycom VVX Phones and UK Daylight Savings Time

This weekend just past, the UK observed the end of daylight savings time for another year, bitterly welcoming in the cold weather and the start of the dark months. With that comes the day that many administrators dread in fear that their devices and equipment will fail to update with the proper time. Suffice to say, I have learnt lessons from previous years and my servers and network equipment all survived to tell the tale, however, I noted this morning that my Polycom VVX 500 desk phone had not.

I was surprised by this as I had all the proper configurations in place to ensure that the phone was using the correct time zone, however, upon investigation, the phone does not link the DST setting to the time zone: DST is configured separately. After a couple of minutes tweaking it via the web interface, I extracted the configuration, made it pretty and here it is.

Please feel free to use this in your own Polycom Provisioning Server configuration file if you have found your own phones not behaving. The configuration does a few things and hopefully it should be clear enough for you to modify for your own needs in other locales.

  • Forcibly enable DST
  • Forcibly set DST to occur on a fixed schedule
  • Set DST to start on the last Sunday of the third month (March)
  • Set DST to end on the last Sunday of the tenth month (October)
  • Set DST to begin at 1 a.m. and end at 2 a.m.


<tcpIpApp.sntp.daylightSavings tcpIpApp.sntp.daylightSavings.enable="1" tcpIpApp.sntp.daylightSavings.fixedDayEnable="1" />
<tcpIpApp.sntp.daylightSavings tcpIpApp.sntp.daylightSavings.start.month="3" tcpIpApp.sntp.daylightSavings.start.dayOfWeek.lastInMonth="1" tcpIpApp.sntp.daylightSavings.start.time="1" />
<tcpIpApp.sntp.daylightSavings tcpIpApp.sntp.daylightSavings.stop.month="10" tcpIpApp.sntp.daylightSavings.stop.dayOfWeek.lastInMonth="1" tcpIpApp.sntp.daylightSavings.stop.time="2" />

Active Directory 2016 Time-Based Group Membership

Group membership control and management is one of the cornerstones of Active Directory Domain Services. In Windows Server 2016, Microsoft introduced a new feature to Active Directory that forms part of the Microsoft Privileged Access Management (PAM) strategy.

When used in conjunction with automation, this can be used to provide Just-In-Time (JIT) access to protected and administratively sensitive services. When used in an environment that is synchronised with Azure Active Directory using Azure AD Connect, this can be used to provide JIT for hybrid solutions in Microsoft Azure (when RBAC has been applied to Azure Resource Manager objects).

In this post, I will briefly explain the process for implementing time-based group membership in Active Directory.
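The feature in use, as an added example that is not code from the original post: it enables the Privileged Access Management optional feature if it is not already on, grants a membership that expires by itself, and lists which members of the group are temporary and how long they have left. The forest, group and account names are placeholders.

```powershell
# Added example (not from the original post). Forest, group and user names are
# placeholders. Requires the Windows Server 2016 forest functional level.
Import-Module ActiveDirectory

$forest = 'corp.example.com'     # placeholder forest root
$group  = 'Tier0-Server-Admins'  # placeholder protected group
$user   = 'jbloggs'              # placeholder account

# The optional feature is forest-wide and cannot be disabled once enabled,
# so check its state before enabling it.
$pam = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $forest
}

# A membership with a TTL: the link is removed automatically when the TTL
# expires, and Kerberos tickets issued meanwhile are capped at the remaining TTL.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive (New-TimeSpan -Hours 2)

# With -ShowMemberTimeToLive, expiring members are returned as <TTL=seconds>,DN.
function Get-ExpiringMembers([string] $GroupName) {
    $g = Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive
    foreach ($m in $g.member) {
        if ($m -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
        } else {
            [pscustomobject]@{ Member = $m; SecondsLeft = $null }   # permanent member
        }
    }
}

Get-ExpiringMembers -GroupName $group | Format-Table -AutoSize
```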

Read the Full Post

Scouting UK Web Colours

For any regular readers here, this is a pretty off-topic post, however, I decided it was worthy of submission. As some may know, I volunteer with a local Scout group, the 1st Chineham to be specific. As a group, we are exploring getting a website up and running; I will have more to post on this subject in the future.

Whilst navigating the branding guidelines and documentation for Scouting UK at http://members.scouts.org.uk/comms_centre/zip/Brand_Guidelines.pdf, I discovered that the official colour palette for Scouting UK is only advertised in RGB, CMYK and Pantone. This is great for working in Office apps (RGB) or print (CMYK) but does not help for web implementation. Using an online RGB to Hex converter, I have pulled together all of the colours. If you are struggling to find them yourself, please feel free to use this as a reference:

  • Scout Purple #4d2177
  • Scout Green #84a40b
  • Scout Mauve #8b0066
  • Scout Orange #ed7703
  • Scout Blue #006990
  • Scout Brown #9d552d
  • Scout Grey #415a68
  • Scout Black #001323

Introducing Microsoft Forms

In the ever-expanding world of Office 365, Microsoft has introduced another new, compelling product to the lineup. As with a number of the recent releases, Microsoft Forms is a free product, available to customers with a compatible licence for existing services. Microsoft Forms is still in preview and is not production yet; that does not mean it cannot be used in anger though. We are all accustomed to Microsoft releasing features in preview with Office 365 and Azure.

Next, do not be fooled by the name as I was when I saw it. My first reaction was that Microsoft Forms is a replacement for InfoPath. InfoPath is a form filling application from the Office desktop suite which has long been marked for end of life. Microsoft Forms is not an InfoPath replacement. Microsoft Forms offers two key pieces of functionality:

  • Surveys and Questionnaires
  • Quizzes and Test Taking

Each of these two areas offers slightly different modalities for client use and slightly different features that can be consumed which we will look at next. Read past the break to find out more.

Read the Full Post

Using Mentions in Outlook 2016

In what feels like a long time ago, Microsoft released Office 2016 which includes the Outlook client. In the 2016 release of Outlook, Microsoft introduced a new feature called Mentions.

For anyone who is a user of Twitter, Facebook or other social media platforms, the notion of a mention will not be something new. For those who are not familiar with these platforms, a mention is the process of name-dropping somebody within a message. The objective of a mention is to draw the attention of somebody to something. An example of this could be, during an email exchange between two parties, introducing a third party to the conversation. This could be to ask the third party to respond to a specific question.

One of the reasons I really like mentions is due to the misuse of To and CC fields in an email today. In an idyllic world, messages sent to you require your action or consultation. Messages which you are copied on (CC) are sent for informational purposes. In theory, you should be able to delete any message you have ever been copied on and nothing would be lost. The CC field takes its name from traditional carbon copy paper where writing on one piece of paper would press through multiple layers; these were very useful for sales order paperwork or contracts where multiple parties need a copy of one document.

Read the Full Post

Sending Email to Office 365 Group Members

Office 365 Groups is a feature of Office 365, designed to provide a modern alternative to Distribution Groups in Microsoft Exchange. Distribution Groups still exist; Office 365 Groups offer a lot more features. Features lit up by Office 365 Groups include group-based calendars, task lists, a team mailbox and more. One could argue they behave more like a shared mailbox than a traditional Distribution Group.

When Office 365 Groups were first introduced, an email sent to the group would be sent to both the group mailbox and the group members. This duality was welcome for existing distribution list users who wanted to maintain legacy behaviour and confusing for modernists who wanted to dispel bulk email from their inbox and focus areas for specific group communication. Back in April 2017, Microsoft introduced a change to the behaviour of Office 365 Groups to disable the legacy behaviour. In changing the behaviour, an option was introduced to allow administrators to control the behaviour.

Read the Full Post

Failed Azure Web App Auto Restart Runbook

Let me start by painting a picture. You are using Azure. You have an App Service configured with a Web App that is hosting a website; this website for example. The website could be single-instanced or it could be multi-instanced using Azure Load Balancer, Azure Traffic Manager, Azure Application Gateway, or any other number of load balancing and traffic distribution technologies. One day, your web application fails to respond and you get a dreaded HTTP 500 or another error code. As a dedicated Azure consumer, you use Azure Application Insights to monitor your website. Application Insights not only gives you user metrics akin to Google Analytics but also gives you performance and availability metrics.

The picture I painted just then explains my scenario. I use Azure App Service with an Azure Web App to host this blog. I use Azure Application Insights to provide me with all of the metrics and data I need to understand the site. The availability monitoring feature is quite excellent. It allows me to monitor the website availability from up to five locations around the world with performance data for each region so I can see how the site performs for each geography. If the site goes down for any reason, I get an email notification to warn me.

Read the Full Post