Configuring Modern Authentication

January 12, 2021 | by iaur | posted as Administration, Microsoft 365

Enable\Disable Modern Authentication for Office 365 Services

A. Teams, Office Apps, and SharePoint Online are enabled with Modern Authentication by default.

B. Exchange Online

1. Connect to Exchange Online using PowerShell.

2. Run the following cmdlet to verify the Modern Authentication status:

Get-OrganizationConfig | ft OAuth*

3. To enable Modern Authentication for Exchange Online, run the following cmdlet:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $True

C. Skype for Business

1. Connect to Skype for Business Online using PowerShell.

2. Run the following cmdlet to check the Modern Authentication status for Skype for Business Online:

Get-CsOAuthConfiguration | fl ClientAdalAuthOverride

3. To enable Modern Authentication for Skype for Business Online, run the following cmdlet:

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Verify Authentication Prompt Type

A. Basic Authentication

[screenshot: the classic Windows credential prompt for the Basic Authentication case]

B. Modern Authentication

[screenshot: the Azure AD web sign-in page (“Sign in”, “Email, phone, or Skype”, “No account? Create one!”)]

Troubleshooting Modern Authentication Issues for Office Clients

  • Outlook is not accepting the password
  • Outlook keeps asking for the password
  • Office apps keep asking for credentials

If EXO Modern Auth is False, Account is MFA Enabled, Basic UI

A. Create an App Password.

B. Use it as the password.

If EXO Modern Auth is True, Account is MFA Enabled, Basic UI

Go to: HKEY_CURRENT_USER\Software\Microsoft\Office\1x.0\Common\Identity

DisableADALatopWAMOverride = 0
EnableADAL = 1

If EXO Modern Auth is True, Account is MFA Disabled, Modern UI

Go to: HKEY_CURRENT_USER\Software\Microsoft\Office\1x.0\Common\Identity

DisableADALatopWAMOverride = 1
EnableADAL = 0


In Windows 8, press the Windows key, type Run, and then press Enter.

In Windows 7, click Start, point to All Programs, click Accessories, and then click Run.

In the Run dialog box, type the following commands (one at a time) and press Enter:

reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Office\1x.0\Common\Identity /v DisableADALatopWAMOverride /t REG_DWORD /d 1 /f

reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Office\1x.0\Common\Identity /v EnableADAL /t REG_DWORD /d 0 /f

The values shown (1 and 0) match the “MFA Disabled, Modern UI” case above; swap them to 0 and 1 for the “MFA Enabled, Basic UI” case.

The 1x.0 placeholder represents your version of Office (16.0 = Office 2016, 15.0 = Office 2013, 14.0 = Office 2010).

0 = Disabled
1 = Enabled

DisableADALatopWAMOverride = disables the Web Account Manager (WAM) in Windows 10
EnableADAL = enables Modern Authentication (ADAL) for the Office client installed on the machine


Why MFA phone verification fails sometimes?

November 10, 2020 | by iaur | posted as Failure, Microsoft 365


  • If you are having problems successfully completing MFA verification calls
  • MFA phone verification fails sometimes, or Microsoft 365 did not send you a code

MSFT places these calls from a U.S. system, so they always carry a +1 caller ID.

A carrier in the call path likely doesn't support dual-tone multi-frequency (DTMF) signalling. MSFT therefore never receives the # signal back from the user's phone, and the authentication fails.

In other words, calls can get routed through a carrier between the source and target that doesn't support, or doesn't pass along, the caller ID that MSFT sent.

If you attempt again within 10 minutes, MSFT will choose a different PSTN provider to ensure a different routing and increase the chances of a successful connection.

If you are in a specific country where a number of MFA phone verifications fail intermittently, log a support case: MSFT can investigate whether a further fix is needed for your location. Otherwise, choose other methods such as the Authenticator mobile app or text message.

In conclusion, MSFT offers multiple verification methods, so pick the one that works best in your situation. More on securing Microsoft 365 here.

Can’t add custom DNS records types after pointing domain’s name servers to O365

August 15, 2020 | by iaur | posted as Failure, Microsoft 365


  • You can’t add an A record for your website routing
  • You can’t add custom DNS record types in the Admin Center

This normally happens if you chose PartialRedelegation when adding your domain. You need to change it to FullRedelegation, especially if the name servers are pointed to Microsoft 365, so that you can add other records such as the ones for your website.


  • Go to the M365 portal > Settings > Domains.
  • Select the domain and click Manage DNS.
  • Click More options and choose “Set up my online services for me”.
  • Click Continue until you reach the page where the website address is requested.
  • You can now add the IP address of the website during the setup.
  • Complete the setup, then go back to Manage DNS for the domain and check that you can now add custom DNS record types.

404 Error prompt when accessing home page

August 5, 2020 | by iaur | posted as Failure, SharePoint Online

404 NOT FOUND error when accessing the home page of a site**

This issue happens when home.aspx (or whichever page is the site's home page) is deleted.

**Please note that this issue only applies to site collections with the Communication, Private or Public Team Site (New Experience) template.

Recreate the Home Page

  • Steps
    1. Append /_layouts/15/viewlsts.aspx to the end of the site URL (e.g.
    2. Once redirected to Site Contents, go to Pages.
    3. On Site Pages, click New > Site Page.
    4. Type Home under “Name your page” and add the necessary information.
    5. Publish the page.
    6. Note: If you used a different name in Step 4, go back to Pages, right-click the newly created page, and select Make homepage.

Restore deleted Home Page

Website redirection to Domain Broker Service Ads

August 2, 2020 | by iaur | posted as Failure, WordPress


  • You are getting a message about a Domain Broker Service advertisement
  • Your website intermittently redirects to a different web page, and sometimes to your own website

Your domain is parked

First, check your DNS entries for an A record with the value “Parked”. GoDaddy uses this to let the internet know that your domain is taken but does not yet have a website.

The Domain Broker Service then runs an ads campaign on the parked domain and advertises it to people interested in your domain name. In other words, your domain is up for bidding.

[screenshot: DNS Checker and the GoDaddy Domain Manager showing the domain's A records, last updated 7/21/20, with TTLs of 1 hour and 600 seconds]


This may also apply to other domain service providers; since mine is with GoDaddy, I followed the steps below to resolve it.

Importantly, after adding the A record for your website's IP address, make sure to remove the “Parked” A record. Otherwise you will be broadcasting two A records and (depending on the load balancer) visitors will be sent either to your web server or to GoDaddy's Domain Broker Service Ads.

  1. Log in to your GoDaddy DNS Control.
  2. Select your domain name from the list to access the Domain Settings page.
  3. Scroll down to Additional Settings and select Manage DNS.
  4. On the DNS Management page, next to the record you wish to delete (in our case the A record with the “Parked” value), click the pencil icon.
  5. To the right of the entry fields, select the trash can icon.
  6. Confirm deletion by selecting Delete in the new window.
  7. Confirm the DNS propagation with a DNS checker and look for multiple A record entries.

In conclusion, you will know that your redirection issue is resolved once the only A record returned for your domain is your website's IP address.


Search AD object with specific ms-DS-ConsistencyGUID

July 31, 2020 | by iaur | posted as Active Directory, Azure AD

Scenario: two MSOL users that are both synced from AD; looking to see if we can merge them.

You don't really have to merge them, and there's no way to do so anyway. Both MSOL users are synced from AD, so the question is which one to retain, and obviously that would be the licensed account.

For this you just need to find the AD object that corresponds to the unlicensed MSOL user and move it out of the syncing OU. This deletes it from O365, so it will no longer show under Active users in the Admin center.

On O365 PowerShell:

# run this to find the ImmutableId of the unlicensed user
Get-MsolUser -UserPrincipalName <upn-of-unlicensed-user> | fl DisplayName,ImmutableId

Take note of the ImmutableId.

On the local AD PowerShell, the following searches for the AD object whose ms-DS-ConsistencyGUID matches the ImmutableId value:

$immutableId = '<ImmutableId noted above>'
$bytes = [System.Convert]::FromBase64String($immutableId)   # the ImmutableId is the base64 of the 16 GUID bytes
$hex = -join ($bytes | ForEach-Object { $_.ToString('X2') })
$search = $hex -replace '(..)', '\$1'                         # escape each byte as \XX for the LDAP filter
$adUser = Get-ADUser -LDAPFilter "(ms-ds-consistencyguid=$search)"
$adUser | Select-Object DistinguishedName, ObjectGUID

Once you've retrieved it, locate the OU where the object is and move it to an OU that is not synced with O365, then perform an AD sync.
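The same byte conversion as an added POSIX shell example (not the post's own code), for running the search with ldapsearch from a Linux host. It assumes the ImmutableId is the raw base64 of the object's GUID bytes (the Azure AD Connect default when ms-DS-ConsistencyGUID is the source anchor); the demo ImmutableId is constructed, and the GUID text form is printed as well because its first three groups are byte-swapped relative to the \xx filter bytes.

```shell
#!/usr/bin/env bash
# Added example, not the post's code: ImmutableId (base64 of 16 GUID bytes)
# -> LDAP filter on ms-DS-ConsistencyGUID, plus the GUID text AD displays.

# base64 ImmutableId -> contiguous lowercase hex, e.g. 000102...0f
immutableid_to_hex() {
  printf '%s' "$1" | base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# hex -> LDAP byte-escaped value (\00\01\02...), what the post's -replace does
hex_to_ldap_escaped() {
  printf '%s\n' "$1" | sed 's/../\\&/g'
}

# Complete filter usable with Get-ADUser -LDAPFilter or ldapsearch
immutableid_to_ldap_filter() {
  printf '(ms-ds-consistencyguid=%s)' "$(hex_to_ldap_escaped "$(immutableid_to_hex "$1")")"
}

# hex -> GUID string. The first 4, 2 and 2 bytes (Data1..Data3) are stored
# little-endian, so the displayed objectGUID and the filter bytes differ in order.
hex_to_guid() {
  printf '%s\n' "$1" | awk '{ printf "%s%s%s%s-%s%s-%s%s-%s-%s\n",
      substr($0,7,2), substr($0,5,2), substr($0,3,2), substr($0,1,2),
      substr($0,11,2), substr($0,9,2), substr($0,15,2), substr($0,13,2),
      substr($0,17,4), substr($0,21,12) }'
}

# Constructed demo input whose GUID bytes are 00 01 02 ... 0f
DEMO_ID='AAECAwQFBgcICQoLDA0ODw=='
immutableid_to_ldap_filter "$DEMO_ID"; echo
hex_to_guid "$(immutableid_to_hex "$DEMO_ID")"
```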




Basic security for web servers (Linux Ubuntu)

July 28, 2020 | by iaur | posted as LAMP, WordPress


# update package lists, install the firewall, and poke holes before enabling it
sudo apt-get update
sudo apt-get install ufw

# rate-limit SSH: ufw limit denies an IP that opens 6 or more connections within 30 seconds
sudo ufw limit 22/tcp

# allow the web ports
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# enable the firewall and verify its status
sudo ufw enable
sudo ufw status

Global Blocks

# default policy: deny all incoming traffic except the rules above (ssh/80/443)
sudo ufw default deny incoming

# default policy: allow all outgoing traffic
sudo ufw default allow outgoing

# reload the firewall after updating the rules
sudo ufw reload

Disabling password auth of ssh

# this disables every other SSH auth method, so back up your private key (id_rsa)
# and make sure a key-based login already works, or generate another key from
# another machine, before advancing

sudo nano /etc/ssh/sshd_config

# set the following lines
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no

# restart sshd so the new sshd_config takes effect
sudo systemctl restart sshd

Prevent IP Spoof

  • Since GCP already prevents IP spoofing at the CSP level this is deemed unnecessary, but it is still good practice
  • Updated versions of LAMP have this feature in some iteration

# the useful scenario is banning an IP address: you don't want that bad actor to use another IP to get into your web server
sudo nano /etc/host.conf

# note these are system files, so be cautious
# change the order and mirror the lines below

order bind,hosts
nospoof on

Install Fail2Ban

# scans logs for malicious-looking requests (e.g. repeated failed logins, some DDoS patterns) and bans the source IP

sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo systemctl status fail2ban

Enable security feature via sysctl.conf

sudo nano /etc/sysctl.conf

# uncomment the following lines

# do not accept ICMP redirects (prevents “Man in the Middle” (MITM) attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# do not send ICMP redirects or accept source-routed packets (we are a web server, not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# log Martian packets (packets with impossible source addresses)
net.ipv4.conf.all.log_martians = 1

# apply and display the changes made to sysctl.conf
sudo sysctl -p
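To confirm that the sshd_config and sysctl.conf changes above actually took effect, here is an added example (not the post's code) that audits captured config text against the values this post sets. The sshd_config and sysctl samples are constructed; in practice you would feed it the output of `sshd -T` and `sysctl -a`.

```shell
#!/usr/bin/env bash
# Added example (not the post's code): audit a captured sshd_config and sysctl
# dump against the hardened values the post sets. Sample inputs are constructed.
SSHD_EXPECTED='PasswordAuthentication=no ChallengeResponseAuthentication=no UsePAM=no PermitRootLogin=no'
SYSCTL_EXPECTED='net.ipv4.conf.all.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0 net.ipv4.conf.all.log_martians=1'

# Effective value of KEY in CONFIG text (comments dropped, keyword matched
# case-insensitively). MODE=first for sshd_config: sshd keeps the first value
# of a keyword. MODE=last for sysctl: settings apply in order, last wins.
cfg_value() { # cfg_value CONFIG KEY MODE
  printf '%s\n' "$1" | awk -v key="$2" -v mode="$3" '
    { sub(/#.*/, ""); gsub(/=/, " ") }
    NF >= 2 && tolower($1) == tolower(key) {
      val = $2; if (mode == "first") { print val; exit } }
    END { if (mode != "first" && val != "") print val }'
}

# Check every KEY=VALUE in EXPECTED against CONFIG; print deviations and
# return 1 if any were found.
audit_cfg() { # audit_cfg EXPECTED CONFIG MODE
  rc=0
  for pair in $1; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(cfg_value "$2" "$key" "$3")
    if [ "$got" != "$want" ]; then
      printf 'FAIL %s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
      rc=1
    fi
  done
  return $rc
}

# Constructed sshd_config: PermitRootLogin never set, PasswordAuthentication
# given twice; the first value (yes) is the one sshd actually enforces.
SAMPLE_SSHD='PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM no
PasswordAuthentication no'
# Constructed sysctl dump with all of the post's values in place
SAMPLE_SYSCTL='net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1'

audit_cfg "$SSHD_EXPECTED" "$SAMPLE_SSHD" first || echo "sshd_config: not fully hardened"
audit_cfg "$SYSCTL_EXPECTED" "$SAMPLE_SYSCTL" last && echo "sysctl: hardened values present"
```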