
What’s New in Azure Active Directory for October 2019


Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for October 2019:

 

What’s Planned

Deprecation of the identityRiskEvent API for Azure AD Identity Protection risk detections

Service category: Identity Protection
Product capability: Identity Security & Protection

In response to developer feedback, admins of tenants with Azure AD Premium P2 licenses can now perform complex queries on Azure AD Identity Protection’s risk detection data by using the new riskDetection API for Microsoft Graph.

The existing identityRiskEvent API beta version will stop returning data around January 10, 2020. If your organization is using the identityRiskEvent API, you should transition to the new riskDetection API.
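The following script is an added example (not part of Microsoft’s release notes) of reading risk detections through the riskDetection API rather than the retiring identityRiskEvent API. It assumes $accessToken holds a Microsoft Graph bearer token for an app registration that has the IdentityRiskEvent.Read.All permission in an Azure AD Premium P2 tenant; the filter thresholds are arbitrary choices for illustration.

```powershell
# Added example, not from the release notes.
# Assumption: $accessToken is a Graph bearer token with IdentityRiskEvent.Read.All
# (Azure AD Premium P2 tenant). Obtain it with your usual OAuth client credentials flow.
$accessToken = '<paste a Graph access token here>'
$headers     = @{ Authorization = "Bearer $accessToken" }

# The beta endpoint current in October 2019 (v1.0 later exposes it as
# /identityProtection/riskDetections). Single quotes keep $top literal.
$uri = 'https://graph.microsoft.com/beta/riskDetections?$top=100'

# Graph pages large result sets: follow @odata.nextLink until it disappears.
$detections = New-Object System.Collections.Generic.List[object]
do {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    foreach ($d in $page.value) { $detections.Add($d) }
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Triage view: high-risk detections from the last 30 days that are not yet remediated,
# newest first. Filtering client-side avoids relying on which OData filters the beta
# endpoint supports.
$cutoff = (Get-Date).AddDays(-30)
$detections |
    Where-Object {
        $_.riskLevel -eq 'high' -and
        $_.riskState -ne 'remediated' -and
        [datetime]$_.detectedDateTime -ge $cutoff
    } |
    Sort-Object { [datetime]$_.detectedDateTime } -Descending |
    Select-Object detectedDateTime, userPrincipalName, riskEventType, riskState, ipAddress,
                  @{ n = 'City'; e = { $_.location.city } } |
    Format-Table -AutoSize
```

The script returns the same detection records the old identityRiskEvent API returned, under the new property names (riskEventType, riskState, riskLevel); anything you have that keys on the old riskEventType values should be compared against the new enumeration before the January 2020 cut-off.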

 

Application Proxy support for the SameSite Attribute and Chrome 80

Service category: App Proxy
Product capability: Access Control

A couple of weeks prior to the Chrome 80 browser release, Microsoft plans to update how Application Proxy cookies treat the SameSite attribute. With the release of Chrome 80, any cookie that doesn’t specify the SameSite attribute will be treated as though it was set to SameSite=Lax.

To help avoid potentially negative impacts due to this change, Microsoft is updating Application Proxy access and session cookies by:

  • Setting the default value for the Use Secure Cookie setting to Yes.
  • Setting the default value for the SameSite attribute to None.

The two changes belong together: Chrome 80 also rejects any cookie that declares SameSite=None without the Secure attribute, so the cookies have to be marked Secure before they can be marked SameSite=None.
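The function below is an added example (not from the release note) that applies the Chrome 80 rules to a Set-Cookie header, so you can audit what your Application Proxy (or any other) cookies will do once the browser change lands. The cookie names and header values are constructed for illustration and are not the real Application Proxy cookie names.

```powershell
# Added example: predict how Chrome 80 treats a cookie from its Set-Cookie header.
function Get-Chrome80CookieVerdict {
    param([Parameter(Mandatory)][string]$SetCookieHeader)

    $parts    = $SetCookieHeader -split ';' | ForEach-Object { $_.Trim() }
    $name     = ($parts[0] -split '=', 2)[0]
    $declared = $null
    $secure   = $false
    foreach ($attr in ($parts | Select-Object -Skip 1)) {
        if ($attr -match '^SameSite=(\w+)$') { $declared = $Matches[1] }
        elseif ($attr -eq 'Secure')          { $secure = $true }
    }

    # Chrome 80 rules: missing SameSite => treated as Lax; SameSite=None without Secure => rejected.
    if (-not $declared) {
        $effective = 'Lax'
        $verdict   = 'Defaults to Lax: not sent on cross-site POSTs or in iframes'
    } elseif ($declared -eq 'None' -and -not $secure) {
        $effective = $null
        $verdict   = 'Rejected: SameSite=None requires the Secure attribute'
    } elseif ($declared -eq 'None') {
        $effective = 'None'
        $verdict   = 'Sent cross-site over HTTPS (the combination App Proxy is moving to)'
    } else {
        $effective = $declared
        $verdict   = "Explicit SameSite=$declared; unchanged by Chrome 80"
    }

    [pscustomobject]@{
        Cookie    = $name
        Declared  = $declared
        Secure    = $secure
        Effective = $effective
        Verdict   = $verdict
    }
}

# Constructed sample headers (placeholder cookie names): the old default, the
# half-applied change, the corrected form, and an unrelated strict cookie.
$samples = @(
    'proxy_access=abc; Path=/; HttpOnly',
    'proxy_access=abc; Path=/; HttpOnly; SameSite=None',
    'proxy_access=abc; Path=/; HttpOnly; Secure; SameSite=None',
    'session=123; Path=/; Secure; SameSite=Strict'
)
$samples | ForEach-Object { Get-Chrome80CookieVerdict $_ } | Format-Table -AutoSize

# To audit a live endpoint, feed it the Set-Cookie headers of a response instead, e.g.:
# (Invoke-WebRequest -Uri 'https://<your-app>.msappproxy.net/' -MaximumRedirection 0 `
#     -ErrorAction SilentlyContinue).Headers['Set-Cookie']
```

Run it against the cookies your published applications actually set: the first sample is what a pre-change Application Proxy cookie looks like and is the case that breaks SAML and OIDC POST-backs under Chrome 80; the second is the trap of turning on SameSite=None without Use Secure Cookie.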

 

App registrations (legacy) and converged app management from the Application Registration Portal will no longer be available

Service category: N/A
Product capability: Developer Experience

In the near future, users with Azure AD accounts will no longer be able to register and manage converged applications using the Application Registration Portal (apps.dev.microsoft.com), or register and manage applications in the App registrations (legacy) experience in the Azure portal.

 

What’s New

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Microsoft has added capabilities that help admins customize and send claims in SAML tokens. These new capabilities include:

  • Additional claims transformation functions, helping admins to modify values sent in the claim
  • Ability to apply multiple transformations to a single claim
  • Ability to specify the claim source, based on the user type and the group to which the user belongs

 

New My Sign-ins page for end users in Azure AD

Service category: Authentications (Logins)
Product capability: Monitoring & Reporting

Microsoft has added a new My Sign-ins page (https://mysignins.microsoft.com) that lets users view their recent sign-in history and check for unusual activity. This new page allows users to see:

  • If anyone is attempting to guess their password.
  • If an attacker successfully signed in to their account and from what location.
  • What apps the attacker tried to access.

 

Migration of Azure AD Domain Services (Azure AD DS) from classic to Azure Resource Manager virtual networks

Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Admins can now perform a one-time migration of Azure AD Domain Services from a classic virtual network to an existing Resource Manager virtual network. After moving to the Resource Manager virtual network, admins can take advantage of additional and upgraded features such as fine-grained password policies, email notifications, and audit logs.

 

Updates to the Azure AD B2C page contract layout

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Microsoft has introduced some changes to version 1.2.0 of the page contract for Azure AD B2C. In this updated version, admins can now control the load order for elements. This might help to stop the flicker that happens when the style sheet (CSS) is loaded.

 

Update to the My Apps page along with new Workspaces
Public preview

Service category: My Apps
Product capability: Access Control

Azure AD admins can now customize the way their organization’s users view and access the brand-new My Apps experience, including using the new Workspaces feature to make it easier for them to find apps. The new Workspaces functionality acts as a filter for the apps users already have access to.

 

Support for the monthly active user-based billing model
General availability

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Azure AD B2C now supports monthly active users (MAU) billing. MAU billing is based on the number of unique users with authentication activity during a calendar month. Organizations can switch to this new billing method at any time.

Starting on November 1, 2019, all new organizations are automatically billed using this method. It lowers costs for most organizations and makes spending easier to plan ahead.

 

What’s Changed

Users are no longer required to re-register during migration from per-user MFA to Conditional Access-based MFA

Service category: Multi-factor Authentication (MFA)
Product capability: Identity Security & Protection

Microsoft has fixed a known issue whereby users were required to re-register after they were disabled for per-user Multi-Factor Authentication (MFA) and then enabled for MFA through a Conditional Access policy.

To require users to re-register anyway, admins can select the Require re-register MFA option from the user’s authentication methods in the Azure AD portal.

 

Consolidated Security menu item in the Azure AD portal

Service category: Identity Protection
Product capability: Identity Security & Protection

You can now access all of the available Azure AD security features from the new Security menu item, and from the Search bar in the Azure portal. Additionally, the new Security landing page, called Security – Getting started, provides links to Microsoft’s public documentation, security guidance, and deployment guides.

The new Security menu includes:

  • Conditional Access
  • Identity Protection
  • Security Center
  • Identity Secure Score
  • Authentication methods
  • MFA
  • Risk reports – Risky users, Risky sign-ins, Risk detections

 

Office 365 groups expiration policy enhanced with autorenewal

Service category: Group Management
Product capability: Identity Lifecycle Management

The Office 365 groups expiration policy has been enhanced to automatically renew groups that are actively in use by their members. Groups are autorenewed based on user activity across all the Office 365 apps, including Outlook, SharePoint, and Teams.

This enhancement helps to reduce group expiration notifications and helps to make sure that active groups remain available. Admins who already have an active expiration policy for their Office 365 groups don’t need to do anything to turn on this new functionality.

 

Updated Azure AD Domain Services (Azure AD DS) creation experience

Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Microsoft has updated Azure AD Domain Services (Azure AD DS) to include a new and improved creation experience, helping admins to create a managed domain in just three clicks! In addition, admins can now upload and deploy Azure AD DS from a template.

The post What’s New in Azure Active Directory for October 2019 appeared first on The things that are better left unspoken.


On-premises Identity updates & fixes for October 2019


Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for October 2019:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4524152 October 3, 2019

The October 3, 2019 update for Windows Server 2016 (KB4524152), updating the OS build number to 14393.3243 is an update that fixes an intermittent issue with the print spooler service that may cause print jobs to fail. Some apps may close or generate errors, such as the remote procedure call (RPC) error. This issue was introduced in the KB4522010 update for Internet Explorer on September 23, 2019.

KB4519998 October 8, 2019

The October 8, 2019 update for Windows Server 2016 (KB4519998), updating the OS build number to 14393.3274 is a security update.

Two NTLM authentication vulnerabilities, discovered by security firm Preempt, are fixed in this update. When abused, these vulnerabilities allow bypassing the protections Microsoft put in place to prevent NTLM relay attacks, including Message Integrity Code (MIC) protection, Enhanced Protection for Authentication (EPA) and target SPN validation. These vulnerabilities were assigned CVE-2019-1166 and CVE-2019-1338.

After applying this update or later (cumulative) updates, Windows Server installations are protected against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. However, Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627).

If you see “The request was aborted: Could not create SSL/TLS secure channel” errors, or events with Event ID 36887 logged in the System event log with the description “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.”, then this is caused by the behavior in this update. Please refer to KB4528489 for troubleshooting information.

KB4519979 October 15, 2019

The October 15, 2019 update for Windows Server 2016 (KB4519979), updating the OS build number to 14393.3300 is a quality update. It includes the following identity-related improvements:

  • It addresses an issue that prevents Computer objects from being added to local groups using the Group Policy Preference “Local Users and Groups”. The Group Policy Editor returns the error message, “The object selected does not match the type of destination source. Select again.”
  • It addresses an issue that causes a query request of the Win32_LogonSession class for the StartTime to display the value of the epoch (for example, 1-1-1601 1:00:00) instead of the actual logon time.
  • It addresses an issue that prevents netdom.exe from displaying the new ticket-granting ticket (TGT) delegation bit for the display or query mode.
  • It addresses an intermittent issue in Active Directory Federation Services (AD FS) that fails to authenticate users. Additionally, AD FS redirects the browser back to the Microsoft Exchange Client Access services (CAS) with the wrong Audience uniform resource identifier (URI). Specifically, AD FS appends a slash to the Audience URI. Users see an error page and cannot access the Outlook Web App (OWA).
  • It addresses an issue with Lightweight Directory Access Protocol (LDAP) queries that have a memberof expression in the filter. The queries fail with the error, “000020E6: SvcErr: DSID-0314072D, problem 5012 (DIR_ERROR), data 8996”.

  

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4524148 October 3, 2019

The October 3, 2019 update for Windows Server 2019 (KB4524148), updating the OS build number to 17763.775, is an update that expands the out-of-band update dated September 23, 2019. This security update includes the Internet Explorer scripting engine security vulnerability (CVE-2019-1367) mitigation and corrects a recent printing issue some users have experienced since the September 23, 2019 update (KB4522015).

KB4519338 October 8, 2019

The October 8, 2019 update for Windows Server 2019 (KB4519338), updating the OS build number to 17763.805, is a security update.

Overview of KB4519338

Two NTLM authentication vulnerabilities, discovered by security firm Preempt, are fixed in this update. When abused, these vulnerabilities allow bypassing the protections Microsoft put in place to prevent NTLM relay attacks, including Message Integrity Code (MIC) protection, Enhanced Protection for Authentication (EPA) and target SPN validation. These vulnerabilities were assigned CVE-2019-1166 and CVE-2019-1338.

After applying this update or later (cumulative) updates, Windows Server installations are protected against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. However, Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627).

If you see “The request was aborted: Could not create SSL/TLS secure channel” errors, or events with Event ID 36887 logged in the System event log with the description “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.”, then this is caused by the behavior in this update. Please refer to KB4528489 for troubleshooting information.
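The following script is an added example (not part of the post) for both the Windows Server 2016 (KB4519998) and Windows Server 2019 (KB4519338) cases above: it checks whether the October 8 update is installed and then pulls the Schannel Event ID 36887 entries from the last week, grouped by TLS alert code, so the Extended Master Secret fallout can be measured rather than guessed at. It assumes it is run elevated on the server in question and that the event text is in English.

```powershell
# Added example, not from the post. Run elevated on the Windows Server 2016/2019 host.

# The two October 8, 2019 cumulative updates named above. Get-HotFix writes a
# non-terminating error for an ID that is not installed, hence SilentlyContinue.
$updates = Get-HotFix -Id KB4519998, KB4519338 -ErrorAction SilentlyContinue
if ($updates) {
    "Installed: $($updates.HotFixID -join ', ') (installed on $($updates.InstalledOn -join ', '))"
} else {
    'Neither KB4519998 nor KB4519338 is installed; the EMS enforcement from these updates does not apply yet.'
}

# Schannel logs fatal alerts received from the peer as Event ID 36887 in the System log.
# Alert code 20 is bad_record_mac (RFC 5246), the symptom quoted in the post.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
              LogName = 'System'; ProviderName = 'Schannel'; Id = 36887; StartTime = $since
          } -ErrorAction SilentlyContinue

# Parse the alert code out of the (English) message text; other locales need a different regex.
$alerts = foreach ($e in $events) {
    if ($e.Message -match 'fatal alert code is (\d+)') {
        [pscustomobject]@{ Time = $e.TimeCreated; AlertCode = [int]$Matches[1] }
    }
}

"Schannel fatal alerts since $since:"
$alerts | Group-Object AlertCode | Sort-Object Count -Descending |
    Select-Object @{ n = 'AlertCode';  e = { [int]$_.Name } },
                  Count,
                  @{ n = 'MostRecent'; e = { ($_.Group | Sort-Object Time -Descending)[0].Time } } |
    Format-Table -AutoSize

if ($alerts | Where-Object AlertCode -eq 20) {
    'Alert code 20 (bad_record_mac) seen: identify the peers that do not support RFC 7627 and follow KB4528489.'
}
```

The 36887 event does not name the remote host, so correlate the timestamps with your application or proxy logs to find which peer lacks Extended Master Secret support; fixing that peer is preferable to weakening the server, because the update exists precisely to close the man-in-the-middle window the post describes.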

KB4520062 October 15, 2019

The October 15, 2019 update for Windows Server 2019 (KB4520062), updating the OS build number to 17763.832, is a quality update. It includes the following identity-related improvements:

  • It addresses an issue that prevents Computer objects from being added to local groups using the Group Policy Preference “Local Users and Groups”. The Group Policy Editor returns the error message, “The object selected does not match the type of destination source. Select again.”
  • It addresses an issue that causes a query request of the Win32_LogonSession class for the StartTime to display the value of the epoch (for example, 1-1-1601 1:00:00) instead of the actual logon time.
  • It addresses an issue that prevents netdom.exe from displaying the new ticket-granting ticket (TGT) delegation bit for the display or query mode.
  • It addresses an issue with Lightweight Directory Access Protocol (LDAP) queries that have a memberof expression in the filter. The queries fail with the error, “000020E6: SvcErr: DSID-0314072D, problem 5012 (DIR_ERROR), data 8996”.
  • It addresses an issue in which an Active Directory Federation Services (AD FS) certificate is renewed and published by default each year. However, the client does not use them, which results in an authentication error.

The post On-premises Identity updates & fixes for October 2019 appeared first on The things that are better left unspoken.

What’s new in Azure Active Directory at Microsoft Ignite 2019


Microsoft Ignite - November 4-8, 2019 - Orlando, Florida

Microsoft’s Identity Division made announcements and released functionality for Azure Active Directory during Microsoft Ignite 2019 (November 4th – November 8th, 2019) in Orlando, Florida:

 

Security

Azure AD Security Defaults Public Preview

Security Defaults is a set of basic identity security mechanisms recommended by Microsoft. When enabled, these recommendations are enforced automatically, so admins and users are better protected from common identity-related attacks.

Note:
Security defaults are available right now, from the tenant properties blade in the Azure Portal. Security Defaults replace the Baseline Policies in Conditional Access. When you enable Security Defaults, the Baseline Policies disappear.

 

Azure MFA for free

Microsoft announced that Azure Multi-factor Authentication (MFA) is now free.
Azure MFA will be enabled as part of the new Security Defaults feature for all new Azure Active Directory tenants for Microsoft 365, Office 365, Dynamics, and Azure.

As of November 1, 2019, there will be no charges for using multi-factor authentication or password-less authentication.

 

Password-less authentication for free

Organizations with any Azure Active Directory plan can now use the Microsoft Authenticator app to securely access their apps without a password. Previously, only customers with a paid plan could use the app for password-less authentication.

Note:
The password-less authentication methods feature in Azure Active Directory launched in Public Preview last year; General Availability is expected in 2020.

 

Refreshed Azure AD Identity Protection General Availability

The new Azure AD Identity Protection is now generally available. It offers new detections and capabilities. These new User and Entity Behavioral Analytics (UEBA) capabilities and their enhanced signals, massively improved APIs for integration with Security Operations Center (SOC) environments, and a new user interface, make Azure AD admins and their security counterparts more efficient.

 

Conditional Access Report-only mode Public Preview

Conditional Access Report-only mode allows admins to evaluate the potential impact of new Conditional Access policies before rolling them out. Organizations with an Azure Monitor subscription can monitor the impact of Conditional Access policies in report-only mode using the new Conditional Access insights workbook. In combination with the Global Reader role, this allows for further visibility into settings and policies without added risk.

 

Integration

Azure Active Directory Connect cloud provisioning Soon

Microsoft announced Azure Active Directory Connect cloud provisioning. It will become available for preview soon.

Azure Active Directory Connect cloud provisioning allows customers to easily consolidate disconnected on-premises Active Directory forests and eliminate the need for on-premises Azure AD Connect installations, all while enabling greater availability of connectivity (such as multiple deployments to disconnected forests for redundancy) and lowering costs.

Azure Active Directory Connect cloud provisioning provides a lightweight, on-premises agent that enables provisioning from multiple, disconnected on-premises Active Directory forests and moves all the synchronization complexity and data transformation logic to the cloud.

 

Inbound user provisioning from SAP SuccessFactors Public Preview

Microsoft announced the public preview of inbound user provisioning from SAP SuccessFactors. With this feature, admins can implement end-to-end identity lifecycle management covering the entire spectrum of Joiner-Mover-Leaver scenarios using SuccessFactors as the “system of record”. New employees can get up and running on their first day, and admins can modify or revoke access automatically based on the employee’s role and status in SuccessFactors.

 

Azure AD Entitlement Management Generally Available

34% of security breaches involve inside access, according to a 2019 Verizon report on data breaches. Microsoft is helping organizations manage access to information with entitlements management for Azure Active Directory, now generally available.

Entitlements management simplifies employee and partner access requests, approvals, auditing, and workflows.
Additionally, it allows organizations to create access packages that make it easier for employees and partners to request access to the information they need while ensuring that only the right people have access to the appropriate resources.

 

Azure Active Directory MyApps portal updates with new look and features Public Preview

A revamped look and more capabilities for the Azure Active Directory MyApps portal give users a simplified experience with all apps in one place.
The new features, now in preview, include a mobile-first launching experience for all enterprise apps, workspaces for administrator-curated apps, and a unified app launching experience with Microsoft 365 surfaces across the Office.com portal, Office 365 search, and Office navigation.

 

Easier sign-in and better security for firstline workers Soon

Microsoft announced new identity features in Microsoft 365 to help empower firstline workers to access company resources and work securely, whether on a personal or shared device.
The features, in private preview and available later this year, include:

  • SMS sign-in that allows workers to sign in with their phone number and an SMS code for authentication, eliminating the need for passwords.
  • Global sign-out, rolling out later this year for Android devices, that enables workers to sign out of all their apps with just one click and help ensure that nobody else can use the same devices under their account.
  • Delegated user management that will enable scale and reduce stress on IT support by allowing firstline managers to manage users and credentials.

The capabilities will also be available on Teams, which also sees the rollout of off-shift access for firstline workers, which allows companies to grant Teams app access to firstline workers and still comply with designated work hours.

 

Interoperability

Azure Active Directory secure hybrid access with partners Soon

Microsoft announced secure hybrid access partnerships with Akamai, Citrix, F5 and Zscaler to simplify secure access to applications that use legacy protocols like header-based and Kerberos authentication.

With these new integrations, admins can apply the same risk-based Azure AD Conditional Access policies and Identity Governance processes to legacy authentication-based applications as to the rest of the digital environment.

 

MSAL for Python and Java Public Preview

Hot on the heels of the General Availability of the Microsoft Authentication Libraries (MSAL) for Android, iOS and macOS, Microsoft announced the Public Preview of MSAL for Python and MSAL for Java.

 

Azure AD Domain Services Resource Forest Public Preview

If you are looking to move your legacy authentication-based applications to the cloud, you can use the new Azure Active Directory Domain Services resource forest functionality, now in public preview. It allows organizations to create an instance of Azure AD DS that has a one-directional trust with the on-premises Active Directory domains and eliminates the need to synchronize password hashes to Azure AD DS.

Microsoft also made several enhancements to Azure AD Domain Services including additional availability zones, improved load balancer, Azure workbooks, audit logs, and a new set up experience.

 

Future of Identity

Microsoft has developed a Proof of Concept (PoC) for a decentralized identity system with the UK National Health Service (NHS), based on its research for an identity that lets individuals bring a digital identity with verifiable claims through blockchain technology.

NHS sponsors the project to help graduating doctors spend more time with patients, and less time onboarding and managing credentials.

The post What’s new in Azure Active Directory at Microsoft Ignite 2019 appeared first on The things that are better left unspoken.

Pictures of VMworld Europe 2019


VMworld Europe 2019 at Fira Gran Via

Deji Akomolafe invited me over to Barcelona last week, to present two sessions with him at VMware’s VMworld Europe 2019 event.

After I had spent Tuesday November 5th at one of my favorite customers, I drove to the airport to take my first flight to Paris Charles de Gaulle airport. I had a short layover that was truly magnificent, enjoying a French dinner at Air France’s lounge. Then, we flew onward to Barcelona, where we landed shortly before 7 PM.

Dessert at the Air France Lounge in Paris
Flying over Paris and seeing the Eiffel Tower like that. Priceless.

I took a cab to Fira Gran Via and got there just in time to pick up my VMworld badge. I needed it to get access to my evening activities, so I was glad to be there just before registration closed at 7:30 PM.

I headed to my first activity, that was organized by the vExpert program. Near the incredible W Hotel, near the beach, we gathered and had some nice conversations, including conversations with Pat Gelsinger, VMware’s CEO, who joined us.

Meeting with Pat Gelsinger
The Legendary Veeam Party

After the vExpert meeting, I headed to the Benelux party, together with the RedLogic vExperts. It was a busy party at Fabrica Moritz. I talked to my countrymen and -women at this party. Then, I headed for the Veeam party. I talked to Nikola Pejková, as I was interested in how her presentation on the Veeam Vanguard program went at the Community stage.

As the Hotel Catalonia Plaza is just around the corner of the Veeam party, I crawled over and checked in to enjoy a nice warm bed.

Rubber Chickens
On Stage With A Chicken in my pocket (photo by Nikola Pejková)

The next morning, on Wednesday November 6th, I joined Deji in the speaker room. Deji shared his intention to reintroduce rubber chickens at identity sessions (of DEC origin) so we devised a strategy to share them. We then discussed the session and the flow in the slides.

Full Room for an Active Directory session at VMworld :-) (photo by Nikola Pejková)
Presenting with Deji (photo by Rachel Onamusi)

We walked up to room 32 and were present 30 minutes early. Unfortunately, the keynote went over time, so we had to cut our 60-minute session short by 10 minutes. That’s okay, we were only trying to discuss 70 minutes of Active Directory goodness in 60 minutes anyway…

With feedback like “The best from Monday till now :)” and “very entertaining speakers”, I think we still managed to provide good information on virtualizing Active Directory on top of VMware vSphere.


After the session, I visited the Expo Hall and enjoyed some nice chats with a couple of vendors, including Microsoft. Microsoft brought their proposition to run VMware vSphere on physical servers in Azure datacenters to VMworld. So we had a good chat on that. At 5 PM it was time for the Hall Crawl. It was followed by VMworld Fest. I enjoyed the food, but chose to leave drinks be; there was another session planned for Thursday.

Again, I arrived early at VMworld. This time, I met up with Remko Deenink. We studied together in 2007, so it was about time to get up to speed with what we’re both doing. It was nice seeing Remko again.

Deji presenting
Deji presenting, picture from the audio booth

At 10:30 AM, Deji and I kicked off the 4-hour workshop on architecting and implementing Active Directory on vSphere. For this session, we had all the time we needed to properly discuss time synchronization, the VM-GenerationID, Virtualization-safer Active Directory, Domain Controller Cloning, Domain Controller scaling, DNS and VM encryption. Sufficient time for me to snap some pictures of Deji, too.

My 2019 VMworld badge, including the vExpert, Speaker and Alumni flair

After the session, I had to leave for the airport to catch my flight back to the Netherlands, but not before I recorded a short Identity Guy movie from the roof of the hotel.

 

Thank you!

Thank you to VMware for organizing VMworld Europe 2019 and to Pat Gelsinger for taking the time to discuss technology, partnerships and the future. Thank you, Deji.  Thank you to all the attendees, especially the people in our sessions.

The post Pictures of VMworld Europe 2019 appeared first on The things that are better left unspoken.

HOWTO: Properly delegate Directory permissions to Azure AD Connect service accounts


Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at properly delegating directory access to Azure AD Connect service accounts.

 

Why look at Directory Access for Azure AD Connect Service Accounts

Azure AD Connect uses three service accounts:

  1. A local account on the Windows Server installation running Azure AD Connect, used to run the Microsoft Azure AD Sync service. This account can be configured as a group Managed Service Account (gMSA).
  2. An account in the Azure Active Directory tenant.
  3. One account per Active Directory forest in scope for Azure AD Connect (the AD DS Connector account).

Azure AD Connect offers a choice when creating this third account, in the AD forest account dialog: you can specify your own service account, or let Azure AD Connect create the service account. The latter is the default.

The default Azure AD Connect service account

When you let Azure AD Connect create the account, an account is created that follows the naming convention, resulting in a name starting with MSOL_, followed by the first 8 bytes of the Azure AD Connect installation ID (a version 4 UUID) and the server name. It is placed in the Users container per Active Directory domain in scope.

This account then is delegated the following Directory Services permissions at the root level of the Active Directory domains in scope:

  • Replicating Directory Changes
  • Replicating Directory Changes All
  • User objects: reset password, change password and read/write all properties
  • InetOrgPerson objects: read/write all properties
  • Groups: read/write all properties
  • Computer objects: read/write all properties

Note:
When you have Device Writeback configured, the service account is also delegated extensive permissions to the RegisteredDevices container. These delegations are created when you configure Device Options in the Azure Active Directory Connect Configuration wizard.

The issue

These permissions are too lenient, when:

  • Organizations use Domain and OU Filtering
    These organizations do not synchronize all Organizational Units and containers of their Active Directory domain(s) to Azure AD with Azure AD Connect, and/or
  • Organizations use Azure AD app and attribute filtering
    These organizations do not synchronize all attributes for the objects in scope of their Active Directory domain(s) to Azure AD with Azure AD Connect
  • Organizations wish to apply least privileges to Azure AD Connect service accounts

In these cases, the permissions mentioned above should be restricted.
Furthermore, per Microsoft’s own recommended practice, Directory Services permissions should be delegated to groups, not to individual user objects.

Possible negative impact (What could go wrong?)

I feel delegated Directory Services permissions should be ‘just right’.

If permissions are too strict, functionality might break. For instance, Device Writeback may not work.

If the permissions reach outside the scope of Azure AD Connect, the fall-out when the service account is breached can be large. For instance, the permissions could be used to add people to more than 1,015 groups, which pushes their access tokens past the SID limit and locks them out (a Denial of Service), or, less directly, to work towards changing the password of admin accounts. Note that the Replicating Directory Changes All permission on its own already allows a breached account to pull every password hash in the domain, so the account needs the same protection as a Domain Admin whatever else is trimmed.

If Directory Services permissions are delegated to a user account, these permissions become orphaned when the user object is deleted. This results in unusable ACEs referring to the SID of the deleted object; garbage weighing Active Directory down. This is why we prefer to use groups.

 

Getting Ready

To properly delegate Directory access to Azure AD Connect service accounts, make sure to meet the following requirements:

 

System requirements

Make sure you have a clear inventory of the Active Directory OU structure, what OUs and containers are in scope for Azure AD Connect and what type of objects reside per OU and container.

Important!
If you intend to move objects around in another project, postpone or abandon properly delegating Directory Services permissions at a granular level.

You can use the following lines of Windows PowerShell on a Windows Server with an Azure AD Connect installation to achieve this goal:

$c = Get-ADSyncConnector -Name domain.tld
($c).Partitions.ConnectorPartitionScope.ContainerInclusionList | Out-GridView

 

Important!
The below commands make the assumption that you explicitly enable Organizational Units and containers on the Domain and OU Filtering screen in the Azure Active Directory Configuration wizard. If you enable an OU and then disable a child OU of this OU, remove the /I:S part of the command on the parent OU.

 

Privilege requirements

Make sure to sign in with an account that has privileges to make changes on the Security tab of OUs and containers. For an Active Directory environment with a single domain, an account that is a member of the Domain Admins group will suffice. For multi-domain Active Directory forests, a member of the Enterprise Admins group is required.

 

How to do it

Follow these steps to properly and granularly delegate Directory Services permissions for Azure AD Connect service accounts:

 

Create groups

First off, we create the Active Directory groups to delegate Directory Services permissions to:

  1. A group for the base Active Directory permissions
  2. A separate group for Password Reset permissions
  3. A separate group for Password Writeback
  4. A separate group for Group Writeback
  5. A separate group for Device Writeback
  6. A separate group for Hybrid Exchange

Provide these groups with apt names, following the naming convention within your organization. Place them wherever you like in your Active Directory environment, but preferably outside of the Azure AD Connect synchronization scope.

 

Delegate base permissions

Use the following line on a Command Prompt (cmd.exe) to properly provision the group for the base Active Directory permissions:

dsacls.exe "dc=domain,dc=tld" /G "DOMAIN\GroupBasePermissions:CA;Replicating Directory Changes;" "DOMAIN\GroupBasePermissions:CA;Replicating Directory Changes All;"

 

Delegate Write-back of the ms-DS-ConsistencyGUID source anchor

Recent versions of Azure AD Connect use the mS-DS-ConsistencyGUID attribute as the source anchor for user objects. As this is the new standard, my recommendation is to add the delegated permissions to the base permissions group.

Use the following line on a Command Prompt (cmd.exe) to allow members of the base permissions group to writeback the source anchor attribute.

Tip!
Use this line on each OU in scope for Azure AD Connect with user objects in scope for Azure AD Connect.

dsacls.exe "OU=OrganizationalUnit,dc=domain,dc=tld" /I:S /G "DOMAIN\GroupBasePermissions:WP;mS-DS-ConsistencyGUID;user"

 

Delegate password reset permissions

Use the following line on a Command Prompt (cmd.exe) to properly provision the separate group for Password Reset permissions:

Tip!
Use this line on each OU in scope for Azure AD Connect with user objects that will be configured with Azure AD Self-service Password Reset.

dsacls.exe "OU=OrganizationalUnit,dc=domain,dc=tld" /I:S /G "DOMAIN\GroupNamePasswordReset:CA;Reset Password;user" "DOMAIN\GroupNamePasswordReset:CA;Change Password;user"

 

Delegate password Writeback permissions

Use the following line on a Command Prompt (cmd.exe) to properly provision the separate group for Password Writeback permissions:

Tip!
Use this line on each OU in scope for Azure AD Connect with user objects that will be configured with Password Writeback.

dsacls.exe "OU=OrganizationalUnit,dc=domain,dc=tld" /I:S /G "DOMAIN\GroupNamePasswordWriteBack:CA;Reset Password;user" "DOMAIN\GroupNamePasswordWriteBack:CA;Change Password;user" "DOMAIN\GroupNamePasswordWriteBack:WP;lockoutTime;user" "DOMAIN\GroupNamePasswordWriteBack:WP;pwdLastSet;user"

 

Delegate Device Writeback permissions

Use the following line on a Command Prompt (cmd.exe) to properly provision the separate group for Device Write-back on the RegisteredDevices container:

dsacls.exe "CN=RegisteredDevices,CN=System,DC=domain,DC=tld" /I:S /G "DOMAIN\GroupNameDeviceWriteBack:CCDCRPWP;;computer"

 

Delegate group writeback permissions

Use the following line on a Command Prompt (cmd.exe) to properly provision the separate group for Group Write-back:

Tip!
Use this line only on the OU you’ve specified for Group write-back when you’ve configured Azure AD Connect.

dsacls.exe "OU=WrittenBackGroups,DC=domain,DC=tld" /I:S /G "DOMAIN\GroupNameGroupWriteBack:WP;member;group"

 

Delegate Exchange Hybrid permissions

Use the following line on a Command Prompt (cmd.exe) to properly provision the separate group for Hybrid Exchange permissions to write back attributes to user objects:

Tip!
Use this line on each OU in scope for Azure AD Connect with user objects in scope for Azure AD Connect.

dsacls.exe "OU=OrganizationalUnit,dc=domain,dc=tld" /I:S /G "DOMAIN\GroupExchangeHybrid:WP;proxyAddresses;user" ^
  "DOMAIN\GroupExchangeHybrid:WP;msExchUserHoldPolicies;user" ^
  "DOMAIN\GroupExchangeHybrid:WP;msExchArchiveStatus;user" ^
  "DOMAIN\GroupExchangeHybrid:WP;msExchBlockedSendersHash;user" ^
  "DOMAIN\GroupExchangeHybrid:WP;msExchSafeRecipientsHash;user" ^
  "DOMAIN\GroupExchangeHybrid:WP;msExchUCVoiceMailSettings;user" ^
  "DOMAIN\GroupExchangeHybrid:WP;publicDelegates;user" ^
  "DOMAIN\GroupExchangeHybrid:WP;msDS-ExternalDirectoryObjectId;user"

 

Add service accounts to the groups

With the right permissions in place, we can now add existing Azure AD Connect service accounts to the groups, or create new service accounts.

Azure AD Connect initiates synchronization cycles every 30 minutes, by default. The new group memberships will be automatically effective the next synchronization cycle, unless you run the Azure AD Connect service with the same service account. In this latter case, restart the Azure AD Connect server(s) for the changes to take effect.

 

Remove legacy permissions

After you’ve properly and granularly delegated Directory Services permissions, you can remove the legacy permissions. You can use the Security tab on the domain level to observe and remove these permissions. Don’t be surprised if you stumble upon even older Azure AD Connect service accounts here.
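To verify the result of the delegation and to spot what is left to clean up, the following Windows PowerShell script is an added example (it is not part of the original post). It takes the same inventory as the Get-ADSyncConnector lines in the Getting Ready section, then lists every explicit (non-inherited) ACE on the domain head and on each container in scope for Azure AD Connect, flagging ACEs that refer to a SID that no longer resolves (the orphaned permissions described above) and ACEs granted to default MSOL_ service accounts. It assumes it runs on the Azure AD Connect server with the ADSync and RSAT ActiveDirectory modules available; domain.tld and the group names are placeholders.

```powershell
# Added example, not from the original post.
# Inventory the containers Azure AD Connect has in scope and report the explicit
# ACEs on each of them, flagging orphaned SIDs and legacy MSOL_ service accounts.
# Assumptions: run on the Azure AD Connect server (ADSync module) with the RSAT
# ActiveDirectory module installed; 'domain.tld' is a placeholder connector name.
Import-Module ADSync
Import-Module ActiveDirectory

$ConnectorName = 'domain.tld'                       # placeholder: name of your AD connector

# Groups you delegated to in this how-to (placeholder names from the post)
$DelegatedGroups = @(
    'DOMAIN\GroupBasePermissions',
    'DOMAIN\GroupNamePasswordReset',
    'DOMAIN\GroupNamePasswordWriteBack',
    'DOMAIN\GroupNameDeviceWriteBack',
    'DOMAIN\GroupNameGroupWriteBack',
    'DOMAIN\GroupExchangeHybrid'
)

# Step 1: the OUs and containers enabled on the Domain and OU Filtering screen
$connector = Get-ADSyncConnector -Name $ConnectorName
$inScope   = @($connector.Partitions.ConnectorPartitionScope.ContainerInclusionList)

# The domain head carries the Replicating Directory Changes rights, so include it too
$domainDn   = (Get-ADDomain).DistinguishedName
$containers = @($domainDn) + $inScope | Select-Object -Unique

# Step 2: collect every explicit ACE per container
$report = foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        # Inherited ACEs were set higher up; only explicit ACEs are delegated on this container
        if ($ace.IsInherited) { continue }
        $id = $ace.IdentityReference.Value
        [pscustomobject]@{
            Container  = $dn
            Identity   = $id
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType          # GUID of the property or extended right
            Inherit    = $ace.InheritanceType
            # A domain SID that did not translate to a name: the trustee was deleted
            Orphaned   = ($id -like 'S-1-5-21-*')
            # Default Azure AD Connect service accounts are named MSOL_<hex>
            LegacyMsol = ($id -like '*\MSOL_*')
            Delegated  = ($DelegatedGroups -contains $id)
        }
    }
}

# Step 3: show the ACEs you delegated, then the ones that are candidates for removal
'--- ACEs granted to the Azure AD Connect groups ---'
$report | Where-Object Delegated |
    Sort-Object Container, Identity |
    Format-Table Container, Identity, Rights, Inherit -AutoSize

'--- Orphaned SIDs and legacy MSOL_ accounts (review and remove) ---'
$report | Where-Object { $_.Orphaned -or $_.LegacyMsol } |
    Sort-Object Container, Identity |
    Format-Table Container, Identity, Rights, Orphaned, LegacyMsol -AutoSize
```

Run it before and after the dsacls.exe commands above: before, the second table shows what the previous delegation left behind; after, the first table should list exactly the groups you delegated to, on exactly the containers in scope.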

 

Optionally: Remove old Azure AD Connect service accounts

When you choose to start over with new accounts, you can now safely remove the old Azure AD Connect accounts, as they will no longer be used by Azure AD Connect, and will no longer have any delegated permissions associated to them in Active Directory.

 

Concluding

Having a Microsoft product use default settings does not always result in the most securely configured environment. Having Azure AD Connect create its service account doesn’t result in a desired environment from a security perspective.

Further reading

AADSync – AD Service Account Delegated Permissions
DSACLS command to Grant Domain Groups Password Reset and Unlock Account
Active Directory Delegation with DSACLS
HOWTO: Properly set and manage Azure AD Connect’s Export Deletion Threshold
HOWTO: Use Domain and OU Filtering to limit objects in scope for Azure AD Connect
HOWTO: Use Azure AD App Filtering to limit attributes for the objects in scope for Azure AD Connect

The post HOWTO: Properly delegate Directory permissions to Azure AD Connect service accounts appeared first on The things that are better left unspoken.

Azure AD Connect v1.4.32.0 fixes Azure AD Join challenges


It’s time for a new version of Azure AD Connect to incorporate Microsoft’s lessons learned and distribute the fixes Microsoft made to the larger public. Last Friday, Microsoft released the first version in the 1.4 branch of Azure AD Connect: v1.4.32.0.

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

 

Highlights

Fixed Azure AD-joined device synchronization

This version fixes an issue with existing Hybrid Azure AD-joined devices.
Release 1.4.32.0 contains a new device sync rule that corrects this issue.

Note:
This rule change may cause deletion of obsolete devices from Azure AD. This is not a cause for concern, as these device objects are not used by Azure AD during Conditional Access authorization. For some customers, the number of devices that will be deleted through this rule change can exceed the deletion threshold. If you see the deletion of device objects in Azure AD exceeding the Export Deletion Threshold, it is advised to allow the deletions to go through. How to allow deletes to flow when they exceed the deletion threshold.

Schema change requiring MSOnline Module 1.1.183.57, or up

Versions 1.4.x of Azure AD Connect add several URLs to the AdditionalWSFedEndpoint property of the ‘Microsoft Office 365 Identity Platform’ relying party trust between your AD FS Farm and Azure AD. Due to an internal schema change in version 1.4.32.0 of Azure AD Connect, if you manage this relying party trust’s relationship configuration settings in AD FS through Azure AD Connect using the MSOnline PowerShell module, then you must update to version 1.1.183.57 of the MSOnline PowerShell module, or to a newer version when it becomes available.

 

Version information

This is version 1.4.32.0 of Azure AD Connect.
The first release in the 1.4 branch for Azure AD Connect was made available for download on November 8, 2019.

 

Download information

You can download Azure AD Connect here.
The download weighs 91.0 MB.

 

Note

After the upgrade to Azure AD Connect version 1.4.32.0 completes, a full Synchronization cycle is automatically triggered, followed by a full import for the Azure AD connector and a full sync for the AD connector. Since this may take some time, depending on the number of objects in scope of your Azure AD Connect environment and the connectivity to both Active Directory and Azure AD, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

The post Azure AD Connect v1.4.32.0 fixes Azure AD Join challenges appeared first on The things that are better left unspoken.

Getting Started with Azure Monitor Workbooks for Azure Active Directory


Azure Active Directory

It’s time to take a look at the Azure Workbooks and get started with monitoring Azure Active Directory the new way.

In the overview of What’s New in Azure Active Directory for August 2019, Microsoft announced the deprecation of the Azure AD Power BI content packs in favor of Azure Monitor Workbooks. Microsoft also made announcements for Azure Active Directory at Microsoft Ignite 2019, indicating new and enhanced Azure Monitor Workbooks for Azure AD.

 

About the Azure AD Power BI content packs

For years, Azure AD admins could gain insights in Power BI, based on the Azure Active Directory Activity Logs content pack in Power BI on the Web:

Azure Power BI Contents Packs

Especially when combined with the Azure Audit Logs, Azure Backup, Azure Security Center Security Insights and Azure Security Center Policy Management, Power BI provides a great overview of the health of the organization’s cloud services.

 

About Azure Monitor workbooks

Azure Monitor Workbooks replace Power BI content packs.

For Azure Monitor workbooks, log data is stored in a Log Analytics workspace and is collected and analyzed by the Log Analytics service. Azure Monitor is then used to view the data in comprehensive reports. Compared to the Power BI content packs, this method improves speed and allows for alerts, all without the need for Power BI licenses throughout the organization.

 

Requirements

To use Azure Monitor workbooks, you need:

  • An Active Directory tenant with at least one Azure AD Premium (P1 or P2) subscription license.
  • A Log Analytics workspace
  • Access to the log analytics workspace
  • Sign in with one of the following roles in Azure Active Directory, if you are accessing Log Analytics through Azure Active Directory portal:
    • Security administrator
    • Security reader
    • Report reader
    • Global administrator
    • Global reader
  • Sign in with one of the following roles to gain access to underlying Log Analytics workspace to manage the Azure Monitor Workbooks:
    • Global administrator
    • Global reader
    • Security administrator
    • Security reader
    • Report reader
    • Application administrator

 

How to get it working

Here’s how to get Azure Monitor Workbooks for your Azure AD tenant working:

 

Step 1: Set up a Log Analytics workspace

Azure Monitor Workbooks require a Log Analytics Workspace. As Azure subscriptions, by default, do not get configured with a Log Analytics workspace, the first step is to create a Log Analytics Workspace. Perform these steps:

  • Sign into the Azure Portal with an account that has one or more of the roles mentioned in the above requirements paragraph.
  • In the Azure portal, click All services. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics workspaces from the list.
  • Click + Add.
    The Log Analytics workspace blade appears.
  • Fill in the required information to add a Log Analytics workspace.
  • Click OK on the bottom of the blade to create the Log Analytics workspace.

The pricing model for Log Analytics is per ingested GB per month. However, the first 5 GB per month is free. Data ingestion beyond 5 GB is priced at € 2,52 per GB per month. Ingesting Azure AD with Log Analytics will mostly result in free workspace usage, except for large busy Azure AD tenants.

 

Step 2: Integrate Azure AD logs into Log Analytics

Perform the following steps to route audit activity logs and sign-in activity logs from Azure Active Directory to the Log Analytics Workspace:

  • While still logged on in the Azure AD Portal, click on Azure Active Directory in the left navigation menu.
  • Select Diagnostic settings in Azure AD’s navigation menu.
  • In the main pane, click Add diagnostic setting.
    The Diagnostic settings blade appears.
  • On the Diagnostic settings blade, provide a name for the diagnostic settings.
  • Select the Send to Log Analytics workspace check box.
  • Select the Log Analytics workspace you want to send the logs to, or create a new workspace in the provided dialog box.
  • Do either or both of the following:
    • To send audit logs to the Log Analytics workspace, select the AuditLogs check box.
    • To send sign-in logs to the Log Analytics workspace, select the SignInLogs check box.
  • Select Save on top of the blade to save the diagnostic settings.

Allow for ample time for the diagnostic settings to apply and the data to be streamed to the Log Analytics workspace.

 

Step 3: Enjoy the Azure Monitor Workbooks

Perform the following steps to view the information in the Azure AD Workbooks:

  • While still logged on in the Azure AD Portal, click on Azure Active Directory in the left navigation menu.
  • Select Workbooks in Azure AD’s navigation menu.
    The Workbooks main page appears:

Azure AD Workbooks

  • Make your own workbook, starting from an empty report, or choose your favorite workbook from the readily available workbooks in the categories Usage, Conditional access and Troubleshoot:
    • Sign-ins
    • Sign-ins using Legacy Authentication
    • App Consent Audit
    • Conditional Access Insights (Preview)
    • Sign-ins by Conditional Access policies
    • Sign-ins by Grant Controls
    • Sign-ins Failure Analysis

Since I was missing the default sign-in maps, which I used a lot in the Power BI content packs, I decided to create a new report based on the Kusto Query Language (KQL).
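As an added example (not the author's report and not code from the original post), the following Windows PowerShell script runs a KQL query against the SigninLogs table that Step 2 routes to the Log Analytics workspace, and summarizes sign-ins, failures and distinct users per country and city, including the coordinates a map visualization needs. It assumes the Az.Accounts and Az.OperationalInsights modules are installed, Connect-AzAccount has been run with one of the roles from the requirements, and $WorkspaceId holds the workspace ID (placeholder below) shown on the workspace's Overview blade.

```powershell
# Added example, not from the original post.
# Query the Azure AD SigninLogs in the Log Analytics workspace and summarize sign-ins per location.
# Assumptions: Az.OperationalInsights is installed, Connect-AzAccount has been run,
# and $WorkspaceId is the workspace ID (placeholder value below).
Import-Module Az.OperationalInsights

$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder workspace ID

# KQL against the SigninLogs table. ResultType 0 is a successful sign-in;
# LocationDetails is a dynamic column carrying country, city and geo coordinates.
$kql = @'
SigninLogs
| where TimeGenerated > ago(7d)
| extend Country   = tostring(LocationDetails.countryOrRegion),
         City      = tostring(LocationDetails.city),
         Latitude  = toreal(LocationDetails.geoCoordinates.latitude),
         Longitude = toreal(LocationDetails.geoCoordinates.longitude)
| summarize SignIns   = count(),
            Failures  = countif(ResultType != "0"),
            Users     = dcount(UserPrincipalName),
            Latitude  = avg(Latitude),
            Longitude = avg(Longitude)
  by Country, City
| order by SignIns desc
'@

# Invoke-AzOperationalInsightsQuery returns the rows in the Results property
$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$rows = $response.Results

# Locations with a high failure ratio are worth a closer look (threshold is an arbitrary example)
$rows |
    Select-Object Country, City, SignIns, Failures, Users, Latitude, Longitude,
        @{ Name = 'FailureRatio'; Expression = { [math]::Round($_.Failures / [math]::Max(1, $_.SignIns), 2) } } |
    Sort-Object FailureRatio -Descending |
    Format-Table -AutoSize
```

The same KQL can be pasted into an empty workbook as a query step and rendered as a map on the Latitude and Longitude columns; the PowerShell wrapper is only there to run it outside the portal and to apply the failure-ratio sort locally.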

 

Concluding

While Azure AD’s workbooks don’t yet provide all the functionality of the Power BI content pack, they are a very powerful solution to get acquainted with what’s going on in the organization’s Azure AD tenant.

I believe what we’re seeing today in Azure AD’s workbooks is the start of something that answers the big questions organizations have today, and will grow into a solution that organizations with Azure AD Premium licenses love to use to keep tabs on their Azure AD tenant(s).

Further reading

Azure Monitor overview
How to use Azure Monitor workbooks for Azure Active Directory reports
Create a Log Analytics workspace in the Azure portal

The post Getting Started with Azure Monitor Workbooks for Azure Active Directory appeared first on The things that are better left unspoken.

Videos and slides are now available on demand for Microsoft Ignite 2019’s Azure AD-related sessions


Microsoft Ignite - November 4-8, 2019 - Orlando, Florida

During Microsoft Ignite 2019 (November 4th – November 8th, 2019) in Orlando, Florida, attendees could attend several sessions on Azure Active Directory. These Azure AD-related sessions are now available on demand when you sign in with a free Microsoft TechCommunity account.

In this blogpost, I’ve categorized the sessions using Microsoft’s Standard Level Definitions, so you can step in at the level that best suits you. I’ve sorted the sessions by session code:

 

Level 100 session

The below session provides an overview of Azure Active Directory. This session assumes little or no expertise with Azure AD and covers concepts, functions, features, and benefits. It’s perfect to get started with Azure AD:

 

BRK013 Identity: The control plane for your digital transformation, now and into the future

As provider of the world’s largest identity platform, Microsoft takes accountability for building greater security and mobility into enterprise technologies that billions of people rely on every day. Microsoft co-develops their identity products and services with customers to ensure Microsoft helps you secure access to any app or service—on-premises or in any cloud. Microsoft is pioneering ways to make identity-driven security more intuitive and automated, and Microsoft is architecting solutions using blockchain technology to give people back control over their privacy. Using real customer stories, this session shares Microsoft’s vision for Azure Active Directory, the latest product innovations, and concrete examples of how Microsoft is making it easier for you to manage and secure identities now and into the future.

 

Level 200 sessions

The below sessions offer intermediate material. These sessions assume 100-level knowledge and provide specific details about Azure Active Directory:

 

BRK2080 Simplify sign in and authorization with the Microsoft identity platform

Building a secure and usable authentication experience has been difficult and time-consuming. Whether you’re building an app to reach consumers or enterprises, the Microsoft identity platform is here to help. In this session, you’ll learn how to authenticate personal Microsoft or Azure AD accounts, and securely access APIs in your apps. Once integrated with the Microsoft identity platform, see how you can start accessing data in Microsoft Graph to build richer applications.

 

BRK2130 Azure Active Directory: New features and roadmap

For anyone working on or looking in to identity and access management in the cloud, this can’t-miss session provides updates on Azure Active Directory and Microsoft’s vision and roadmap areas for identity in the next year. You’ll hear about the newest features and experiences that provide seamless access for any identity, protect your organization from breaches, and use the latest open standards.

 

BRK2132 How Microsoft uses Azure Active Directory Identity Protection and Conditional Access to protect its assets

Identity security is one of the most critical measures you can take for your organization today. To continually strengthen your identity security, you must be able to identify and protect against attacks on your users.
Learn how Microsoft has done this in their own IT environment. First, by using Azure Active Directory Identity Protection to gain crystal clear visibility into the frequency and types of attacks on users, then protecting the user accounts with Conditional Access policies to require MFA and block legacy apps. We’ll take you along our journey, discuss pitfalls, best practices, and resulting product improvements.

 

BRK2232 Zero Hype – Taking practical steps to Zero Trust

Over the past several years, there has been a lot of hype around Zero Trust with a focus around vendor-specific implementation. Products emerged that were Zero Trust even before the concept became cool and well known, but what does this abstract and buzzy word really mean for your organization? In this session, the speakers focus on the principles and foundation pillars of Zero Trust, and dive into their impact on the threat landscape to understand how threat shifts when Zero Trust principles are widely applied.

 

BRK2261 Empower firstline worker productivity from day one

Digitally empower your firstline workers through seamless and secure access to the tools they need to be productive on day one. Learn about Microsoft’s current and upcoming investments in the firstline worker identity management space and how you can drive end-to-end transformation in your organization.

 

BRK3112 Love all your identities – Building digital relationships with your customers and partners

Modern organizations are looking for new ways to engage and collaborate with their customers and partners, which requires a secure and seamless way to manage these external identities. Learn how to provide seamless and secure digital experiences for partners, customers, citizens, and others with the level of customization and control your business requires. Learn about how our customers are using Azure Active Directory to provide a customized authentication experience for their customers, seamlessly govern external access to first-party apps, and effectively collaborate with partners.

 

BRK4007 Microsoft identity platform best practices for developers

This session walks through the details of how the Microsoft identity platform works for Authentication and Authorization. The speakers cover how developers can architect their solutions for the best user experience, best practices for working permissions and consent, and debugging techniques for authentication and authorization.

 

SECO10 Secure your enterprise with a strong identity foundation

The three identity and access management needs Microsoft hears most often from its customers are to reduce costs, improve security, and enhance user productivity. This session provides stories of how Azure Active Directory has delivered these benefits to customers and grants greater visibility and control over users, apps, devices, and data.

This Learning Path session is primarily targeted at organizations considering modernizing their identity and security solutions and have not yet adopted Azure AD widely, or existing customers that would like a refresher on the customer scenarios addressed.

 

TK03 Microsoft’s roadmap for security, compliance, and identity

This session covers how Microsoft can help you with your security, identity, and compliance needs. Hear Kirk Koenigsbauer share Microsoft’s strategy and investments with special guests including Ann Johnson, from Microsoft’s Cybersecurity Solutions Group, and Bret Arsenault, Microsoft’s CISO.

 

THR2002 Authentication without passwords in 20 minutes

Passwords are complex – though usually they are not, and that is the problem! Users forget them and hackers don’t. So it’s time to move away from this pain point and to utilize stronger authentication. In this 20-minute session, Brian Reid looks at how you go password-less using hardware security devices and mobile apps.

 

THR2047 Real-world hybrid Active Directory join and compliance in 20 minutes

One of the easy ways to secure your cloud journey is to ensure that the end user is on a company device. In this session, Brian Reid looks at how this works for Active Directory domain-joined workstations. The steps to get there and what you can do once your devices and your users are synced to Azure Active Directory. He also looks at how to troubleshoot AAD Hybrid Join and take real customer examples so you can avoid common issues.

 

THR2200 Lift and shift your legacy applications using Azure Active Directory Domain Services

Do you have hundreds of on-premises, legacy applications slowing your acceleration to the cloud? Learn how Azure Active Directory can help you lift-and-shift your legacy apps, secure legacy authentication, and see Microsoft’s roadmap of exciting new features and capabilities to lighten your on-premises server and application footprint.

 

THR2201 Reduce IT friction with seamless identity end-user experiences

In a world where every employee needs a sea of applications and tools to do their job, and your end-users are getting increasingly mobile, so much productivity is lost on simply finding the right app, remembering the right password, and reaching out to IT to retrieve lost credentials. Learn how you can become your organization’s hero by eliminating access friction and deliver a seamless and secure user experience.

 

THR3136 Streamline your business processes and development with Azure Active Directory APIs in Microsoft Graph

The availability of Azure AD APIs in Microsoft Graph has grown over the past year to help developers build out scenarios in Azure Active Directory. In fact, all Azure AD Graph APIs are now available in Microsoft Graph, which includes even more functionality across all Office 365 workloads. In this session, learn how to use Azure AD APIs in Microsoft Graph for user onboarding and dynamic group provisioning, enabling governance with Privileged Identity Management and enabling more granular access control with Azure AD RBAC.

 

Level 300 sessions

The below sessions offer advanced material. These sessions assume 200-level knowledge, in-depth understanding of features in a real-world environment, and strong coding skills. These sessions aim to provide detailed technical overviews of only a subset of the products and technology features, covering architecture, performance, migration, deployment, and development:

 

THR3080 Gain fine-grained access controls of your administrative roles with Azure Active Directory custom roles

Learn how to control access to Azure Active Directory using Azure AD administrative roles, including capabilities like custom RBAC controls, and see what’s coming for future role and access control capabilities.

 

BRK3110 Winning strategies for identity security and governance

Cybersecurity incidents make news regularly, and the attacks have become more sophisticated and complicated for organizations to keep up with. This increase is in spite of high spending on security solutions and resources. The key to successful identity management is moving towards an identity-centric security strategy. Think like a bad actor and work out the attacks you’re most likely to face, and guard against them to the best of your ability. In this session, the speakers discuss some of the winning strategies for effective identity management.

 

BRK3113 New frontiers in identity standards

Interested in the future evolution of the identity industry? Join Pamela Dingle for an entertaining tour through the work currently occurring in standards bodies like IETF, W3C, ISO, and the OpenID Foundation. Pamela explains the efforts that are underway as well as describes what future impact this work might have on enterprises and the internet. If part of your job is to future proof your organization, this overview may give you useful insight into areas you need to monitor or perhaps links to technologies that your organization might want to help shape.

 

BRK3114 Building trust into digital experiences with decentralized identities

Organizations are exploring ways to improve the trust of digital experiences. This effort can be accelerated by empowering people to own, control and verify their identity. Learn how Decentralized Identity can enable use of portable claims based on the Verified Credentials standard, see a proof of concept to compare with existing account-based systems, learn about known challenges and most importantly how you can get involved.

 

BRK3194 Azure Active Directory cloud authentication doesn’t just mean “sign-in”

When you sign in to Azure AD, cloud fault tolerance, scalability, and enhanced security are built-in. Through the Azure AD management portal, it is simple to enable a plethora of technologies, enhancing both your organization’s security posture and user experience. In this session, John Craddock shares his real-world experience and insight into reaping the rewards and benefits of Azure AD. Learn how to choose the best sign-in options for both your cloud and hybrid-users. Also, learn how to mitigate risk through the use of conditional access policies. Combine this with Windows Hello or FIDO, and you are building secure sign-in for the future. The session is packed with demos and definitely should not be missed.

 

SECI10 Identity and access management best practices from around the world

Join the Azure Active Directory customer success team and learn how they have helped hundreds of customers around the world accelerate digital transformation with identity and access management. Find out how you can quickly and easily get Azure Active Directory up and running and be the hero of your organization.

 

SECI20 Shut the door to cybercrime with identity-driven security

Today, in most organizations, there exists an abundance of security solutions and yet what will actually make you secure remains obscure. Watch this session to get your much needed answers on the steps you can quickly take to protect yourself against the most prevalent current and emerging threats!

 

BRK3105 Connect your workforce to all the apps they need with Azure Active Directory

Azure AD is the place for all your apps, but do you know how to take full advantage of the rich ecosystem Microsoft offers? Watch this session to learn about what Microsoft is doing to enrich their apps ecosystem with the apps you care about, to make it easy for you to connect and build the apps your organization needs, and all the cool stuff you can do with those apps once you join the party!

 

BRK3106 Eliminate your weakest link with password-less authentication

The new standard for authentication is password-less. Learn about how to start using and deploying the Microsoft suite of password-less solutions that can help you provide secure options for your users and protect your company from password spray, phishing and other attacks. Join the millions of users of FIDO2, Windows Hello, and Microsoft Authenticator in conjunction with Azure Active Directory that have made passwords a relic of the past.

 

BRK3108 Modernize your on-premises application security with Azure Active Directory

Watch this session to learn how to extend modern cloud-driven security and scalability to your on-premises apps using Azure Active Directory. When you have your users operating under a common identity across your hybrid identity environment, you can securely connect and protect all your applications to Azure AD including classic applications that use protocols such as Kerberos and header-based authentication or on-premises LOB apps. The speakers show you how you can do this from Azure AD-native solutions or through integrations with partner infrastructure that you may already be using in your organization.

 

BRK3109 Govern your workforce and guest user access with Azure Active Directory

Organizations are faced with an explosion of new, collaboration-focused SaaS apps and services, where it is increasingly becoming as easy to share resources with business partners as with employees. It is more challenging than ever to ensure timely access and productive collaboration while maintaining data security and access compliance. Watch this session to learn how Azure Active Directory can deliver Identity Governance and Administration for both your employees and guest users, empowering the entire organization while balancing security and productivity.

 

BRK3154 Integrating CASB into IAM for a comprehensive identity security strategy

Standalone, identity and access management solutions protect access to your apps, and a Cloud Access Security Broker (CASB) provides discovery, threat, and information protection across them. Combining these two powerful solutions enables a deeper level of visibility and the ability to control user sessions in real-time. In this session the speakers share how Azure Active Directory Conditional Access and Microsoft Cloud App Security uniquely integrate to provide actionable insights, an improved security posture, better threat detection, and adaptive access control to all apps, Microsoft and third-party, in your organization. The speakers discuss some of the top use cases and demo how easy it is to deploy them.

 

BRK3195 Azure Active Directory B2B versus multi-tenant apps: Notes from the field

John Craddock has created this session as the result of a real-world scenario. A forms-authenticated app, running in Azure, was providing services to several enterprise customers. These enterprise customers were requesting that they should have SSO using their on-premises AD credentials. How can the solution be built? We have to start by selecting a federated authentication protocol for the app. Allowing partners and other organizations to access the application requires either the creation of an Azure AD multi-tenant app or providing access to the app via Azure AD B2B services. Watch this session and learn about the pros and cons of each solution. Don’t miss the demos showing the results.

 

BRK3257 Leverage the cloud to strengthen your on-premises Active Directory security

As you traverse your digital transformation journey to the cloud, you will likely find yourself in a state with on-premises and cloud identity systems working in tandem as a hybrid identity infrastructure. This not only provides a single identity for users to access resources, but also cloud security enhancements can be extended to on-premises. Watch this session to learn how the scalability and advanced security of Azure Active Directory can be leveraged to protect your Windows Server Active Directory infrastructure. This session focuses on a few quick wins and some key strategies you should be focusing on with your Active Directory.

 

BRK3267 Increase M&A agility by integrating quickly and securely with Azure Active Directory

M&A is an increasingly important growth driver for modern enterprises but with the increasing complexity of technology solutions, it can be a major challenge for IT and Security teams. Join us to learn how to consolidate directories and enable access to resources from day one, simplify collaboration, and eliminate cybersecurity threats with identity as the control plane.

 

BRK4017 The science behind Azure Active Directory Identity Protection

Azure AD Identity Protection detects and prevents identity attacks in the cloud and on-premises. It also enables identity admins to understand their risk standing with insights and advanced risk reports. Using this information, identity admins can set up risk-based policies for a hands-free security experience – achieving both security and productivity. At the core of Identity Protection is its risk engine, which uses machine learning, UEBA, and anomaly detection to detect the compromised users in your organization. Watch this session to learn about the new features available in the refreshed Identity Protection. The speakers show the new capabilities and go deep into the science that powers Identity Protection.

 

THR3076 Get the most out of password-less authentication and avoid pitfalls

Learn about Microsoft’s password-less strategy and tangible next steps on taking your enterprise password-less. Watch this session to gain tips for a seamless deployment and user adoption with Microsoft-supported authentication tools like Windows Hello, Microsoft Authenticator, and FIDO security keys.

 

THR3079 Govern access for employees and partners with Azure Active Directory Identity Governance

Azure Active Directory has new identity governance and administration capabilities to help scale and govern access management for your entire workforce including partners. Check out the latest news and demos around Access Reviews and Entitlement Management.

 

THR3135 Secure customer identity and access management using Azure Active Directory B2C

How can you help your customers create seamless sign-up or sign-in experiences for their consumer-facing applications? Learn about Azure Active Directory B2C, an enterprise-grade customer identity and access management service, and how it allows you to easily secure consumer-facing (or citizen-facing) web and mobile applications and to create user friendly, frictionless experiences while protecting user data.

 

THR3078 Migrate to modern authentication with Azure Active Directory

Embrace modern authentication for your users and their single sign-on into apps with Azure Active Directory. See the latest tools that can help you plan and deploy a rollout of cloud authentication and also migrate your apps to cloud management and security.

 

WRK 3029 Secure and manage your identities with Azure Active Directory

With identity as the control plane, you can have greater visibility and control over who is accessing your organization’s applications and data and under which conditions. This workshop gives you hands-on experience with Azure Active Directory, a universal identity platform for you to keep your employees and external users productive and secure, while staying compliant and protecting against threats. Learn how to build and deploy risk-based access policies, seamlessly connect users to all their apps, manage guest users as easily and securely as your own employees, and more! Become an identity and access management hero for your organization.

The post Videos and slides are now available on demand for Microsoft Ignite 2019’s Azure AD-related sessions appeared first on The things that are better left unspoken.


Pictures of the Dutch Windows Management User Group 2019-5 Meetup


OGD Delft

Last Wednesday I was a guest at the company I called ‘home’ for over 15 years. I was scheduled to deliver a 45-minute session on Azure AD Connect. As this is one of my favorite topics to talk on, I was really looking forward to the Dutch Windows Management User Group 2019-5 Meetup.

I started early at the customer that was scheduled for Wednesday November 13th, which was conveniently located in the vicinity of Delft. I left for the event at around 3PM and arrived early.

I met with several of my former co-workers, including their CEO Roel Nikkesen, other members of the management team and Rik van Berendonk. I also met one of OGD’s new CTOs Kay van Baarle.

Kenneth van Surksum kicking off the WMUG.nl Meetup (photo by Adnan Hendricks)

Follow WMUG.nl Meetup (photo by Adnan Hendricks)

Kenneth van Surksum kicked off the event, followed by Master of Ceremony Rik and Kay introducing OGD as a software company and the proud host for the event. In true OGD style, they started late and ended even later.

Patrick van der Born presenting before our audience

After their introduction, Patrick van den Born delivered the first session on identity and access management with Ivanti Identity Director.

Presenting (photo by Kenneth van Surksum)

Facing a hungry crowd and dinner being scheduled in 30 minutes, I decided to deliver my session at lightning speed to provide food to the attendees on premise. That’s all the time I need to tear apart the choices Microsoft makes with Azure AD Connect…

Dinner is served! (photo by Adnan Hendricks)

Spekkoek as desserts... what could possibly go wrong? (photo by Adnan Hendricks)

Enjoying dinner (photo by Adnan Hendricks)

At the break, I noticed that many familiar faces joined the event, including Osman Akagunduz and Erwin Derksen. Just in time, too, as Erwin was scheduled to deliver the third session of the event with a bulletpoint-free presentation on Azure Active Directory Domain Services.

Erwin responding to a question from the audience (photo by Kenneth van Surksum)

After Erwin’s session we had time left, so Patrick, Erwin and I organized a closing panel discussion to wrap up the event.

Closing Panel (photo by Adnan Hendricks)

OGD Bar (photo by Adnan Hendricks)

We enjoyed a couple of drinks after the event, and I even visited OGD’s maker space, as invited by Mark van der Lars.

Thank you

Thank you to the Dutch Windows Management User Group for organizing this meetup at my former employer and inviting me as a speaker. Thank you to all the attendees and the people behind the technology panel that night.


Video of my AppManagEvent 2019 session is now available


On Friday October 11, 2019, I presented a 45-minute session. The session was titled ‘Identity, the solid base for your organization’s future’. I presented the session in the context of Professional Development Systems’ 2019 edition of AppManagEvent in Utrecht.

Recent IT disasters have proven that there’s no such thing as a safe network. Firewalls continue to lose their value. Munchhausen by proxy has got a whole new meaning. However, a new perimeter has arisen, focusing on the individuals in your organization and their behavior, but with extensive auditing and near-real-time mitigating measures: Identity. I explain it all in this session.

The session was live-recorded and made available, for everyone to enjoy with subtitles:

 

Thank you

Thank you to PDS for organizing AppManagEvent 2019 and inviting me as a speaker. They have also made the recording publicly available.


Asked questions at VeeamON Virtual 2019


VeeamOn Virtual 2019

Last week, I had the pleasure of being one of the experts in the VeeamON Virtual Expert Lounge for both the APAC and Americas events. I also attended the Europe event.

In this blogpost, I’m sharing some of the questions we received and answered, so we can all benefit.

Licensing

The following questions were asked regarding Veeam licensing:

How does licensing work for workstation backup? We currently use the free version for workstations, and the enterprise edition for our VMware virtual machines.

Workstations are protected with Veeam Universal licenses, which are sold in bundles of 10. 1 license will protect 3 workstations, 1 Server, 1 VM, 1 Enterprise app, or 250GB of NAS. Take a look at the editions comparison to determine which edition will work best for you.

We are running per socket perpetual licensing now. We need 10 additional socket licenses. Can we still buy these licenses or are these converted in Universal Licenses?

Perpetual licensing with Veeam is still possible. You can still license sockets. No licenses are automatically converted to the Veeam Universal Licensing (VUL) scheme. License administrators can convert licenses at will in the customer portal.

 

Tiers and protection

The following questions were asked regarding scale-out backup repositories, the cloud tier and Cloud Connect:

Is there a Veeam CSP target option for capacity/cloud tier?

If you are running a public S3-compatible platform, that can be a target for the Object Storage Repository. Otherwise you would be looking at offering Cloud Connect Backup as an offsite Cloud Repository.

Can the Cloud Connect Repo act as object storage for the cloud tier?

Cloud Connect is a separate technology outside of the Scale Out Backup Repository (SOBR) functionality.

Regarding avoiding Ransomware issues, what is the recommended way to setup my environment? Should the backup server be added to the domain or not? What other things do you recommend?

Anton Gostev’s blogpost here sheds some more light and provides links to the smart choices you can make. Remember that these choices may also negatively impact the backup, management and restore processes.

Does Veeam plan to integrate the Kaspersky solution with Secure Backup?

As far as Kaspersky is manageable with a CLI you can use it with Secure Restore, right now.

It was being talked about that you could now restore a backed up physical server straight to a VM on vSphere. Is that same ability available for Hyper-V?

Yes, when you create agent-based backups you can restore wherever you need.

Cloud

The following questions were asked regarding backing up and restoring cloud services, like Office 365 and Azure Stack:

Are we able to back up Office 365 to on-premises disk storage?

Veeam Backup for Microsoft Office 365 (VBO) is Veeam’s standalone product to create backups of data in Office 365 to on-premises storage. It creates backups of data in Exchange Online, SharePoint Online, OneDrive for Business and Teams. Here’s more information.

Are there any performance increases with VBO v4?

Yes, there are significant performance improvements for both SharePoint and OneDrive. It uses multiple accounts to overcome per account throttling.

Will Veeam Backup for Office 365 v4 be able to restore Teams better than Veeam Backup for Office 365 v3?

There is no change in the way VBO v4 restores Teams data compared to VBO v3.
Veeam is aware of certain limitations, like restoring a file attachment in a teams chat (restoring the chat including attachments). This functionality is currently missing in the Office 365 APIs.

How about Azure AD backup, are we able to backup to on-premises storage and restore it in the on premises host?

Not at the moment. Be mindful of the attributes that reside only in Azure AD.

Is Veeam B&R able to communicate with the old Azure Stack or the new Azure Stack HCI?

Yes. Azure Stack HCI leverages Storage Spaces Direct (S2D). This is supported with VBR and not a problem at all – just like any other Hyper-V cluster deployment. The product formerly known as Azure Stack is now called Azure Stack Hub and requires agent-based backups in Veeam. There are now three products from Microsoft with the Azure Stack moniker:

  1. Azure Stack Edge, a cloud-managed appliance with use cases like Machine Learning on-premises, IoT solutions and network data transfer
  2. Azure Stack HCI, a Hyper-converged Infrastructure (HCI) solution to run virtual machines and use Windows Admin Center to connect to Azure for cloud services
  3. Azure Stack Hub, a cloud-native integrated system for disconnected scenarios, data sovereignty and application modernization, leveraging consistent Azure services and APIs.

When will immutable backup repositories be available for Azure like it will be for AWS?

Microsoft recently announced write-once, read-many (WORM) Azure storage. However, the feature in Azure offers container-level lock functionality, whereas the AWS feature offers object level locks. Azure’s current functionality would not be very cost-effective for incremental backups.

 

Miscellaneous

The following miscellaneous questions were asked and answered:

For a backup repository, what is the maximum size?

There isn’t a maximum disk size for a backup repository as such. It’s dictated by your storage and the filesystem type. If you are facing disk and storage constraints, you can extend to object storage via Veeam’s Cloud Tier, built into the Scale-Out Backup Repository (SOBR) functionality.

How do we know that Veeam Backup is backing up valid data, not corrupted data?

Veeam Backup and Replication (VBR) creates backups. In the backup process there is no true check if the right data and sufficient data is backed up. However, VBR offers the SureBackup functionality, that allows you to restore a backup for a test scenario. You can run automated tests to this restore and test if the VM is indeed restorable (sufficient data) and restores as intended (the right data).

Can we backup VMs configured for Near Sync via the Nutanix API?

No. It seems to be a limitation in Nutanix, not Veeam, so it might be better to ask if Nutanix will support it soon. Nutanix version 5.10 still uses lightweight snapshots, which do not support changed block tracking, which is what Veeam and other backup solutions use to determine what needs to be backed up and what already has been.

I recently added a SAN to the Veeam Server in the Infrastructure Settings. As soon as it was connected and Veeam had finished doing the Inventory it looks like all our existing backup jobs started using the SAN for creating the snapshots. I did not change any of the backup job settings. Is there a way in the backup job to turn off the ability to use the SAN for snapshots and force it to use the usual way and have Veeam create the snapshot in vCenter?

The backup job now uses the Backup from storage snapshot option. If Veeam Backup & Replication (VBR) detects a supported storage array, it turns on the integration automatically. To return to the previous backup method, disable the option.

I’m looking at offsite Veeam Copy\Replication with 2 EMC Dedupe boxes. Is it better to use native replication or Veeam Copy?

We always recommend using Veeam Backup Copy Jobs. In this case Veeam Backup & Replication is aware that every single block made it offsite successfully. There’s no such ‘insurance’ if you use native deduplicated replication.

  

Concluding

It is clear that Veeam succeeded in getting the possibilities of cloud into the heads of the attendees at VeeamON Virtual this year.

In cloud scenarios things change faster, and Veeam depends on the API capabilities offered by the cloud vendors.

The latter has always been the case, even when they started out with VMware vSphere. The difference today seems to be that vendors of hyperscale cloud platforms catch the eyeballs of people faster and entice them faster, but lag in API support. The number of organizations on the platform demanding improvements dictates the development of secondary goals like API management.

Large cloud vendors get away with it, today. With its reputation of being a cutting-edge and agile data protection vendor, Veeam now sometimes takes the hit, while from a secure development point of view, they’re walking the right path: the API path.


Video of my Active Directory session at VMworld Europe is now available


VMware VMworld Europe 2019

On November 7, 2019, I presented a 60-minute session with Deji Akomolafe. The session was titled ‘Virtualize Active Directory the right way’. We presented the session in the context of VMware’s VMworld Europe 2019 event in Barcelona.

Active Directory Domain Services (ADDS) allows organizations to deploy a scalable and secure directory service for managing users, resources, and applications. Although virtualizing Domain Controllers has been a simple and supported operation for many years, many organizations have been very reluctant to do so.

Organizations have struggled to understand how to properly navigate and avoid the multiple pitfalls (such as synchronization, convergence, security, time management, availability, and data integrity) inherent in virtualizing a production, enterprise-level Active Directory Domain Services (AD DS) infrastructure. Even when they have virtualized their Domain Controllers, administrators still worry about the security, safety, and integrity of their AD DS infrastructure.

Watch this session to see how to virtualize AD the right way:

 

Thank you

Thank you to VMware for organizing VMworld Europe 2019 and inviting me as a speaker. VMware have also made the recording publicly available. Thank you to Deji for co-presenting this session with me.


HOWTO: Enable Extended Protection for Authentication on the AD FS Farm


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the extended protection for authentication feature with AD FS.

Note:
This blogpost assumes you’re running AD FS Servers as domain-joined Windows Server 2016 Server Core installations. The same information applies to AD FS Servers running Windows Server 2016 with Desktop Experience (Full).

 

Why look at Extended Protection for Authentication

To help secure your Hybrid Identity deployments, you can set and use the extended protection for authentication feature with AD FS. This setting specifies the level of extended protection for authentication supported by the AD FS servers in the farm.

Reasons why

Extended protection for authentication helps protect against Man-in-the-Middle (MitM) attacks. In this type of attack, a malicious person intercepts client credentials and forwards them to a server. Protection against such attacks is made possible through a Channel Binding Token (CBT) which can be either required, allowed, or not required by the server when it establishes communications with clients.

Extended Protection for Authentication aims to prevent this type of credential relay. It does this by implementing a protocol based on RFC 5056, “On the Use of Channel Bindings to Secure Channels”: the client binds its authentication to the outer TLS channel, so credentials intercepted on one channel cannot be replayed successfully on another.

Possible negative impact (What could go wrong?)

When the client doesn’t support the Channel Binding Token (CBT), the authentication will fail. As Windows Authentication is the first negotiated authentication method for the intranet, clients will use this authentication method by default. When this type of authentication fails, the client may resort to other authentication methods, like Forms authentication, Certificate authentication, Device authentication or Microsoft Passport authentication, if enabled.

Note:
By default, Forms authentication, Windows Authentication and Microsoft Passport authentication are enabled as authentication methods for the intranet on Windows Server 2016-based AD FS farms.

Windows 7 and up, and Windows Server 2008 R2 and up support the feature and have the feature enabled, by default. However, older Windows clients, that have not received KB968389, do not support the feature.

Chrome and Firefox don’t support the Extended Protection for Authentication feature.

 

Getting ready

To enable the Extended Protection for Authentication feature, make sure to meet the following requirements:

Information requirements

If you expect clients to fail integrated Windows authentication when you enable the Extended Protection for Authentication feature, it is wise to assess the impact clearly. You can do so with a test Windows Server that runs Internet Information Services (IIS) version 7.5 or up, and configure it with Extended Protection for Authentication using the steps described here.

The information gathered this way clearly defines the scope and impact. Then, an informed choice can be made to enable it, or not.

System requirements

Make sure the AD FS servers are installed with the latest cumulative Windows Updates.

Privilege requirements

Make sure to sign in with an account that has privileges to manage the AD FS farm. In case of Windows Internal Database (WID) as the storage method for the AD FS Configuration database, sign in with an account that has local administrator privilege on the primary AD FS server.

Who to communicate to

As the AD FS servers operate as part of a chain, notify all stakeholders in the chain. This means sending a heads-up to the load balancer guys and gals, the networking guys and gals, the rest of the Active Directory team and the teams that are responsible for Azure AD, Office 365 and cloud applications. It’s also a good idea to talk to the people responsible for backups, restores and disaster recovery.

As the Extended Protection for Authentication feature is an AD FS feature that mainly impacts client systems, go and have a chat with the people responsible for managing workstations in the organization. Do they see the same things in terms of scope and impact?

 

Enabling Extended Protection for Authentication

When all stakeholders are informed and the organization is in agreement that the Extended Protection for Authentication feature adds value, perform these steps:

 

Check the Extended Protection feature

Check the Extended Protection for Authentication feature status by running the following line of Windows PowerShell:

Get-ADFSProperties | Select ExtendedProtectionTokenCheck

 

On an AD FS farm running Windows Server 2016 and/or Windows Server 2019 AD FS servers with default settings, the above line of Windows PowerShell would return Allow.

This means the AD FS servers in the farm are partially hardened, because Extended Protection for Authentication is enforced only when clients have been patched to support it.

 

Configure Extended Protection for Authentication to Require

To fully harden the AD FS farm, set the Extended Protection for Authentication feature to Require by running the following line on an elevated Windows PowerShell prompt:

Set-ADFSProperties -ExtendedProtectionTokenCheck Require


Testing Extended Protection for Authentication

After enabling the Extended Protection for Authentication feature, it’s time to test. Everyone involved should sign off (not literally, unless that’s procedure) on the correct working of the AD FS servers. Does authentication to cloud applications still work? Is the user experience on down-level clients and non-Microsoft browsers still adequate?

 

Rolling back Extended Protection to default settings

In the case of the Extended Protection for Authentication feature, this security feature can stand in the way of user satisfaction. If so, you might need to roll it back.

To roll back the AD FS farm in terms of the Extended Protection for Authentication feature, use the following line on an elevated Windows PowerShell prompt:

Set-ADFSProperties -ExtendedProtectionTokenCheck Allow

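As an added example that is not part of the original post, the following Windows PowerShell wraps the check, the change to Require and the roll-back from the steps above into two functions; it also reads the intranet authentication providers with Get-AdfsGlobalAuthenticationPolicy, so you can see up front which methods clients will fall back to when Windows Authentication fails. It assumes the ADFS module is loaded on the primary AD FS server; the function names Get-EpaState and Set-EpaTokenCheck are my own, not part of the AD FS cmdlets.

```powershell
# Added example, not from the original post or the AD FS product.
# Assumes: running elevated on the primary AD FS server with the ADFS module available.

function Get-EpaState {
    # Reports the current token check level together with the intranet
    # authentication providers, so the fallback path (Forms, Windows, Passport...)
    # is known before Extended Protection is tightened.
    $props  = Get-AdfsProperties
    $policy = Get-AdfsGlobalAuthenticationPolicy
    [pscustomobject]@{
        ExtendedProtectionTokenCheck    = $props.ExtendedProtectionTokenCheck
        IntranetAuthenticationProviders = $policy.PrimaryIntranetAuthenticationProvider
    }
}

function Set-EpaTokenCheck {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('None', 'Allow', 'Require')]   # the three levels AD FS accepts
        [string]$Level
    )
    $before = (Get-AdfsProperties).ExtendedProtectionTokenCheck
    if ($before -eq $Level) {
        Write-Host "ExtendedProtectionTokenCheck is already $Level; nothing to do."
        return
    }
    # Remember the previous level so the roll-back is a single call.
    $script:PreviousEpaLevel = $before
    Set-AdfsProperties -ExtendedProtectionTokenCheck $Level
    # Re-read the farm setting instead of trusting the call succeeded.
    $after = (Get-AdfsProperties).ExtendedProtectionTokenCheck
    if ($after -ne $Level) {
        throw "Expected ExtendedProtectionTokenCheck=$Level but the farm reports $after"
    }
    Write-Host "ExtendedProtectionTokenCheck changed from $before to $after."
    Write-Host "Roll back with: Set-AdfsProperties -ExtendedProtectionTokenCheck $before"
}

# Usage: inspect, harden, then test with down-level clients and non-Microsoft browsers.
Get-EpaState | Format-List
Set-EpaTokenCheck -Level Require

# If testing shows unacceptable impact, return to the Windows Server 2016 default:
# Set-EpaTokenCheck -Level Allow
```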

Concluding

Windows Server 2016, by default, comes with the Extended Protection for Authentication feature enabled, but not fully hardened. Configure Extended Protection for Authentication to Require to get the most out of it.

Further reading

MSRC – Extended Protection for Authentication
Windows Extended Protection <extendedProtection>
Is disabling the ADFS ExtendedProtectionTokenCheck setting required for allowing Firefox and Chrome users to authenticate?


What’s New in Veeam Backup for Microsoft Office 365 version 4


Veeam Backup for Microsoft Office 365

Since August 2016, this blog features news on Veeam Backup for Microsoft Office 365. We’ve been implementing this awesome Veeam product at customers ever since version 1.5 and validated the Office 365 contingency plan vision with Veeam repeatedly.

This week marks the release of version 4 of Veeam Backup for Microsoft Office 365, so let’s look at what’s new and improved!

 

What’s New

Veeam lists the following improvements in Veeam Backup for Microsoft Office 365 version 4:

 

Object storage support

Veeam Backup for Microsoft Office 365 v4 delivers a cloud-optimized deployment option, targeted at cloud-first companies. Using object storage, these organizations can deploy Veeam Backup for Microsoft Office 365 in a cloud-native way, by leveraging cost-efficient cloud-based object storage to store their Microsoft Office 365 data.

Popular object storage providers, including Amazon’s AWS S3, Microsoft’s Azure Blob storage and IBM Cloud, but also S3-compatible providers are supported in this release.

When organizations choose to use object storage to store backups of Microsoft Office 365 data, they can:

  • Reduce costs of storage, because they only pay for what they consume
  • Benefit from unlimited scalability with unlimited storage capacity
  • Simplify their deployments using public cloud providers with no complex planning.

The new Cloud Credential Manager feature can be used to maintain the list of object storage accounts. This allows for easy changes of credentials without having to change the configuration of the object storage manually.

 

Increased Information security

Veeam Backup for Microsoft Office 365 version 4 provides added security to backups with at-rest encryption for Office 365 data in object storage. Organizations can be sure their data is secure and protected, as data in object storage is protected with AES 256-bit encryption when this option is enabled.

The new Password Manager feature can be used to maintain passwords used for this encryption.

 

Faster backup performance

With Veeam Backup for Microsoft Office 365 version 4, organizations can achieve faster backup performance for SharePoint Online and OneDrive for Business data. This significantly shortens the backup windows for Microsoft Office 365 data and helps deliver more easily on RTOs and RPOs.

Microsoft throttling mechanisms become a challenge when it comes to backup of SharePoint Online and OneDrive for Business data. Microsoft throttles backups once you hit a certain number of requests from a single service account in a certain period, regardless of the number of backup proxies.

Veeam Backup for Microsoft Office 365 version 4 leverages multiple auxiliary backup accounts to distribute the load on Microsoft Office 365 servers and significantly reduce the risk of backups throttling.

The Limit network bandwidth option in version 3 in the backup proxy properties dialogue has been updated to Throttle network traffic to in version 4 to correctly reflect this feature.

 

Exclude retention for contacts and calendars

This feature allows admins to protect all contacts and calendar items for as long as an associated mailbox is protected and skip these items from the retention cleanup.

 

Group-based targeting

Backup jobs for Veeam Backup for Microsoft Office 365 can be configured with non-mail-enabled Office 365 security groups as a source. This applies to synchronized groups, security groups created in Azure Active Directory and groups created in Office 365.

 

Enhanced reporting

The enhanced Mailbox Protection report now includes protection statistics for Office 365 Group, Public, Shared and Resource (Equipment/Room) mailboxes.

 

Version information

This release of Veeam Backup for Microsoft Office 365 is version 4.0.0.1345 and marks the first Generally Available version of the version 4 branch. It was signed off on November 26th, 2019.

 

Download

Download version 4.0.0.1345 of Veeam Backup for Microsoft Office 365 here. The download weighs 29,5 MB. Alternatively, to protect fewer than 10 mailboxes and 1 TB of SharePoint data, the free Veeam Backup for Microsoft Office 365 Community Edition can be downloaded and utilized.

 

Concluding

Veeam Backup for Microsoft Office 365 version 4 is a major update to the product. Recently it became clear to me that the product is of significant importance to Veeam and that it exhibits the strategy and UI for Veeam products to come.

 

Further reading

Veeam Backup for Microsoft Office 365 v4
Object storage in NEW Veeam Backup for Microsoft Office 365 v4
Release Notes for Veeam Backup for Microsoft Office 365 v4
Download Veeam Backup for Microsoft Office 365 v4

 

Related blogposts

Your Exchange Online Contingency Plan is here with Veeam Backup for Office 365
Veeam Backup for Office 365 version 2 expands on earlier Cloud Protections
Veeam Backup for Office 365 now offers support for the Baseline Policy ‘Require MFA for Admins’

The post What’s New in Veeam Backup for Microsoft Office 365 version 4 appeared first on The things that are better left unspoken.

Azure AD Connect version 1.4.38.0 offers some bug fixes


Azure AD Connect

It’s time for a new version of Azure AD Connect to incorporate Microsoft’s lessons learned and distribute the fixes Microsoft made to the larger public. Last Friday, Microsoft released the fourth version in the 1.4 branch of Azure AD Connect: v1.4.38.0.

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

 

What’s New

Microsoft made the following improvements:

Password Hash Sync

Microsoft updated Password Hash Sync (PHS) for Azure Active Directory Domain Services to properly account for padding in Kerberos hashes. This provides a performance improvement during password synchronization from Azure Active Directory to Azure Active Directory Domain Services.

Pass-through Authentication

Microsoft added support for reliable sessions between the authentication agent and the Azure service bus when Pass-through Authentication (PTA) is used as the authentication method.

This release of Azure AD Connect enforces TLS 1.2 for communications between the authentication agent and Azure AD when Pass-through Authentication (PTA) is used as the authentication method.

Microsoft added a DNS cache for websocket connections between the authentication agent and Azure AD when Pass-through Authentication (PTA) is used as the authentication method.

Microsoft added the ability to target a specific agent from the cloud to test for agent connectivity.

Seamless Single Sign-on

Release 1.4.18.0 introduced a bug where the PowerShell cmdlet for Seamless Single Sign-on (also known as Desktop SSO) was using the credentials of the logged-on Windows user instead of the admin credentials provided. As a result, it was not possible to enable Seamless Single Sign-on in multiple forests through the Azure AD Connect Configuration Wizard.

A fix was made to enable Seamless Single Sign-on (also known as Desktop SSO) simultaneously in all forests through the Azure AD Connect Configuration Wizard.

 

Version information

This is version 1.4.38.0 of Azure AD Connect.
This release in the 1.4 branch for Azure AD Connect was made available for download on December 6, 2019.

 

Download information

You can download Azure AD Connect here.
The download weighs 91.0 MB.

The post Azure AD Connect version 1.4.38.0 offers some bug fixes appeared first on The things that are better left unspoken.


Knowledgebase: When you enable DNS debug logging to removable media, the DNS Service no longer starts


KnowledgeBase

Sometimes, Microsoft products have a way of their own. The Domain Name System (DNS) Service since Windows Server 2003, too, has a nice little quirk that I ran into the other day, and that I'd like to share with you.

 

About DNS debug logging

When you suspect problems with the Domain Name System (DNS) Service, the records it keeps and scavenges, or the errors it encounters but doesn't report in the event logs, you can enable DNS debug logging.

The DNS debug log provides extremely detailed data about all DNS information that is sent and received by the DNS server, similar to the data that can be gathered using packet capture tools such as Network Monitor. Debug logging can affect overall server performance and also consumes disk space, so it is recommended to enable debug logging only temporarily, when detailed DNS transaction information is needed.

 

How to enable DNS debug logging

You can enable DNS Debug logging in three separate ways:

Through the Graphical user interface

To enable DNS debug logging through the Graphical User Interface (GUI), follow these steps:

  • Log in to the DNS Server with an account that has local administrator privileges. When the DNS Server is also a Domain Controller, log on with an account that is a member of the Domain Admins group.
  • Open the Domain Name System Microsoft Management Console (dnsmgmt.msc).
  • In the left pane, right-click the server name and select Properties from the context menu.
    The Properties window appears.
  • Navigate to the Debug Logging tab.

(Screenshot: the Debug Logging tab of the DNS server Properties window)

  • Select the Log packets for debugging option at the top of the tab.
  • Select the rest of the options, as needed.
  • Specify a location to store the logged information.
  • Click the OK button.

Note:
Windows Server 2003 introduced the ability to provide a location for storing the logged information. On Windows 2000 Server, by default, information from DNS debug logging was stored in C:\windows\system32\dns\dns.log

When you’re done, disable DNS debug logging again by following the same steps, but unselecting the Log packets for debugging option.

When you’ve used removable media to store the logged information, you can safely remove it.

On the Command-line

To enable DNS debug logging on the command-line, use the following line on an elevated command prompt, while logged on with an account that has local administrator privileges:

dnscmd.exe localhost /Config /LogLevel 0x6101 /logfilepath E:\DNS.log

 

To disable DNS Debug Logging when you’re done, use the /LogLevel switch with the 0x0 value.

 

The issue

After you’ve used DNS debug logging on removable media, removed the media and then restarted the Windows Server installation acting as DNS Server, the DNS Service no longer starts.

This is indicated by Event ID 7031 with source Service Control Manager in the System log.

 

The solution

Remove the location for DNS debug logging in the registry.

The location used is stored in the LogFilePath value in the following path:
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Remove this value, and the DNS Service starts again without problems.
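The check and the fix above, as an added PowerShell example that is not part of the original post: it reads the LogFilePath value from the registry key named above, tests whether the directory (or removable drive) it points to still exists, and only then removes the value. Running the check before a reboot is the cheap way to avoid the Event ID 7031 surprise. Resetting the LogLevel value is an assumption on my part, taken as the registry counterpart of the dnscmd.exe /LogLevel 0x0 switch from the post; the registry path and the LogFilePath value name are those the post gives.

```powershell
# Added example (not from the original post): audit the DNS Server's configured
# debug log path and remove it when its location no longer exists, so that the
# DNS Service can start again. Run in an elevated PowerShell session on the DNS Server.
$DnsParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsDebugLogPath {
    # Returns the configured LogFilePath, or $null when no debug log path is set.
    $item = Get-ItemProperty -Path $DnsParametersKey -Name 'LogFilePath' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.LogFilePath
}

function Test-DnsDebugLogPath {
    # $true when the parent directory of the log file (e.g. the removable drive E:\) exists.
    param([string]$LogFilePath)
    if ([string]::IsNullOrWhiteSpace($LogFilePath)) { return $true }
    $parent = Split-Path -Path $LogFilePath -Parent
    if ([string]::IsNullOrWhiteSpace($parent)) { $parent = $LogFilePath }   # path was a bare drive root
    return (Test-Path -Path $parent -PathType Container)
}

function Repair-DnsDebugLogPath {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $path = Get-DnsDebugLogPath
    if ($null -eq $path) {
        Write-Output 'No LogFilePath configured; nothing to do.'
        return
    }
    if (Test-DnsDebugLogPath -LogFilePath $path) {
        Write-Output "LogFilePath '$path' points to an existing location; leaving it in place."
        return
    }
    Write-Warning "LogFilePath '$path' is unreachable; the DNS Service would fail to start (Event ID 7031)."
    if ($PSCmdlet.ShouldProcess($DnsParametersKey, 'Remove value LogFilePath')) {
        Remove-ItemProperty -Path $DnsParametersKey -Name 'LogFilePath'
        # Assumption: LogLevel is the registry counterpart of "dnscmd /Config /LogLevel 0x0",
        # so packet logging is switched off along with the stale path.
        Set-ItemProperty -Path $DnsParametersKey -Name 'LogLevel' -Value 0 -Type DWord
        Write-Output 'Removed LogFilePath; start the service with: Start-Service DNS'
    }
}

Repair-DnsDebugLogPath -WhatIf   # dry run; drop -WhatIf to apply the change
```

Run it with -WhatIf first to see what would be removed; the function reports the stale path before touching the registry, and a healthy configuration is left alone.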

 

Concluding

Clearly, there is code that checks the previously configured debug logging location for existence. This code prevents the DNS service from starting when it can’t locate this location.

Further reading

Select and enable debug logging options on the DNS server
Gathering detailed DNS debug logs from AD DNS
Enabling DNS Server Debug Logging
Enable DNS Request Logging for Windows 2003 and above

The post Knowledgebase: When you enable DNS debug logging to removable media, the DNS Service no longer starts appeared first on The things that are better left unspoken.

Video of my Azure AD Connect session at Dutch Windows Management User Group 2019-5 Meet-up is now available


On November 13, 2019, I presented a 30-minute session at the 5th meeting of the Dutch Windows Management User Group for 2019 at the company I called ‘home’ for over 15 years: OGD in Delft. The video of my 30-minute talk on Azure AD Connect is now available for you to watch.

20 million organizations worldwide use Azure AD. The majority of them use Azure AD Connect to synchronize the on-premises Active Directory environment with Azure AD. An organization can realize this in four clicks, but what exactly do you get? And is that sufficient?

In this session I show the possibilities of Azure AD Connect. Possibilities that until recently did not exist, but are certainly worthwhile for many organizations. In addition, I share the experiences of my team, so that you can take the tips, tricks, do’s and especially the don’ts with you to your own (or future) implementations of Azure AD Connect.

Watch this session to learn everything I shared:

Note:
This video is in Dutch, but English subtitles are available on-demand.

 

Thank you

Thank you to the Dutch Windows Management User Group for organizing this meetup at my former employer and inviting me as a speaker. Thank you to OGD for recording the session and making the video available to all the attendees. Thank you to the people behind the technology panel that night.

The post Video of my Azure AD Connect session at Dutch Windows Management User Group 2019-5 Meet-up is now available appeared first on The things that are better left unspoken.

On-premises Identity updates & fixes for November 2019


Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for November 2019:

 

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4525236 November 12, 2019

The November 12 update for Windows Server 2016 (KB4525236), updating the OS build number to 17763.864 is an update that combines security and quality improvements.

While this update contains fixes for several vulnerabilities, some even rated critical, none of them are identity-related.

 

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4523205 November 12, 2019

The November 12 update for Windows Server 2019 (KB4523205), updating the OS build number to 17763.864 is an update that combines security and quality improvements.

While this update contains fixes for several vulnerabilities, some even rated critical, none of them are identity-related.

The post On-premises Identity updates & fixes for November 2019 appeared first on The things that are better left unspoken.

Pictures of the 2019 European SharePoint Conference


#ESPC19

Last week, I delivered two sessions at the European SharePoint Conference in Prague.

Photo: View from the train station at Nieuw Vennep
Photo: Lots of space in the plane

After a day of consulting on Tuesday December 3rd at one of my long-term customers, I traveled to Schiphol airport. My choice to not park at the airport anymore led me to the parking lot near the train station in Nieuw Vennep. A short train ride brought me to Amsterdam Schiphol Airport in time for my flights to Prague.

Photo: The Prague Corinthia Hotel
Photo: Welcome to ESPC19

I arrived late and went to bed. In the morning, I got up early to get to the venue, register and watch Alex Simons’ keynote. The short walk from the Corinthia hotel to the Prague Congress Center allowed for sufficient time to soak up the atmosphere and sun. I must admit we had the best weather you can wish for in Prague in December with an abundance of sun.

Photo: Alex Simons delivering the Identity Keynote at ESPC 19
Photo: Alex Simons explaining Microsoft's zero trust solution (photo by Samir Daoudi)

I prepared for my first session in the speaker room, where I met with a lot of familiar community faces, including Morgan Simonsen, Thomas Vochten, Fabian Williams and Luise Freese.

At 11:45 AM it was time to present on GDPR. The room featured 100 seats, and it was packed with people interested in my experiences with GDPR in the past 17 months.

Photo: Presenting on GDPR (photo by Marleen Madsoleh-van der Meulen)

I thought my abstract made it clear that my session on GDPR was anything but boring, but getting the below feedback from an attendee was still wonderful:

This was nowhere as boring as I expected it to be, based on the topic.

After the session, I scoured the expo for people I know and organizations offering technology I might need.

Photo: Having fun with Julia Ivanova at the Netwrix booth

I ran into Nikola Pejková at the Veeam booth and ran into Julia Ivanova at the Netwrix booth. It was fun to meet the person behind many of the webinars I did in recent years with Netwrix.

Photo: Presenting your Identity Roadmap to 2022 (photo by Julia Ivanova)

At 4:45 PM, I started my second presentation. This session is a helping hand to organizations that want to get the most out of their Microsoft-oriented Identity and Access Management (IAM) investments.

After the session, I went to the hotel to drop my stuff and get ready for the party. We had a great time at Club SaSaZu, but I had to get back to the hotel early for my 5AM ride to the airport.

On Thursday December 5th, I was scheduled to arrive at 11:45 AM at Amsterdam Schiphol Airport, after two short flights with a layover in Paris. However, due to the French strike, full flights, a reroute via Frankfurt and a sick copilot, I eventually arrived at 11:45 PM at Amsterdam…

 

Thank you

Thank you to the European SharePoint Conference Program Team for inviting me as a speaker. Thank you to all the attendees, especially the people in my sessions.

The post Pictures of the 2019 European SharePoint Conference appeared first on The things that are better left unspoken.

What’s New in Azure Active Directory for November 2019

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for November 2019:

  

What’s Planned

Support for the SameSite attribute and Chrome 80

Service category: Authentications (Logins)
Product capability: User Authentication

As part of a secure-by-default model for cookies, the Chrome 80 browser is changing how it treats cookies without the SameSite attribute. Any cookie that doesn’t specify the SameSite attribute will be treated as though it was set to SameSite=Lax, which will result in Chrome blocking certain cross-domain cookie sharing scenarios that apps may depend on. To maintain the older Chrome behavior, apps can use the SameSite=None attribute and add an additional Secure attribute, so cross-site cookies can only be accessed over HTTPS connections. Chrome is scheduled to complete this change by February 4, 2020.

Microsoft recommends that all developers test their apps using this guidance:

  • Set the default value for the Use Secure Cookie setting to Yes.
  • Set the default value for the SameSite attribute to None.
  • Add the additional Secure attribute alongside SameSite=None.
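To make the guidance above checkable, here is an added PowerShell example that is not part of the original post or of Microsoft's release notes. It parses Set-Cookie header values and reports, per cookie, how Chrome 80 will treat it: a cookie without SameSite is defaulted to Lax, and a cookie with SameSite=None but without Secure is rejected outright. The sample headers are constructed for the example; the endpoint URL in the trailing comment is a placeholder.

```powershell
# Added example (not from the original post): audit Set-Cookie headers for the
# Chrome 80 SameSite change. Sample headers below are constructed for this example.
function Test-SameSiteCookie {
    # Takes one Set-Cookie header value and returns an object describing how
    # Chrome 80 treats the cookie and whether the app needs to change it.
    param([Parameter(Mandatory)][string]$SetCookieHeader)

    $parts = $SetCookieHeader -split ';' | ForEach-Object { $_.Trim() }
    $name  = ($parts[0] -split '=', 2)[0]

    # Collect attributes case-insensitively; flag attributes (Secure, HttpOnly) get $true.
    $attrs = @{}
    foreach ($p in ($parts | Select-Object -Skip 1)) {
        $kv = $p -split '=', 2
        $attrs[$kv[0].ToLowerInvariant()] = if ($kv.Count -gt 1) { $kv[1] } else { $true }
    }
    $sameSite = if ($attrs.ContainsKey('samesite')) { $attrs['samesite'].ToString().ToLowerInvariant() } else { $null }
    $secure   = $attrs.ContainsKey('secure')

    if ($null -eq $sameSite) {
        $effective = 'Lax (Chrome 80 default)'          # silently loses cross-site sends
    } elseif ($sameSite -eq 'none' -and -not $secure) {
        $effective = 'Rejected (SameSite=None requires Secure)'
    } else {
        $effective = $sameSite                          # explicit lax / strict / none+secure
    }
    $needsFix = ($null -eq $sameSite) -or ($sameSite -eq 'none' -and -not $secure)

    [PSCustomObject]@{
        Cookie   = $name
        SameSite = if ($null -eq $sameSite) { '(absent)' } else { $sameSite }
        Secure   = $secure
        Chrome80 = $effective
        NeedsFix = $needsFix
    }
}

# Constructed sample headers standing in for a web app's Set-Cookie response lines.
$sampleHeaders = @(
    'session=abc123; Path=/; HttpOnly',                           # no SameSite -> Lax
    'proxysession=def456; Path=/; SameSite=None; HttpOnly',       # None without Secure -> rejected
    'proxysession2=ghi789; Path=/; Secure; SameSite=None; HttpOnly', # the recommended form
    'prefs=dark; Path=/; SameSite=Lax'                            # explicit, unaffected
)
$sampleHeaders | ForEach-Object { Test-SameSiteCookie -SetCookieHeader $_ } | Format-Table -AutoSize

# To audit a live app (placeholder URL), feed it the response's Set-Cookie header values, e.g.
# (Invoke-WebRequest -Uri 'https://app.example.test/' -UseBasicParsing).Headers['Set-Cookie']
```

The two rows marked NeedsFix are the ones the bulleted guidance addresses: either add SameSite=None together with Secure, or accept the Lax default where cross-site use is not required.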

What’s New

Google social ID support for Azure AD B2B collaboration General Availability

Service category: B2B
Product capability: User Authentication

New support for using Google social IDs (Gmail accounts) in Azure AD helps to make collaboration simpler for users and partners. There’s no longer a need for Google-based partners to create and manage a new Microsoft-specific account. Additionally, Microsoft Teams now fully supports Google users on all clients and across the common and tenant-related authentication endpoints.

For more information, see Add Google as an identity provider for B2B guest users.

Microsoft Edge Mobile Support for Conditional Access and Single Sign-on General Availability

Service category: Conditional Access
Product capability: Identity Security & Protection

Azure AD for Microsoft Edge on iOS and Android now supports Azure AD Single Sign-On and Conditional Access:

  • Microsoft Edge single sign-on (SSO): Single sign-on is now available across native clients (such as Microsoft Outlook and Microsoft Edge) for all Azure AD-connected apps and services.
  • Microsoft Edge conditional access: Through application-based Conditional Access policies, users must use Microsoft Intune-protected browsers, such as Microsoft Edge.

Azure AD entitlement management General Availability

Service category: Other
Product capability: Entitlement Management

Azure AD entitlement management is a new identity governance feature, which helps organizations manage identity and access lifecycle at scale. This new feature helps by automating access request workflows, access assignments, reviews, and expiration across groups, apps, and SharePoint Online sites.

With Azure AD entitlement management, Azure AD admins can more efficiently manage access both for employees and for users outside the organization who need access to those resources.

Updates to the My Apps page along with new workspaces Public Preview

Service category: My Apps
Product capability: 3rd Party Integration

Azure AD admins can now customize the way their organizations’ users view and access the refreshed My Apps experience. This new experience also includes the new workspaces feature, which makes it easier for users to find and organize apps.

For more information about the new My Apps experience and creating workspaces, see Create workspaces on the My Apps portal.

New AD FS app activity report to help migrate apps to Azure AD Public Preview

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Azure AD Admins are welcome to use the new Active Directory Federation Services (AD FS) app activity report in the Azure portal. This way, admins can identify which of their apps are capable of being migrated to Azure AD. The report assesses all AD FS apps for compatibility with Azure AD, checks for any issues, and gives guidance about preparing individual apps for migration.

New workflow for users to request administrator consent Public Preview

Service category: Enterprise Apps
Product capability: Access Control

The new admin consent workflow gives Azure admins a way to grant access to apps that require admin approval. If a user tries to access an app, but is unable to provide consent, they can now send a request for admin approval. The request is sent by email, and placed in a queue that’s accessible from the Azure portal to all the admins who have been designated as reviewers. After a reviewer takes action on a pending request, the requesting users are notified of the action.

New Azure AD App Registrations Token configuration experience for managing optional claims Public Preview

Service category: Other
Product capability: Developer Experience

The new Azure AD App Registrations Token configuration blade on the Azure portal now shows app developers a dynamic list of optional claims for their apps. This new experience helps to streamline Azure AD app migrations and to minimize optional claims misconfigurations.

New two-stage approval workflow in Azure AD entitlement management Public Preview

Service category: Other
Product capability: Entitlement Management

Microsoft has introduced a new two-stage approval workflow that allows Azure AD admins to require two approvers to approve a user’s request to an access package. For example, they can set it so the requesting user’s manager must first approve, and then they can also require a resource owner to approve. If one of the approvers doesn’t approve, access isn’t granted.

Automated user account provisioning for additional SaaS apps

Service category: Enterprise Apps
Product capability: 3rd Party Integration

Azure AD admins can now automate creating, updating, and deleting user accounts for these eight newly integrated apps:

New Federated Apps available in Azure AD App gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2019, Microsoft has added these 21 new apps with Federation support to the app gallery:

What’s Changed

New and improved Azure AD application gallery

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Microsoft has updated the Azure AD application gallery to make it easier for admins to find pre-integrated apps that support provisioning, OpenID Connect, and SAML on Azure Active Directory tenants.

Increased app role definition length limit from 120 to 240 characters

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Based on feedback from customers that the 120-character length limit for the app role definition value in some apps and services is too short, Microsoft has increased the maximum length of the role value definition to 240 characters.

 

New hotfix for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2)

Service category: Microsoft Identity Manager
Product capability: Identity Lifecycle Management

A hotfix rollup package (build 4.6.34.0) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2). This rollup package resolves issues and adds improvements that are described in the “Issues fixed and improvements added in this update” section of 4512924 Microsoft Identity Manager 2016 Service Pack 2 (build 4.6.34.0) Update Rollup is available.

The post What’s New in Azure Active Directory for November 2019 appeared first on The things that are better left unspoken.
