Azure App Proxy–How to Fix Login.aspx and Missing File Issues

Joe Kuster


If you are among the awesome many who have begun providing secure access to your internal apps using Microsoft’s Azure App Proxy (Part of Enterprise Mobility & Security / EMS / Azure AD Premium), you may have run into scenarios where the URLs don’t work quite like you need them.

If your app requires pointing to a specific page, or references files in parent directories to where the login is located, you may have been left stumped as to how to make it work. In possibly the most under the radar release I’ve seen, Microsoft added new features to solve the issue, but it isn’t in the GUI. Documentation is spotty at best, so Microsoft Mercenary has your back with the following PowerShell script.

Example scenario: Microsoft Identity Manager (MIM) Portal

URL on Prem:

If you put in the URL, login will work, but you’ll still get a wonky experience (that’s a highly technical term).


Why does it do this? Files that are not under the targeted URL (in this case the /identitymanagement/ folder) cannot be linked to, because App Proxy’s security mechanism prevents users from browsing outside of their intended app.

How do we fix it? Link a directory higher and assign a custom landing URL. It has side effects, but it’ll resolve the issue.

First, change your app URL, in this case it would be

Make sure you have all logos and customizations like external URL finalized – we’ll get to why in a moment.

Now, copy the following into a .ps1 file and run it in 64-bit PowerShell as Administrator. Admin is only required if you do not have the AzureAD PowerShell module already installed.


If prompted to install NuGet, go ahead




If prompted to install AzureAD Module, click Yes



If you do not want to run as admin or auto-install PowerShell modules, you can install the Azure AD PowerShell module manually.


Login when prompted



Enter part of the URL to search your tenant (provides a shorter list)

PS C:\WINDOWS\system32> E:\SetCustomAppProxyHomepage.ps1
Search: Please enter part of the Apps existing homepage for the app you wish to modify.: mimportal

Details of the matches will be displayed. Copy the GUID of the one you wish to use and paste it into the prompt.

Example: b220c0d6-7beb-4a08-8cea-232a170eb06c

Next, enter the updated EXTERNAL url that you wish to use, including the extra directory and page if needed. If you need, refer to your application’s “External URL” to figure out what to append here.

Done. Review the information to ensure it looks correct. Log into and test your app. As you can see below, it fixed our app:
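The script itself is not reproduced on this page, so here is an added example (my own, not the author’s SetCustomAppProxyHomepage.ps1) that follows the same prompts with the AzureAD module; it assumes Get-AzureADApplication and Set-AzureADApplication with -Homepage, and adds a check that the new landing URL keeps the app’s current external host so it still goes through App Proxy.

```powershell
# Added example, not the post's SetCustomAppProxyHomepage.ps1. Same flow: search by
# existing home page, pick an app by its ObjectId GUID, set the new external landing
# URL. Assumes the AzureAD module (Get-/Set-AzureADApplication). Run in 64-bit PowerShell.

# Install the module on first use (this is the step that needs an elevated prompt).
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module -Name AzureAD -Force
}
Import-Module AzureAD
Connect-AzureAD | Out-Null   # prompts for an admin login

$search = Read-Host 'Search: Please enter part of the Apps existing homepage for the app you wish to modify.'

# $matches is an automatic variable in PowerShell, so use another name for the result list.
$candidates = @(Get-AzureADApplication -All $true |
    Where-Object { $_.Homepage -and $_.Homepage -like "*$search*" })
if ($candidates.Count -eq 0) { throw "No application home page contains '$search'." }

$candidates | Format-List DisplayName, ObjectId, Homepage

$objectId = Read-Host 'Enter the ObjectId GUID of the app to modify'
$app = $candidates | Where-Object { $_.ObjectId -eq $objectId }
if (-not $app) { throw "ObjectId $objectId is not in the list above." }

$newHomePage = Read-Host 'Enter the new EXTERNAL URL, including the extra directory and page'

# Sanity checks: must be an absolute https URL and must keep the host of the existing
# external home page, otherwise the landing page would bypass App Proxy entirely.
$uri = $null
if (-not [Uri]::TryCreate($newHomePage, [UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne 'https') {
    throw "'$newHomePage' is not an absolute https URL."
}
$currentHost = ([Uri]$app.Homepage).Host
if ($uri.Host -ne $currentHost) {
    throw "Host '$($uri.Host)' differs from the app's current external host '$currentHost'."
}

Set-AzureADApplication -ObjectId $app.ObjectId -Homepage $newHomePage

# Show the result. Re-run this script after any save in the portal, which resets the value.
Get-AzureADApplication -ObjectId $app.ObjectId | Format-List DisplayName, ObjectId, Homepage
```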


Important note about changing an app with a custom URL: Since the GUI doesn’t have this functionality, if you modify your app in any way, this fix will be overwritten. It appears you can change users fine, but you cannot change the external URLs, or other fields on that Configuration page without having to re-run this script. This should be fixed with a later release.

Common Issues:

PowerShell shows errors: You MUST use PowerShell x64. To install NuGet or AzureAD Module, you MUST run as admin.

It didn’t find my Azure AD App: Use part of the external URL that is listed in the App’s page.

It was working great, then I made a change. Now it’s broken: Microsoft hasn’t updated their GUI to support this, so if you open the app and save any changes, it will revert the URL to whatever is in the box at the time. You will need to re-run this script every time the app is modified – or at least until this functionality is put into the GUI.


Going Overboard–International Travel & Enterprise Mobility & Security –Part 1

Joe Kuster

Welcome to a multi-part series covering Enterprise Mobility & Security for International Travel. For those not in the know, I’m currently based in the US and will be spending some time in mainland China this fall. This series of blog posts will cover some of the prep work ahead of time as well as reports on what did and did not work well.

I’ll start this off by admitting I’m going overboard on security for my upcoming overseas travel – I realize that most of these steps are simply an exercise in security rather than actually necessary. In honesty, I’m treating it much the way some of my colleagues treat going to DefCon or any other situation where there is a short-term, significant tightening of security. Why bother at all, though? Well, in short, reading the various tech and news sites will have you quickly believing that any use of enterprise tech is simply doomed, from the Great Firewall blocking access to anything you need to do real work, to accusations of spyware being installed at customs inspections and even hardware-level keyloggers/malware. I’m not really going to debate the merits of such threats, at least for everyone who doesn’t need proper OpSec for other reasons, but either way I’ll be detailing some of the issues and how I’ve mitigated / remediated them.

I have quite a few tools at my disposal, as even my personal email is an Office E3 account with Enterprise Mobility & Security enabled. In addition to EMS (E3 version), I also have Cloud App Security actively monitoring my cloud SaaS accounts including Office 365 and my 3rd party services like AWS, Salesforce, and Dropbox as well as some nifty dedicated hardware at my disposal.


  • Building a Persona – Deep packet inspection is no joke. Neither are keyloggers. For this trip, I acknowledged that my day-to-day AD accounts tied to my work and personal email simply have far too much access to risk an intrusion by having authentication go over heavily monitored connections. Much like everyone else, I’m used to my credentials being saved on my mobile devices, but that isn’t really an option on devices that I’ll likely be compelled to unlock and hand over at customs, especially when those email accounts are also Global Admins and Domain Admins. Yes, I am using Privileged Identity Management to mitigate, but I absolutely need to separate my account access. Still, I need email access for the duration of the trip and will be taking several trips through customs and security checks for air travel throughout my time there. What to do? Simple: make a new Azure AD User (Cloud Only) account with a new Exchange Online mailbox. Once I’m ready to leave, I’ll turn on mail forwarding in Office 365 so the new persona ( will begin getting emails. I did not, however, set up Reply As or Send As permissions; instead I simply customized the signature on the account to acknowledge that this is my temporary email address for the duration of the trip. Once the trip is done, I’ll convert the email account to a Shared Mailbox so I can simply drag and drop those emails into my day-to-day account’s inbox.

    Why Cloud Only? Simple: the Azure AD account isn’t written back to on-premises, greatly reducing its permissions. It’s not even a member of “Domain Users”, so unless I specifically give it permissions, there’s little chance it would inherit any access.

    Why not a free Google account? Given the state of Google Apps in China, as of writing it is currently blocked unless you use a VPN. I’d rather have things work native and not risk a VPN being caught and shut down, leaving me scrambling.

  • Managing Password Reset – As part of Azure AD Premium, I have password reset enabled. For my day to day account, it will not be using the temporary persona to prevent any exploits from intercepted emails. For the temporary persona account, I’ve disabled Self-Service Password Reset.
  • Two-Factor Authentication – I have Multi-Factor Authentication enabled, and so should you. Since I’ll be international and don’t want to pay a fortune for roaming, I’ll not be using SMS or phone calls as the MFA method. In general, SMS has been seen as an OK way of improving your security over only using username / password, but as NIST points out, it isn’t really all that secure. In recent months, several notable hacks have been achieved through social engineering of network providers, and bad security practices on the user’s side make it nowhere near as secure as an offline soft token, biometric check or app notification prompts. That said, you can beef up the security of SMS by implementing MFA by SMS+PIN. Since I do have a satellite beacon that has two-way SMS capability, it’s tempting to enable it as a backup. The jury is still out on that, but I’ll post back the results.
  • Rights Protecting all persona emails – As part of Azure RMS, I can set up Exchange Mail Flow rules that automate protection. For this account, I’ve enabled an Information Rights Management mail flow rule that automatically RMS-encrypts all company emails that have been forwarded to the persona account. Looking at the Microsoft docs on this, I realize I need to make some in-depth blog posts on the topic; there’s a lot you can do with Mail Flow rules (Exchange Online) or Mail Transport Rules (Exchange On-Premises) when you tie them into Azure RMS / Information Rights Management, and not all of it is intuitive. As long as I am using Microsoft Outlook for iOS or Android, the experience is pretty seamless, but if I have to, it still works in Outlook Web Access.

I’ll get into Conditional Access, Application Proxy, Checking URLs, and Device Management in the Part 2. Stay tuned.

How to share applications & access between partner companies (Getting Started with Azure B2B)

Joe Kuster

It’s a common need: your company has other organizations that it does business with, and they need to be allowed external access to one or more applications or security groups. Federating between domains is one option, but it’s costly in terms of effort. Wouldn’t it be nice if you could just add the necessary folks to your AD to give them targeted, external-only access to just what they need, but not have to manage their accounts? Well, you can – it’s called Azure B2B.

In its simplest form: Azure AD B2B = a CSV-importable list of users for Azure AD. Once imported, the newly imported end users are known to Azure AD and can be assigned applications or added as security group members. It’s important to note that it’s a cloud-mastered account, just as if I made an account. It’s also created via static exports only. It doesn’t fit every scenario, to be certain, but in many cases it’s a perfect match for providing vendor or external partner access to a couple of things without having to onboard accounts in your AD.

Here’s a run through from the Microsoft Garage folks:

Steps to implement Azure B2B with Azure AD Premium Apps (SSO), or Azure AD Security Groups:

First, you have to have your apps or groups created in Azure. They can be internal or external, but there are limitations since the user isn’t written back to on-prem by default (for now, see note below). The basic rule is if the app or security group shows up in then you’re good.

B2B assigns user access to the unique IDs of these applications and security groups. Gather the App IDs or security groups you wish to share by running the following script.

# Connect to Azure AD (MSOnline module) and list every service principal with its AppPrincipalId
$UserCredential = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $UserCredential

# Exchange Online session (only needed if you also want Exchange cmdlets in the same session);
# replace the placeholder with your Exchange Online PowerShell endpoint
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri '<Exchange Online PowerShell URI>' -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking -AllowClobber

# These are the IDs that B2B assigns access to
Get-MsolServicePrincipal | fl DisplayName, AppPrincipalId

Remove-PSSession $Session

Build a CSV using those IDs that has the invite text and which groups or apps you wish to add them to.



Email,DisplayName,InvitationText,InviteRedirectUrl,InvitedToApplications,InvitedToGroups,CcEmailAddress,Language
Joe Kuster(Contoso),Hi! Here is your external access to Joe’s personal lab.,,f2ee5681-d41b-49a0-ad3f-955154b5b337,,,en
Rich Milburn(contoso),Hi Rich! Here is your external access to Joe’s personal lab Cloud App Security demo.,,01a65629-4c1b-48c1-a78b-804c4abdd4af,,,en
Joe Kuster(contoso),Hi Joe! Here is your external access to Joe’s personal lab Cloud App Security demo.,,03a65629-4c1b-48c1-a78b-804c4abdd4af,,,en
Joe Kuster(contoso),Hi Joe! Here is your external access to Joe’s personal lab AWS demo.,,8b3025e4-1dd2-430b-a150-2ef79cd700f5,,,en
Joe Kuster(contoso),Hi Joe! Here is your external access to Joe’s personal lab Twitter demo.,,230748d5-2c87-45d4-b05a-60d29a40fced,,,en
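Hand-editing the CSV is where the IDs get mixed up, so here is an added example (mine, not from the original post) that looks up each app’s AppPrincipalId by display name and writes the file in the column order shown above; it assumes Connect-MsolService has already been run, and the invitees and app names are constructed sample values.

```powershell
# Added example, not from the original post. Resolves each app's AppPrincipalId by display
# name and writes the B2B invitation CSV with the exact header the portal import expects.
# Assumes an existing MSOnline session; invitees and app names below are constructed.
Import-Module MSOnline

$invitees = @(
    @{ Email = 'rich@partner.example'; DisplayName = 'Rich Milburn(contoso)'; App = 'Cloud App Security demo' },
    @{ Email = 'joe@partner.example';  DisplayName = 'Joe Kuster(contoso)';   App = 'AWS demo' }
)

function Resolve-AppPrincipalId {
    param([string]$DisplayName)
    # -SearchString is a prefix match, so filter again for an exact DisplayName and
    # refuse to guess when the name is ambiguous or missing.
    $sp = @(Get-MsolServicePrincipal -SearchString $DisplayName |
        Where-Object { $_.DisplayName -eq $DisplayName })
    if ($sp.Count -ne 1) {
        throw "Expected exactly one service principal named '$DisplayName', found $($sp.Count)."
    }
    $sp[0].AppPrincipalId
}

$rows = foreach ($i in $invitees) {
    [pscustomobject]@{
        Email                 = $i.Email
        DisplayName           = $i.DisplayName
        InvitationText        = "Hi! Here is your external access to the $($i.App)."
        InviteRedirectUrl     = ''
        InvitedToApplications = Resolve-AppPrincipalId -DisplayName $i.App
        InvitedToGroups       = ''
        CcEmailAddress        = ''
        Language              = 'en'
    }
}

# Export-Csv quotes every field, which keeps any commas inside InvitationText intact.
$rows | Export-Csv -Path .\b2b-invites.csv -NoTypeInformation -Encoding UTF8
```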


Log into Azure, navigate to your AD users


Click Add


Choose “Users in partner companies” and point to your CSV file



The batch import will begin. Users will receive an invite email such as:


They will be prompted to accept the invite and log in as their normal domain account.


They will be dropped into the portal and the applications will be displayed.


They can toggle between their native company’s apps and partner apps by clicking on the domain in the upper right:


When clicked on, the application will open, either federated or using password management if that’s already been saved for that group/app. Note, this is my personal AWS account, but being accessed by my Catapult credentials. It still uses SSO, so I only logged in once for my Catapult credentials and I can access internal and external apps for both companies.



Note: This only gives me the ability for cloud apps; what about on-prem? User writeback was in public preview for Azure AD Connect for a short period and then it was retracted. It’s still on the public roadmap and will allow you to sync cloud-mastered accounts on-prem. For now, this solution is cloud specific, but that should change when Azure AD Connect is updated.

Intune Policy causes error: iOS Guided Access Unavailable. Please contact your administrator.

Joe Kuster

Have you run into the following error when using Intune for Mobile Device Management?

iOS Guided Access Unavailable. Please contact your administrator.

Don’t panic. If you’ve run into this, you may be stymied on what to do as the device is essentially unresponsive. Even hard power resets do not resolve it. A full OS wipe will resolve the issue only until it is re-enrolled.

The cause is simple: a Kiosk mode policy has been deployed to manage an app, which is not installed. Upon booting up, the iOS device attempts to load the application and lock it in the foreground as a Kiosk. When the app is not found, it ends up locking the entire device down in a non-responsive state.

To resolve it, simply remove the Kiosk policy for the device.

This situation only applies if:

  • The iOS device is in Supervised Mode
  • A Kiosk policy is deployed
  • The Kiosk app is not installed

The error may also occur due to misconfiguration of other Accessibility-related settings, but that will typically not fully lock the device down in a non-responsive state. In that case, just navigate to Settings > Accessibility and turn off Guided Access.

Automating Hyper-V Host VMs Startup / Shutdown

Joe Kuster

Depending on your situation, you may want to shut down all or certain VMs on your host for maintenance, updates, backups or just to recover resources from non-production VMs. You may also want to schedule times to ensure that only certain VMs are started back up. This is where PowerShell is our friend.

To shut down all VMs on a Hyper-V host, the script is very simple:

Simply save the above code as a .ps1 file and execute via PowerShell (or better yet, Task Scheduler) and any running VM will be shut down. The AsJob parameter means each task will run in the background silently. This can easily be adapted with the notes field mentioned below to shut down a subset of your VMs, such as all non-production VMs.

The result: All running VMs immediately begin shutting down.


For the startup scenario, it’s only slightly different. In my case, I almost never want every VM started up, but instead want only certain VMs like my gateway, domain controller and SQL to start back up automatically on a schedule. One simple way of doing that is to use the “Notes” field in the VM properties. In my case, I added the word “Prod” as a trigger word, but you can use anything here.


Once I’ve tagged all of my “Prod” VMs, I’m able to look that Notes field up in my startup script.

The Result: The desired VMs begin starting up.
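The two scripts are not reproduced on this page, so here is an added example (mine, not the author’s) that does what the shutdown and startup sections above describe in one file: Stop-VM with -AsJob for every running VM, and Start-VM only for VMs whose Notes field carries the trigger word. It assumes the Hyper-V PowerShell module on the host; the tag word is a parameter that defaults to “Prod”.

```powershell
# Added example, not the original post's scripts. Shutdown: every running VM, one
# background job each. Startup: only VMs tagged in the Notes field, only if they are off.
# Assumes the Hyper-V module; run from Task Scheduler with -Action Shutdown or -Action Startup.
param(
    [ValidateSet('Shutdown', 'Startup')]
    [string]$Action = 'Shutdown',
    [string]$Tag = 'Prod'           # trigger word looked up in the VM Notes field
)
Import-Module Hyper-V

switch ($Action) {
    'Shutdown' {
        # Guest-initiated shutdown for each running VM, as background jobs.
        $jobs = Get-VM | Where-Object { $_.State -eq 'Running' } | Stop-VM -AsJob

        # A scheduled task ends when the script ends, so wait for the jobs and report
        # any VM that did not stop cleanly (for example, no Integration Services in the guest).
        $jobs | Wait-Job | Out-Null
        foreach ($j in ($jobs | Where-Object { $_.State -ne 'Completed' })) {
            Write-Warning "Shutdown job $($j.Id) ended in state $($j.State)"
        }
        $jobs | Remove-Job
    }
    'Startup' {
        # Match the tag as a whole word so "Prod" does not also match "Production-test" notes
        # you did not intend; only VMs that are currently off are started.
        $pattern = "\b$([regex]::Escape($Tag))\b"
        Get-VM |
            Where-Object { $_.Notes -match $pattern -and $_.State -eq 'Off' } |
            ForEach-Object {
                Write-Output "Starting $($_.Name)"
                Start-VM -VM $_
            }
    }
}
```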

You CAD! Cloud App Discovery–Part 2

Joe Kuster

As I had blogged about previously, Microsoft’s Cloud App Discovery tool is an interesting way of collecting great telemetry data from your environment with a minimal investment of time and no on-prem infrastructure. As I mentioned in my prior article, Cloud App Discovery–Cool tool, but is it ready for Primetime?, CAD was incredibly problematic, causing network connection issues and even BSODs. Last week, Microsoft released a new version of CAD claiming significant stability enhancements as well as better privacy notifications. To put it to the test, I installed it on my production desktop, where it had previously had issues with both OneDrive for Business and CrashPlan.

After installing the app and rebooting, I updated a single file in OneDrive for Business and kept an eye on CrashPlan over the next two days. After 48 hours, OneDrive for Business still had not synchronized the text file I updated.


CrashPlan fared no better, being unable to connect to cloud storage since the install.


After uninstalling the app, the situation immediately resolved itself, no reboot required:


Testing on two other systems shows no changes in stability from the prior release. On the plus side, I do have better terms and agreement controls for privacy concerns, but disabling line of business applications is a complete show stopper.

Summary: As I mentioned before, I really wanted to like CAD. It would solve a large number of issues my clients have, but for the time being, test carefully.

OneDrive for Business–Incompatible Office Products error

Joe Kuster

If you have received the following OneDrive for Business error and you are using Office Pro Plus (the downloadable Click to Run install), you probably haven’t found much useful information. So I’ve outlined the cause and potential resolution below:


“Sorry, we can’t perform this action. Incompatible Office products are installed on your machine. If you have an administrator, please contact them for help.”



This may happen at any point, even with no other Office products open. It is because the OneDrive for Business services run into issues when they try to start in the background. For me, this mysteriously started on 9/12/15, with no hint as to what triggered it. The dialog box itself offers a hint, but tells you nothing about how to solve it.

At first, I was under the impression OneDrive was having issues as it was no longer running in the status bar on the bottom right. Rebooting did not resolve the issue. So, assuming my Office ProPlus install was corrupt, I downloaded the installer from to reinstall. Upon running the installer however, I received the following error.


Despite Visio 2013 and Project 2013 standard installs co-existing peacefully with ProPlus, it seems a recent Office update has begun pushing the issue to pick one method or the other, but not both installation methods for Office.

Sadly, at this time, there is no workaround to maintain both a traditional installer for Visio or Project and Office ProPlus. You must uninstall Visio or Project to solve the issue. You can however add Visio or Project to your Office Subscription.

Other users have reported the same behavior with the OneDrive stand alone installer. This only applies to Windows 7 or older as it is built in for Windows 8 and Windows 10, but if you have this error and the above does not apply to you, go to the Control Panel, Programs and Features and remove all versions of OneDrive.

Integrate Azure RMS Protection for SharePoint On Prem (Step by Step video)

Joe Kuster

Azure Rights Management (RMS) can protect your on-premises servers using the free RMS Connector app. Basically, the RMS Connector is a tiny application that provides an RMS proxy, so you don’t have to deal with the complexity and limitations of a real RMS server. It allows SharePoint, Exchange and/or a File Classification Infrastructure (FCI) enabled Windows File Server to connect to it exactly as they would to a local RMS server.

The utility is twofold: first, it extends the same templates and RMS authority beyond your local on-prem environment, allowing for better mobile or BYOD consumption of protected data while still respecting the security. Secondly, native RMS servers are hard to set up, hard to manage and really limited…

By using Azure RMS to do the heavy lifting, Microsoft handles the high availability, cross-domain access, federation, encryption key and certificate management, auditing, revocation of permissions, reporting and other complexities for you. All you have to do is tell one of the supported servers/applications “Hey, I’ve got an RMS Authority in Azure, you can connect to it via this RMS connector server” and immediately everything starts working.

As a word of caution, this example is not high availability. For production, you should have two servers with the RMS Connector and load balance them behind a load balancer.


  • Azure RMS must be configured
  • SharePoint server must be 2010+
  • The RMS Connector cannot be installed on any servers that it is protecting

Step by Step below:

Why bother doing this? Well, for starters, thanks to Azure Application Proxy my on-prem SharePoint servers are now easily available outside of my firewall. Integrating RMS ensures my data is protected, audited and easily secured even on BYOD devices. This lets me be more productive without giving up control of my data, even if it’s shared outside of my environment.

Questions or comments? Hit me up at @Joe_Kuster on twitter.

SSO Fix for using AWS with Azure AD Premium

Joe Kuster

If you are trying to use the Microsoft provided step by step for AWS SSO, there are several major issues or omissions with the document. The original can be found here: 


First, as an omission or potential change since the document was written: when assigning a Role, it will also ask you to assign a policy. Just pick the policy that matches the permissions you wish to give users who are connecting this way.

Second, when you complete the step by step, you will most likely encounter one of the following errors:

  • Error: RoleSessionName in AuthnResponse must match [a-zA-Z_0-9+=,.@-]{2,32} (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)


  • Error: RoleSessionName is required in AuthnResponse (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)


While the first issue is pretty minor and you would probably be able to figure out what you need to do, the second issue is pretty big. The reason for this error is that the instructions tell you to copy and paste in unique IDs which won’t be valid for your environment. In this case, your connection strings are dependent on your role name and provider naming as well as the unique ID. You’ll have to look this up in your AWS portal under: IAM > Roles > [Whatever you named your Role]


In this case, I called my Role “AWS_Administrator”



As a unique ID, pretty much everything in AWS’s IAM pages has an ARN. You need to point to the unique ARNs of your environment. Look up your ARN as shown.



Next, look at the bottom of that page to find your Provider ARN



Merge those two ARNs in the following format:

arn:aws:iam::[Unique ID]:role/[RoleName],arn:aws:iam::[Unique ID]:saml-provider/[ProviderName]


That merged string should be used as the “” role attribute value



Lastly, as another error, the author recommends configuring the “” Attributes with “User:Email” which is just invalid and would be passed as a literal constant. Instead, use User.Email or UserPrincipalName.
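To make the two fixes above concrete, here is an added example (mine, not from the original post) that builds the merged Role attribute value from the two ARNs and checks candidate RoleSessionName values against the pattern AWS quotes in the first error; the account ID, role name and provider name are constructed placeholders.

```powershell
# Added example, not from the original post. Builds the comma-joined Role attribute value
# and validates a RoleSessionName against the character class and length AWS STS enforces.
# Account ID, role and provider names are constructed placeholders.

function New-AwsSamlRoleValue {
    param(
        [Parameter(Mandatory)][string]$AccountId,     # the 12-digit number both ARNs share
        [Parameter(Mandatory)][string]$RoleName,      # IAM > Roles > [your role]
        [Parameter(Mandatory)][string]$ProviderName   # the SAML provider shown at the bottom of that page
    )
    if ($AccountId -notmatch '^\d{12}$') { throw "AccountId must be 12 digits, got '$AccountId'." }
    # Braces keep PowerShell from reading "$AccountId:role" as a scoped variable name.
    "arn:aws:iam::${AccountId}:role/${RoleName},arn:aws:iam::${AccountId}:saml-provider/${ProviderName}"
}

function Test-AwsRoleSessionName {
    param([AllowEmptyString()][string]$Value)
    # Same pattern as the first error message: 2 to 32 characters from [a-zA-Z_0-9+=,.@-]
    return $Value -match '^[a-zA-Z_0-9+=,.@-]{2,32}$'
}

New-AwsSamlRoleValue -AccountId '123456789012' -RoleName 'AWS_Administrator' -ProviderName 'AzureAD'

# A UPN fits; the literal text "User:Email" does not (':' is outside the allowed set), a
# one-character value is too short, and a long UPN breaks the 32-character limit.
$longUpn = ('x' * 30) + '@contoso.com'
foreach ($name in 'jkuster@contoso.com', 'User:Email', 'a', $longUpn) {
    '{0,-45} {1}' -f $name, (Test-AwsRoleSessionName $name)
}
```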



If this isn’t enough to resolve your issue, AWS does have a SAML troubleshooting page, but it’s extremely general and may not be of much help if you are using the Azure AD Application Gallery:

Wrangling your Corporate Identity

Joe Kuster


Your Corporate Identity is no longer in control, as a matter of fact, it’s stampeding towards a cliff.

No, I am not referring to branding, viral marketing or even the advent of social media snafus, instead, I’m talking about accounts for your users and using that as a benchmark, IT no longer has direct control of the accounts users use to do their jobs, plain and simple. Blasphemy you might cry, my users are all in Active Directory! Well, yes, but that is not their corporate identity any more. Instead, in this cloud based, web friendly world, a user now has part of the corporate identity in dozens of places that aren’t under IT’s control. The HR department has unique logins to submit employee data to the government, the Marketing Team has a login for dozens of off-prem tools from LinkedIn, Glassdoor, company Facebook, and Twitter. Purchasing has a unique shopping account everywhere they shop, from Amazon to TigerDirect. An employee might have dozens if not hundreds of accounts just to do their job. On top of that, we expect them to have unique complex passwords for each service but when they need help, IT doesn’t own the system to even reset a password. How did this happen? Well, let’s back up a bit.

In those heady days of the early 1990s, users had one password to log into their PC, and everything the user accessed was local on their system. Anything that they needed to share was usually on a floppy disk. That was it. Later, the need to collaborate led to file servers and email, which were initially disconnected from their PC login. Thankfully, that was quickly absorbed into Active Directory in the days of NT, and things were good again. The same login used to access a computer was also used for email and file server access, often automatically. IT thought things were going pretty well.

Then the web came and users started using external services, from hiring employees, buying paper, sending documents to partners and filing tax forms. These were legitimate business needs; so of course, they happened whether or not IT was involved. Sometimes they shared these accounts on Post-It notes with co-workers. Most re-used simple passwords. Then the inevitable happened and security concerns popped up, so in response we asked them to stop reusing those accounts and passwords. More recently, the SaaS/Cloud movement took hold and even on premises systems were moved outside of the firewall and into the cloud. It wasn’t long before users would have a different password for, SalesForce, Jira, Kronos, PeopleSoft, Oracle apps, Google Apps in addition to their AD account.

This quiet revolution snuck up on IT, which was just happy when Single Sign On worked for resources like email, file servers, SharePoint and maybe a couple 3rd party apps that live on-premises like their ERP solution. We often weren’t involved as new services were spun up by “shadow IT” and if we didn’t know about it, how were we supposed to manage it?

So just how deep of a hole are you in? Ask yourself the following questions:

  • If an employee lost a password due to phishing, how would you even know? How long would it take to lock it back down? Could you ever guarantee that all of the services they re-used their password with were updated before your data was leaked?
  • How many cloud apps do your users access? Zero is not a valid answer here. Now multiply that by 10 for the actual number. (Hint: IT usually guesses 8; reality puts the average north of 80.)
  • How many login prompts does an average user see daily in the course of business?
  • Can my users download corporate data from the cloud to untrusted devices like phones or home systems?
  • Who manages your corporate social media, and what would stop them from resetting the password and going rogue?
  • How many hours and tickets does it take to onboard new users with every system they need access to?
  • How many extra SaaS licenses (SalesForce, Box, GoToMeeting, etc.) are you wasting due to employee churn?
  • How do you know the user logging in really is the user you think they are?
  • Would you even know if an employee started offloading all of their data outside of your company for malicious use?
  • How long would it take you to block access to every service a soon-to-be-fired employee uses?
  • Can you see who accessed what data, and when, regardless of where they saved it? Can you revoke their permissions to view it after they’ve downloaded it?

Tools like a good Single Sign-On only scratch the surface of the above. Without securing the device, applications and data, an Identity Management tool is an incomplete solution. If only there were an umbrella solution that covered all of the above? Well, thankfully there is: enter Microsoft Enterprise Mobility Suite (EMS).


The Enterprise Mobility Suite license includes Microsoft Intune, Azure AD Premium, Azure Rights Management, Microsoft Identity Manager, Microsoft Forefront Identity Manager and as a fresh addition, Microsoft Advanced Threat Analytics.

EMS is an impressive platform of tools, often poised to fill the gaps in and around other products. It is also your new best hope at wrangling control of your corporate identity!