Friday, September 5, 2025

How to locate the application that's used for Entra ID application-based authentication?

Standard

What is Entra ID application base authentication? 



Microsoft Entra ID application-based authentication (also known as app-based authentication) is a secure method for authenticating applications or services to Microsoft Entra ID (formerly Azure Active Directory). It leverages an application identity through the OAuth 2.0 client credentials flow, using certificate credentials or client secrets instead of traditional username/password combinations. This approach is ideal for service-to-service interactions, such as those in Microsoft Entra Connect (formerly Azure AD Connect), promoting passwordless security and reducing risks like credential exposure.

Key Concepts

  • Application Identity: An app is registered in Entra ID as a service principal, assigned credentials (e.g., a certificate or client secret) for self-authentication, eliminating the need for user accounts.
  • OAuth 2.0 Client Credentials Flow: The app presents its credentials to Entra ID to acquire an access token, enabling access to resources like Microsoft Graph APIs without user involvement.
  • Passwordless Design: Certificates (preferred) or secrets minimize vulnerabilities associated with passwords, such as theft or rotation issues.
  • Use Cases: Backend integrations (e.g., app-to-app communication), automation scripts, and hybrid identity sync via Microsoft Entra Connect, where it replaces legacy service accounts for syncing on-premises Active Directory with Entra ID.

Prerequisites

  • Entra Connect version 2.5.76.0 or later (download from the Microsoft Entra admin center, not the Download Center).
  • Administrative roles: Global Administrator or Hybrid Identity Administrator.
  • For certificates: Self-signed or CA-issued, with non-exportable private keys (preferably in HSM/TPM); Windows Server 2016+ with TLS 1.2.


Locating the Application in Microsoft Entra ID

After enabling, the app is registered automatically as a single-tenant, non-Microsoft application. It won't appear with names like "Microsoft Entra ID Connect"—instead:

  • Navigate to Microsoft Entra admin center > Enterprise applications > All applications.
  • Search for "ConnectSyncProvisioning" to find it.
  • For multiple servers: Each installation creates a unique app named "ConnectSyncProvisioning_[server name]", where [server name] is the Entra Connect server's hostname (e.g., "ConnectSyncProvisioning_ADConnectServer1").

Viewing via Entra Connect Wizard
  • Launch the wizard and select Tasks > View or export current configuration.
  • Application ID will be visible on the configuration

Benefits

  • Security Boost: Automatic rotations (every 6 months) and hardware protection via TPM/HSM.
  • Ease of Management: Reduces manual interventions; monitor via event logs (e.g., Event ID 1011 for expiration warnings).
  • Alignment with Zero Trust: Supports Microsoft's passwordless initiatives.

Best Practices and Considerations

  • Certificate Management: For BYOC, use RSA 2048-bit keys with SHA256; revoke via admin center if compromised.
  • Monitoring: Use Azure Monitor for auth events; check logs for issues.
  • Limitations: Service-to-service only—not for user sign-ins. Test in staging servers first.
  • Troubleshooting: If not auto-configuring, ensure network access to Entra endpoints; manually rotate certificates via wizard if needed.


Wednesday, June 4, 2025

Stellar Converter for OST – Convert OST files into PSTs

Standard

 

Stellar Converter for OST stands out—a professional-grade tool designed to convert OST files into PSTs with complete integrity and ease. In this review, we'll explore the tool through a real-world scenario, highlight its core features, provide a step-by-step conversion guide, and assess its pros and cons.

Key Features of Stellar Converter for OST

  • Converts Inaccessible OST to PST: Handles orphaned, or inaccessible OST files efficiently.
  • Maintains Original Structure: Retains folder hierarchy, formatting, and metadata during conversion.
  • Previews Mailbox Content: Displays a preview of emails, contacts, calendars, and more before conversion.
  • Selective Conversion: Allows users to choose specific folders or items to convert.
  • Multiple Export Options: Export OST data to PST, EML, MSG, RTF, PDF, or HTML.
  • Supports Encrypted OST Files: Converts encrypted OST files without needing the original profile.
  • Compatibility: Supports Outlook 2021, 2019, 2016, 2013, and earlier versions. Works with Windows 11/10/8/7.

 

Steps to Convert OST to PST Using Stellar Converter for OST

  1. Download and Install
    Install Stellar Converter for OST from the official Stellar website.


  1. Browse or Find OST File
    Use the 'Browse' button to locate the OST file, or use 'Find' if you're unsure of its location.


