Monthly Archives: November 2023

Office 365: Changing password length on auto generated passwords…

In the Microsoft 365 Admin Center, administrators may provision new user accounts. The password for the new account may be auto-generated during account creation.

At the conclusion of creating the account the password is displayed along with the relevant account information.

The password generated in this instance is a 16-character complex password. In the previous version of the M365 Admin Center the generated password was only an 8-character complex password.

The change in password length is due to a migration of the method by which users are provisioned in the M365 Admin Center. New versions of the M365 Admin Center use graph interfaces to provision user identities, and those graph interfaces generate a 16-character complex password by default. The password length cannot be specified or changed.

As of the time of publishing this post, the reset password option on the user account still provides an 8-character complex password. It is expected that this will also change as all features are migrated to the new graph interfaces. When creating an account or resetting a password, if a shorter password length is desired, the administrator may choose the option to supply the password rather than letting it be generated automatically.

EntraID Connect: Export operation DataValidationFailed and CertificateUserIDs

When EntraID Connect exports user attributes to Entra ID, validations are performed on the submitted data. If a validation fails for any reason, a DataValidationFailed error will be present in the EntraID Connect Synchronization Service Manager. Here is a sample of a DataValidationFailed error:

When selecting one of the objects in a DataValidationFailed state and reviewing the Export Errors tab, details regarding the number and timing of failures are shown.

When selecting the Details button further information regarding the error is provided.

Unable to update this object in Azure Active Directory, because the attribute [None], is not valid. Update the value in your local directory services.

Tracking Id: 8f0b1067-a691-4832-b9fe-9e18f35d835a

ExtraErrorDetails:

[{"Key":"ObjectId","Value":["504bd7a2-78bc-4dd8-a795-be93a7d67bf4"]},{"Key":"InvalidAttributeName","Value":["None"]}]

In this instance the details are not very helpful. They point neither to a specific attribute that is invalid nor to the data within an attribute that would have violated the validation rules. How do we isolate where the potential problem lies? On the Pending Export tab the attributes that are being added or modified may be reviewed. In the case of this user there were three attributes being added to Entra ID.

Two of the attributes, description and extensionAttribute1, are standard attributes synchronized on a user object. The third, certificateUserIds, is not a standard attribute and would be calculated by a custom rule.

To determine how this attribute is being calculated, the Preview button in the lower left-hand corner allows us to manually execute a synchronization on the object.

When the preview window opens, selecting Generate Preview will run the synchronization operation. In the left-hand column, under Connector Updates, the attribute representation for the Active Directory connector and the Entra ID connector will be listed.

Expanding connector updates will show the Entra ID object (specified by CN=) and the Active Directory object (specified by the distinguished name). Expanding the Entra ID connector and selecting export attribute flow shows the attribute values calculated and the rule responsible for the value.

The rule name is in the left column.

The certificateUserIDs value was calculated by the rule Out to AAD – certificateUserTypes. Selecting the … button allows the review of the initial value and final value. Here are the final calculated values that are being submitted to Entra ID:

When reviewing the properties of the rule, this is the syntax that stamps the value.

"x509:<PN>"&[userPrincipalName] is the source expression syntax.

When comparing the value being exported to the rule expression, the calculated values match what the expression produces. The following article contains the acceptable values for certificateUserIds:

Certificate user IDs for Microsoft Entra certificate-based authentication | Microsoft Learn

Certificate mapping field   Examples of values in CertificateUserIds
PrincipalName               "X509:<PN>bob@woodgrove.com"
PrincipalName               "X509:<PN>bob@woodgrove"
RFC822Name                  "X509:<RFC822>user@woodgrove.com"
X509SKI                     "X509:<SKI>123456789abcdef"
X509SHA1PublicKey           "X509:<SHA1-PUKEY>123456789abcdef"

In this case the desired value uses the PrincipalName format. At a glance the two values look the same and appear to be formatted correctly. There is one very minor difference between them: the table shows an upper case X in the X509 prefix, whereas the rule uses a lower case x. Using the rules editor, the expression syntax is updated to:

"X509:<PN>"&[userPrincipalName]

Updating the rule will cause a full synchronization to be performed on the Entra ID connector. At the conclusion of the synchronization operation the exports are successful.

In this case the DataValidationFailed error was due to the certificateUserIds prefix being case sensitive and the rule expression not using the correct case.
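Because the export error does not name the offending attribute, it helps to evaluate what a rule expression will stamp and check it against the accepted formats before triggering a full synchronization. The following is an added example, not code from the post or from EntraID Connect: it mirrors the "<prefix>"&[userPrincipalName] expression and the Microsoft Learn table quoted above, treating the prefix and mapping tag as case sensitive (the finding of this post) and flagging a value that would pass only once the prefix case is corrected. The sample UPNs are constructed.

```python
import re

# Accepted certificateUserIds formats, taken from the Microsoft Learn table
# quoted above. Anchored, case-sensitive regexes: the "X509:" prefix and the
# mapping tag must match exactly, which is the defect behind this export error.
ACCEPTED_FORMATS = {
    "PrincipalName": re.compile(r"^X509:<PN>[^<>\s]+$"),
    "RFC822Name": re.compile(r"^X509:<RFC822>[^<>\s]+@[^<>\s]+$"),
    "X509SKI": re.compile(r"^X509:<SKI>[0-9A-Fa-f]+$"),
    "X509SHA1PublicKey": re.compile(r"^X509:<SHA1-PUKEY>[0-9A-Fa-f]+$"),
}


def classify(value: str):
    """Return the mapping field a certificateUserIds value matches, or None."""
    for field, pattern in ACCEPTED_FORMATS.items():
        if pattern.match(value):
            return field
    return None


def diagnose(value: str) -> str:
    """Explain why a value would fail validation. A value that passes only
    once its prefix and tag are upper-cased has the case defect fixed above."""
    field = classify(value)
    if field:
        return "ok:" + field
    head, sep, tail = value.partition(">")
    if sep and classify(head.upper() + sep + tail):
        return "case-mismatch"
    return "invalid"


def audit_rule(expression_prefix: str, upns):
    """Evaluate what the sync rule would stamp for each UPN, i.e. the
    expression "<prefix>"&[userPrincipalName], and diagnose every value
    before it reaches the export step. Returns {value: verdict}."""
    return {expression_prefix + upn: diagnose(expression_prefix + upn)
            for upn in upns}


if __name__ == "__main__":
    # Constructed sample UPNs; the two prefixes are the original and the fixed rule.
    sample_upns = ["bob@woodgrove.com", "alice@woodgrove.com"]
    for prefix in ("x509:<PN>", "X509:<PN>"):
        for value, verdict in audit_rule(prefix, sample_upns).items():
            print(f"{verdict:14} {value}")
```

Running it with the original lower case prefix reports case-mismatch for every user, while the corrected prefix reports ok:PrincipalName.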