Channel: Risual

NDES server w3wp, ntdll.dll errors when deploying device certificates via Intune SCEP profile


I was doing an implementation of Network Device Enrollment Services (NDES) recently to support a client who required unique device certificates on their Intune Managed Windows 10 build to support a 3rd party VPN product.

I’ve implemented NDES in conjunction with Mobile Iron and Intune on various occasions and have not had any issues; the setup was a Windows 2019 NDES server, Windows 2019 PKI including 2019 Issuing CAs, and the NDES URL published to Intune Clients via the Azure Application proxy. The Microsoft documentation around this setup and troubleshooting common errors is fairly comprehensive.

With everything in place, my final step was assigning the Intune SCEP profile to my test devices and forcing along a sync. At almost exactly the same time as the SCEP profile was applied I got the following errors on the NDES server application log (and no device certificate delivered to the device!)

NDES Server:

Application Error: 1000

Faulting application name: w3wp.exe, version: 10.0.17763.1, time stamp: 0xcfdb13d8
Faulting module name: ntdll.dll, version: 10.0.17763.592, time stamp: 0x0f1b8afd
Exception code: 0xc0000374
Fault offset: 0x00000000000fb049
Faulting process id: 0x1134
Faulting application start time: 0x01d563cd543c516c
Faulting application path: c:\windows\system32\inetsrv\w3wp.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: bdb7af74-7eea-4e75-8e4a-22e6230e5760
Faulting package full name:
Faulting package-relative application ID:

And in the Windows 10 client application log, also at exactly the same time a trio of errors:

CertificateServicesClient-Autoenroll 87 Error (Application log)

SCEP Certificate enrollment for Local system via https://scep.client.domain.name/certsrv/mscep/mscep.dll/pkiclient.exe failed:

PkiStatus(2): SCEPDispositionFailure
FailInfo(2): SCEPFailBadRequest
EnrollStatus(256): EnrollDenied
Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
ProcessResponseMessage
Submit(Request):
HTTP/1.1 200
Date: Thu, 05 Sep 2019 09:36:01 GMT
Content-Length: 759
Content-Type: application/x-pki-message
Server: Microsoft-IIS/10.0 Microsoft-HTTPAPI/2.0

[some Azure App Proxy Cookie Info-deleted]

Method: POST(4000ms)
Stage: ProcessResponseMessage
Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

And also….

CertificateServicesClient-Autoenroll 87 Error (Application log)

SCEP Certificate enrolment for Local system via https://scep.client.domain.name/certsrv/mscep/mscep.dll/pkiclient.exe failed:

SubmitDone
Submit(Request): Bad Gateway
HTTP/1.1 502 Bad Gateway
Date: Thu, 05 Sep 2019 09:37:03 GMT
Content-Length: 30836
Content-Type: text/html
Server: Microsoft-HTTPAPI/2.0

[some Azure App Proxy Cookie Info-deleted]

path=/; domain=client.domain.name

Method: POST(5515ms)
Stage: SubmitDone
Bad gateway (502). 0x801901f6 (-2145844746 HTTP_E_STATUS_BAD_GATEWAY)

And finally….

CertificateServicesClient-Autoenroll 87 Error (Application log)

SCEP Certificate enrollment for Local system via https://scep.client.domain.name/certsrv/mscep/mscep.dll/pkiclient.exe failed:

SubmitDone
GetCACert:
HTTP/1.1 200
Date: Thu, 05 Sep 2019 10:05:01 GMT
Content-Length: 6107
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/10.0 Microsoft-HTTPAPI/2.0

[some Azure App Proxy Cookie Info-deleted]

Method: POST(4047ms)
Stage: SubmitDone
The supplied variant structure contains invalid data. 0x8007025c (WIN32: 604 ERROR_INVALID_VARIANT)

The fix

I did a bit of research on this and there was a lot of mention of IIS and application issues/bugs; I did, however, find an MS article which summarised almost exactly the same issue:

https://social.technet.microsoft.com/Forums/en-US/14c940dd-f5fb-4d55-9b8b-ff940630a157/ndes-scep-iis-appcrash-win-server-2012r2?forum=winservergen

It implied that deleting any misplaced certificates in the trusted root / intermediate stores on the NDES server would fix the issue. I ran this past our support team, who have occasionally seen similar server “appcrash” errors in the event logs of Skype servers that have IIS components installed, and who also thought this might well be a fix.

In short, I ran the following PowerShell commands on the NDES server.

Checking the Trusted Root Store:

Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Select Issuer, Subject, Thumbprint | fl

Checking the Intermediate Store:

Get-ChildItem Cert:\localmachine\CA | Where-Object {$_.Issuer -eq $_.Subject} | Select Issuer, Subject, Thumbprint | fl

Using the outputs of these commands allowed me to identify the misplaced certificates in the stores (in this case added as part of the server build) and remove them; some of them were extremely old and out of date. Having simply removed them from the stores, I re-synced my Windows 10 client with Intune and saw no errors in the server or client side event logs, which was promising. Almost instantly, checking in the local Certificates MMC, my Windows 10 device had a unique device certificate which I could see had come via the Intune SCEP profile and ultimately the NDES template on the Internal Issuing CA.

The errors don’t really give much of an idea of the true issue, and there doesn’t seem to be a lot out there on this; hope it helps or saves someone a bit of time if they come up against the same in their NDES implementation.
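The two store checks above, combined into one audit that also backs up each misplaced certificate before removing it. This is an added example, not the author's script: the function names and the backup folder C:\Temp\MisplacedCerts are assumptions, and it is meant to be run elevated on the NDES server.

```powershell
# Added example (not from the original post). Function names and the backup path are hypothetical.

function Get-MisplacedCertificate {
    # Each check mirrors one of the post's two commands:
    #   Root store: anything that is NOT self-signed (Issuer differs from Subject)
    #   CA store:   anything that IS self-signed (Issuer equals Subject)
    $checks = @(
        @{ Store = 'Root'; Filter = { $_.Issuer -ne $_.Subject }; Reason = 'Not self-signed, found in Trusted Root store' }
        @{ Store = 'CA';   Filter = { $_.Issuer -eq $_.Subject }; Reason = 'Self-signed, found in Intermediate store' }
    )

    foreach ($check in $checks) {
        Get-ChildItem -Path "Cert:\LocalMachine\$($check.Store)" |
            Where-Object -FilterScript $check.Filter |
            ForEach-Object {
                [pscustomobject]@{
                    Store       = $check.Store
                    Reason      = $check.Reason
                    Subject     = $_.Subject
                    Issuer      = $_.Issuer
                    NotAfter    = $_.NotAfter
                    Expired     = $_.NotAfter -lt (Get-Date)
                    Thumbprint  = $_.Thumbprint
                    Certificate = $_
                }
            }
    }
}

function Remove-MisplacedCertificate {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Finding,

        [Parameter(Mandatory)]
        [string]$BackupDir
    )

    begin {
        # Create the backup folder up front (skipped automatically under -WhatIf).
        if (-not (Test-Path -Path $BackupDir)) {
            New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        }
    }

    process {
        $certPath = "Cert:\LocalMachine\$($Finding.Store)\$($Finding.Thumbprint)"

        if ($PSCmdlet.ShouldProcess($certPath, 'Export to backup folder and remove from store')) {
            # Keep a DER copy so the certificate can be re-imported into the correct store
            # if removing it turns out to break a chain something else relies on.
            $backupFile = Join-Path -Path $BackupDir -ChildPath "$($Finding.Store)_$($Finding.Thumbprint).cer"
            Export-Certificate -Cert $Finding.Certificate -FilePath $backupFile -Type CERT | Out-Null

            Remove-Item -Path $certPath
        }
    }
}

# 1. Review what would be touched. An empty result means both stores are clean.
$findings = @(Get-MisplacedCertificate)
$findings | Format-List Store, Reason, Subject, Issuer, NotAfter, Expired, Thumbprint

# 2. Dry run: prints what would be exported and removed without changing anything.
$findings | Remove-MisplacedCertificate -BackupDir 'C:\Temp\MisplacedCerts' -WhatIf

# 3. After reviewing the list, drop -WhatIf to back up and remove (prompts per certificate).
# $findings | Remove-MisplacedCertificate -BackupDir 'C:\Temp\MisplacedCerts'
```

Review the list before removing anything: a cross-certificate or a certificate deliberately placed by another product can match these filters, and the exported .cer files let you put one back.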


Missing Native Device Apps with Android Enterprise Fully Managed with Intune?


Recently, one of my clients has been testing Android Enterprise Fully Managed (preview) for their device rollout and noticed that the native device apps, including the camera app, were removed from the device at the time of enrolment with Microsoft Intune and the provided QR code.

If you are wondering how to resolve this, you will need to download the QR code as an image and decode this using one of many online QR decoders.

Once decoded, the syntax should look like the below:

{
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "<CHECKSUM>",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup",
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "<TOKEN>"}
}

Add the "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true statement at the beginning of the code and then re-encode the QR using one of the many online QR encoders to produce the new QR code. This should look like this:

{
  "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true,
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "<CHECKSUM>",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup",
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "<TOKEN>"}
}

Once you have this new QR code, run through the device enrolment as you have previously and you will find that the native device apps, including the camera, are now available.

I also understand Microsoft are working on a solution to this presently and hopefully we’ll see an option next to the Intune QR code to enable/disable the native device apps before producing the QR code. Watch this space!

Meetings First for Microsoft Teams


Moving users straight over from Skype for Business can be a daunting task, especially if organisations have requirements to continue using the enterprise voice workloads within the server product. Meetings First functionality allows users to retain Skype for Business server for their chat and PSTN calling but start utilising the power of Microsoft Teams with the ability to host meetings online.

With Meetings First assigned to a user, chat, calling and presence are turned off in Teams and are only available with Skype for Business, ensuring no overlap or miscommunication. Use of Teams and Channels can optionally be hidden using an app permission policy to further simplify the Teams client.

Hosting meetings in Microsoft Teams allows users to leverage the power of the Microsoft Cloud, transforming the meeting experience and reducing dependency on corporate resources; participants (whether internal or external) no longer have to connect to corporate datacentres and can instead communicate directly with their nearest Microsoft Point of Presence to reach the Teams meeting.

If users are also enabled with an Audio Conferencing license then PSTN dial-in/dial-out functionality is also possible, providing meetings with dial-in numbers in a range of countries without having to dedicate trunks on the Skype server’s PSTN connection.

Reach out to us for further advice or check out the Microsoft documentation at https://aka.ms/MeetingsFirst


Azure, Being Ready For the Future


You’ve all heard of Azure; it’s been a key buzzword in all technology conversations in recent years.

The continuous innovation from Microsoft has led to the platform being able to successfully support development and ensure that visions of tomorrow become a reality.

Azure has over 1000+ new capabilities in the last year alone, building on the latest advancements in AI and databases to keep our clients ahead of the curve. Azure has been developed from the most comprehensive AI portfolio Microsoft has to offer. It aims to transform businesses and applications with a full set of cognitive services. It infuses apps, websites and bots with intelligent algorithms to see, hear, speak, understand and interpret user needs through natural methods of communication.

Did you know that analytics are 14 times faster and cost 94% less?

We aim to turn data into insights with breakthrough performance, security and speed – all through Azure.

It has enterprise-grade analytics solutions, outperforms the competition, costs less, and is fully compatible with clients’ existing development, BI and data science tools. Azure has a broad IoT (Internet of Things) ecosystem, deploying over 1000+ IoT devices easily with plug and play integrations. It can connect IoT devices to the cloud without anyone having to write a single line of embedded code.

Azure has an end-to-end mixed reality platform. From industry leading HoloLens devices to breakthrough mixed reality services for developers, Azure is the only cloud that enables end-to-end experiences for mixed reality.

Over twenty years of work by some of Microsoft’s brightest sparks in physics, mathematics, engineering and computer science from around the world have brought the only scalable quantum solution right to Azure.

Do you want to be ready for the future?

Try Azure.

Azure, Your Choices


You have choices.

Azure allows you to build how you want, deploy where you want and has support for all languages.

Your language, your tool, your app.

Azure allows you to build, deploy, debug and manage applications with the language or platform of your choice, taking advantage of full-featured integrated development environments with built-in support for Visual Studio and Visual Studio Code. Azure has the backing of the most popular IDEs trusted by ISM + develops.

Allow limitless scale for your applications. Azure allows dependence on only the Cloud, offering SQL, Postgres and MySQL databases at unlimited scale for all types of applications. Hyperscale – the solution to solve the common cloud scalability limits across computer storage and memory.

Allow AI for everyone!

Azure provides machine learning models and tools that are designed to meet clients’ needs across various skill levels, from full-model development and algorithm selection using Python-based environments to zero-code automated models for easy learning. Azure supports open source innovation, driving innovation through collaboration and contributing back to the community. Azure enables you to build open source at scale, from developing open technologies like .NET Core to actively contributing to critical projects.

Your choice. Choose right. Choose Azure.

Azure, Hybrid Operation


Are you in the cloud? Still on premise? Somewhere in-between?

No matter where you are on your cloud transformation journey, Azure allows risual to meet you where you are, and to integrate and manage your environments with tools and services specifically designed for hybrid environments.

The Unified Identity Platform (UIP) is trusted by over 90% of all enterprises worldwide. It allows enhanced security, smart policies and simplified access across all environments.

Have you heard of the Azure Hybrid Benefit? It allows you to save 40% on virtual machines by using your existing SQL Server or Windows Server license investments. Take advantage of this benefit to have Windows Server and SQL Server for less.

Azure Cognitive Services allows real-time insights to be delivered and immersive experiences that are contextually aware and highly responsive. Azure Security Centre allows cloud scale and AI-powered security protections to on-premise virtual machines and IoT devices, all managed centrally along with the security for the cloud resources.

Allow your business to achieve greater flexibility through Azure. Give yourself the opportunity to decide where you want your SQL or PostgreSQL data to live. Get a problem-free database migration with no code changes at an industry leading total cost of ownership (TCO).

No matter where you are in your cloud journey, Azure can help.

Azure, Trust In The Cloud


Like building the foundations of a house, work from the ground up. You don’t start with the foundations of the house last, so why would you put security at the bottom of your to-do list?

Azure – backed by a team of experts, trusted by enterprises, start-ups and governments. Over 1 billion invested in Azure security and over 3500 cyber security experts on the case.

Security comes first. Test it.

Azure allows you to take advantage of multi-layered security provided across physical datacentres, infrastructure and operations with experts in security. Our experts actively monitor to protect your business, so why wouldn’t you want Azure?

Proactively protect your data and streamline compliance with the most comprehensive compliance coverage of any cloud service provider. Over 90+ compliance offerings ensuring the protection of your assets and data.

risual and Microsoft have an unwavering commitment to privacy. We want to empower you to control your security, power your experience and manage your data.

Do you currently feel confident about where your data is stored and secured?

Modernise your security operations, make your threat detection faster, make your responses smarter – use Azure.

Over 6.5 trillion threat signals are analysed daily.

Be the people who don’t get a breach.

Be Azure smart.

Take notes in a scheduled Outlook meeting


First open up Outlook and then open the meeting you would like to take notes for. Once in the appointment choose Meeting on the top ribbon then chose Meeting notes. In the Meeting Notes dialog box, do one of the following: To share your meeting notes with others, choose Share notes with the meeting. To [...]



Framing the Digital Challenge


A few months back, we took the decision to re-shape our service portfolio in line with market trends and client insight. Through this process, we juggled with the term ‘Digital Transformation’ and how we, as a trusted advisor to many clients can help frame the digital challenge. As we have seen in recent years, digital transformation means different things to different organisations. Initially, we focused on there only being two transformation types; cloud and digital. As we explored the capabilities of both, it became increasingly apparent that there are three transformation scenarios that organisations can benefit from. Cloud and digital can be augmented by business transformation. So, we took it upon ourselves to define what we mean by the term digital and how we can help our clients drive value through the heart of their business.

In defining the term digital transformation, we examined what value means to our clients and how they can benefit from firstly transforming IT services through cloud transformation, followed by modernising business applications and services (our definition of business transformation). That left the third aspect of transformation. Thinking back to the word value, we settled on our definition of digital transformation as being:

• Increase insight and outcomes
• Enhance customer engagement
• Create better revenue and growth
• Redefine services

Good outcomes matter to all business leaders who are typically measured on many aspects such as holding down costs, driving increased revenue, understanding and mitigating risk caused by volatility and improving employee morale. Investing in positive outcomes that drive value is therefore vital to continuing the success of any organisation, whether public or private sector. When we think about the digital challenge, our natural reaction is to dive straight to the technology. Whilst this is sometimes useful, it doesn’t always answer the question our clients are seeking to achieve.

So, how do we think and deliver digital? Where do we start?

If we go back to our definition of digital transformation, it’s fairly easy to see a pattern emerging. Businesses will drive success by understanding and enhancing their customers’ experience. A colleague of mine summed this up perfectly, when he remonstrated about “sitting on the phone for 20 minutes just to order a new bin from the local council”. That might seem a bit innocuous, yet just asking customers how they want to access the services you offer neatly frames the digital challenge.

Instead of thinking on their behalf (yep, seen those sorts of digital projects), just ask.

So, what happens if you then get swamped by different needs, wondering how to unpick it all, how much it will all cost and how you will even go about it? This is where risual’s unique digital portfolio comes into play. We have redefined our services to cater for any need. Whether you are embarking on wholesale digital transformation of entire services, or wish to drive value incrementally; we can help you shape, understand and determine the road to success. Check out our portfolio on the G-Cloud 11 Framework.

https://risu.al/V6bK

Apprenticeships: Technical Training


One of the coolest parts of the apprenticeships that risual Education delivers is the fact that we deliver technical training to learners that helps them improve their confidence in their respective job role one day per week.

Through official Microsoft certifications relevant to the appropriate apprenticeship programme, we provide training in HTML, Microsoft Azure, Office 365, Active Directory, computer networking and many other Microsoft related technologies. It’s been amazing to see someone’s learning journey progress from them having very little knowledge of IT to them being confident in using Microsoft Technologies such as Active Directory for example. Many learners have informed me that they or the rest of their IT team uses these technologies at their workplace but they’ve often told me they’ve never used them before, or it’s something that their line manager wants them to become more confident with.

Through the delivery of our sessions, either in the classroom or through Microsoft Teams, we find out what learners want to achieve in regards to increasing their technical skills and we help them learn the critical knowledge they need for their workplace. This then results in learners being more confident at work, with their employers being happier because of how their learners are progressing in regards to personal development.

If you would like training on any technology, please contact education@risual.com.

Thanks,

Are you seeing Outlook credential prompts in an Exchange Hybrid setup? If so, configure your Exchange Hybrid to support delegated mailbox permissions


Recently, I have been made aware of a change Microsoft have released to allow the support of delegate permissions in Exchange Hybrid organisations.

You may be aware that the only supported permissions between the on-premises Exchange and Exchange Online, at the time of writing, are:

  • Full Access.
  • Send on Behalf.
  • Private Items.

All other permissions such as the below are not yet supported:

  • Send As.
  • Auto-Mapping.
  • Folder Permissions.

However, it’s interesting to note that additional steps should now be taken to allow the on-premises Exchange servers to support Hybrid mailbox permissions, as shown in the article dated 23rd August 2019 here.

For my example, I have a customer running Exchange 2016 Hybrid with an Exchange 2010 backend; they are using a supported Outlook client. They have migrated fewer than 100 mailboxes to Exchange Online and have been receiving credential prompts since the mailboxes were moved. It was found that the mailboxes with Full Access permissions were generating the credential prompts.

To fix this, we will do the following:

  • Connect to the on-premises Exchange 2016 server and, using the Exchange Management Shell from an Exchange Administrator account, run:
    Set-OrganizationConfig -ACLableSyncedObjectEnabled $True
    This will set the delegate access for any mailboxes migrated from that point.
  • On the on-premises Exchange 2016 server, using the Exchange Management Shell from an Exchange Administrator account, run:
    Get-RemoteMailbox -ResultSize unlimited | ForEach {Get-AdUser -Identity $_.Guid | Set-ADObject -Replace @{msExchRecipientDisplayType=-1073741818}}
    This will set the delegate access on the already-migrated mailboxes.
  • Either wait for the AD replication and Directory Synchronisation process to update the changes in Exchange Online, or force a manual AD replication and a manual directory synchronisation process.
    To run a manual synchronisation process:
    • Connect to the Azure AD Connect server.
    • Ensure you are in the AD Sync Admins Local Group. You may need to log off and back on again if you have just been added to the group.
    • Run Windows PowerShell as an Administrator, and then run:
      • Import-Module ADSync
      • Start-AdSyncSyncCycle -PolicyType Delta

There are different fixes for the different supported versions of Exchange Server, so please be sure to visit the article above to ensure you are following the correct procedure.

National Coding Week


It’s National Coding Week!

If you haven’t seen already we’ve been bringing you daily facts about coding on our risual Twitter so we thought we’d give you a summary of what we’ve been learning this week.

Let’s kick it off with the first ever programmer. Do you know who it is?

Ada Lovelace was the daughter of the English poet Lord Byron; she is considered to be the first computer programmer. In 1843, she worked with Charles Babbage and created the first ever program for one of his machines, the Analytical Engine. Ada was also the first person to realise that a computer had the potential to do more than just straight maths.

Changing the tune slightly….

We have all heard of viruses but do you know their definition?

Some programs are designed to steal your data or damage your computer (or at worst both!). These programs are called malware; viruses, worms and trojans are all types of malware.

Another coding history fact for you!

Did you know that the Enigma Machine is an encryption device developed and used in the early-to-mid 20th century to protect commercial, diplomatic and military communication? It was employed extensively by Nazi Germany during World War II in all branches of the German military.

Alan Turing cracked the Enigma…

Alan Turing was a British mathematician, logician, cryptanalyst and computer scientist, widely regarded as the ‘father of computer science and artificial intelligence’. He worked at the code-breaking centre Bletchley Park during World War II and was the primary person responsible for breaking the Enigma code.

On September 4th 1939, the day after the UK declared war on Germany, Turing reported to Bletchley Park, the wartime station of the Government Code and Cypher School. It is estimated his contribution to the war shortened it by two to four years.

And to wrap this up a final coding fact!

Coders who study and write malware are known as hackers. Those who write malware to commit crimes or bad deeds are known as ‘black-hat’ hackers, and those who write programmes to protect against malware are called ‘white-hat’ hackers.

How many of these facts did you know already?

Shortlisted for UK IT Industry Awards


risual are excited to announce that we have been shortlisted for the UK IT Industry Awards – Best Place to Work in IT!

The British Computer Society (BCS) has been running since the 1950s, they work in over 150 countries through a wider community of business leaders, educators and practitioners; working to ensure that the road people take on their digital transformation journey is safe and positive for everyone involved. This is done through raising standards, competence and conduct across the IT industry and tackling ethical challenges that are faced along the way.

We owe a big congratulations to everyone in the company for making us the place we are, for supporting our one risual culture and for creating this positive risual family vibe!

We look forward to sharing our results with you, so keep your eyes peeled for more news and updates around our placing!

In the meantime, you can find out more information and see who else has been shortlisted by following this link:

https://risu.al/Fv2u

We will be sharing all information about the UK IT Industry Awards on our social channels so be sure to go and follow us on Twitter, Instagram, LinkedIn, and Facebook.

Thanks for reading!

Managed Services providing value to your organisation


An introduction to Managed Services

RISUAL NEWS   •   19 SEPTEMBER, 2019

Transform your business with Managed Services like one of the UK’s leading Law Firms, Womble Bond Dickinson.

As one of the UK’s leading Law Firms, Womble Bond Dickinson needed constant access to their critical IT systems to maintain high levels of service to both clients and internal customers. As the company’s environment continues to grow, a need for a swift resolution to any IT issues was identified as key to ensuring they were responsive to client and internal needs. Womble Bond Dickinson have a highly skilled, dedicated IT team, they recognised that they would benefit from trusted partner risual to work alongside them to provide a scalable Managed Service.

Due to the nature of the business and demands on their own internal IT team, risual and Womble Bond Dickinson were able to create a bespoke service which delivered precisely what Womble Bond Dickinson required. Based on a flexible contract, this allows Womble Bond Dickinson to call on risual as and when they require additional services – along with 24×7 proactive monitoring of systems.

This unique agreement means that Bond Dickinson are not tied into a long-term costly contract which defines the exact scope of work, instead the flexibility of the contract allows Womble Bond Dickinson to get the maximum value from their agreement. As stated by Andy White of Womble Bond Dickinson “it’s the assurance that we have an external level of support that we can escalate to as and when we need it.”

The Managed Services team within risual monitor Womble Bond Dickinson’s systems, allowing them to proactively provide additional support when required, identify any problems or issues within the monitored environment and have a solution ready to implement when needed.

As a result of the Managed Services agreement between Womble Bond Dickinson and risual, they have seen the following:

  • Womble Bond Dickinson’s own IT team are not stretched or under resourced, they can also focus on more strategic projects due to the knowledge they have additional strength in depth when required
  • Support the reduction in the operational cost of IT by providing business as usual tasks as a service
  • Peace of mind- with risual’s flexible service agreement, it is able to provide a quick fix on any issues, regardless of the severity or technology involved – meaning improved response, flexibility and agility focused on providing value to the customer.
  • A strong strategic relationship, capable of providing hands on project support within a defined scope

Want to find out more about risual Managed Services?

risual Managed Services [rMS] is a department within risual Ltd, focussing solely on the IT support of its customers who offer 24/7 support and security to clients ranging from global business through to the UK Public Sector. Offering a bespoke, flexible managed service agreement to suit your needs, scalable to cope with workloads and covering multiple technologies. Whether you have a focus on adopting the cloud, proactively monitoring your estate or improving your ITIL and business processes, risual Managed Services can help.

The team is made up of 40+ staff, all Security Cleared, ISO 20000-1 accredited, ITIL Compliant and all trained to MCSE. A member of the Managed Services team, Charlie Lennon, has been shortlisted for the UK IT Industry Awards in August 2018 for the IT Support Apprentice of the Year. In addition to this, all of the team are Microsoft Qualified, with one of the team leaders currently holding all 5 active MCSEs.

risual Managed Services offerings

Here are just a few of what risual Managed Services can offer to your organisation:

  • Service Optimisation – Ensure you are getting the most from your technology as we report on consumption, keep all servers patched, and proactively manage your load capacity.
  • Break Fix – When things do go wrong, you have an army of certified experts at your disposal twenty-four hours a day, seven days a week. Whatever is wrong, we’ve probably seen it and fixed it before.
  • Cloud Adoption – Get the most from your cloud investments with our optimisation services, managed environments and ensure users are confident to use the technology on-site support.

risual Managed Services don’t just work with Microsoft; they also work with other 3rd party technologies such as Celestix, Barracuda, Linux, Citrix and many more.

SCCM – Task Sequence Stuck on Removing Built in Apps


We recently encountered an issue where an SCCM task sequence would randomly get stuck on a custom step we had added to a build task sequence. The custom step’s job was to remove some Windows 10 default apps, such as Xbox, which were not needed on a corporate build. We could have removed them as part of a build and capture sequence, but to keep the process lightweight we included this step as part of the build sequence. You could build the same machine several times and maybe 1 in 5 times you would get the issue, so it was a real annoyance and a pain to troubleshoot.

The task sequence step basically ran a PowerShell script containing the command Remove-AppxProvisionedPackage. You may find several of these scripts online, but they all run this command to remove the default apps.

After trying several fixes we eventually came across the update notes for an MS update released in August 2019. This contained the following: “Addresses an issue that causes Deployment Image Servicing and Management (DISM) to intermittently stop responding while deprovisioning some preinstalled apps using the Microsoft System Center Configuration Manager (SCCM).”

As we were using Windows 10 1809 we immediately set to work applying this fix to our image WIM. There are several methods of doing this, but we used the built-in SCCM Offline Servicing tool. By this time it was September, so we included the September cumulative update (as this contains all the previous months’ fixes). Note that we first manually copied the existing WIM to a separate folder as a backup, as we have had bad experiences in the past with the offline servicing tool, then made sure the updates we needed had been downloaded to a deployment package (otherwise they won’t show up in the offline servicing list of updates). It took a while for our image to apply the updates, so we left this running overnight. Once finished, it was a case of distributing the image (or updating the DP), then making sure the right image was selected in our task sequence, as we had added it as a fresh image to SCCM.

We then tested the build again and things were looking a lot more promising after several retries.

Hope this helps!


Azure for Dummies


For the average Joe not involved in anything IT, Azure can be confusing, and it can be hard to wrap your head around this invaluable business tool. In a nutshell, Microsoft Azure is an open platform designed to help improve your business’ efficiency and productivity whilst also reducing costs at the same time. Many businesses are opting to use this product to drive down the costs of paper-based filing and other costly admin processes and to move towards more automation in every aspect of their business.

In a more detailed description, Microsoft Azure is an open platform consisting of an ever-growing collection of integrated cloud services including computing, database, storage and analytics to name a few. Azure lets you add these cloud capabilities to your existing network through its platform as a service, or you can entrust Microsoft with all of your computing and network needs with infrastructure as a service. Due to the flexible nature of this platform, Azure can be easily scaled up or down to meet the varying requirements of businesses of different sizes, meaning that it can be adopted by a multimillion-pound law firm, or a small high street shop.

As a developer, Azure can assist in building web and mobile apps thanks to its integrated tools and built-in templates which support the same technologies that millions of developers are already using and trust. Once apps are published, they can be run on any of the Microsoft datacentres worldwide allowing a global footprint for you to have plenty of options for running applications.

Another great feature of MS Azure is its storage capabilities. Microsoft’s global infrastructure can provide safe, highly accessible data storage with massive scalability and an intelligent pricing structure that lets you store infrequently accessed data at huge savings. This ensures cost-effective storage plans that are simple in Microsoft Azure.

The combination of Microsoft’s vast infrastructure, constant application and services development, and powerful presence in the global IT marketplace has made Microsoft Azure solutions the choice of two-thirds of the world’s Fortune 500 companies. But the infinite scalability of Azure can make it just as right for any business.

The NHS Shared Business Services Framework


So, you will have seen a lot of social noise across our media channels recently about the NHS SBS (Shared Business Services) Framework and you may be wondering what exactly is it and what does it mean for you?

The NHS SBS drive procurement and commercial efficiency across the health sector in the UK, striving to deliver high quality patient and social care. This is done by improving the quality of goods and services through world-class procurement and commercial services, providing project management support that meets the requirements of clients, partners and stakeholders.

All done with the primary goal of delivering the maximum value possible to its clients.

The newly launched framework is to identify a small number of competent, pre-selected suppliers to help the NHS SBS’s members simplify and accelerate their transformation programmes. risual are proud to announce that we have a position on all four lots released by the framework, including the following:

  • Lot 1 – Solution Design and Consultancy
  • Lot 2 – Infrastructure, Software and Platform as a Service (IaaS, PaaS and SaaS) offerings
  • Lot 3 – Cloud Support Services
  • Lot 4 – End to end cloud solutions

This framework will allow risual to deliver value and positive outcomes to over 60 NHS Trusts, 30 Care Commissioning Groups and NHS England along with many more associate members across the UK public sector.

 

The risual Summit 2019


Hi All!

As you know we recently had the risual Summit and all I can say is what a day!

We spent the morning listening to our colleagues discuss data, tech and people in some really insightful sessions! (One of the sessions even had cake!)

Then we pottered down to Rowley Park for the afternoon to undergo the first risual Olympics!

Keep reading to find out which team won…

We spent our afternoon running, catching, throwing, jumping and all other kinds of things whilst all trying to go for gold! Unfortunately, only one team won and this team although not gold in colour certainly smashed the leader board!

A big congratulations to Team Silver! They won the day!

But let’s not forget the rest of the teams who all put in lots of effort, determination and teamwork!

The morning also saw a special announcement…

Kate, our Operations Director, celebrated her 10 year anniversary with risual so of course this meant lots of embarrassing photos and a few wild stories! But most of all we wanted to thank Kate for her service of now over 10 years here at risual, she’s been kind, thoughtful and the first to offer help when needed. Thank you Kate!

And another big announcement mentioned in the keynote was the long awaited date of the risual Christmas Party!

With less than 100 days to go until Christmas we can now book our Christmas Party in! On the 7th December keep your eyes peeled for lots of festive fun!

And for those who say it’s too soon for Christmas we say Ba-Humbug!

But all in all the risual Summit 2019 was a great success! And the whole risual family can’t wait to see what’s in store for us next year!

 

Azure MFA integration with NPS/ADFS not working


Recently I was working with a customer that had been using Microsoft’s Azure MFA server solution for multi-factor authentication. They were looking at decommissioning the server running it and moving to purely cloud-based Azure MFA. Since Azure MFA can natively integrate with AD FS 4.0 as well as Network Policy Server (NPS) on Windows Server (using a plugin), it looked like a straightforward task.

I configured their existing AD FS deployment and installed the Windows NPS plugin following the instructions available on docs.microsoft.com, and everything seemed to go according to the notes: new certificates for authentication were generated in the local certificate store and the expected entries were created in Azure AD.

However, when it came to testing, authentication would fail on both ADFS and NPS when attempting to request MFA authorisation from Azure.

The ADFS server had the following error message in Windows Event Viewer:

Exception details:
System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
at Microsoft.IdentityServer.Adapter.AzureMfa.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
--- End of inner exception stack trace ---

And the NPS server had the following error message:

NPS Extension for Azure MFA: CID: 6da75e38-6bbf-4616-84df-fa65b4c7905c :Exception in Authentication Ext for User Domain\username :: ErrorCode:: CID :6da75e38-6bbf-4616-84df-fa65b4c7905c ESTS_TOKEN_ERROR Msg:: Verify the client certificate is properly enrolled in Azure against your tenant and the server can access URL in Registry STS_URL. Error authenticating to eSTS: ErrorCode:: ESTS_TOKEN_ERROR Msg:: Error in retreiving token details from request handle: -895352831 AADSTS7000112: Application '981f26a1-7f43-403b-a875-f8b09b8cd720'(Azure Multi-Factor Auth Client) is disabled.

After some checks and a little internet search I found a script https://gallery.technet.microsoft.com/Azure-MFA-NPS-Extension-648de6bb kindly made by someone that performed a series of checks against the local machine and the tenant. The script suggested there was a problem within Azure Active Directory > Enterprise applications, and in there I found two MFA related ones, with one matching the text in the event message:

Azure Multi-factor Auth Client
Azure Multi-factor Auth Connector

Both of these applications had “enabled for users to sign-in” set to No within their properties; changing this to Yes then allowed both ADFS and NPS to use Azure MFA with the licensed users.

Hope this helps.
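The same check can be scripted rather than clicked through in the portal. The following is an added example, not part of the original post or the TechNet script it mentions: it pulls the AADSTS code and application ID out of the NPS event text, then reports the accountEnabled property (the setting shown in the portal as “enabled for users to sign-in”) for that application and for any service principal whose display name starts with “Azure Multi-Factor Auth”. It assumes the Microsoft.Graph PowerShell module is installed; the -Enable switch is an illustrative name.

```powershell
# Added example; requires the Microsoft.Graph PowerShell module. -Enable is an illustrative switch.
param([switch]$Enable)

# Tail of the NPS event message quoted in the post; paste your own event text here.
$eventMessage = "AADSTS7000112: Application '981f26a1-7f43-403b-a875-f8b09b8cd720'" +
                "(Azure Multi-Factor Auth Client) is disabled."

# Pull the AADSTS code and application ID out of the event text (any quote style).
if ($eventMessage -notmatch "(?<code>AADSTS\d+): Application \W?(?<appId>[0-9a-fA-F-]{36})") {
    throw 'No AADSTS application error found in the event text.'
}
$code, $appId = $Matches['code'], $Matches['appId']
"Event reports $code for application $appId"

# Read-only by default; request write access only when asked to change the setting.
$scope = if ($Enable) { 'Application.ReadWrite.All' } else { 'Application.Read.All' }
Connect-MgGraph -Scopes $scope | Out-Null

# The application named in the event, plus the other MFA service principals (filter is case-insensitive).
$props = 'Id', 'AppId', 'DisplayName', 'AccountEnabled'
$principals = @(Get-MgServicePrincipal -Filter "appId eq '$appId'" -Property $props) +
              @(Get-MgServicePrincipal -Filter "startswith(displayName,'Azure Multi-Factor Auth')" -Property $props) |
              Sort-Object Id -Unique

foreach ($sp in $principals) {
    '{0,-40} appId={1} accountEnabled={2}' -f $sp.DisplayName, $sp.AppId, $sp.AccountEnabled
    if ($Enable -and -not $sp.AccountEnabled) {
        Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$true
        "  -> enabled $($sp.DisplayName)"
    }
}
```

Run it without -Enable first to see the current state; a disabled entry here is also worth tracing in the Azure AD audit log to find out who changed it and when.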

MS Teams provisioning with MS Flow and MS Graph


Microsoft Teams provides a great platform for collaboration. Depending on organisational requirements or even the phase of the MS Teams implementation, we often come across a requirement to limit MS Teams creation and, instead of giving everyone within the organisation permission to freely create MS Teams, we’re asked to provide a request and approval process. In this blog, I’ll outline one of the options for implementing such a process.

The idea is simple – use a SharePoint list to record the user’s request, configure MS Flow to act on this request, and put an approval process in the middle.

Step 1. SharePoint List

Create a SharePoint list and add columns to capture required information. In my example, I ask for Team name, Description, Public or Private and Team Owner.

I also configured the list with the following settings – “Read items that were created by the user” and “Create items and edit items that were created by the user”

Step 2. Accounts, Licenses and Permissions

In my example I used a “Service Account” to build the flow and granted this account access to the SharePoint site. I also gave the account the “Override List Behaviors” permission and assigned it a Flow Plan 1 license (required for the HTTP premium action). Lastly, I created a new app registration and a corresponding secret in Azure AD, and granted the app the following permissions: Directory.ReadWrite.All, Group.ReadWrite.All, User.Read.All. I copied the Tenant ID, Client ID and Secret for further use with the Flow.

Step 3. MS Flow

For the purpose of this demonstration, I created the following Flow. It has all the basic elements and can be further enhanced with logging steps back to the list, additional notifications etc.

A few things to mention:

  • The account used to build the Flow needs a Flow Plan 1 license
  • The account used to access the data in the SharePoint List needs the “Override List Behaviors” permission
  • I used a beta Graph request in the HTTP action; the endpoint is likely to change when in GA

To summarise the process – the user requests a new MS Team by submitting a request via the SharePoint list; the approval process is started and a notification is sent to the approver. Depending on the approver’s decision, the process either notifies the requestor that the request is rejected or, if approved, the Graph API is used to provision the MS Team and a notification is sent to the requestor. Done.

This simple implementation can be further enhanced by using PowerApps instead of a list form, adding additional validation and notification processes, auto-approval in certain scenarios and much more.
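For reference, here is what the approved branch does when written out as plain Graph calls. This is an added example, not the author’s Flow: it uses the v1.0 group and team endpoints rather than the beta request mentioned above, and the function name New-RequestedTeam and its parameters are illustrative. The client secret is passed as a SecureString (for example read from a vault) instead of being stored in plain text.

```powershell
# Added example, not the author's Flow. New-RequestedTeam and its parameters are illustrative.
function New-RequestedTeam {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][securestring]$ClientSecret,
        [Parameter(Mandatory)][string]$TeamName,
        [Parameter(Mandatory)][string]$Description,
        [Parameter(Mandatory)][ValidateSet('Public', 'Private')][string]$Visibility,
        [Parameter(Mandatory)][string]$OwnerUpn
    )
    $graph = 'https://graph.microsoft.com/v1.0'
    # Client-credentials token request; the secret is unwrapped only for this call.
    $tokenBody = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
        scope         = 'https://graph.microsoft.com/.default'
    }
    $token = (Invoke-RestMethod -Method Post -Body $tokenBody `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token").access_token
    $headers = @{ Authorization = "Bearer $token" }

    # Resolve the requested owner (User.Read.All), then create the group (Group.ReadWrite.All).
    $owner = Invoke-RestMethod -Headers $headers -Uri "$graph/users/$OwnerUpn"
    $groupBody = @{
        displayName         = $TeamName
        description         = $Description
        mailNickname        = ($TeamName -replace '[^A-Za-z0-9]', '')  # must be unique in the tenant
        mailEnabled         = $true
        securityEnabled     = $false
        groupTypes          = @('Unified')
        visibility          = $Visibility
        'owners@odata.bind' = @("$graph/users/$($owner.id)")
    } | ConvertTo-Json
    $group = Invoke-RestMethod -Method Post -Headers $headers -Uri "$graph/groups" `
        -ContentType 'application/json' -Body $groupBody

    # A new group may not have replicated yet, so the team call can 404; retry a few times.
    foreach ($attempt in 1..3) {
        try {
            return Invoke-RestMethod -Method Put -Headers $headers -Body '{}' `
                -ContentType 'application/json' -Uri "$graph/groups/$($group.id)/team"
        } catch {
            if ($attempt -eq 3) { throw }
            Start-Sleep -Seconds 10
        }
    }
}
```

These three calls only exercise User.Read.All and Group.ReadWrite.All, so if your flow does nothing beyond this, the app registration does not need Directory.ReadWrite.All for them.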
