Single Sign on (SSO) with Chrome & Firefox and ADFS 4.0

This is how to enable SSO with browsers other than IE and Edge using ADFS 4.0. It is done by adding the browsers' user agent strings to the WIASupportedUserAgents list in the ADFS config.

First, confirm the current config:

Get-AdfsProperties | select -ExpandProperty wiasupporteduseragents
MSAuthHost/1.0/In-Domain
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Trident/7.0
MSIPC
Windows Rights Management Client
MS_WorkFoldersClient
=~Windows\s*NT.*Edge

Now we add Chrome and Firefox:

Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome" + "Mozilla/5.0")

Check the result:

Get-AdfsProperties | select -ExpandProperty wiasupporteduseragents
MSAuthHost/1.0/In-Domain
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Trident/7.0
MSIPC
Windows Rights Management Client
MS_WorkFoldersClient
=~Windows\s*NT.*Edge
Chrome
Mozilla/5.0

Now, restart ADFS:

net stop adfssrv
net start adfssrv

Test using Chrome and Firefox, and you should find that SSO is working properly.
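
The list above decides which clients ADFS tries Windows Integrated Authentication with, so it is worth checking what the two new entries actually match. This is an added example, not part of the original post; the matching model (plain entries as case-insensitive substrings, =~ entries as regular expressions) and the sample User-Agent strings are assumptions made for the check.

```powershell
# WIASupportedUserAgents as shown on this page after adding Chrome and Mozilla/5.0.
$wiaAgents = @(
    'MSAuthHost/1.0/In-Domain', 'MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0',
    'MSIE 10.0', 'Trident/7.0', 'MSIPC', 'Windows Rights Management Client',
    'MS_WorkFoldersClient', '=~Windows\s*NT.*Edge', 'Chrome', 'Mozilla/5.0'
)

function Get-WiaMatch {
    # Returns the list entries that match one User-Agent header.
    # Assumed model: '=~' marks a regular expression, anything else is a substring.
    param(
        [Parameter(Mandatory)][string]$UserAgent,
        [Parameter(Mandatory)][string[]]$SupportedAgents
    )
    foreach ($entry in $SupportedAgents) {
        if ($entry.StartsWith('=~')) {
            if ($UserAgent -match $entry.Substring(2)) { $entry }
        }
        elseif ($UserAgent.IndexOf($entry, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $entry
        }
    }
}

# Constructed sample User-Agent strings (not captured traffic).
$samples = [ordered]@{
    'Chrome on Windows'  = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
    'Firefox on Windows' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0'
    'Safari on iPhone'   = 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1'
    'Chrome on Android'  = 'Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36'
    'curl'               = 'curl/8.4.0'
}

$report = foreach ($name in $samples.Keys) {
    $hits = @(Get-WiaMatch -UserAgent $samples[$name] -SupportedAgents $wiaAgents)
    [pscustomobject]@{
        Client     = $name
        WiaOffered = ($hits.Count -gt 0)
        MatchedBy  = ($hits -join ', ')
    }
}
$report | Format-Table -AutoSize
```

Under that model every browser sample, including the two mobile ones, is matched by the Mozilla/5.0 entry, so that entry covers far more than Firefox. To audit a live farm, pass (Get-AdfsProperties).WIASupportedUserAgents as -SupportedAgents.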

Configuring PowerShell to work behind a proxy server

 

PowerShell won’t update help, or let you connect to online repositories, without configuring it to work with your corporate web proxy servers. Unfortunately it does not use the system settings, so you have to do this manually.

If you try to use an online command such as update-help, you will get an error like this:

PS C:\WINDOWS\system32> update-help
update-help : Failed to update Help for the module(s) 'ActiveDirectory, AppBackgroundTask, AppLocker, AppvClient,
Appx, AssignedAccess, BestPractices, BitLocker, BitsTransfer, BranchCache, CimCmdlets, ClusterAwareUpdating, ….Unable to
connect to Help content. The server on which Help content is stored might not be available. Verify that the server is
available, or wait until the server is back online, and then try the command again.

At line:1 char:1
+ update-help
+ ~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (:) [Update-Help], Exception
+ FullyQualifiedErrorId : UnableToConnect,Microsoft.PowerShell.Commands.UpdateHelpCommand

To fix this, you need to configure your proxy settings in your PowerShell profile as follows (note that this requires local administrator rights):

  • Open an administrator-level PowerShell command prompt
  • Run the following command to register the PSGallery Repository
Register-PSRepository -Default -Verbose

 

  • Then you will be able to edit your profile:
notepad $PROFILE

Note: it will prompt you to create this if it does not exist. Then add the following lines, modifying as you see fit for your environment:
[system.net.webrequest]::defaultwebproxy = new-object system.net.webproxy('http://proxyname:port')

[system.net.webrequest]::defaultwebproxy.credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials

[system.net.webrequest]::defaultwebproxy.BypassProxyOnLocal = $true

 

Restart PowerShell. Note that you will need to have scripts enabled in order to load the profile.

Now, you can run update-help again and it should have no issues.
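
To see which requests the profile settings above send through the proxy and which go direct, the following added example (not part of the original post) evaluates the same WebProxy settings against a few URLs without making any network connection. The proxy address and the test URLs are placeholders constructed for the example.

```powershell
function Get-ProxyRoute {
    # Reports, per URL, whether a request would use the proxy or go direct.
    param(
        [Parameter(Mandatory)][System.Net.IWebProxy]$Proxy,
        [Parameter(Mandatory)][uri[]]$Url
    )
    foreach ($u in $Url) {
        $bypassed = $Proxy.IsBypassed($u)
        [pscustomobject]@{
            Url   = $u.AbsoluteUri
            Route = if ($bypassed) { 'direct' } else { 'proxy' }
            Via   = if ($bypassed) { $null } else { $Proxy.GetProxy($u).AbsoluteUri }
        }
    }
}

# Same settings as the profile lines on this page; the address is a placeholder.
$proxy = New-Object System.Net.WebProxy('http://proxy.example.internal:8080')
$proxy.BypassProxyOnLocal = $true

# Constructed test URLs: a public repository, a dotless intranet name,
# loopback, and a fully qualified intranet host.
$urls = @(
    'https://www.powershellgallery.com/api/v2',
    'http://intranet/',
    'http://localhost:8080/',
    'http://wiki.corp.example.internal/'
)
Get-ProxyRoute -Proxy $proxy -Url $urls | Format-Table -AutoSize
```

To check a live session after the profile has loaded, pass [System.Net.WebRequest]::DefaultWebProxy as -Proxy. Hosts reported as "proxy" are the ones the default network credentials can be offered to the proxy for.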

You can also now connect to Office365 using PowerShell, see https://www.msdonkey.com/office365/connecting-to-office-365-using-powershell/

Connecting to Office 365 using PowerShell

A brief set of instructions to connect to Office 365 online services using PowerShell, including Azure AD, Exchange Online, and Skype for Business Online.

Note: If you are behind a proxy server, you will first need to configure PowerShell to use it for this to work: https://www.msdonkey.com/powershell/configuring-powershell-to-work-behind-a-proxy-server/

1. Install the 64-bit version of the Microsoft Online Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT Professionals RTW.
2. Install the Microsoft Azure Active Directory Module for Windows PowerShell with these steps:
○ Open an administrator-level PowerShell command prompt
○ Run the command:

Install-Module MSOnline

Get your credentials and connect:

$creds = Get-Credential
Connect-MsolService -Credential $creds
Get-MsolUser   # to test

Note: If your account is 2FA enabled, just use the command: Connect-MsolService and then enter your credentials and 2FA authentication.

I would also highly recommend changing the window title, especially if you connect to multiple tenants. This reduces the chances of making a change on the wrong tenant!

$host.ui.RawUI.WindowTitle = "CustomerX: Production"

If you also want to manage Skype Online:

Download and install the Skype for Business Online Connector module.

To connect to Skype Online:

Import-Module SkypeOnlineConnector
$SkypeSession = New-CsOnlineSession -Credential $creds
Import-PSSession $SkypeSession
Get-CsExternalUserCommunicationPolicy   # to test

To connect to Exchange Online:

$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $creds -Authentication Basic -AllowRedirection
Import-PSSession $ExchangeSession
Get-Mailbox   # to test
Get-OrganizationConfig   # useful

Note: If you have MFA enabled you need to install the old Exchange PowerShell module, see here: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps

See https://docs.microsoft.com/en-us/office365/enterprise/powershell/connect-to-office-365-powershell and https://docs.microsoft.com/en-us/office365/enterprise/powershell/manage-skype-for-business-online-with-office-365-powershell for more information.

Also https://docs.microsoft.com/en-us/office365/enterprise/powershell/connect-to-all-office-365-services-in-a-single-windows-powershell-window

Script to stop your screen going blank or PC going to sleep

If you have a PC or laptop at work with settings or policies set to turn the screen off, lock the PC, or go to sleep, you may wish to prevent this from time to time. For example you may need to run a display in an office or shop window, or avoid embarrassment during presentations. On a standalone PC you can easily change the power settings to prevent your PC from going to sleep, but this is not ideal because you have to remember to switch it back again.

In a corporate environment you will likely have group policies enforcing these settings that you are unable to change. Having special GPOs applying to groups of machines is one solution; however, this will often be time-consuming and complicated to set up in a corporate network with security and change control.

PowerPoint does a good job of preventing the screen or PC from turning off during full screen presentation mode, however you may need to run a browser or other application.

As a side note, Presentation View has been around since the Windows Vista days and is still present even in the latest Windows 10 build, but unfortunately it does not work if you have group policies enforcing your settings. This is a shame, as it is very easy to use (right-click on the Start menu, Mobility Centre, Turn on presentation view).

Fortunately, there is another easy way of doing this that works in Windows 10 and earlier versions back to Windows 7 (you may need to alter the script slightly for earlier versions of PowerShell). Here is a way of doing it using a simple script:

Create a new text file in a folder called e.g. keep-alive, and call it keep-alive.ps1.

Clear-Host
#
# Script to keep the PC alive; prevents screen lock and sleep.
# Works by sending a Print Screen key press every 60 seconds. Side effect: each
# key press takes a screenshot that overwrites the clipboard contents.
# Also changes the colour of warning text.
#
# Valid colours: Black, DarkBlue, DarkGreen, DarkCyan, DarkRed, DarkMagenta, DarkYellow, Gray, DarkGray, Blue, Green, Cyan, Red, Magenta, Yellow, White
# To see all colours:
# [enum]::GetValues([System.ConsoleColor]) | ForEach-Object { Write-Host $_ -ForegroundColor $_ }

$opt = (Get-Host).PrivateData
$opt.WarningBackgroundColor = "DarkCyan"
$opt.WarningForegroundColor = "White"

# Load Windows Forms once; it provides the SendKeys class used in the loop.
Add-Type -AssemblyName System.Windows.Forms

Write-Warning "Your PC will not go to sleep whilst this window is open..."
Do {
    # Simulate a Print Screen key press so Windows sees user activity.
    [System.Windows.Forms.SendKeys]::SendWait("{PRTSC}")

    Start-Sleep -Seconds 60

} While ($true)

Now create a new file in the same directory called keep-alive.bat and add the following:

powershell.exe -ExecutionPolicy Bypass -File .\keep-alive.ps1

Note that this will work on PCs that have PowerShell scripts disabled, since -ExecutionPolicy Bypass overrides that setting for this one powershell.exe process.

You should now have a folder like this:

 

Run the .bat file and your PC will stay alive whilst the window is open.
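
For administrators who want to know where launchers like the .bat file above are in use, the following added example (not part of the original post) flags process command lines that start PowerShell with the execution policy set to Bypass. The function name and the sample command lines are constructed for the example; in practice the input would come from process-creation logging.

```powershell
function Test-ExecutionPolicyBypass {
    # True when a powershell.exe / pwsh.exe command line sets the execution policy to Bypass.
    param([Parameter(Mandatory)][string]$CommandLine)

    if ($CommandLine -notmatch '\b(powershell|pwsh)(\.exe)?\b') { return $false }

    # The parameter may be written as -ep or as any prefix of -ExecutionPolicy
    # from -ex upward, introduced by '-' or '/'.
    $pattern = '(?i)(?<=\s)[-/](?<name>[a-z]+)\s+["'']?bypass\b'
    foreach ($m in [regex]::Matches($CommandLine, $pattern)) {
        $name = $m.Groups['name'].Value.ToLowerInvariant()
        if ($name -eq 'ep' -or ($name.Length -ge 2 -and 'executionpolicy'.StartsWith($name))) {
            return $true
        }
    }
    return $false
}

# Constructed sample command lines; the first is the launcher from this page.
$commandLines = @(
    'powershell.exe -ExecutionPolicy Bypass -File .\keep-alive.ps1',
    'powershell.exe -NoProfile -ep bypass -File C:\Scripts\report.ps1',
    'powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\report.ps1',
    'powershell.exe -NoProfile -Command "Write-Output bypass"',
    'cmd.exe /c keep-alive.bat'
)

$commandLines | ForEach-Object {
    [pscustomobject]@{
        Bypass      = Test-ExecutionPolicyBypass -CommandLine $_
        CommandLine = $_
    }
} | Format-Table -AutoSize
```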