Azure Conditional Access Rules break AAD Connect setup and configuration

Today I came across an interesting issue in my lab when trying to set up and configure Azure Active Directory Connect.

Error message:

AAD Connect Error Message

Checking the log is no help either; it just points me to the same error.

Error Message:

[ERROR] Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
Exception Data (Raw): System.Management.Automation.CmdletInvocationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.


Hmm, what's this about?

Let me google that for you – http://bfy.tw/BIv0

Not very helpful either.

After many painstaking searches I found a reference to an issue where Conditional Access rules may be the root cause.

I started digging into the rule that was enabled.

In detail

Controls selected

I disabled the rule and hit Retry in AAD Connect to check whether it was the cause.

Progress!

Bingo

Now that I'd found part of the problem I still needed to solve the other piece of the puzzle: I wanted this rule to stay in place, even if that meant some compromise.

What inside my policy was causing this error to appear?

Well, it looks like I didn't exclude an important account from the Conditional Access policy:

My On-Premises Directory Sync account

That account (the Sync_<server>_<id>@<tenant>.onmicrosoft.com user that AAD Connect creates) signs in from the synchronization service, not from a user session, so it has no way to satisfy a grant control that needs an interactive prompt, such as MFA. The wizard's attempt to raise that prompt from a non-interactive context is what surfaces as the "modal dialog box" error above.

Added the account to the policy's exclusions and we are through.

Hope this helps someone save some time when encountering this issue.
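The check the post arrives at by trial and error can be scripted. The following is an added example, not the post's own procedure, written against the Microsoft Graph PowerShell SDK: it lists every enabled Conditional Access policy that carries a grant control and scopes the sync account (directly, via "All users", or via a group) without excluding it, and with -Fix writes the exclusion back. The AsList helper, the -Fix switch and the permission scopes are mine; the Sync_ prefix is the naming convention AAD Connect uses for the account. Role-scoped policies (includeRoles) are not evaluated.

```powershell
<#
  Added example, not from the original post. Finds enabled Conditional Access policies
  whose grant controls would apply to the AAD Connect sync account and, with -Fix, adds
  the account to those policies' user exclusions. Assumes the Microsoft.Graph PowerShell
  SDK; the Sync_ prefix is the naming convention AAD Connect uses for the account.
#>
param([switch]$Fix)

# Policy.ReadWrite.ConditionalAccess is only exercised when -Fix is supplied
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'User.Read.All', 'Directory.Read.All'

# Helper (mine): turn $null or a scalar into an array so -contains and + behave
function AsList($x) { if ($null -eq $x) { @() } else { @($x) } }

# AAD Connect creates the cloud sync account as Sync_<server>_<id>@<tenant>.onmicrosoft.com
$syncAccounts = @(Get-MgUser -All -Filter "startsWith(userPrincipalName,'Sync_')" `
                    -Property Id, UserPrincipalName)
if ($syncAccounts.Count -eq 0) { throw 'No AAD Connect sync account found in this tenant.' }

$policies = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' })

foreach ($acct in $syncAccounts) {
    # Group scoping counts too; role-scoped policies (includeRoles) are not evaluated here
    $groupIds = AsList ((Get-MgUserMemberOf -UserId $acct.Id -All).Id)

    foreach ($policy in $policies) {
        $users = $policy.Conditions.Users

        # Session-only policies do not stop the sign-in; any grant control (mfa, block,
        # compliantDevice, ...) does, because the sync account cannot satisfy one interactively
        $hasGrant = ($null -ne $policy.GrantControls) -and
                    ((AsList $policy.GrantControls.BuiltInControls).Count -gt 0)
        $inScope  = ((AsList $users.IncludeUsers) -contains 'All') -or
                    ((AsList $users.IncludeUsers) -contains $acct.Id) -or
                    (@(AsList $users.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
        $excluded = ((AsList $users.ExcludeUsers) -contains $acct.Id) -or
                    (@(AsList $users.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)

        if (-not ($hasGrant -and $inScope -and -not $excluded)) { continue }

        $action = if ($Fix) { 'excluded' } else { 'would exclude (run with -Fix)' }
        [pscustomobject]@{
            Policy  = $policy.DisplayName
            Account = $acct.UserPrincipalName
            Grant   = ((AsList $policy.GrantControls.BuiltInControls) -join ',')
            Action  = $action
        }

        if ($Fix) {
            # PATCH replaces the whole users object, so every list is sent back, not just excludeUsers
            $body = @{
                conditions = @{
                    users = @{
                        includeUsers  = [string[]]@(AsList $users.IncludeUsers)
                        excludeUsers  = [string[]]@((AsList $users.ExcludeUsers) + @($acct.Id))
                        includeGroups = [string[]]@(AsList $users.IncludeGroups)
                        excludeGroups = [string[]]@(AsList $users.ExcludeGroups)
                        includeRoles  = [string[]]@(AsList $users.IncludeRoles)
                        excludeRoles  = [string[]]@(AsList $users.ExcludeRoles)
                    }
                }
            }
            Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body
        }
    }
}
```

Run it without -Fix first and read the list. Excluding the sync account from MFA leaves a highly privileged account protected by a password alone, so pair the exclusion with a second policy that blocks that account from every location except a named location containing the AAD Connect server's egress IP, and alert on any sign-in it makes from elsewhere.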


Windows 10 Version 1703 – First Run Experience

Windows 10 version 1703 dropped into Current Branch on April 11, and there are some significant changes to the first run experience to take note of. The GUI has been given a facelift!

Here is a run-through of what to expect during setup with the Enterprise edition.

Most wizards remain the same until you reach the First Run Setup Wizard.

Let's start with the basics.

One little gripe I have here: keyboard entry won't work. Typing the letter A doesn't scroll me up automatically; instead I have to scroll through every region between United States and Australia! This is not cool for us Aussies, Austrians, Argentinians, you get the drift...

Luckily, in Australia we use the US keyboard layout.

This is very neat; I know a lot of people who use two keyboard layouts will appreciate this. Take Japan, for example.

Network

As this PC is a Hyper-V VM, it automatically skipped the "set up a Wi-Fi network" wizard.

Account (the fork in the road)

This is the most important change in the first run experience: what I enter here defines which path I go down, especially when using an MDM solution such as Intune or a work or school account.

Selecting the option "Domain join instead" asks me to enter a name to create a local account.

Please note that selecting the option "Or, even better, use an online account" brings me back to the first account screen.

Cortana

Privacy Settings

Now I'm led to the desktop with my local account (not exactly a domain join).

Back to the old method of domain join we have all become accustomed to over the years.

Correction: decades.

OK, so that's one path covered; now another installation, and let's see where we go.

For curiosity's sake I set the time and currency format to English (Australia). Will this affect what we see when selecting the region?

Woohoo, Australia is selected! Kudos to the product team, that's very clever...

Round 2

Sure is

I'm only fluent in US keyboard...

Again, the network is connected.

Let's not bother with selecting Domain join as we know where that goes; this time I'll add my work account.

Ah no! I entered a Microsoft personal account; computer says no, at least Windows 10 Enterprise does. Let's try again with a work account.

Meraviglioso (Italian for "wonderful"), for those of you who don't know.

I now see my company logo.

MFA is enabled and linked to my Microsoft Authenticator app.

My authenticator app is not working, so I guess I have to choose another option.

I'm through.

As we have an Intune MDM policy applied in our environment, I'm presented with the following:

Look, I'm joined to Azure AD!

Intune MDM has taken over and is now deploying applications and policies to my PC.

One key thing to note is that we have automatic MDM enrolment enabled in Azure Active Directory (Mobility (MDM and MAM) > Microsoft Intune > MDM user scope); without it the device would be Azure AD joined but would not enrol in Intune during setup.

Azure Replication Status Report – Email Notification

Recently I was given the task of monitoring the replication status of a large number of servers. I really didn't want to go via the classic console and click inside every replication group just to make sure things were rolling smoothly, which got me thinking about how I could automate this task using Azure Automation runbooks.

I started digging around and came across a post where a gentleman had written a PowerShell script to deliver the daily backup jobs via email. It was not exactly what I wanted, so I took that script and modified it to deliver the information I required.

The first step is to create a runbook in Azure.

Give the runbook a useful name and choose PowerShell as the runbook type.

For the runbook to create a connection you will need to add the following code at the start of your script. If you have not set up an Azure Run As account you can follow these instructions: Authenticate runbooks with an Azure Run As account.

Be sure to populate your Run As connection name next to $connectionName.

Next, add the code below.

This is the workhorse that produces the report; you will need to populate your SMTP settings.
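The two pieces of code referred to above are not reproduced on this page, so here is an added example of the same shape, written by the editor rather than taken from the post: the Run As connection block the first step asks for, followed by a collector, an HTML table and the email send. The collector assumes the replication being monitored is Azure Site Recovery in a Recovery Services vault and uses the AzureRM.RecoveryServices.SiteRecovery cmdlets; the vault name, SMTP host, addresses and the SmtpCredential asset name are placeholders.

```powershell
<#
  Added example, not the original post's script. Runbook skeleton: authenticate with the
  Automation Run As connection, collect a replication status table, render it as HTML and
  email it. The collector assumes Azure Site Recovery; swap Get-ReplicationStatus for
  whatever replication source you actually monitor.
#>
param(
    [string]$VaultName  = 'my-rsv',              # assumed Recovery Services vault name
    [string]$SmtpServer = 'smtp.example.com',    # assumed SMTP host
    [string[]]$To       = @('ops@example.com'),  # assumed recipients
    [string]$From       = 'automation@example.com'
)

# Run As connection boilerplate; AzureRunAsConnection is the default asset name
$connectionName = 'AzureRunAsConnection'
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
Add-AzureRmAccount -ServicePrincipal `
    -TenantId $servicePrincipalConnection.TenantId `
    -ApplicationId $servicePrincipalConnection.ApplicationId `
    -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint | Out-Null

function Get-ReplicationStatus {
    # Walks every fabric and protection container in the vault and emits one row per
    # replicated item. ReplicationHealth is Normal, Warning or Critical.
    param([string]$VaultName)
    $vault = Get-AzureRmRecoveryServicesVault -Name $VaultName
    Set-AzureRmRecoveryServicesAsrVaultContext -Vault $vault | Out-Null
    foreach ($fabric in Get-AzureRmRecoveryServicesAsrFabric) {
        foreach ($container in Get-AzureRmRecoveryServicesAsrProtectionContainer -Fabric $fabric) {
            Get-AzureRmRecoveryServicesAsrReplicationProtectedItem -ProtectionContainer $container |
                ForEach-Object {
                    [pscustomobject]@{
                        Server            = $_.FriendlyName
                        Container         = $container.FriendlyName
                        ProtectionState   = $_.ProtectionState
                        ReplicationHealth = $_.ReplicationHealth
                    }
                }
        }
    }
}

$rows      = @(Get-ReplicationStatus -VaultName $VaultName)
$unhealthy = @($rows | Where-Object { $_.ReplicationHealth -ne 'Normal' })

# Unhealthy items sort to the top of the table so the reader sees them first
$style = '<style>table{border-collapse:collapse}td,th{border:1px solid #999;padding:4px}</style>'
$body  = $rows | Sort-Object ReplicationHealth, Server |
    ConvertTo-Html -Head $style -Title 'Replication status' `
        -PreContent "<p>$($rows.Count) replicated items, $($unhealthy.Count) unhealthy</p>" |
    Out-String

# SMTP credentials come from an Automation credential asset, never from the script body
$smtpCred = Get-AutomationPSCredential -Name 'SmtpCredential'
Send-MailMessage -SmtpServer $SmtpServer -Port 587 -UseSsl -Credential $smtpCred `
    -From $From -To $To `
    -Subject "Replication status: $($unhealthy.Count) unhealthy of $($rows.Count)" `
    -Body $body -BodyAsHtml
```

Keep the SMTP password in an Automation credential asset rather than in the script or a runbook parameter, since runbook source and job parameters are readable by anyone with access to the Automation account. Note also that Microsoft has since retired Run As accounts in favour of a managed identity on the Automation account; on a current account the first block reduces to Connect-AzAccount -Identity with the Az modules.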

You are now ready to test that the runbook works.

Select the Test pane.

Select Edit and start the test; the runbook will be queued for an automation worker to pick it up.

Wait for the runbook to complete.

A new email should arrive with a table of results like the one below.

Now you just need to publish the runbook and add a schedule.

You can set the schedule for an hourly drop into your inbox, or drop the results into a group inbox.