Teams couldn’t unmute (SOLVED)

During Teams meetings, I am sometimes unable to unmute my microphone:

It usually occurs when I use the Teams Web app (https://teams.microsoft.com) and Bluetooth headsets that mute when I raise the microphone arm.

If I am on my Lenovo laptop, I can usually solve it by using the function key for microphone mute/unmute:

But on my desktop computer’s keyboard, I do not have that key.

To solve it, I right-click the volume icon in the system tray and select Sounds:

Click on the Recording tab, select the microphone you want to unmute and click Properties:

Click on the Levels tab. Here I can see that my microphone is muted in my computer’s sound settings (just as Teams said):

Click on that icon to unmute:
Remember to lower the microphone arm on your headset if you have automatic mute when it is raised.

The mute symbol is gone, and I am automatically unmuted in the Teams meeting, yay!

You can go directly to the Recording tab in Sound settings using this command:

control.exe mmsys.cpl,,1

I have created a shortcut on my desktop for this for quick access:

Please comment and let me know if this solved it for you or not. I can update this post with other solutions you may have.

Also, let me know if you have more information about why the microphone is muted in Windows in a way so that Teams or my headset cannot unmute it.

Prevent clickable links with a fake dot

If you want to share a URL without it being clickable (for visual reasons or to avoid accidental clicks), you can use the so-called fake dot.

The fake dot looks like a regular dot but will usually not be recognized as a link and therefore not be converted to a clickable link.

I haven’t found a way to easily type it on the keyboard, so you can copy the fake dot from here: ․

The fake dot is technically the Unicode character called ONE DOT LEADER (U+2024). The regular period is FULL STOP (U+002E) {period, dot, decimal point}.

So, how does it look? Here are two versions of the same URL, the last one is using the fake dots:

https://www.test.com  https://www․test․com

Interestingly enough, WordPress seems to display both as clickable links once the post is published, but in the WordPress editor view, the fake dots work as expected:

When you click the “link” with the fake dots, however, it will not take you to the shown URL; in Edge I only end up on the page about:blank#blocked.

Right-clicking on them also indicated that the last one is not seen as a link:

The link might be shown differently in different browsers, in Firefox for instance, the link points to https://xn--wwwtestcom-7k10dea/.

Note that some programs may show the fake dot differently:

You can also use fake dots to prevent unwanted link shortening, such as on Twitter. The link will not be clickable, but it will not be shortened by Twitter either.

Here is what I entered:

Here is what is shown in the Twitter mobile app:

And here on Twitter’s website:

The regular link looks like a direct link, both in the link text and in the mouse-over info text, but as you can see at the bottom left, it is actually shortened by Twitter using the t.co domain.

The fake-dot link is, however, untouched.
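As an added example (not from the original post), here is a small PowerShell check that finds ONE DOT LEADER characters in a string and shows why a link matcher that only accepts real dots misses the fake-dot URL until the text has been NFKC-normalized; the function names and the sample URL are mine.

```powershell
# Find every ONE DOT LEADER (U+2024) in a string and return its 0-based positions
function Find-FakeDot {
    param([Parameter(Mandatory)][string]$Text)
    $positions = @()
    for ($i = 0; $i -lt $Text.Length; $i++) {
        if ([int]$Text[$i] -eq 0x2024) { $positions += $i }
    }
    return ,$positions
}

# NFKC compatibility normalization maps U+2024 to a regular FULL STOP (U+002E);
# run it before any link detection or URL blocklist comparison, otherwise the
# fake-dot form slips past both
function ConvertTo-RealDots {
    param([Parameter(Mandatory)][string]$Text)
    return $Text.Normalize([System.Text.NormalizationForm]::FormKC)
}

# A naive matcher that, like most autolinkers, only accepts ASCII dots between host labels
function Get-HostLabels {
    param([Parameter(Mandatory)][string]$Url)
    if ($Url -match '^https?://([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)') {
        return $Matches[1].Split('.')
    }
    return @()
}

# Constructed sample: the post's https://www.test.com written with fake dots
$fake = 'https://www' + [char]0x2024 + 'test' + [char]0x2024 + 'com'

"Fake dots at positions: $((Find-FakeDot $fake) -join ', ')"
"Host labels before normalization: $((Get-HostLabels $fake) -join ' | ')"
$real = ConvertTo-RealDots $fake
"Normalized URL: $real"
"Host labels after normalization: $((Get-HostLabels $real) -join ' | ')"
```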

As always, I hope this helps someone out. Feel free to comment 😊

How to receive files using OneDrive for Business

If you want to receive files without using email, you can use the Request files feature in OneDrive for Business.

Locate the folder you want the incoming files to end up in, click on the three dots next to it, and select Request files:

Enter a descriptive text. This will be shown to the users sending you the files (as you will see in screenshots later):

You are now presented with two options:

1. A link that you can copy and share with people that are going to send you files

2. Add email addresses to send a file request email to

The link looks something like this:
https://onevinnab-my.sharepoint.com/:f:/g/personal/tom_aafloen_onevinn_se/EmRFfuOt2aFMsheK8XsVz4Qroqv-J7MhU2-cahd-x2b65Q
Note that the link exposes your tenant and UPN (thanks to my colleague Daniel Bugday for clarifying it wasn’t your email address).
If you lose the link, it can be retrieved again, see Managing Access below.

Here I added two email recipients and added a message. Notice the warning that one of them is outside of my organization:

After sending the request, I am shown this message:

The recipients will get an email that looks like this:

You will see the request name and custom message. Notice that I cannot see the other recipients of the file request here.

When you click on the link in the email (or the copied link, if you chose not to send emails), you will end up here:

Clicking on Select files opens a local Open dialog, where you can locate the file you want to send:

You can add more files here, but you can also upload more files later by returning to the same link (as long as the Request file access has not been removed).
When you are done adding files, click on Upload:

In the example above I was already logged in to OneDrive, so you can see that my name was prepopulated (and not editable).

You do not have to be signed in to OneDrive, or even have a OneDrive account, to upload files. In those cases, you must add a name yourself:

Upload progress will be shown:

Then you will see this message:

As the receiver, I will receive a notification email about uploaded files:

Clicking the link takes me to the folder in my OneDrive for Business and I can see the files that have been uploaded. Every file will have a prefix to help you identify who uploaded it:

If two files with the same name are uploaded, OneDrive will automatically add a number to the second file’s name.

To stop further uploads, click on the three dots next to the folder and select Manage access:

On the Manage Access pane, click on the three dots next to the sharing link:

Click on the X to remove the sharing link.
Notice that the sharing description says Anyone with the file request link can upload only, so you are technically not sharing anything.

Approve the warning about link deletion to complete the removal.

The next time someone uses the link they will see this message:

Maybe a more File request related message would have been better (it is not access to a document that has been removed), but the link stopped working, and that is what is important.

Some important notes:

· Your admin must have enabled Anyone links in OneDrive

· Uploaders cannot see the content of the folder, edit, delete, or download files, or even see who else has uploaded files

· This feature is not available for Office 365 Government, Office 365 operated by 21Vianet, OneDrive for home, or Office 365 Germany

· The maximum file size is 100GB

If you try to upload a larger file you will get this message:

Files prefixed with ~tmp are still uploading or failed attempts. You can see that the file size is not displayed for these:

I hope this was helpful!

Manage External Identities with Azure AD B2B/B2C

Last week I hosted a webinar together with our partner Condatis, where we talked about how to manage External Identities with Azure AD B2B/B2C.

Thanks to all who attended it live!

You can now watch it anytime on YouTube:

Stay safe!

Using FIDO2 security keys with PowerShell

If you are using a FIDO2 Security Key, such as a YubiKey, you may have run into the issue that you cannot use it to authenticate with your Azure AD account using PowerShell:

As you can see, the needed Sign in with a security key option is missing here.

This is because PowerShell still uses the older Active Directory Authentication Library (ADAL) when prompting for Azure AD credentials. That login prompt is actually rendered using Internet Explorer, and IE will likely never have support for WebAuthn, the protocol that FIDO2 logon requires.

So we have four options:

  • Wait until PowerShell moves from ADAL to MSAL, and sign-in prompts are rendered by a modern browser that supports WebAuthn.
  • Wait until each PowerShell module you need starts supporting its own implementation of modern authentication to Azure AD.
  • Use Cloud Shell, where you can run PowerShell directly in your browser: http://shell.azure.com/powershell
    This option works with FIDO2, but a web-based shell has its limitations.
  • Use the Device Authorization Grant Flow to log in.

This post explains the last option.

What is Device Authorization Grant Flow

The Device Authorization Grant Flow is usually used when you need to sign in on “input-constrained devices”, such as IoT devices and printers. In this case, we can view PowerShell as a “device”. The sign-in flow is initiated on the device, but the user needs to visit a web page (on any device with a browser that hopefully supports WebAuthn) to complete the sign-in. Once the user has signed in, the device (or PowerShell window) can get the needed access tokens and refresh tokens.

Initiate the Device Authorization Grant Flow

Run this code in the PowerShell window you want to sign in to Azure AD from:

Note: You do not need to register any new app in Azure AD for this to work, since we are using the well-known ClientID for Azure AD PowerShell. You do not have to add any custom values for your tenant either, since we use the Common endpoint. This means that you will automatically be redirected to the tenant the user belongs to when signing in.

    $ClientID = '1b730954-1685-4b74-9bfd-dac224a7b894' # Well-known ClientID for Azure AD PowerShell
    $TenantID = 'common'
    $Resource = 'https://graph.windows.net/' # Service Endpoint for Azure AD Graph

    $DeviceCodeParameters = @{
        Method = 'POST'
        Uri    = "https://login.microsoftonline.com/$TenantID/oauth2/devicecode"
        Body   = @{
            client_id = $ClientID
            resource  = $Resource
        }
    }

    $DeviceCodeRequest = Invoke-RestMethod @DeviceCodeParameters
    Write-Host $DeviceCodeRequest.message -ForegroundColor Green
    

A code will be shown that you need to enter at the following web page to continue the sign-in:

Besides https://microsoft.com/devicelogin, you can also use http://aka.ms/devicelogin. Both will redirect you to https://login.microsoftonline.com/common/oauth2/deviceauth.

Enter the code in the prompt:

As you can see, we are now signing in on a remote device or service.

Be aware that this sign-in method can be misused in phishing attempts. Only enter codes you generated yourself!

You can sign in using your regular account name and password, but to sign in using a FIDO2 key, click on Sign-in options:

Now we can use our FIDO2 key to authenticate:

Once authentication is successful, you can close the page in the web browser. The next step (obtaining tokens) will happen in the PowerShell window:

Obtain the tokens

Again, no customization is needed for this script block. We are re-using the device_code from the DeviceCodeRequest we made earlier.

    
    $TokenParameters = @{
        Method = 'POST'
        Uri    = "https://login.microsoftonline.com/$TenantID/oauth2/token"
        Body   = @{
            grant_type = "urn:ietf:params:oauth:grant-type:device_code"
            code       = $DeviceCodeRequest.device_code
            client_id  = $ClientID
        }
    }

    $TokenRequest = Invoke-RestMethod @TokenParameters
    $Token = $TokenRequest.access_token
    

You now have a valid access token in the variable $Token that can be used to authenticate when using Connect-AzureAD. Note that the variable $TokenRequest also contains refresh_token and id_token, if you want to use them.
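As an added example (not from the original post): instead of waiting for the browser sign-in and then running the token request by hand, this loop polls the token endpoint until the sign-in completes, handling the authorization_pending and slow_down answers the endpoint returns in the meantime, and then decodes the token's claims so you can confirm which tenant and account it is for before using it. It assumes $DeviceCodeRequest, $ClientID and $TenantID from the first script block; the function names Wait-DeviceCodeToken and Get-JwtPayload are mine.

```powershell
# Decode a JWT's payload (base64url). Inspection only, not signature validation:
# the service validates the token, this just shows who and which tenant it is for
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

# Poll the v1 token endpoint until the user finishes the sign-in started with the device code
function Wait-DeviceCodeToken {
    param(
        [Parameter(Mandatory)]$DeviceCodeResponse,   # object returned by the /devicecode request
        [Parameter(Mandatory)][string]$ClientId,
        [string]$TenantId = 'common'
    )
    $interval = [int]$DeviceCodeResponse.interval        # polling interval dictated by Azure AD
    $deadline = (Get-Date).AddSeconds([int]$DeviceCodeResponse.expires_in)
    $body = @{
        grant_type = 'urn:ietf:params:oauth:grant-type:device_code'
        code       = $DeviceCodeResponse.device_code
        client_id  = $ClientId
    }
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $interval
        try {
            return Invoke-RestMethod -Method Post -Body $body `
                -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token"
        } catch {
            # While the user is still signing in, the endpoint answers HTTP 400 with an OAuth error body
            $caught = $_
            $oauthError = $null
            if ($caught.ErrorDetails.Message) {
                try { $oauthError = ($caught.ErrorDetails.Message | ConvertFrom-Json).error } catch { }
            }
            if ($oauthError -eq 'authorization_pending') { continue }       # not finished in the browser yet
            if ($oauthError -eq 'slow_down') { $interval += 5; continue }   # back off as the server requests
            throw $caught   # authorization_declined, bad_verification_code, expired_token or a transport error
        }
    }
    throw 'The device code expired before the sign-in was completed.'
}

$TokenRequest = Wait-DeviceCodeToken -DeviceCodeResponse $DeviceCodeRequest -ClientId $ClientID -TenantId $TenantID
$Token   = $TokenRequest.access_token
$claims  = Get-JwtPayload $Token
$expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).LocalDateTime
# Check these against what you expect before using the token: with the Common endpoint,
# tid is whatever tenant the account that completed the browser sign-in belongs to
"Signed in as $($claims.upn) in tenant $($claims.tid); audience $($claims.aud); expires $expires"
```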

Connect to Azure AD

When using the Connect-AzureAD cmdlet with an access token, you also need to specify the username you used to authenticate and the TenantId. You can find your TenantID using PowerShell:

    
    $TenantDomain = "tomdemo.se"
    (Invoke-WebRequest https://login.windows.net/$TenantDomain/.well-known/openid-configuration|ConvertFrom-Json).token_endpoint.Split('/')[3]
    

or by going to:

https://www.whatismytenantid.com/

Now we are ready to connect to Azure AD:

    Connect-AzureAD -AadAccessToken $Token -AccountId admin@tomdemo.se -TenantId <insert-tenant-id-here>
    

Now you should be able to run commands from that module, like this one to get the first group:

    
    Get-AzureADGroup -Top 1
    

What if I need to use the Microsoft Graph?

That will also work, but you need to change the $Resource variable in the first script block to the Service Endpoint of Microsoft Graph (https://graph.microsoft.com/) and repeat the process.

Then you should be able to run queries against the Microsoft Graph, like this one to get the first group:

    $GroupsParameters = @{
        Method  = 'GET'
        Uri     = 'https://graph.microsoft.com/v1.0/groups?$top=1'
        Headers = @{
            'Authorization' = "Bearer $Token"
        }
    }

    $GroupRequest = Invoke-RestMethod @GroupsParameters
    $GroupRequest.value
    

How about Exchange Online?

For this to work, you need to change both the $Resource and the $ClientID variables in the first script block to:

    $ClientID = 'a0c73c16-a7e3-4564-9a95-2bdf47383716' # Exchange Online PowerShell (Azure Active Directory)
    $TenantID = 'common'
    $Resource = 'https://outlook.office365.com/' # Service Endpoint for Exchange Online
    

When you sign in, you will see that you are signing in to Microsoft Exchange Online Remote PowerShell:

After you obtain the token, you need to create a new credential object based on your username and the token:

    
    $upn = 'admin@tomdemo.se'
    $TokenAsSecString = ConvertTo-SecureString "Bearer $($Token)" -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential($upn, $TokenAsSecString)
    

Now you can connect to Exchange Online using these commands:

    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid?BasicAuthToOAuthConversion=true" -Credential $credential -Authentication Basic -AllowRedirection
    Import-PSSession $session
    

Thanks

Big thanks to Stefan Schörling (@stefanschorling) for pointing me in the right direction and to Simon Wahlin for his write-up about Device login flow for MS Graph access.

Highlight custom text on any Microsoft Docs page

Sometimes I want to highlight specific text when I’m sharing a Microsoft Docs page with someone, like in this example:

You can do this yourself by appending the following text after the Docs link:

    ?view=o365-worldwide#:~:text=Text To highlight

Unfortunately, this only works in Edge and Chrome, not in Firefox or IE.

Here’s an example:

Original Docs link:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis

Appended text:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis?view=o365-worldwide#:~:text=cloud-based identity

The yellow highlighting goes away when you click anywhere on the page or reload it.

If you want to highlight more text, you can add a start text and an end text. Everything in between will be highlighted:

    ?view=o365-worldwide#:~:text=Start of highlight,End of Highlight

Example:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis?view=o365-worldwide#:~:text=Azure Active Directory (,Microsoft 365.

I needed to add the “(” there since the text Azure Active Directory occurs many times on the page. Without it, the wrong occurrence was highlighted.

In other words, you will have to test your link to make sure it looks as expected.

Note that any spaces need to be converted to %20 for the entire link to be clickable:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis?view=o365-worldwide#:~:text=Azure Active Directory (,Microsoft 365.  <- Missed

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis?view=o365-worldwide#:~:text=Azure%20Active%20Directory%20(,Microsoft%20365.

You don’t have to add them all manually. If you copy/paste the entire link into a web browser, it will convert the spaces to %20 (and any other special characters, according to standard URL encoding) wherever needed.
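As an added example (not from the original post), here is a PowerShell helper that builds such a link with the percent-encoding applied for you; besides spaces, it also encodes a comma, ampersand or dash that appears inside the quoted text (%2C, %26, %2D), because those characters have a meaning of their own in the text= directive. The function name is mine; the Docs URL and the highlighted texts are the ones used in the post.

```powershell
# Build a text-fragment link: <url>?<query>#:~:text=<start>[,<end>]
function New-TextFragmentLink {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Start,   # text where the highlight begins (or the whole phrase)
        [string]$End,                            # optional text where the highlight ends
        [string]$Query = 'view=o365-worldwide'  # the query string the post appends before the fragment
    )
    # EscapeDataString takes care of spaces, parentheses, commas and ampersands;
    # '-' is unreserved in URLs but special in text fragments, so encode it by hand
    $encode = { param($s) [Uri]::EscapeDataString($s).Replace('-', '%2D') }

    $fragment = & $encode $Start
    if ($End) { $fragment += ',' + (& $encode $End) }

    $base = $Url.Split('#')[0]                     # drop any fragment already on the URL
    $sep  = if ($base.Contains('?')) { '&' } else { '?' }
    return "$base$sep$Query#:~:text=$fragment"
}

$docs = 'https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis'

# Single phrase (the dash in "cloud-based" is encoded, which every text-fragment parser accepts)
New-TextFragmentLink -Url $docs -Start 'cloud-based identity'

# Start and end text, as in the post's second example
New-TextFragmentLink -Url $docs -Start 'Azure Active Directory (' -End 'Microsoft 365.'
```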

I hope this was a helpful tip!

The consequence of not renewing ATA certificate in time

A customer who uses Microsoft Advanced Threat Analytics (ATA) recently had severe issues with their ATA implementation. At first, the portal started to behave strangely, not showing all information in alerts, and some configuration settings were missing. After a restart of the ATA servers, the services failed to start at all.

The Microsoft.Tri.Center-Errors.log file contained many errors like this:

    2020-01-09 12:34:27.9920 1140 98 Error [CertificateExtension] Microsoft.Tri.Infrastructure.Utils.ExtendedException: There are no matching certificates [StoreLocation=LocalMachine StoreName=My thumbprint=89E1C9790B175D2E6B716CFDDABA3D9F444829F6]

It turned out that their internal PKI had automatically renewed the certificate that ATA was configured to use. In general, this is what you want from a PKI (auto-renewed certificates), but unfortunately, ATA does not support renewing an existing certificate.

The reason is that some ATA data is encrypted using the configured certificate, and during certificate renewal, the old certificate is removed, so you lose the ability to decrypt that data.

So you need to create a new certificate before the old one expires and manually configure ATA to use the new certificate.

This requirement is clearly stated in the Microsoft ATA documentation:

Source: https://docs.microsoft.com/en-us/advanced-threat-analytics/modifying-ata-center-configuration#the-ata-center-certificate

You will even get alerts in ATA Health Center about upcoming certificate expiration:

Source: https://docs.microsoft.com/en-us/advanced-threat-analytics/monitoring-alerts

Replacing the certificate is not really that difficult or time-consuming. But if you do not replace the certificate before it expires, you will get this alert:

Source: https://docs.microsoft.com/en-us/advanced-threat-analytics/monitoring-alerts

You can see that when this happens, the only resolution is to redeploy your ATA, and you will lose all your configuration, alerts, and behavior analysis history.

Other services that use certificates can usually recover easily from an expired certificate: you get a new certificate and point the service to it. But in ATA the “certificate pointing” is done in the ATA configuration, which is encrypted with the previous certificate, so there is a catch-22 here.

Some people have tried to manually add the thumbprint of a new certificate in the SystemProfile_date.json configuration file, and they have gotten ATA up and running again. However, they could not edit all ATA settings after that, so they eventually ended up redeploying from scratch.

Restoring from backup after redeployment will not work either, since the backup still points to the old, removed certificate. You can still use that backup configuration file as a manual reference on how to configure ATA again, since it is in cleartext.

So go ahead and make sure that your ATA implementation does not use a certificate that will be automatically renewed, and/or put a reminder in your calendar to renew it before it expires. And monitor those health alerts!
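As an added example (not from the original post), here is a PowerShell check you can run on the ATA Center, or schedule, that looks up the configured certificate the same way ATA does (LocalMachine\My, by thumbprint), reports how long it has left, and notices when a newer certificate with the same subject has already appeared in the store, which is what an auto-renewal leaves behind. The function name is mine; the thumbprint is the one from the log line quoted above and should be replaced with your own Center certificate's.

```powershell
# Check the ATA Center certificate before ATA has to tell you it is gone
function Test-CenterCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [int]$WarnDays = 90   # ATA 1.9.3 warns three months ahead; do the same in your monitoring
    )
    # Same store ATA reads: StoreLocation=LocalMachine StoreName=My, matched by thumbprint
    $store = Get-ChildItem -Path Cert:\LocalMachine\My
    $cert  = $store | Where-Object { $_.Thumbprint -eq $Thumbprint }   # -eq is case-insensitive
    if (-not $cert) {
        # This is the state behind "There are no matching certificates" in Microsoft.Tri.Center-Errors.log
        return [pscustomobject]@{ Thumbprint = $Thumbprint; Status = 'MISSING'; DaysLeft = $null; Subject = $null; RenewedCopy = $null }
    }

    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $status = 'OK'
    if (-not $cert.HasPrivateKey) { $status = 'NO-PRIVATE-KEY' }   # ATA cannot decrypt its configuration without it
    if ($daysLeft -le $WarnDays)  { $status = 'RENEW-SOON' }
    if ($daysLeft -lt 0)          { $status = 'EXPIRED' }

    # A newer certificate with the same subject means auto-renewal has already produced a
    # replacement that ATA will not pick up by itself; ATA still points at the old thumbprint
    $renewed = $store |
        Where-Object { $_.Subject -eq $cert.Subject -and $_.NotAfter -gt $cert.NotAfter } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

    return [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        Status      = $status
        DaysLeft    = $daysLeft
        Subject     = $cert.Subject
        RenewedCopy = if ($renewed) { $renewed.Thumbprint } else { $null }
    }
}

# Thumbprint taken from the log line quoted in this post; use your own Center certificate's
$result = Test-CenterCertificate -Thumbprint '89E1C9790B175D2E6B716CFDDABA3D9F444829F6'
$result | Format-List
if ($result.Status -ne 'OK' -or $result.RenewedCopy) {
    Write-Warning "ATA Center certificate needs attention ($($result.Status)): issue a new certificate and configure it in ATA while the current one still exists."
}
```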

Update 2020-09-14

In the newly released ATA version 1.9.3, Microsoft has updated the functionality around certificate renewal notifications:

Increased advance notice for Center certificate expiration to three months prior to expiration (previously three weeks). Additionally, the notice now provides a clearer description of the severity of failing to renew the certificate.

You can get the new version by using Windows Update or downloading it here:
https://www.microsoft.com/download/details.aspx?id=56725

Teams on iOS now supports Sensitivity Labels

In the newly released version 1.0.91 of Teams for iOS, it was announced that it now supports Sensitivity Labels for your Teams:

(Sorry that the screenshots are in Swedish, you’ll have to trust me or translate it 😀)

I first tried to create a Team before I upgraded the Teams app, and I did not see any option to select Sensitivity Labels:

I then updated Teams to the new version, and sure enough, I could now select the Sensitivity of my new Team:

Always great to see Microsoft Information Protection getting adopted in more and more places.

Copy your AIP Policies to the Security & Compliance Center

You have for a while been able to copy your AIP Labels to the Security & Compliance Center from the Azure Information Protection Portal.

But you can now also copy your AIP Policies (in Preview)!

You get a warning that any existing policies with the same name will be overwritten.
Click Yes to proceed:

It just takes a moment until you see the completion notification:

You will see a summary of the policies that were copied:

(I only had one policy in this tenant)

And sure enough, the new policy appeared right away in the Security & Compliance Center:

The policy settings I had configured were also copied:

Remember that this feature is still in Preview, so use with caution in production. And as always: test first!

/Tom

Using PowerShell to get a wildcard certificate from Let’s Encrypt

This is a guide that shows you how to get a publicly trusted wildcard certificate at no cost from Let’s Encrypt using PowerShell.

Requirements:

• Windows PowerShell 5.1
• .NET Framework 4.7.2 (link to check)
• Possibility to add a CNAME record in DNS

Step by step

Start PowerShell as admin (see information below for non-admin steps).

Verify that PowerShell’s ExecutionPolicy allows running scripts (i.e. RemoteSigned or less restrictive):

Otherwise:

    Set-ExecutionPolicy RemoteSigned

Run:

    Install-Module -Name Posh-ACME

Accept warnings about untrusted repositories (that is, if you accept PSGallery, a common module repository):

Run:

    New-PACertificate *.tomdemo.se -AcceptTOS -Contact <your-email> -DnsPlugin AcmeDns -PluginArgs @{ACMEServer='auth.acme-dns.io'} -Install

Explanation of the options used:

*.tomdemo.se: The name you want in the certificate. You can add additional comma-separated names.
AcceptTOS: Indicates that you accept the Let’s Encrypt Terms of Service (see https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf).
Contact: Email for expiration notifications (optional).
DnsPlugin: Which DNS plugin should be used for automatic domain ownership validation. Since my DNS provider Loopia isn’t natively supported by Posh-ACME, I used the AcmeDns option, which requires you to manually add a CNAME record at your DNS provider once; it can then be reused when renewing the certificate. Here is a list of DNS providers supported by Posh-ACME: https://github.com/rmbolger/Posh-ACME/wiki/List-of-Supported-DNS-Providers
PluginArgs: Options that depend on the chosen DnsPlugin.
Install: This option will install the certificate in the computer’s certificate store (requires admin permission, see Getting certificate without admin permission below).

Do not close the PowerShell window!

Add the CNAME record shown in the output of the command you just ran at the DNS registrar for the domain.
Here is an example from the Swedish DNS registrar Loopia, but your DNS registrar’s interface may look different:

Go back to the PowerShell window and press Enter to continue.
The script will wait 2 minutes for DNS to propagate:
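As an added example (not from the original post), before pressing Enter you can confirm from a public resolver that the CNAME is actually in place and points to the name Posh-ACME printed, instead of finding out after the two-minute wait. The function name is mine, the domain is the post's, and the expected target is a placeholder for the value shown in your own New-PACertificate output.

```powershell
# Verify that _acme-challenge.<domain> is a CNAME to the acme-dns name Posh-ACME told you to use
function Test-AcmeDnsCname {
    param(
        [Parameter(Mandatory)][string]$Domain,          # the name in the certificate, without "*."
        [Parameter(Mandatory)][string]$ExpectedTarget,  # "<id>.auth.acme-dns.io" from the Posh-ACME output
        [string]$Resolver = '1.1.1.1'                   # ask a public resolver, not your local cache
    )
    # Let's Encrypt looks for the DNS-01 TXT record under this name; the CNAME redirects it to acme-dns
    $name = "_acme-challenge.$Domain"
    try {
        $answer = Resolve-DnsName -Name $name -Type CNAME -Server $Resolver -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    } catch {
        $answer = $null   # NXDOMAIN or resolver failure: treat as "not there yet"
    }
    if (-not $answer) {
        return [pscustomobject]@{ Name = $name; Found = $false; Target = $null; Ok = $false }
    }
    $target = $answer.NameHost.TrimEnd('.')
    return [pscustomobject]@{
        Name   = $name
        Found  = $true
        Target = $target
        Ok     = ($target -eq $ExpectedTarget.TrimEnd('.'))   # -eq compares case-insensitively
    }
}

# Placeholder target: copy the real one from the New-PACertificate output
$check = Test-AcmeDnsCname -Domain 'tomdemo.se' -ExpectedTarget '<id-from-posh-acme-output>.auth.acme-dns.io'
$check
if (-not $check.Ok) {
    Write-Warning "CNAME for $($check.Name) is not in place yet (resolved to: $($check.Target)); wait before pressing Enter."
}
```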

After that, you should get the certificate:

To see more information about the certificate, you can use the following command:

    Get-PACertificate | Format-List

Here you can see basic information about the certificate and that all the relevant files are stored in the %LOCALAPPDATA%\Posh-ACME folder, including a PFX file if you want to install the certificate on another machine. The default PFX password is “poshacme”. You can specify your own with the option -PfxPass when running the New-PACertificate command.

Go to the Local Computer certificate store (run certlm.msc) and verify that the certificate has been installed correctly:

Depending on what service you are using the certificate for, you may need to make extra configuration steps in the service to start using the certificate.

You can manually renew the certificate by running the following command:

    Submit-Renewal

As you can see, it will not renew certificates that are not about to expire yet (I believe it uses 30 days or less validity time). You can override this by running:

    Submit-Renewal -Force

To automate the renewal, you can create a scheduled task that runs this command daily:

Create a file called C:\Cert\AutoRenewal.ps1, containing the command “Submit-Renewal” (not the -Force option, since you don’t want to renew at every check).

Run the following commands, but first change <password> to your own password.
Note: The scheduled task must run in the context of the user requesting the certificate, since validation information is stored in that user’s profile.

    $Trigger = New-ScheduledTaskTrigger -At 10:00am -Daily
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "C:\Cert\AutoRenewal.ps1"
    Register-ScheduledTask -TaskName "Certificate AutoRenewal" -Trigger $Trigger -User "$env:USERDOMAIN\$env:USERNAME" -Password '<password>' -Action $Action -RunLevel Highest -Force

Test certificates

For testing, you can switch the Let’s Encrypt server you send your requests to. The test server does not create a publicly trusted certificate but has no rate limiting.

Read more about rate limiting here: https://letsencrypt.org/docs/rate-limits/

To use the test server:

    Set-PAServer LE_STAGE

To use the production server:

    Set-PAServer LE_PROD

It will keep using the specified server until you change it again.

Getting certificate without admin permission

Most steps above work without admin permission, with the exception of installing the certificate in the Computer certificate store.

You might need to restrict the scope of these commands as well:

    Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

    Install-Module -Name Posh-ACME -Scope CurrentUser

Then exclude the -Install option in the New-PACertificate command example above.

You will still get a valid, publicly trusted certificate, and you can move the created PFX file to a computer where you want to install it (where you are admin).

Custom Acme-DNS instance

In my example above, I use the public ACME-DNS service. The advantage of that is that your DNS provider does not have to support API access for the domain verification part. Instead, you manually create a CNAME record at your DNS provider once that redirects the DNS validation to ACME-DNS.

To increase security, you should use your own instance of Acme-DNS, see here: https://github.com/joohoi/acme-dns