  1. Scan the OST File
    Click Convert to begin scanning. The time taken depends on the OST file size.
  2. Preview the Mailbox
    Once scanning is complete, preview all mailbox items, including emails, attachments, contacts, calendars, etc.


  1. Save the Converted File
    Select the folders or items you wish to export. Click Save Converted File, choose PST as the output format, and specify the save location.


  1. Import PST to Outlook
    Open Outlook and use the Import/Export Wizard to import the newly created PST file.

 

Pros

  • Intuitive and user-friendly interface
  • Maintains data integrity and folder hierarchy
  • Handles large OST files smoothly
  • Supports conversion of encrypted and orphaned OST files
  • Allows preview before saving
  • Offers selective mailbox conversion
  • Offers additional export options beyond PST

 

Cons

  • The free version only allows previewing mailbox content (doesn’t save)
  • Pricing may be higher for individual users

 

Pricing

Stellar Converter for OST is available in multiple editions tailored to different user needs:

·       Corporate Edition: Priced at $79 per year, this edition is ideal for individual users or small businesses requiring basic OST to PST conversion capabilities.

·       Technician Edition: Available at $149 for a one-year license, the Technician edition offers advanced features such as batch conversion, direct export to Office 365, and the ability to save converted data in multiple formats.

·       Toolkit Edition: Priced at $199 for a one-year license, the Toolkit edition includes all the features of the Technician edition, along with additional tools for comprehensive Outlook data management.




Conclusion

Stellar Converter for OST is a powerful and reliable solution for anyone needing to convert OST files into PST format. Whether you’re an IT admin, consultant, or end-user, this tool simplifies what could otherwise be a frustrating and time-consuming process. Its ability to handle large files, preserve data integrity, and provide multiple export options makes it one of the best OST to PST converters on the market today.

If you're dealing with an inaccessible OST file and need a quick, accurate way to restore your Outlook data, Stellar Converter for OST is absolutely worth considering.

Sunday, March 2, 2025

Entra ID Lifecycle Management: Step-by-Step Deployment Guide

Standard



Overview

 Building a comprehensive demo for Entra ID Lifecycle management is not a straightforward configuration. It requires various backend processes. However, once the configuration is complete, customers will experience a smooth setup through the GUI. Most configuration-related articles are available on Microsoft Learn and GitHub, but they often have missing information and there isn't a single article that covers all necessary configurations. Therefore, I decided to compile everything into one document.

Monday, January 6, 2025

Windows Sandbox - Do you need a Safe Place to practice your Magic?

Standard

Just like in the movie Doctor Strange, we all need a mirror dimension to test our applications. Windows Sandbox offers a lightweight desktop environment that allows you to safely run applications in isolation. Any software installed within the Windows Sandbox remains “sandboxed” and operates separately from your host machine.

A sandbox is temporary. When you close it, all software, files, and the current state are deleted. Each time you open the Windows Sandbox, you get a fresh instance.

Software and applications installed on the host machine are not directly accessible in the sandbox. If you need specific applications within the Windows Sandbox environment, you must explicitly install them there.

These are the windows editions that support Windows sandbox:

  • Windows Pro
  • Windows Enterprise
  • Windows Pro Education/SE
  • Windows Education
Following license will grand the windows sandbox license entitlements

  • Windows Pro/Pro Education/SE
  • Windows Enterprise E3
  • Windows Enterprise E5
  • Windows Education A3
  • Windows Education A5

Prerequisites

  • ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4 GB of RAM (8 GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least two CPU cores (four cores with hyper-threading recommended)

Step to Enable
  1.  Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or Windows 11.
  2. Enable virtualization on the machine.
    • If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
    • If you're using a virtual machine, you need to enable nested virtualization. If needed, also update the VM to support nested virtualization. Run the following PowerShell commands on the host: 
Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
Update-VMVersion -VMName <VMName>

To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command:

Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online

Locate and select Windows Sandbox on the Start menu to run it for the first time.


Just like that we create our Windows mirror dimension. 



This is an excellent option for developers, security engineers, and various testers to evaluate their applications without risking harm to the host machine.

