Blocking Legacy Authentication – Conditional Access vs Authentication Policies

I’ve already written a post on why Legacy Authentication (Basic) is bad, and Modern Authentication is good. At the time of writing, Authentication Policies were the way to go to block Legacy Authentication methods. Of course, things change and there’s now a better* option to look at – Conditional Access.

I’ve also covered Conditional Access before, and it’s really hard to fault the solution. There are now Baseline policies deployed by default (still in preview though) to Azure AD tenants with recommended best practices:

Conditional Access Baseline Policies

One of these is for blocking legacy authentication, but I’m not going to recommend you turn it on (at least not to start with; it’s a good final step once you know you have full modern authentication support), as it’s a tenant-wide setting with no exceptions if you need to allow legacy authentication for an account (unlike Require MFA for admins, which does allow exceptions).

Instead, you can create your own policy that does the same. This means you can gradually roll it out, and put exceptions in place until you either work around them or live with them. If you have an account that genuinely requires legacy auth, then you need to consider how else you’ll protect it: can you use other Conditional Access policies to restrict it to certain regions/locations, certain apps, platforms etc.? Lock it down as much as you can, and make sure the account has a long, unique password.

The single important setting to block legacy auth via a Conditional Access Policy is blocking access to ‘Other clients’ via Client apps:

Microsoft have a full guide on how to set this up on docs.microsoft.com.
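As an added example (not from the original post or Microsoft’s guide), here is the same policy created from PowerShell with the Microsoft Graph PowerShell SDK, in report-only mode and with an exclusion group, which is the gradual rollout described above. The policy name and the group name ‘CA-Exclude-LegacyAuth’ are assumptions.

```powershell
# Added example: create a Conditional Access policy that blocks legacy-authentication
# clients, in report-only mode first, with an exclusion group for accounts that still
# need Basic auth. Uses the Microsoft Graph PowerShell SDK; the group name is assumed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

# Exclusion group for accounts you have decided to live with for now (assumed name).
$exclusionGroup = Get-MgGroup -Filter "displayName eq 'CA-Exclude-LegacyAuth'"
if (-not $exclusionGroup) { throw 'Create the exclusion group before deploying the policy.' }

$policy = @{
    displayName   = 'Block legacy authentication (custom)'
    # Report-only: evaluated and written to the sign-in logs, but nothing is blocked yet.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($exclusionGroup.Id)
        }
        applications   = @{ includeApplications = @('All') }
        # 'other' is the Graph name for the "Other clients" tick box in the portal;
        # 'exchangeActiveSync' is a separate tick box and covers Basic-auth ActiveSync.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# Once the report-only results show nothing unexpected, switch it to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'
```

Accounts that end up in the exclusion group are exactly the ones the paragraph above says to lock down some other way, so keep that group small and reviewed.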

So, why is this better than using Authentication Policies? Two main reasons:

If an account has its access or sign-in blocked due to an Authentication Policy, it’s not logged. You can look at the user in Azure AD and check the sign-ins, but you won’t see anything. However, if it’s blocked via Conditional Access, you’ll have a nice log entry showing you it was blocked:

Side note: Although in this example I was logging in from Australia, I was trying to connect to Exchange Online via PowerShell. That seems to often be detected as being in the US, so be careful with region blocking.
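To pull those log entries out in bulk rather than clicking through the portal, here is an added example (not from the original post) using the Microsoft Graph PowerShell SDK. It lists sign-ins Conditional Access actually blocked in the last week, and then, for a policy still in report-only mode, which users and client apps would have been blocked. The policy name is an assumption.

```powershell
# Added example: read Azure AD sign-in logs to (1) see what Conditional Access blocked and
# (2) gauge the impact of a report-only legacy-auth policy before enforcing it.
# Uses the Microsoft Graph PowerShell SDK; the policy display name is assumed.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$policyName = 'Block legacy authentication (custom)'   # assumed policy display name
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# 1. Sign-ins that Conditional Access blocked outright in the last 7 days, with the
#    policy responsible and the detected country (compare the Australia/US side note above).
$blocked = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and conditionalAccessStatus eq 'failure'"
$blocked |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed,
        @{ n = 'Policy';  e = { ($_.AppliedConditionalAccessPolicies | Where-Object Result -eq 'failure').DisplayName -join ';' } },
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } } |
    Format-Table -AutoSize

# 2. Report-only impact: legacy client sign-ins that our policy evaluated as a failure but
#    did not enforce. clientAppUsed is filterable server-side; the policy result is not,
#    so that part is filtered after download.
$legacyFilter = "createdDateTime ge $since and (clientAppUsed eq 'Other clients' or clientAppUsed eq 'Exchange ActiveSync')"
$wouldBlock = Get-MgAuditLogSignIn -All -Filter $legacyFilter |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $policyName -and $_.Result -eq 'reportOnlyFailure' }
    }

# Group by user and client so each remaining legacy-auth dependency is visible.
$wouldBlock |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The second list is the one to work through before flipping the policy to enforced: every row is either a client to upgrade to modern authentication or a candidate for the exclusion group.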

The other reason is that Authentication Policies can take up to 4 (!) hours to apply, although it’s often more like an hour. That is a long time to wait, and you just have to keep waiting and trying until it works – except that if you did it wrong, you won’t know, and you’ll keep waiting. Or, if you need to unblock access while rolling out, it’s a long time to roll back.

Authentication Policies do have their place though: they give more granular control over what you want to block or not. Say you know you want to block POP3 access company-wide, but not IMAP – that’s possible there, but not via Conditional Access.
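As an added example of that granularity (not from the original post), here is an Exchange Online Authentication Policy that blocks Basic auth for POP3 only. A new policy blocks every Basic-auth protocol by default, so each protocol you want to keep is switched back on explicitly. It needs an Exchange Online PowerShell session; the policy name and pilot address are assumptions.

```powershell
# Added example: Authentication Policy blocking Basic auth for POP3 only, which Conditional
# Access cannot express. Requires an Exchange Online PowerShell session; names are assumed.
$name = 'Block Basic Auth - POP3 only'

# Every -AllowBasicAuth* switch defaults to off on a new policy, so re-enable all but POP.
New-AuthenticationPolicy -Name $name `
    -AllowBasicAuthActiveSync -AllowBasicAuthAutodiscover -AllowBasicAuthImap `
    -AllowBasicAuthMapi -AllowBasicAuthOfflineAddressBook -AllowBasicAuthOutlookService `
    -AllowBasicAuthPowershell -AllowBasicAuthReportingWebServices -AllowBasicAuthRpc `
    -AllowBasicAuthSmtp -AllowBasicAuthWebServices
# Deliberately omitted: -AllowBasicAuthPop, so Basic auth over POP3 stays blocked.

# Confirm exactly one protocol is blocked before assigning the policy to anyone.
Get-AuthenticationPolicy -Identity $name |
    Select-Object Name, AllowBasicAuthPop, AllowBasicAuthImap, AllowBasicAuthSmtp

# Pilot on a single user first (assumed address), then make it the tenant default.
Set-User -Identity 'pilot.user@contoso.com' -AuthenticationPolicy $name
# Set-OrganizationConfig -DefaultAuthenticationPolicy $name
```

Remember the propagation delay described above applies here too: a user assigned this policy may keep authenticating over POP3 for a while after the command returns.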

Unless you have a good reason to use Authentication Policies, just use Conditional Access (assuming you have Azure AD Premium P1 or P2 licensing, which is what actually lets you use Conditional Access – and if you’re using Azure AD you should be on that licensing anyway). It’ll make your life easier!

Oculus Quest Review – Standalone VR Unit

It’s been two and a half years since I tried the Google Daydream, which I felt was a disappointment. Since then, there had been nothing that sounded like it was much better. Everything was either wired into a PC, or just an incredibly entry level experience with very little reason to bother.

That was, until I heard about the Oculus Quest. A standalone device, but with ‘proper’ controls like the PC connected Oculus Rift, HTC Vive, or any of the various Microsoft Mixed Reality headsets. I started to read up on it, and the more I read – the more it sounded like a winner. It had only just launched in the US, and people were raving about it online.

After a lot of consideration, I decided to order the 64GB Oculus Quest unit for $649AU (there’s a 128GB version for $799, which differs only in having double the storage). That price point was probably the top I was willing to pay – $700+ just felt too expensive. There was also nowhere in Australia I could go to buy this device or check it out – Oculus has an online store, or it’s available via Amazon AU – so I had to make the call to buy it unseen and untested.

I am really glad that I did. There’s not much to this – a headset, two controllers, 2 AA batteries and a very long USB-C cable for charging the headset.

What’s in the Oculus Quest box?

This is the first ‘proper’ VR device that really is consumer friendly to the masses. You take the headset and controllers out, put the batteries in, turn on the headset and you’re ready to start setting it up.

The quick tutorials shown are easy to understand – you’ll need to use your phone to set up the Oculus Quest once (like pointing it to a wifi network) but after that, you never have to use your phone again.

Like older VR units, you’ll need to set up your ‘boundary’ – that is, the area you map out in your physical space where you’ll use VR without hitting anything. Older headsets needed you to walk a controller around the room, but the Quest (and I believe the new Oculus Rift S) improves on this greatly.

First, you’re able to see the outside world with the headset on, when it’s in passthrough mode. It will show black and white live footage of what you’re looking at. In this passthrough mode, you can draw on the ground where your play area is, which then creates a grid wall. The wall only shows up when you get too close to it, and the closer you are, the thicker the grids are.

You can also just set a boundary for sitting experiences, which just creates a circle around you.

Passthrough also kicks in if you go outside the boundary you’ve set up, which I think is a great safety feature (or if you just want to go get a drink and can’t be bothered taking the headset off, either way).

Setting up your Oculus Quest

Once set up, there’s the ‘First Steps’ tutorial for using your device. It teaches you how to use the controls, while giving you a sandbox to play around and experiment with what’s possible. This is the app to show anyone who hasn’t used VR properly before – it’s immersive, easy, and actually fun.

The graphics on the Oculus Quest are not going to match what’s possible from a PC, but they are good enough to be immersed and not think the visuals are lacking. If you came from PC VR you’d notice the downgrade in quality of course, but that’s the cost of portability.

Check out this comparison of Robo Recall as an example. It’s quite a fun game and I was more than happy with the graphics:

Most games also support streaming via Chromecast to a TV, so others can see what the headset wearer is doing – I can see this as a great small party device where people take turns, especially with a game like Beat Saber:

The controller quality, in my opinion, is great. I’ve seen some online discussion around the magnet-secured battery clips falling off, but I’ve experienced no issues at all. They’re the same controllers that come with the PC-powered Oculus Rift S, and have touch-sensitive controls that detect whether or not you’re touching certain buttons – allowing your virtual hand to move around a bit.

The tracking is also great – the 4 cameras on the device are enough to work out where your controllers are and what they’re doing, with a very high level of accuracy and low latency. I don’t notice any lag at all when moving my hands around in a virtual world – it’s as good as instant, while being incredibly smooth.

The biggest negative is the cost. The headset isn’t crazy expensive, but the games are. They’re generally between $20AU and $50AU per game, which is going to make you think long and hard about what you buy. It might not sound that bad, but a lot of the games don’t have huge replayability – you’ll finish once after 1-2 hours then move on. Beat Saber for example is $46.99, but at least that’s the sort of game you’ll want to play again and again while improving. There are some free games, and the store is highly curated so there’s no rubbish apps, but it’s worth being aware of.

Being the tinkerer that I am, I wanted to see what else was possible for free on the Oculus Quest, and wrote up a separate post around some utilities I’ve been using – check it out if you want to sideload apps (including custom Beat Saber songs), stream PC games to the Oculus Quest via Wifi and make Steam think it’s a supported plugged-in device, or mirror everything you do on the Quest to a computer, rather than just certain games with in-game support.

With all of the above in mind, I still strongly recommend the Oculus Quest, as long as you don’t have a PC powered VR unit already. It’s a great all-round experience, with good-enough graphics and a lot of fun to be had. It’s the sort of thing I want to go back and play again and again because it is so different to other gaming experiences. Playing in a virtual world where you need to actually look around and react will both give you a bit of a workout, and make you forget where you are in the real world.

Oculus Quest Free Utilities Guide

I’ve reviewed the Oculus Quest separately, but in short it’s a really impressive piece of technology that’s ‘good enough’ graphics wise, and great at everything else.

If you’re a tinkerer however, you’ll want to do more than just use whatever is on offer via the Oculus Quest store. Here’s some free 3rd party utilities to get more out of your VR device:

SideQuest – This is an app to install on your PC which lets you sideload (install) apps outside of the Oculus Quest store. As the device is running on Android, if you’ve played around in that space before you’ll be fairly comfortable with this. Follow the Guide to set this up; you can’t break or brick your device, but you could make things a bit messy. Worst case is a factory reset.

At a very high level, you’re creating an Oculus Quest developer account (incredibly easy), and allowing 3rd party app installs to your device. Any app loaded via SideQuest won’t appear with a nice giant picture in the main screen, they’re found under Library > Unknown Sources.

There’s a bunch of specially built games and apps for the Oculus Quest already, as well as free betas of games that will launch later. If you’re looking for more free content for your device, this is the easiest way to get it installed.

SideQuest also has detailed Beat Saber integration where you can download and sync custom songs to play using bsaber.com as well as the ability to manage existing apps installed on the device – uninstall, clear data etc.

Scrcpy – This is a utility to run on a computer that lets you mirror the view from inside the headset. Natively, the Oculus Quest can do some screen sharing via Chromecast, or mirroring to a mobile device, but it’s app dependent, and in beta.

Scrcpy has the ‘negative’ point of giving you the actual view from the headset, as in two giant round circles of graphics rather than a single rectangle view, but it’ll work in all scenarios. It’s really handy when you are trying to talk someone else through how to do something. You can reduce the view to a single circle with certain parameters when running (more below).

It’s possible to do this wirelessly and works quite well. Here’s a batch file you can run that’ll connect the Oculus Quest and launch the viewer. Note you will just see a black screen in the program until the Quest’s sensor starts displaying something.

@echo off
echo Plug in the Oculus Quest via USB-C
pause
rem Token 9 of "ip route" output is the address after "src", i.e. the headset's wifi IP
for /f "tokens=9" %%a in ('adb shell ip route') do (echo IP of Oculus Quest: %%a&set ipaddr=%%a)
rem Switch adb on the headset to TCP/IP; the connect below must use the same port
adb tcpip 5678
echo Unplug the Oculus Quest's USB-C Cable
pause
adb connect %ipaddr%:5678
echo Connected! Launching scrcpy...
rem Crop to one eye's 1440x1600 region so you see a single circle instead of two
scrcpy.exe -c 1440:1600:0:0

ALVR (Air Light VR) – This is a utility to run on a computer to be able to use the Oculus Quest like any other VR device that would be plugged directly in (such as an Oculus Rift S).

This opens up a huge library of games and programs to run. You can play any Steam VR game this way, but really fast-moving games like Beat Saber can be a bit sensitive to the latency added by wireless; another game like Rick and Morty: Virtual Rick-ality works perfectly. A 5GHz router is recommended for this for higher throughput, and the Oculus Quest supports this too.

You’ll need to install the ALVR APK onto your headset (SideQuest can do that!), and install the ALVR Server software on the PC and run the ‘alvr.exe’ program.

Side note: Virtual Desktop does the same as ALVR, but it’s a paid product. Early on they were about the same, but Virtual Desktop seems to be a better and smoother experience now, so could be worth considering if you like ALVR.

With these three free solutions, you can get a lot more out of your Oculus Quest. Opening up the Steam library, being able to see what the wearer of the headset is seeing, and being able to add apps outside the Oculus ecosystem all add a lot of extra value to this already impressive (in my opinion) device.

How To Check What Files Are In Use On A Remote Windows Computer

This one had me stumped for a while, and I even asked on Twitter and got a large number of replies (thanks everyone who did!), but none that I could get to work, or that weren’t overly complicated and required compiling code.

It’s easy locally to find out what files are open, and here’s a great article covering several free ways: https://www.winhelponline.com/blog/find-process-locked-file-openfiles-utility/

None of those worked remotely for me in a Windows 10 environment – but I thought Handle from the SysInternals Suite would be the best bet. Running locally, it did exactly what I wanted – a giant list of every file open, showing which process had it open (like WinWord.exe).

Using PSExec with Handle however causes it to wait forever for something. On the remote PC, it definitely launches handle.exe and handle64.exe, but they have no activity. I thought it might be the EULA prompt getting stuck somewhere, but there’s a registry setting that will auto-accept that prompt, and putting that in place didn’t help (I did check locally, and it was skipping the EULA agree prompt). Thanks to this blog post explaining the reg key required https://peter.hahndorf.eu/blog/post/2010/03/07/WorkAroundSysinternalsLicensePopups which was:

reg.exe ADD HKCU\Software\Sysinternals /v EulaAccepted /t REG_DWORD /d 1 /f

I added this to the remote machine under both the user logged on to the remote device, and the user I was connecting as, with no luck.

After a bunch of Googling and trying solutions, I ended up finding this thread on stackoverflow. One of the answers with 0 votes (which can be easily overlooked) was a PowerShell script, invoking the command remotely, from a user called A.D – thank you A.D!

I’ve barely modified it for my purposes, but if this helps you please go vote his post up on stackoverflow (I did but don’t have enough rep for it to show):

$computerName = 'computername'
$stringtoCheck = 'test' # String you want to search for, can be blank by removing text between '' quotes
$pathtoHandle = 'c:\temp\handle.exe' # location of handle.exe on the remote server.
Invoke-Command -ComputerName $computerName -ScriptBlock {
    param(
        [string]$handles,
        [string]$stringToCheck
    )
    # Run handle.exe directly with the call operator rather than via Invoke-Expression,
    # so the search string is passed as an argument and never parsed as PowerShell code.
    $handleArgs = @('/accepteula', '-nobanner')
    if ($stringToCheck) { $handleArgs += $stringToCheck }   # blank string = list everything
    & $handles @handleArgs
} -ArgumentList $pathtoHandle, $stringtoCheck

The script requires handle.exe to be on the remote computer under C:\Temp, and of course that the account this script is run as has admin rights to the remote PC. Beyond that, it’ll show back all open files that match the value set in $stringtocheck anywhere in the results – it could be the path, the process that has the file open etc.
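The remote call returns plain text, which is fine to read but awkward to filter or export. As an added example (not the post’s script, nor part of Handle), here is a small parser that turns Handle’s search-mode output into objects, run over constructed sample lines in the shape Handle prints when given a search string; the remote path to handle.exe is an assumption.

```powershell
# Added example: parse handle.exe's search-mode output into objects so you can sort,
# filter or export what comes back from Invoke-Command. Sample lines are constructed.
function ConvertFrom-HandleOutput {
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    begin {
        # process name, "pid: N", "type: X", hex handle value, then the object path
        $pattern = '^(?<Process>\S+)\s+pid:\s+(?<Pid>\d+)\s+type:\s+(?<Type>\S+)\s+(?<Handle>[0-9A-Fa-f]+):\s+(?<Path>.+)$'
    }
    process {
        foreach ($line in $Lines) {
            if ($line -match $pattern) {
                [pscustomobject]@{
                    Process = $Matches.Process
                    Pid     = [int]$Matches.Pid
                    Type    = $Matches.Type
                    Handle  = $Matches.Handle
                    Path    = $Matches.Path.Trim()
                }
            }
            # Banner lines, blank lines and "No matching handles found." do not match and are skipped.
        }
    }
}

# Constructed sample of what handle.exe prints when searching for "Documents"
$sample = @(
    'Sysinternals - www.sysinternals.com',
    '',
    'WINWORD.EXE        pid: 5124   type: File           B4C: C:\Users\jane\Documents\report.docx',
    'EXCEL.EXE          pid: 7720   type: File          1A80: C:\Users\jane\Documents\budget.xlsx'
)
$sample | ConvertFrom-HandleOutput | Format-Table -AutoSize

# The same parser applied to the remote invocation from the post (assumed path for handle.exe):
# Invoke-Command -ComputerName 'computername' -ScriptBlock {
#     & 'c:\temp\handle.exe' /accepteula -nobanner 'Documents'
# } | ConvertFrom-HandleOutput | Sort-Object Process, Path
```

With objects in hand, `Group-Object Process` tells you at a glance which application is holding a file, and `Export-Csv` gives you a record of what was open at the time, which is handy when you are troubleshooting without interrupting the user.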

Why would you want to do this remotely at all? You might be troubleshooting something to do with open files and not want to interrupt the user. You might have a reason to see what files the user has open, or maybe it’s a locked PC and the user left.

Hope this helps others as it was a much harder task to accomplish than I assumed.

Converting a user mailbox to shared in Exchange Online Hybrid

This is a useful process a lot of companies follow when an employee departs: instead of deleting the mailbox, or continuing to leave the mailbox in place and paying for licensing, it’s possible to set it as a shared mailbox and keep the data there for free.

There are some catches to this, such as the maximum amount of data being 50GB. You also can’t delete the user’s account, but it can be disabled and moved.

Setting the mailbox from User to Shared in Exchange Online is easy (from docs.microsoft.com):

In the admin center, go to the Users > Active users page.

Choose the user whose mailbox you want to convert.

In the right pane, choose Mail. Under More actions, choose Convert to shared mailbox.

…but there are two tricks I’ve found when doing this in a hybrid environment. First, docs.microsoft.com says to update the status of the mailbox for Exchange On-Premises:

If this shared mailbox is in a hybrid environment, we strongly recommend (almost require!) that you move the user mailbox back to on-premises, convert the user mailbox to a shared mailbox, and then move the shared mailbox back to the cloud.

That’s a tedious process to do just to make it shared. As they point out, you can change some AD attributes locally to get around this, but there are still some scenarios where it might get set back as a user, have no license, and end up getting deleted.

This other article on support.microsoft.com however, mentions the main way of getting around this: setting the account’s msExchRemoteRecipientType and msExchRecipientTypeDetails attributes to the values that correspond to its state in Exchange Online:

Set-ADUser -Identity ((Get-Recipient PrimarySmtpAddress).samaccountname) -Replace @{msExchRemoteRecipientType=100;msExchRecipientTypeDetails=34359738368}

This one-line command will set the attributes correctly; you can check via PowerShell or the Exchange Management Console to see that the mailbox will now show as ‘Shared’.

Update 3rd March 2020: Last time I tried the above, it didn’t work. The good news is that as long as you’re on Exchange 2013 CU21 or later and Exchange 2016 CU10 or later, you can just use the command:

# -Type Shared marks the on-premises remote mailbox object as shared (Regular would turn it back into a user mailbox)
Set-RemoteMailbox -Identity user -Type Shared

This fixed the on-premises status of the mailbox, even though I’d already moved it online. So, worth trying first before doing anything, as it should correctly do both if you Thanks Arttu Astila for the tip! /End of update

The other problem I’ve seen is if a mailbox is Unified Messaging (UM) Enabled, and converted to Shared. You’d think that it would either just lose its UM status, or let you configure the UM settings after the fact; but neither is correct. If it’s holding onto an extension number as part of UM, even in its Shared Mailbox state it will continue to hold it, and block any other account from using the extension in the future.

To get around this issue, the account will need to both be changed back to a user account from shared, and given a license that supports UM. If you try to disable UM on the account without either of these in place, you’ll see an error like these:

User [email protected] is already disabled for Unified Messaging.

License validation error: the action ‘Disable-UMMailbox’, ‘Identity’, can’t be performed on the user ‘Test User’ with license ‘BPOS_S_Standard’.

With all of the above, converting a departed user’s mailbox to shared in a hybrid environment with Unified Messaging should be:

  1. Disable Unified Messaging on the user
  2. Set the attributes of the AD account as shared
  3. Set the Exchange Online mailbox as shared
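As an added example (not the post’s own script), here are those three steps in order, with checks for the two preconditions that produce the errors quoted above. It assumes it is run from the on-premises Exchange Management Shell with Exchange Online connected under a cmdlet prefix (so both sides can be addressed from one script), that the UPN identifies the user in both directories, and that Set-RemoteMailbox -Type Shared is available (the Exchange 2013 CU21 / 2016 CU10 levels the update above mentions), with the attribute stamping as a fallback.

```powershell
# Added example: convert a UM-enabled hybrid user mailbox to shared in the right order.
# Run from the on-premises Exchange Management Shell; Exchange Online cmdlets are imported
# with a 'Cloud' prefix (Get-CloudMailbox, Disable-CloudUMMailbox, ...). Prefix, UPN and
# CU level are assumptions about your environment.
param([Parameter(Mandatory)][string]$Upn)

Import-Module ActiveDirectory
Connect-ExchangeOnline -Prefix Cloud -ShowBanner:$false

# Precondition: the cloud mailbox must still be a licensed user mailbox, or UM cannot be disabled.
$cloud = Get-CloudMailbox -Identity $Upn
if ($cloud.RecipientTypeDetails -ne 'UserMailbox') {
    throw "$Upn is already '$($cloud.RecipientTypeDetails)'. Convert it back to a user mailbox and license it before disabling UM."
}

# Step 1: disable Unified Messaging first, so the extension is released.
$um = Get-CloudUMMailbox -Identity $Upn -ErrorAction SilentlyContinue
if ($um -and $um.UMEnabled) {
    Disable-CloudUMMailbox -Identity $Upn -Confirm:$false
    Write-Host "UM disabled for $Upn"
}

# Step 2: tell on-premises Exchange / AD that the mailbox is shared.
try {
    Set-RemoteMailbox -Identity $Upn -Type Shared -ErrorAction Stop
}
catch {
    # Older CUs: stamp the attributes directly (same values as the Set-ADUser command above).
    $sam = (Get-Recipient -Identity $Upn).SamAccountName
    Set-ADUser -Identity $sam -Replace @{ msExchRemoteRecipientType = 100; msExchRecipientTypeDetails = 34359738368 }
}

# Step 3: convert the Exchange Online mailbox itself.
Set-CloudMailbox -Identity $Upn -Type Shared

# Verify both sides agree before removing the license or disabling the AD account.
[pscustomobject]@{
    OnPremises = (Get-RemoteMailbox -Identity $Upn).RecipientTypeDetails
    Online     = (Get-CloudMailbox -Identity $Upn).RecipientTypeDetails
}
```

The final object should read RemoteSharedMailbox on-premises and SharedMailbox online; if one side still says user, stop there and fix it before touching the license, since that mismatch is the scenario the docs warn can end with the mailbox being deleted.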

It should work well if you do things in the right order, but it’s easy to not be aware of this and get things into a mess.

There’s also the scenario where you might create an account, give it Office 365 licenses and have a mailbox automatically created before you created it on-premises, or before you used Exchange On-Premises to create the mailbox remotely.

You can fix that by using this script from Adaxes (doesn’t need their software!) which will tell on-premises Exchange about the mailbox and create the record.

I’ve come across another blog that goes into some of this http://jetzemellema.blogspot.com/2016/02/convert-user-mailbox-to-shared-in.html. I haven’t needed to change the license status, but it’s worth mentioning in case there’s a scenario you hit where you do.