Recently, I got a question from a customer to list all users that already enrolled in Azure MFA (through, for example, the url https://aka.ms/mfasetup.
The following PowerShell code lists all non-disabled users that already enrolled in Azure MFA:
When logging in to a customers Exchange Server 2013 environment recently, a pop up caught my eye, indicating the following errror:
An expired certificate as such obviously isn’t such a weird event. However, when zooming into the error, the server that the error referred to was an old, already decommissioned, Exchange Server!
The following locations were checked, to no avail:
Get-ExchangeServer
Get-ExchangeCertificate
ADSI Edit
Certificate store on all Exchange Servers
After some googling searching the web with Bing, I found a solution on the web.
Keep in mind, to run the command, specific permissions are required. A management role needs to be created with Mailbox Import Export assigned role. Assigning the Discovery Management role is not enough!
When configuring this on my home tenant, I received the following error:
All usual suspects were covered: the correct licenses were assigned, password writeback was configured and showed up in the portal as working, so no issues there. When opening the SSPR section in the Azure Portal, the following error was shown:
Digging into the Event Viewer on the Azure AD Connect Server revealed the error: The password could not be updated because the management agent credentials were denied access.
Following best practices from Microsoft, the account that was configured in the Azure AD Connect management agent did not have elevated permissions, and therefore did not have the possiblity to reset passwords.
Assigning delegated permissions to reset the password of the OU containing the synced users, solved the issue.