Wednesday, August 28, 2024

Exchange Online user to access the on-premises Exchange Control Panel (ECP) - Active Directory attributes

Standard



To ensure that an Exchange Online user can access the on-premises Exchange Control Panel (ECP), you need to configure certain Active Directory attributes correctly. Here are the key attributes and steps to point the user to the right on-premises Exchange server:

Key Attributes to Configure:

  1. msExchHomeServerName: This attribute specifies the Exchange server that hosts the user’s mailbox.
  2. msExchRecipientTypeDetails: Indicates the type of recipient. For a remote user mailbox, this should be set to 2147483648.
  3. msExchRemoteRecipientType: Indicates the type of remote recipient. For a migrated mailbox, this should be set to 4.

Steps to Update Attributes:

  1. Open Active Directory Users and Computers (ADUC):

    • Enable Advanced Features from the View menu to access the Attribute Editor tab.

  2. Locate the User:

    • Find the user account that needs access to the on-premises ECP.

  3. Update Attributes:

    • msExchHomeServerName: Set this attribute to the FQDN of the on-premises Exchange server.
    • msExchRecipientTypeDetails: Set this attribute to 2147483648
    • msExchRemoteRecipientType: Set this attribute to 4

Example PowerShell Command:

You can use PowerShell to update these attributes:

# Replace 'username' with the actual username and 'exchangeServerFQDN' with the FQDN of your on-premises Exchange server
Set-ADUser -Identity username -Add @{
    msExchHomeServerName="exchangeServerFQDN";
    msExchRecipientTypeDetails=2147483648;
    msExchRemoteRecipientType=4
}

Additional Considerations:

These steps should help you point the Exchange Online user to the correct on-premises Exchange server for accessing the ECP. If you need further assistance or have any other questions, feel free to drop me a comment!





Monday, August 5, 2024

Strength the Break glass accounts (Emergency access) with FIDO2

Standard

 


Many organizations create emergency access accounts to prevent being locked out of their Microsoft Entra organization. These accounts ensure that administrators can always sign in or activate another user’s account when needed. Typically, two or more emergency access accounts are created to mitigate the impact of losing administrative access. These accounts are highly privileged and are not assigned to specific individuals.

For detailed guidance on creating an emergency access account, refer to this Microsoft guide. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access?WT.mc_id=%3Fwt.mc_id%3DMVP_328457

Generally, we use lengthy passwords for emergency access accounts. The usernames and passwords are sealed and stored in a very secure location. These accounts are excluded from all security mechanisms, meaning no MFA or similar protections are applied.

To strengthen security, instead of using passwords, we can use FIDO2 keys. There are many FIDO2 security vendors available, offering various technologies. 

Some examples:

  1. Yubico YubiKey 5 NFC: Known for its versatility, this key supports multiple protocols including FIDO2, FIDO U2F, and NFC, making it compatible with a wide range of devices12.
  2. Feitian ePass K9: This key is praised for its robust security features and ease of use. It supports FIDO2 and U2F protocols3.
  3. SoloKeys Solo 1: An open-source security key that supports FIDO2 and U2F. It’s a great choice for those who prefer transparency and community-driven development3.
  4. TrustKey T110: This key offers strong security with FIDO2 support and is known for its durability and reliability3.
  5. GoTrust Idem Key: A compact and reliable key that supports FIDO2 and U2F, making it a solid choice for securing your accounts3.

Tuesday, July 16, 2024

All you want to know about Microsoft 365 new bulk Email Sending method (HVE)

Standard

 High Volume Email for Microsoft 365

Last April, Microsoft released the public preview of Microsoft High Volume Email (HVE) for Microsoft 365. HVE is a new service designed primarily for line-of-business applications and other high-volume SMTP Auth submissions, enabling the sending of internal messages beyond the current limits of Exchange Online.

Many customers are using their on-premises hybrid Exchange environments to send bulk emails through email relay, which has become challenging due to Microsoft’s new restrictions. Exchange servers need to be updated, and many customers are struggling to upgrade their existing servers. If customers do not upgrade, Microsoft will throttle their emails.

