mllaneza posted: And the idiot is in charge of developing licensing schemes for Microsoft.

If it's just what we paid for, our VAR seems to have never dealt with anything like this, and we did buy it originally from a different VAR company (but the same team (we stayed with them)), and maybe that's the issue... And even though I've been working on Windows since the last century, I've never worked with this feature/role... so I'm a stupid newbie on this. I actually don't think I have ever called M$ support for anything to do with a Server feature issue. So it's a first for me. Pity me or chortle if you like... thanks if you can throw me a bone.

Mar 26, 2024 19:33

Mar 29, 2024 14:24

Where do you get the key and where are you applying it? We have a volume license agreement negotiated with MS and processed through a 3rd party vendor, so our keys and downloads are in the M365 admin portal. In there are lots of different keys for different purposes. We used to use KMS but now use AD-based activation, where the key is stored in AD and anything that is domain joined is automatically licensed appropriately. If you're trying to activate individual systems in the OS by hand, IIRC you need to use the "MAK" key. That key is good for multiple, but limited, activations and that count would show in the admin portal. Also, keep it safe and don't let it leak; that is very bad. I agree it is a fairly cursed system even compared to other deep-level cursed MS features. The activation hotline tends to be very helpful, though: they can probably tell you what's wrong but couldn't help you with procuring the correct thing.

Mar 26, 2024 19:51

Just taking stabs because I've stood up a few KMS hosts before. I have never used the GUI for it because it makes me uneasy, mostly because it gives vibes of starting over from scratch each time. I usually just use the various slmgr commands from an elevated command prompt. If the key types are messing you up, make sure you attempt to register the CSVLK on the host and the GVLK on the clients. Also keep in mind you need a fairly new OS version on the host if you are activating Server 2022 keys. For the MS Office products which still use keys, those usually need a small support pack installed.

Mar 26, 2024 22:43

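The CSVLK-on-host, GVLK-on-client split from the post above, written out as the slmgr.vbs sequence you would type at an elevated prompt. This is an added example, not something any poster supplied: the angle-bracket keys are placeholders (the CSVLK comes from your licensing portal, the GVLK from Microsoft's published GVLK list), and the host name kms01.corp.example is an assumed value.

```powershell
# Added example: KMS host and client setup with slmgr.vbs, run elevated.
# Placeholders in angle brackets and the host name are assumptions.

$slmgr = "$env:SystemRoot\System32\slmgr.vbs"

# --- On the KMS host ---
# Install the CSVLK (the host key), then activate the host itself against Microsoft.
cscript //nologo $slmgr /ipk <CSVLK-FROM-YOUR-LICENSING-PORTAL>
cscript //nologo $slmgr /ato

# Verify: /dlv prints license status, the KMS "Current count", and whether the
# host has published its _VLMCS._tcp SRV record in DNS. A brand-new host that
# shows "Current count: 0" is normal; KMS only starts activating clients once the
# threshold of distinct check-ins is reached (5 for server SKUs, 25 for client SKUs).
cscript //nologo $slmgr /dlv

# --- On each client ---
# Install the GVLK for the client's SKU. Never put the CSVLK or a MAK here:
# the GVLK is the public, generic key that tells the OS "go find a KMS host".
cscript //nologo $slmgr /ipk <GVLK-FOR-THIS-SKU>

# Either rely on DNS auto-discovery of the SRV record, or pin the host explicitly
# (port 1688 is the KMS default). /ckms clears a pinned host again.
cscript //nologo $slmgr /skms kms01.corp.example:1688

# Request activation and confirm the result.
cscript //nologo $slmgr /ato
cscript //nologo $slmgr /dli
```

The check worth remembering is `/dlv` on the host: if the count never climbs, clients are not reaching port 1688 or are carrying the wrong key type, and no amount of re-entering keys in the GUI fixes that.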
What do you all do about employees who refuse to use their personal phones (understandable) for Azure MFA? Do you use some type of hardware fob?

Mar 27, 2024 15:03

At my job management decided it's like wearing shoes to the office. If you want to work remote, using your personal phone for MFA is required. Or you're required to be on site 5 days a week.

Mar 27, 2024 15:07

kiwid posted: What do you all do about employees who refuse to use their personal phones (understandable) for Azure MFA? Do you use some type of hardware fob?

We have one user who does not own a smartphone, and she was given a Yubikey.

Mar 27, 2024 15:14

GreenNight posted: At my job management decided it's like wearing shoes to the office. If you want to work remote, using your personal phone for MFA is required. Or you're required to be on site 5 days a week.

We're such a relaxed environment, HR would never go for it, but I like this idea.

Sir Bobert Fishbone posted: We have one user who does not own a smartphone, and she was given a Yubikey.

Are Yubikeys reusable, as in if the employee leaves I can somehow reassign it to another user?

Mar 27, 2024 15:17

Yup yup. Also I do vaguely remember there is an upper limit of hardware MFA tokens EntraID will allow for your tenant. Maybe that's out of date knowledge, but I think it was talked about here or maybe the InfoSec thread fairly recently. Doesn't sound like it will be a problem for you, but something to be aware of.

Mar 27, 2024 15:20

Another question I suppose. We have two locations that are in the middle of nowhere and the only ISP available other than Starlink is a PTP wireless provider that does double-NAT and doesn't provide static IPs. It's been a nightmare for site-to-site VPN, but FortiGate's dial-up VPN has gotten us by. However, this means I can't set up these locations as trusted locations for MFA. What are my options here? Now that you mentioned Yubikey, I'm considering just using these for the general use PCs and leaving the Yubikey plugged in 24/7. Is there an alternative?

Mar 27, 2024 15:20

Internet Explorer posted: Yup yup. Also I do vaguely remember there is an upper limit of hardware MFA tokens EntraID will allow for your tenant. Maybe that's out of date knowledge, but I think it was talked about here or maybe the InfoSec thread fairly recently. Doesn't sound like it will be a problem for you, but something to be aware of.

Thanks for that tip. We have ~100 PCs across the company but only like 50 are user PCs while the rest are for plant controls. It kinda sucks to be honest but it is what it is. I'm not worried about MFA for users but rather we can't have MFA prompting for the general use accounts.

Mar 27, 2024 15:22

kiwid posted: Another question I suppose. We have two locations that are in the middle of nowhere and the only ISP available other than Starlink is a PTP wireless provider that does double-nat and doesn't provide static IPs. It's been a nightmare for site-to-site VPN but FortiGate's dial-up VPN has gotten us by. However, this means I can't setup these locations as trusted locations for MFA. What are my options here? Now that you mentioned Yubikey, I'm considering just using these for the general use PCs and leave the Yubikey plugged in 24/7. Is there an alternative?

You could route traffic over the tunnel so they present the static IP from whatever office the tunnel terminates at; obviously that puts more strain on that connection and adds some latency. That's just the first thing that popped into my head, wouldn't be the best solution but could be a temporary measure.

Mar 27, 2024 16:52

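Once the remote sites egress through the office tunnel, the office's static address is what Entra sees, and that is the thing you can register as a trusted named location. The following is an added example (not from any poster) of doing that with the Microsoft Graph PowerShell SDK and then listing what is currently trusted; it assumes the Microsoft.Graph.Identity.SignIns module, an account with Policy.ReadWrite.ConditionalAccess, and the name "Remote plant sites (via HQ tunnel)" and the 203.0.113.10 address are constructed placeholders for the tunnel terminator's real public IP.

```powershell
# Added example: register the tunnel terminator's static egress IP as a trusted
# named location and audit existing trusted ranges. Assumes the Microsoft.Graph
# SDK; the display name and IP are constructed placeholders (RFC 5737 space).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Only ever put a genuinely static, organisation-controlled address here. The
# double-NAT carrier range the remote sites sit behind would be shared with
# strangers, and marking it trusted would exempt all of them from MFA.
$tunnelEgress = "203.0.113.10/32"   # constructed placeholder

$body = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Remote plant sites (via HQ tunnel)"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = $tunnelEgress
        }
    )
}

$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $body
$location | Select-Object Id, DisplayName

# Periodic check: every trusted IP named location and its ranges. Anything here
# that is not a static address you control is an MFA bypass waiting to happen.
Get-MgIdentityConditionalAccessNamedLocation -All |
    Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.ipNamedLocation' -and
        $_.AdditionalProperties['isTrusted'] -eq $true
    } |
    ForEach-Object {
        [pscustomobject]@{
            Name   = $_.DisplayName
            Ranges = ($_.AdditionalProperties['ipRanges'] | ForEach-Object { $_['cidrAddress'] }) -join ', '
        }
    }
```

Trusting the location only removes the prompt for traffic that actually traverses the tunnel, so the FortiGate policy that forces the remote subnets' internet-bound traffic through it is the part this depends on; if the sites ever fail open to their local ISP, the prompts simply come back rather than anything being silently exempted.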
kiwid posted: Are Yubikey's reusable, as in if the employee leaves I can somehow reassign it to another user?

They are, yes. But they are also not all that expensive and we treat them as a consumable. If someone gets a Yubikey from us, it's theirs forever. You can't stop them from using it for non-work accounts once they have it, so it just becomes a personal item for them and we don't want it back. They are also great and I wish I could get more people to take them. I use them for all my daily and admin accounts and it's so much easier to use.

Mar 27, 2024 22:05

The limit was to do with tokens on a Yubikey IIRC and not how many hardware tokens an Entra tenant can support. And yes, they are £30 or something along those lines; you might have a handful of employees who request a token, just treat it as disposable.

For your double-NAT site you probably want to tunnel them out to somewhere with real internet service, either as part of a wider SD-WAN project or just these sites on an ad-hoc basis, because otherwise you will struggle with stuff like VoIP in future. There's a provider here that you can buy "ISP" service from without the actual connection part: you build an L2TP tunnel and get to use their static IP ranges, people use it with things like 5G modems. https://www.aa.net.uk/broadband/l2tp-service/

Thanks Ants fucked around with this message at 22:34 on Mar 27, 2024

Mar 27, 2024 22:27

Number19 posted: They are also great and I wish I could get more people to take them. I use them for all my daily and admin accounts and it's so much easier to use.

I still prefer to use my fingerprint with Hello for Business to sign into my devices, but the Yubikey is amazing for privileged accounts, especially when sessions constantly glitch out and need a new sign-in like the last couple weeks.

Mar 27, 2024 22:37

Mar 29, 2024 14:24

Thanks Ants posted: The limit was to do with tokens on a Yubikey IIRC and not how many hardware tokens an Entra tenant can support. And yes, they are £30 or something along those lines, you might have a handful of employees who request a token, just treat it as disposable.

Huh. Maybe I misunderstood on more than one occasion, because after briefly looking now I don't see any mention of it online.

Mar 27, 2024 22:42