Current Exchange throttle enforcement stages:


All you need to know about exchange throttling -  https://techcommunity.microsoft.com/t5/exchange-team-blog/throttling-and-blocking-email-from-persistently-vulnerable/ba-p/3815328?WT.mc_id=%3Fwt.mc_id%3DMVP_328457

HVE Current limits

  • Pricing has not been release yet but as public preview customer can try on non critical application for email sent. 
  • Only 20 HVE account can be create per tenant
  • Recipient rate limits is set to 100,000 per day ( per tenant)
  • External recipient 2000 per day (Per account)

How to create

  1. login to https://admin.exchange.microsoft.com/#/highvolumeemail
  2. select "Add an HVE account
  3. Provide the basic information and next to finished


Application setting

  • Server/Endpoint: smtp-hve.office365.com
  • Port: 587
  • TLS: STARTTLS
  • TLS 1.2 and TLS 1.3 are supported
  • Authentication: Username and password

Authentication

During the Preview, High Volume Email (HVE) for Microsoft 365 requires SMTP Basic Authentication. Once it reaches General Availability, OAuth authentication is expected to be supported.
Follow below method to enable basic authentication for HVE account.
1. Connect to Exchange online though PowerShell and run below commend
New-AuthenticationPolicy -Name "allowed basic auth"
Set-AuthenticationPolicy -Identity "allowed basic auth" -AllowBasicAuthSmtp
2. assign to new auth policy to HVE account
Set-User -Identity "HVEaccountName" -AuthenticationPolicy "allowed basic auth"

3. To immediately apply the authentication changes to HVE account run below commend. otherwise it will take up to 24 hours. once you run the commend you can check the within 30 mins.
Set-User -Identity "HVEaccountName" -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

Usage Reports

Navigate to https://admin.exchange.microsoft.com/#/reports/highvolumeemaildetails







Monday, July 15, 2024

Microsoft Entra Internet Access and Microsoft Entra Private Access have been announced

Standard

 The pricing details for Microsoft Entra Internet Access and Microsoft Entra Private Access have been announced.

Microsoft Entra Private Access, often referred to as the VPN Killer, offers a modern alternative to traditional VPN solutions. It enables access to on-premises or private networks through the Global Secure Access Client. 



Microsoft Entra Internet Access offers web content filtering and the option to secure Microsoft 365 using new Conditional Access policies such as "Compliant Networks". This includes networks and endpoints linked to the Global Secure Access service, providing robust defense against Attacker-in-the-Middle scenarios. 



The bundle solution, Microsoft Entra Suite, includes several components such as

- Microsoft Entra ID P2

- Microsoft Entra ID Governance

- Microsoft Entra Verified Credentials Premium

- Microsoft Entra Private Access

- Microsoft Entra Internet Access

The pricing is set at $12 per month or $144 annually.

Read more: https://techcommunity.microsoft.com/t5/microsoft-entra-blog/microsoft-entra-expands-into-security-service-edge-with-two-new/ba-p/3847829?WT.mc_id=%3Fwt.mc_id%3DMVP_328457



https://techcommunity.microsoft.com/t5/microsoft-entra-blog/microsoft-entra-suite-now-generally-available/ba-p/2520427?WT.mc_id=%3Fwt.mc_id%3DMVP_328457

Saturday, April 20, 2024

Tenant attach vs Co-management

Standard

 Let’s delve into the comparison between tenant attach and co-management:

  1. Tenant Attach:

    • Definition: Tenant Attach is a feature that allows you to connect your Configuration Manager (ConfigMgr) hierarchy to your Microsoft Intune tenant.
    • Purpose: It enables synchronization between ConfigMgr and Intune, allowing you to manage devices using either solution.
    • Visibility: You can view Configuration Manager devices in the Intune admin center.
    • Use Case: Useful when you want to gradually transition from ConfigMgr to Intune or need a hybrid management approach.
    • Flexibility: You can choose to manage devices purely with ConfigMgr or Intune, based on your requirements.

  2. Co-management:

    • Definition: Co-management occurs when a device is simultaneously managed by both ConfigMgr and Intune.
    • Purpose: It allows organizations to leverage the strengths of both solutions.
    • Scenarios: Co-management is beneficial for scenarios where you want to:
      • Gradually move workloads from ConfigMgr to Intune.
      • Use Intune for modern management while maintaining existing ConfigMgr infrastructure.
    • Features: Co-management provides features like conditional access, compliance policies, and Windows Update management.
    • Device State: Devices can be in a co-managed state, where both ConfigMgr and Intune policies apply.

In summary, tenant attach establishes a connection between ConfigMgr and Intune, while co-management enables dual management of devices. The choice depends on your organization’s needs and migration strategy


Tuesday, January 16, 2024

Subscribe to: Posts (Atom)