The things that are better left unspoken

Azure AD Connect v1.1.749.0 adds Privacy and Security Controls


Azure AD Connect

Last week, Microsoft released version 1.1.749.0 of Azure AD Connect, its free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments to Azure Active Directory.

This version adds privacy controls, additional security controls, a wizard page for device write-back and other miscellaneous fixes.

 

What’s New

Privacy settings and notifications

The team added Privacy Settings for the General Data Protection Regulation (GDPR). For GDPR compliance, Microsoft is required to indicate the kinds of customer data that are shared with Microsoft (telemetry, health, etc.), link to detailed online documentation, and provide a way for customers to change their preferences. This version of Azure AD Connect adds the following:

  • A data sharing and privacy notification on the End-user License Agreement (EULA) page of the Azure AD Connect Wizard when you perform a clean install.
  • A data sharing and privacy notification on the upgrade page when you perform an upgrade.
  • A new additional task, labeled “Privacy Settings”, where admins can change their preferences.

Toggle for application telemetry

Azure AD Connect admins can now switch off the exchange of application telemetry between Azure AD Connect and Azure Active Directory.

Azure AD Health data review

Azure AD Connect Health admins are required to visit the Azure AD Connect Health portal to control their health data settings. Once the service policy has been changed, the agents will read and enforce it.

Device write-back configuration

The Azure AD Connect Configuration Wizard now allows admins to perform Device Write-back configuration actions. A progress bar for page initialization is also added.

Improved General Diagnostics

Microsoft improved the general diagnostics: the troubleshooting task now produces an HTML report, and the full data collection is delivered as a ZIP file containing the text and HTML reports.

Improved reliability of auto-upgrades

Microsoft improved the reliability of the Automatic Upgrade functionality and added additional telemetry to ensure the health of the server can be determined.

Restricted permissions on the AD Connector account

Azure AD Connect now restricts the permissions that privileged accounts have on the AD Connector account. For new installations, the wizard restricts these permissions right after creating the account. This matters because the AD Connector account holds (for Password Hash Sync) the directory replication permissions on the domain; any principal that can reset its password or rewrite its ACL effectively inherits those permissions.

Note:
This change only applies to Express installations of Azure AD Connect and Custom Azure AD Connect installations with an automatically created service account in Active Directory
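To check what this change leaves behind on an existing installation, here is an added example (not from the original post or from Microsoft): a PowerShell script using the RSAT ActiveDirectory module that lists which replication rights the connector account holds at the domain head and which principals can still write to the account object. It assumes the account carries Azure AD Connect's default MSOL_ name prefix.

```powershell
# Added example, not from the original post: audit the AD DS Connector account that
# Azure AD Connect created (the default MSOL_ name prefix is assumed), showing both
# what the account can do and who can take it over.
Import-Module ActiveDirectory

# Well-known control access right GUIDs for directory replication (the rights a DC uses).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$domainDN = (Get-ADDomain).DistinguishedName
$connectorAccounts = Get-ADUser -Filter 'SamAccountName -like "MSOL_*"'

foreach ($acct in $connectorAccounts) {
    "== $($acct.SamAccountName) =="

    # 1. Rights the connector account holds at the domain head. Password Hash Sync
    #    needs the replication rights below, which is what makes this account as
    #    sensitive as a Domain Controller.
    $domainAcl = Get-Acl -Path "AD:\$domainDN"
    $domainAcl.Access |
        Where-Object {
            $_.IdentityReference.Value -like "*\$($acct.SamAccountName)" -and
            $ReplicationRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object { "  holds: " + $ReplicationRights[$_.ObjectType.ToString()] }

    # 2. Principals that can modify the connector account object itself. Compare this
    #    list against your domain's built-in admin groups and SYSTEM: any other
    #    principal with write rights can reset the account's password and use the
    #    replication rights shown above.
    $acctAcl = Get-Acl -Path "AD:\$($acct.DistinguishedName)"
    $acctAcl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner|WriteProperty|ExtendedRight')
        } |
        Select-Object @{ n = 'Principal'; e = { $_.IdentityReference } },
                      ActiveDirectoryRights, IsInherited |
        Sort-Object Principal, IsInherited |
        Format-Table -AutoSize
}
```

Run it from a member server with RSAT as a user who can read the domain head's security descriptor. Inherited entries on the account object point at the OU where the account lives; the 1.1.749.0 change is about cutting exactly those down, so an account created by an older version will typically show a longer list than one created by this version.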

No SA privileges required for clean installations

The Azure AD Connect team changed the installer so it no longer requires SA (SQL Server sysadmin) privileges for a clean install of Azure AD Connect.

Troubleshoot synchronization for a specific object

Microsoft added a new utility to troubleshoot synchronization issues for a specific object. It is available as part of the “Troubleshoot Object Synchronization” option of Azure AD Connect’s Troubleshoot Additional Task. Currently, the utility checks for the following:

  • UserPrincipalName mismatch between synchronized user object in the Active Directory Domain Services (AD DS) environment and the user account in the Azure AD Tenant.
  • If the object is filtered from synchronization due to domain filtering
  • If the object is filtered from synchronization due to organizational unit (OU) filtering

Synchronize the current password hash for a specific user

Microsoft added a new utility to synchronize the current password hash stored in the on-premises Active Directory Domain Services (AD DS) environment for a specific user account.

 

What’s Fixed

Microsoft fixed the timing window on background tasks for the Partition Filtering page when switching to the next page.

Microsoft fixed a bug that caused an access violation during the ConfigDB custom action.

Microsoft fixed a bug to recover from SQL connection time-outs.

Microsoft fixed a bug where certificates with SAN wildcards failed a prerequisite check.

Microsoft fixed a bug which caused miiserver.exe to crash during an Azure AD connector export.

Microsoft fixed a bug which caused a bad password attempt to be logged on a Domain Controller when running the Azure AD Connect wizard to change the configuration.

 

Version information

This is version 1.1.749.0 of Azure AD Connect.
It was signed off on February 17, 2018.

 

Will you get it?

This release is currently distributed to a small and random section of Azure AD Connect tenants that have enabled auto-upgrade. Microsoft intends to expand this group of tenants in the coming weeks until 100% of its auto-upgrade customers have received this release. Microsoft expects to achieve full coverage of auto-upgrade tenants mid March 2018.

When all auto-upgrade tenants have upgraded, Microsoft will release Azure AD Connect version 1.1.749.0 for general download here.

The post Azure AD Connect v1.1.749.0 adds Privacy and Security Controls appeared first on The things that are better left unspoken.


I am a 2018 Veeam Vanguard

$
0
0

Veeam Vanguard

This morning, I received an e-mail from Rick Vanover from Veeam congratulating me on being selected for the 2018 Veeam Vanguard Program by the Veeam Vanguard team.

For me, it means I successfully renewed my previous 2 Veeam Vanguard Awards, dating back to 2016. I still remain one of the three Dutch Veeam Vanguards, together with Joep Piscaer and Arne Fokkema.

I feel honored.

 

About Veeam Vanguards

The Vanguard program is led by the Veeam Technical Product Marketing & Evangelism team and supported by the entire company. It’s a program around the community of Veeam experts that truly get Veeam’s message, understand Veeam’s products and are Veeam’s closest peers in IT.

Veeam Vanguard represent Veeam’s brand to the highest level in many of the different technology communities. These individuals are chosen for their acumen, engagement and style in their activities on and offline.

There’s a full list of Veeam Vanguards here.


I’m speaking at the Amsterdam Microsoft Tech Summit


Microsoft Tech Summit

As part of a global series of events, on Wednesday March 28 and Thursday March 29, Microsoft hosts the Tech Summit in the Amsterdam RAI.

Since, from a global point of view, this event takes place in my backyard, I’ll be there as an Ask the Expert, together with many of my Dutch MVP peers. Additionally, I’ll redeliver my Microsoft Ignite theater session for all to enjoy.

 

About the Microsoft Tech Summit

Microsoft Tech Summit is a free, two-day technical training for IT professionals and developers with experts who build the cloud services across Microsoft Azure, Office 365, and Windows 10.

Whether you know your way around the cloud or are just getting started, learn from over 50 technical training sessions and hands-on labs to help you build your cloud skills. Deep dive into the latest innovations covering a range of topics across Microsoft Azure and the hybrid platform including security, networking, data, storage, identity, mobile, cloud infrastructure, management, DevOps, app platform, productivity, collaboration and more.

Connect with Microsoft engineering experts from Redmond, technology partners and your industry peers who can help you get the most out of the cloud.

Ask us questions at the Enterprise Mobility Booth

At the Amsterdam Microsoft Tech Summit, several booths will be available for you to ask questions on your favorite technologies and products. There are booths for Business Solutions, Office Services, Data Platform, Windows Development, Cloud & Datacenter Management, Azure and Enterprise Mobility.

Ronny de Jong and I are your booth babes for the Enterprise Mobility booth. Sarcastic smile
You can ask us your enterprise mobility questions on Azure Active Directory, Hybrid Identity, Azure Information Protection, Cloud App Security, Advanced Threat Analytics, Advanced Threat Protection and Intune.

We’ll both be around both days, but alternating our presence at the booth.

 

About my presentation

I’ll redeliver my 20-minute theater session from Microsoft Ignite:

Four most common mistakes with AD FS and Hybrid Identity

Theater, Thursday March 29, 1:30PM

Many organizations have deployed Active Directory Federation Services. Working with them revealed a pattern of common misconfigurations and misconceptions on deployment and management of AD FS, resulting in serious problems. Here’s our top four from the field, so you won’t have to experience them.

Did you miss one of the best-rated theater sessions at Microsoft Ignite 2017? No worries, here’s your redelivery.

 

Join us!

Registration for the Amsterdam Microsoft Tech Summit is free, and there’s still (a couple of) tickets available.

I hope to see you in Amsterdam!


Veeam Availability Suite 9.5 Update 3 offers great functionality


Veeam Availability Suite 9.5 Update 3

In many organizations, when a vendor releases an update to their product, no one bats an eye. However, when a new version is released, suddenly, everything must change.

On one hand, we’re seeing massive breaches due to this budgeting, political or scheduling game, because organizations simply don’t install minor security updates. On the other hand, we’re seeing organizations miss out on incredible functionality, delivered as part of these same updates. In some rare cases, like Exchange Server 2016’s Cumulative Update 7, we’re seeing huge barriers to adoption because of an Active Directory Forest Functional Level requirement.

I’ll admit I’m part of the problem, too.

Long ago, I’ve stopped installing updates in the same week they are released. I still feel I’m installing updates in a timely fashion, since I’m installing them in the same month they’re released or the same quarter for non-critical infrastructure. However, when everyone would follow that path, we would still have the problem of out of whack and pulled updates… just one week or two weeks later…

 

Our experiences with Update 3

Although Veeam Availability Suite 9.5 Update 3 was released nearly two months ago, and Veeam’s update notification service has been alerting for it for the last month, I’ve only recently started rolling it out to our Veeam Backup and Replication implementation.

This has been an undivided joy and brought incredible functionality.
Below are our experiences:

Centralized management

As you may recall, Veeam’s starting point was backup for virtual machines on VMware-based virtualization platforms. With Veeam Availability Suite 9.5 Update 3, Veeam has centralized data protection for physical, virtual and multi-cloud workloads.

You can now deploy and manage Veeam Agent for Microsoft Windows installations, directly from the Veeam Backup and Replication console and deploy and manage Veeam Agent for Linux installations, directly from the Veeam Backup and Replication console, too.

This is a big change to the way the Veeam Agents operated before. Previously, you had to deploy the Veeam Agents manually (or by script) and manage them individually, although you could have them write backups to the same Veeam backup repository you use for your virtual infrastructure.

This approach of a single pane of glass adds profound productivity to our backup admin team.

Additional licenses

With the release of Update 3, Veeam has sent all Veeam customers a 6 months no-cost license key for Veeam Agents for Windows and Linux, as well as for Veeam Backup for Office 365. This is to help organizations run an extended evaluation to see if they can completely replace whatever legacy backup solutions they’re using for those remaining physical servers, cloud instances and Microsoft Office 365 with Veeam.

 

Concluding

Veeam Availability Suite 9.5 Update 3 contains many more features and fixes, but the ones above are the ones important to us. Needless to say, I feel Update 3 is a major update that any mixed organization using Veeam should install.

We encountered no issues in our setup.

Note:
We kept using our current SQL Server cluster, so the new support for SQL Server 2017 wasn’t something we’d use, but it’s good to know Veeam supports it when we upgrade the SQL Cluster later this year.

Note:
Direct Restore to Azure is currently not a part of our Veeam availability strategy.

Related blogposts

The Veeam Agent for Microsoft Windows Free is amazing. Let me tell you why.
Your Exchange Online Contingency Plan is here with Veeam Backup for Office 365

Further reading

Veeam Backup and Replication 9.5 Update 3 Released New Features
Veeam Backup & Replication 9.5 Update 3 New Features


KnowledgeBase: You receive error 801c0003 when you try to Azure AD Join a device during the Out-of-the-Box Experience (OOBE)


Sometimes, error codes for Microsoft products and technologies are anything but straightforward. In situations where you have limited to no troubleshooting options, like the Windows Out-of-the-Box Experience (OOBE), this makes the problem hard to solve.

Today, let’s look at one of the most common errors you might encounter when you try to Azure AD Join a Windows 10-based device:

Something went wrong. This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code 801c0003 (click for original screenshot)

 

The situation

For any organization using an Azure Active Directory tenant, Azure AD Join is enabled by default. This functionality allows your users to designate the Windows installation on devices they trust, as trusted device for single sign-on (SSO). The only thing these users, by default, need is a user object in Azure Active Directory.

Windows 10 offers two built-in methods for users to join their devices to Azure AD:

  1. In the Out-of-the-Box Experience (OOBE)
  2. In the Settings app

In both situations, the user account used for the Azure AD Join gains local administrator privileges, as Azure AD Join is seen as a Bring Your Own Device (BYOD) scenario by Microsoft.

 

The error

When a person tries to register another Windows 10 device to Azure AD using their user account, he or she receives an error stating:

Something went wrong.

This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code 801c0003 (click for original screenshot)

 

The cause

The person receives the error, because he or she has reached the limit of maximum allowed devices to Azure AD Join.

By default, Azure Active Directory enforces a limit of 20 devices for any user object to join. It even enforces this limit on privileged users, like users with the Global Admin role.

This arbitrary value was chosen, because, by default, Azure AD-joined devices are not removed after an idle time-out. It closely resembles the default behavior of the 10-devices limit in Active Directory Domain Services (AD DS) for non-admins, but because Azure AD is at least twice as good as good ol’ AD DS, I guess the team settled on 20.

For organizations using Microsoft Intune and automatic device enrollment, the 20-device limit makes sense, because of the restrictions in licensed devices within Intune licenses assigned to users.

 

The solutions

As an admin, you can prevent the error from occurring in four separate ways:

Disable Azure AD Join

We encounter Azure AD usage like Azure AD Join in many organizations that have simply synchronized objects from Active Directory Domain Services to enable access to Office 365. Their admins would typically have chosen to use Express Settings with Azure AD Connect and go with Azure AD’s default settings, which results in the scenario where every user can use this functionality, without any admin oversight.

To disable Azure AD Join, follow these steps:

  • Open your browser and navigate to https://portal.azure.com
  • Sign in with a user account in your Azure Active Directory tenant with at least Global Administrator privileges. Perform multi-factor authentication, when prompted.
  • In the left navigation pane, click Azure Active Directory.
  • In the new pane that emerges, click Devices.
  • In the Devices pane, click Device settings.
  • Select None for the switch labeled Users may join devices to Azure AD. This will apply to all Windows 10-based devices
  • Select None for the switch labeled Users may register their devices with Azure AD. This will also disable Azure-based Workplace Join for iOS and Android devices, as well as legacy Windows versions like Windows 7 and Windows 8.1.
  • Click Save.
  • Close the browser.

This way, as an admin, you don’t have to deal with these settings just yet. Note, however, that the above two switches do not apply to device synchronization in Azure AD Connect.

Make users join their own devices

In other organizations, admins may use their account to Azure AD join devices. This way, they circumvent the default BYOD behavior of local admin rights to the user account belonging to the person joining the device.

Indeed, the admin is the only person with local administrator rights on these devices, but it breaks the model in organizations that (later on decide to) implement Microsoft Intune.

Although every Microsoft feature, product and technology is used in ways that wasn’t envisioned by Microsoft, this is not a feature you want to abuse this way. When you want to leverage Azure AD Join, allow your users to join their devices using their user accounts.

Up the device limit

Of course, you can also up the Azure AD Join device limit. Follow these steps to do so:

  • Open your browser and navigate to https://portal.azure.com
  • Sign in with a user account in your Azure Active Directory tenant with at least Global Administrator privileges. Perform multi-factor authentication, when prompted.
  • In the left navigation pane, click Azure Active Directory.
  • In the new pane that emerges, click Devices.
  • In the Devices pane, click Device settings.
  • Select your favorite number for the value labeled Maximum number of devices per user. Values include 5, 10, 20, 50, 100 and Unlimited.

Change the Azure AD Join Device Limit (click for the original screenshot)

  • Click Save.
  • Close the browser.

Delete some devices

Another way is to delete some of the devices from Azure AD for the person encountering the error. As there is no way for users to self-manage their Azure AD-joined device, you can channel your inner BOFH and delete some of the devices the person no longer needs(and their associated BitLocker recovery information).

Perform these actions:

  • Open your browser and navigate to https://portal.azure.com
  • Sign in with a user account in your Azure Active Directory tenant with at least Global Administrator privileges. Perform multi-factor authentication, when prompted.
  • In the left navigation pane, click Azure Active Directory.
  • In the new pane that emerges, click Devices.
  • Either Search by name from the top bar, or sort the information on devices using the Owner field.
  • Select a device at random or confer with the person on a suitable device. Click on the three little dots at the end of the line for your device of choice. Select Delete from the context menu.
  • Close the browser.
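The same clean-up from PowerShell, as an added example that is not part of the original post: it lists the devices a user owns in Azure AD with their last sign-in, and removes the stalest ones only when the user is actually at the limit and only when you switch the dry run off. It assumes the AzureAD PowerShell module and an account with the same rights the portal steps require; the UPN, the limit and the number of devices to keep are placeholders.

```powershell
# Added example, not from the original post. Lists the devices a user owns in
# Azure AD (oldest sign-in first) and removes the stalest ones so the user gets
# back under the per-user device limit. Assumes the AzureAD module
# (Install-Module AzureAD). UPN, limit and keep count are placeholders.
Import-Module AzureAD
Connect-AzureAD

$userPrincipalName = 'someone@domain.tld'   # placeholder
$deviceLimit       = 20                     # Azure AD default at the time of writing
$keep              = 15                     # leave headroom for the next join
$dryRun            = $true                  # set to $false to actually delete

$user    = Get-AzureADUser -ObjectId $userPrincipalName
$devices = @(Get-AzureADUserOwnedDevice -ObjectId $user.ObjectId |
    Sort-Object ApproximateLastLogonTimeStamp)   # $null (never signed in) sorts first

"$userPrincipalName owns $($devices.Count) device(s); the limit is $deviceLimit"
$devices |
    Select-Object DisplayName, DeviceOSType, DeviceOSVersion, DeviceTrustType,
                  ApproximateLastLogonTimeStamp, ObjectId |
    Format-Table -AutoSize

# Only act when the user is actually at or over the limit.
if ($devices.Count -ge $deviceLimit -and $keep -lt $devices.Count) {
    $stale = $devices | Select-Object -First ($devices.Count - $keep)
    foreach ($d in $stale) {
        # Deleting the device object also discards BitLocker recovery keys escrowed
        # to it; export those first if the device might still be in use.
        "Removing $($d.DisplayName) (last seen: $($d.ApproximateLastLogonTimeStamp))"
        if (-not $dryRun) {
            Remove-AzureADDevice -ObjectId $d.ObjectId
        }
    }
}
```

Run it once with the dry run on and confer with the person about the printed list before running it for real; a device that never signed in after registration sorts to the top and is usually a safe first candidate.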

 

Concluding

As an admin you can help colleagues encountering error 801c0003 when they try to Azure AD Join another device in the Out-of-the-Box Experience (OOBE) in several ways.

Further reading

Managing devices using the Azure portal
Error code 801c0003


Pro Tip! Use the claim rules from ADFSHelp for your ‘Office 365 Identity Platform’ Relying Party Trust


Whenever I talk about the claim rules in Active Directory Federation Services (AD FS) for the ‘Office 365 Identity Platform’ Relying Party Trust (RPT), between the on-premises AD FS implementation and Azure AD, I get the following question:

How do we manually set up the advanced claim rules that Azure AD Connect configures automatically?

Let’s look at the ways to set up the Relying Party Trust and how to do it in a way that benefits you and your organization the most.

 

About Relying Party Trusts

Active Directory Federation Services (AD FS) utilizes Relying Party Trusts (RPTs) to define trust relationships between applications (and sometimes identity hubs, towards their applications) and itself, as a security token service for its identity provider (IdP), which most of the times is Active Directory Domain Services (AD DS).

Whenever a person accesses an application that has a Relying Party Trust (RPT) in AD FS and chooses to sign in with his or her account in your Active Directory, the device is redirected to AD FS for authentication. AD FS authenticates the user against AD DS (using Kerberos, where available) and then translates the information into claims, using the claim rules. The claims are sent from AD FS to the device. Then, the device sends them to the application to authenticate to the application (or the identity hub), based on the trust relationship.

The claim rules indicate the contents of the claims tokens that are being exchanged. As such, they play a vital role in authorization.

 

Ways to create the Relying Party Trust

When you want to take advantage of a Relying Party Trust towards Azure AD and onwards to Office 365, any of the 2900+ Azure AD-integrated applications, or your own apps, there are three ways to set it up:

  1. Configure the Relying Party Trust using PowerShell
  2. Configure the Relying Party Trust using Azure AD Connect
  3. Configure the Relying Party Trust manually

 

PowerShell

To setup the ‘Office 365 Identity Platform’ Relying Party Trust using Windows PowerShell, you can use the Convert-MSOLDomainToFederated Cmdlet from the MSOnline PowerShell Module.

If you haven’t installed the MSOnline PowerShell Module on your system, yet, run the following PowerShell one-liner, once:

Install-Module MSOnline -Force

Then, execute these lines on the (primary) AD FS Server in the AD FS Farm, after you’ve replaced domain.tld with your own DNS Domain Name:

Import-Module MSOnline

Import-Module ADFS

Connect-MSOLService

Convert-MsolDomainToFederated -DomainName domain.tld -SupportMultipleDomain

 

Each of these three actions triggers the automatic creation of the ‘Office 365 Identity Platform’ Relying Party Trust with default rules:

  • When you convert the first DNS Domain Name in Azure AD to federated in the context of the AD FS Farm specified using Convert-MsolDomainToFederated.
  • When you update the first DNS Domain Name in Azure AD to be federated to the AD FS Farm specified, after being federated to another AD FS Farm previously using Update-MSOLFederatedDomain.
  • When you create a new DNS Domain Name in Azure AD to be federated to the AD FS Farm specified using New-MSOLFederatedDomain.

The rules created by the MSOnline PowerShell module are basic.

 

Azure AD Connect

Microsoft’s Azure AD Connect tool also offers to manage Active Directory Federation Services (AD FS). You can:

  • Setup and configure AD FS Servers and Web Application Proxies from Azure AD Connect, specifying hosts and settings for the AD FS Farm.
  • Change or set the sign-in options to Federation and point to a previously configured AD FS Farm to start managing its Azure AD and Office 365 settings using Azure AD Connect.

Using Azure AD Connect results in more extensive claims rules for the ‘Office 365 Identity Platform’ Relying Party Trust, including claim rules to specify the mS-DS-ConsistencyGUID user attribute as source anchor with the ObjectGUID attribute as fall-back.

The claim rules created are subject to the version of Azure AD Connect used to configure the RPT. Currently, version 1.1.654.0 is the most recent version available for download, which is 3 months old. Hence, the claims rules logic is 3 months old.

 

Manually

Creating Relying Party Trusts (RPTs) manually is not something I can recommend. However, updating RPTs manually, is something I do nearly every day. This is also the situation where the question in the first paragraph stems from. However, there are a couple more questions to ask:

How do I gain access to the latest claim rules for the ‘Office 365 Identity Platform’ RPT?

Previously, we used a development instance of Azure AD Connect with a development Azure AD tenant to investigate the rules. However, Microsoft has created new functionality in the adfshelp.microsoft.com ADFSHelp Portal:

The ADFSHelp Portal in Microsoft Edge (click for larger screenshot)

In the Tools section, there is now a Claims Generator wizard labeled Azure AD RPT Claim Rules, that will help you get optimized claims rules for the ‘Office 365 Identity Platform’ RPT.

The wizard asks you for the source anchor (Immutable ID) you’d want to use, where your choices include ‘ObjectGUID’, ‘ms-Ds-consistencyGuid with fallback to ObjectGUID’ and ‘Other’. Then, you can specify the attribute that users will use to sign into Azure AD. ‘userPrincipalName’ is default, but you can specify ‘Alternate ID’. To offer multiple domain support, question 3 asks you if you have multiple domains. If you do, you can specify multiple DNS Domain Names in Azure AD, or upload a *.csv file with the information needed. The last button is aptly labeled ‘Generate claims’.

How do I implement these claim rules without the risk of mistyping the rules?

After you use the wizard, you have two options. You can copy a Windows PowerShell script that will target the ‘Office 365 Identity Platform’ RPT and will update the claims rules for it.

Alternatively, the rules themselves are also displayed. You can compare them to the output of the Get-ADFSRelyingPartyTrust PowerShell Cmdlet to see if you actually have to update the claims rules. You might already run the latest rules, right?
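That comparison, and the update itself, as an added example that is neither from the original post nor from ADFSHelp: a PowerShell script for the primary AD FS server that backs up the current issuance transform rules of the Office 365 RPT, diffs them rule by rule against a rules file you saved from the Claims Generator, and applies the file only when you pass -Apply. The two file paths are placeholders.

```powershell
# Added example, not from the original post or from ADFSHelp. Backs up the current
# issuance transform rules of the Office 365 RPT, diffs them against a rules file
# saved from the ADFSHelp Claims Generator, and applies the file only on request.
# Paths are placeholders; run on the primary AD FS server.
param(
    [string]$NewRulesFile = 'C:\Temp\O365-claimrules.txt',   # placeholder: saved from ADFSHelp
    [string]$BackupDir    = 'C:\Temp\ADFS-backups',          # placeholder
    [switch]$Apply
)
Import-Module ADFS

# Address the RPT by its identifier, which stays stable even if the display name was changed.
$o365Id = 'urn:federation:MicrosoftOnline'
$rpt = Get-AdfsRelyingPartyTrust -Identifier $o365Id
if (-not $rpt) { throw "No Relying Party Trust with identifier $o365Id found." }

# 1. Always keep a restorable copy of what is in production right now.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir "IssuanceTransformRules-$stamp.txt"
$rpt.IssuanceTransformRules | Set-Content -Path $backup -Encoding UTF8
"Current rules backed up to $backup"

# 2. Compare rule by rule. Rules are separated by blank lines, and whitespace outside
#    string literals is not significant to the claims engine, so normalise it first.
function Get-NormalizedRules([string]$Text) {
    ($Text -split '(?:\r?\n){2,}') |
        ForEach-Object { ($_ -replace '\s+', ' ').Trim() } |
        Where-Object { $_ }
}
$current = Get-NormalizedRules $rpt.IssuanceTransformRules
$wanted  = Get-NormalizedRules (Get-Content -Path $NewRulesFile -Raw)

$diff = Compare-Object -ReferenceObject $current -DifferenceObject $wanted
if (-not $diff) {
    "The RPT already carries the generated rules; nothing to do."
    return
}
"Rules only in production (<=) and only in the generated file (=>):"
$diff | ForEach-Object { "{0} {1}" -f $_.SideIndicator, $_.InputObject }

# 3. Apply only on request. The ImmutableID rule decides which on-premises attribute
#    maps a user to the Azure AD account, so a wrong file locks every federated user
#    out; test on a staging farm first.
if ($Apply) {
    Set-AdfsRelyingPartyTrust -TargetIdentifier $o365Id -IssuanceTransformRulesFile $NewRulesFile
    "Applied $NewRulesFile to the Office 365 RPT. Roll back with:"
    "  Set-AdfsRelyingPartyTrust -TargetIdentifier '$o365Id' -IssuanceTransformRulesFile '$backup'"
}
```

Save it as a script (the param block needs that), run it without -Apply to see the diff, and keep the printed roll-back line at hand before running it with -Apply.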

How do I provide feedback on the functionality of the claim rules?

The adfshelp.microsoft.com ADFSHelp Portal offers a Feedback option. You can leave behind any feedback you have, whether it is a problem, suggestion or something general.

 

Concluding

Microsoft now offers the adfshelp.microsoft.com ADFSHelp Portal with useful functionality.

Throughout the past years, we’ve been discussing Active Directory Federation Services (AD FS), Azure Active Directory and Office 365. I’ve provided tips and you’ve provided feedback and additional questions. I’m very pleased with the interaction we’ve got going. Let’s keep that up!


Azure AD Connect Custom Settings vs Express Settings


Azure AD Connect

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAPv3-based identity platforms to Azure Active Directory.

During installation, Azure AD Connect offers a choice. This is the first choice and also the most fundamental choice for Azure AD Connect:

Microsoft Azure Active Directory Connect - Express Settings (click for original screenshot)

  • You can Use express settings
  • You may Customize the installation

Many customers have opted to install Azure AD Connect with Express Settings. This four-click setup has a couple of advantages over the more elaborate Custom Settings installation options.

The below table offers an overview of the differences between using express settings and customizing Azure AD Connect, based on Azure AD Connect version 1.1.654.0, released on December 12, 2017:

Azure AD Connect Express Settings vs. Custom Settings in terms of Sign-in methods (Password Hash Sync, Active Directory Federation Services, Pass-through Authentication and Seamless Single Sign-On), installation options (like choosing a SQL Server, service account and alternative groups), Multi-Factor Authentication, Privileged Identity Management, Filtering options (like Domain-, OU- and group-based filtering and Minsync), but also optional features like Hybrid Exchange, Public Folders, Self-Service Password Reset, Write-back for Office Groups and devices and Synchronization of your own Active Directory Schema Extensions.

The fourth column depicts whether you can change the setting after initial installation and subsequent configuration runs. Your mileage may vary on the outcome, though.

By default, Azure AD Connect configures Password Hash Sync (PHS) as the sign-in method. This option synchronizes a hash of the password hashes stored in Active Directory Domain Services (AD DS) to Azure AD for all user and inetOrgPerson objects in scope. When you later migrate off this Same Sign-on (SSO) method to one of the Single Sign-On (SSO) options, like Active Directory Federation Services (AD FS) or Pass-through Authentication (PTA), these synchronized values won’t magically disappear.

As you can see, the Custom Settings installation option allows you to optionally (re)use a (group) managed service account (gMSA). This option was added to Azure AD Connect version 1.1.443.0, back in March 2017. It’s described here.

As shown, when you Use express settings,

  • You can’t later on change the installation path.
  • You can’t switch to using Microsoft SQL Server instead of the default SQL Server Express installation to host the database for Azure AD Connect.
  • You can’t switch the service account running the Azure AD Connect service and connecting to the SQL Server back-end through the Azure AD Connect Wizard. However, you can change the credentials used to communicate with Active Directory Domain Services (AD DS) and Azure AD in the Synchronization Manager.
  • You can’t change the names of the four local groups that will be created on the Windows Server installation running Azure AD Connect.

If you want to make these changes, you will need to uninstall Azure AD Connect and reinstall Azure AD Connect, or create a new Azure AD Connect installation in Staging Mode, and switch the active Azure AD Connect installation.

 

Concluding

Haste trips over its own heels.

Getting Office 365 and Azure Active Directory to work in a mere four clicks sounds fantastic, but when you want to change things later on, you might find yourself doing work twice.


Azure AD Connect version 1.1.750.0 is now available for download


Azure AD Connect

While Microsoft was steadily rolling out Azure AD Connect version 1.1.749.0 throughout the first half of March to organizations with automatically upgrading Azure AD Connect installations, an issue was discovered.

The issue was fixed in Azure AD Connect version 1.1.750.0 and put through the same rollout pace as version 1.1.749.0 to land at automatically upgrading organizations.

As promised, Microsoft has released Azure AD Connect version 1.1.750.0 for download, now that, apparently, all automatically upgrading Azure AD Connect installations at organizations have actually been upgraded.

 

What’s fixed

The AutoUpgrade functionality was incorrectly disabled for some Azure AD tenants that deployed Azure AD Connect version 1.1.524.0 or later.

To ensure that your Azure AD Connect instance is still eligible for AutoUpgrade, run the following Windows PowerShell cmdlet on the Azure AD Connect server:

Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled

The Set-ADSyncAutoUpgrade Windows PowerShell cmdlet would previously block AutoUpgrade when the AutoUpgrade state was set to Suspended. This has been changed, so it no longer blocks AutoUpgrade of future builds.
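The check below is an added example and not part of the original post or of Azure AD Connect itself. It reports the installed Azure AD Connect version and the AutoUpgrade state, and only changes that state when asked. It assumes that Get-ADSyncAutoUpgrade -Detail exposes AutoUpgradeState and SuspensionReason properties and that the product registers itself in the Uninstall hive as "Microsoft Azure AD Connect"; both are assumptions, not facts from the post.

```powershell
# Added example: report (and optionally re-enable) Azure AD Connect AutoUpgrade.
# Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

function Test-ADSyncAutoUpgrade {
    param([switch] $Enable)   # without -Enable the function only reports

    # Installed version, read from the Uninstall hive (assumed DisplayName).
    $product = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' }
    Write-Host ('Azure AD Connect version : {0}' -f $product.DisplayVersion)

    # State is Enabled, Disabled or Suspended. A Suspended state carries a reason
    # (assumed property name SuspensionReason) that is worth reading before flipping it.
    $detail = Get-ADSyncAutoUpgrade -Detail
    Write-Host ('AutoUpgrade state        : {0}' -f $detail.AutoUpgradeState)
    if ($detail.AutoUpgradeState -ne 'Enabled') {
        Write-Host ('Suspension reason        : {0}' -f $detail.SuspensionReason)
    }

    # Only change the state when explicitly requested: a Disabled state may be a
    # deliberate administrative choice rather than the bug this build fixes.
    if ($Enable -and $detail.AutoUpgradeState -ne 'Enabled') {
        Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled
        Write-Host ('AutoUpgrade state now    : {0}' -f (Get-ADSyncAutoUpgrade))
    }
}

Test-ADSyncAutoUpgrade            # report only
# Test-ADSyncAutoUpgrade -Enable  # report, then re-enable AutoUpgrade
```

Run it without the switch first on every Azure AD Connect server, including staging-mode servers, so you know which installations were silently dropped from AutoUpgrade before you re-enable it.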

 

Version information

This is version 1.1.750.0 of Azure AD Connect.
It was signed off on March 22, 2018.

 

Download information

You can download Azure AD Connect here.
The download weighs 80.7 MB.

Note

After the upgrade to Azure AD Connect version 1.1.750.0 completes, a Full Synchronization cycle is automatically triggered, followed by a full import for the Azure AD connector and a full sync for the AD connector. Since this may take some time, depending on the size of your Azure AD Connect environment, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.



Active Directory Domain Controllers may not be in-place upgraded to Windows Server Insider Preview 17623


Last week, Microsoft introduced Windows Server Insider Preview version 17623, providing admins a preview on its upcoming Windows Server 2019 Long-term Servicing Channel (LTSC) release, scheduled for the second half of calendar year 2018.

While Microsoft strongly urges admins to validate the in-place upgrade functionality to Windows Server 2019 from Windows Server 2012 R2 and Windows Server 2016, one issue has already arisen in this area.

  

The issue

To paraphrase the Windows Server Insider Preview version 17623 release notes:

In‑place OS upgrade: Domain Controllers. During an in-place OS upgrade, Active Directory (AD) Domain Controllers (DC) might not be upgraded correctly. So, back up any AD DCs before performing an in-place OS upgrade.


I feel running a Windows Server Insider Preview build in a production environment to power your Active Directory Domain Controllers is only for a select few admins with a strong desire to feel alive again…. and have left Microsoft support far behind them.

However, in test and acceptance environments, this issue is something that might prove a challenge. It's nothing new, though: in-place upgrading an Active Directory Domain Controller to Windows Server build 17093 might also fail.


What’s New in Azure Active Directory for March 2018


Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for March 2018:

 

What’s New

Twitter and GitHub identity providers in Azure AD B2C

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

You can now add Twitter or GitHub as an identity provider in Azure AD B2C. Twitter is moving from public preview to General Availability (GA). GitHub is being released in public preview.

 

Restrict browser access using Intune Managed Browser with Azure AD application-based conditional access for iOS and Android

Service category: Conditional Access
Product capability: Identity Security & Protection

The Intune Managed Browser SSO is now in preview. Employees can use single sign-on across native clients (like Microsoft Outlook) and the Intune Managed Browser for all Azure AD-connected apps.

Intune Managed Browser Conditional Access Support is now in preview. Admins can now require employees to use the Intune Managed browser using application-based conditional access policies.

 

App Proxy Cmdlets in Powershell GA Module

Service category: App Proxy
Product capability: Access Control

The Application Proxy PowerShell Cmdlets are now part of the generally available (GA) Azure Active Directory Powershell Module.

  

Office 365 native clients are supported by Seamless SSO using a non-interactive protocol

Service category: Authentications (Logins)
Product capability: User Authentication

People using Office 365 native clients get a silent sign-on experience using Seamless SSO. This support is provided by the addition of WS-Trust (a non-interactive protocol) to Azure Active Directory.

This applies to Office installation versions 16.0.8730.xxxx and above, so basically people in organizations using the targeted Semi-Annual Channel since January 17, 2018 or Monthly Channel releases of Office since March 13, 2018.

   

Users get a silent sign-on experience, with Seamless SSO, if an application sends sign-in requests to Azure AD’s tenanted endpoints

Service category: Authentications (Logins)
Product capability: User Authentication

People get a silent sign-on experience, with Seamless SSO, if an application (for example, https://contoso.sharepoint.com) sends sign-in requests to Azure AD’s tenanted endpoints – that is, https://login.microsoftonline.com/contoso.com/ or https://login.microsoftonline.com/<tenant_ID>/ – instead of Azure AD’s common endpoint (https://login.microsoftonline.com/common/).

 

Adding Optional Claims to your apps tokens (public preview)

Service category: Authentications (Logins)
Product capability: User Authentication

Your Azure AD app can now request custom or optional claims in JWTs or SAML tokens. These are claims about the user or tenant that are not included by default in the token, due to size or applicability constraints. This is currently in public preview for Azure AD apps on the v1.0 and v2.0 endpoints. See the documentation for information on what claims can be added and how to edit your application manifest to request them.

 

Azure AD supports PKCE for more secure OAuth flow

Service category: Authentications (Logins)
Product capability: User Authentication

Azure AD docs have been updated to note support for Proof Key for Code Exchange (PKCE) as described in RFC7636, which allows for more secure communication during the OAuth 2.0 Authorization Code grant flow. Both S256 and plaintext code_challenges are supported on the v1.0 and v2.0 endpoints.
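The following is an added example, not code from the Azure AD release notes or from Microsoft. It ties the two points above together: it generates a PKCE code_verifier and S256 code_challenge as RFC 7636 specifies, builds the authorization request against a tenanted Azure AD v2.0 endpoint rather than /common/, and shows the check the token endpoint performs on the verifier. The tenant name, client_id and redirect_uri are placeholders for your own app registration.

```powershell
# Added example: PKCE (S256) authorization request against a tenanted endpoint.
# Assumptions: $tenant, $clientId and $redirectUri are placeholders.
$tenant      = 'contoso.com'
$clientId    = '00000000-0000-0000-0000-000000000000'
$redirectUri = 'https://localhost/callback'

function ConvertTo-Base64Url([byte[]] $Bytes) {
    # RFC 7636 mandates base64url encoding without '=' padding.
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-PkcePair {
    # code_verifier: 32 random bytes encode to 43 characters, the minimum
    # length RFC 7636 allows (the maximum is 128).
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $raw = New-Object byte[] 32
    $rng.GetBytes($raw)
    $verifier = ConvertTo-Base64Url $raw

    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method S256.
    # Azure AD also accepts "plain" (challenge equals verifier), which gives
    # no protection against anyone who can read the authorize request.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $digest = $sha.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($verifier))
    [pscustomobject]@{ CodeVerifier = $verifier; CodeChallenge = (ConvertTo-Base64Url $digest) }
}

function Test-PkceVerifier([string] $Verifier, [string] $Challenge) {
    # What the token endpoint does with the code_verifier it receives:
    # recompute the S256 challenge and compare it case-sensitively.
    $sha      = [System.Security.Cryptography.SHA256]::Create()
    $expected = ConvertTo-Base64Url ($sha.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($Verifier)))
    return ($expected -ceq $Challenge)
}

$pkce  = New-PkcePair
$state = ConvertTo-Base64Url ([guid]::NewGuid().ToByteArray())

# Tenanted endpoint (/contoso.com/ or /<tenant_ID>/) instead of /common/, so
# Seamless SSO can sign domain-joined users in silently.
$query = @(
    "client_id=$clientId"
    'response_type=code'
    "redirect_uri=$([uri]::EscapeDataString($redirectUri))"
    "scope=$([uri]::EscapeDataString('openid profile offline_access'))"
    "state=$state"
    "code_challenge=$($pkce.CodeChallenge)"
    'code_challenge_method=S256'
) -join '&'
$authorizeUrl = "https://login.microsoftonline.com/$tenant/oauth2/v2.0/authorize?$query"

Write-Host "Authorize URL:`n$authorizeUrl"
# The verifier stays on the client until the token request, where it is sent
# as code_verifier next to the authorization code.
Write-Host ('Verifier matches challenge: {0}' -f (Test-PkceVerifier $pkce.CodeVerifier $pkce.CodeChallenge))
```

The point of PKCE is that an attacker who intercepts the authorization code (for example through a registered custom URI scheme on a mobile device) cannot redeem it without the verifier, which was never transmitted. That only holds for S256; with the plain method the challenge in the authorize request is the verifier.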

 

New Federated Apps available in Azure AD App gallery

In March 2018, the Azure Active Directory team added the following 15 new apps to the Azure Active Directory App gallery with federation support:

 

PIM for Azure Resources is generally available (GA)

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

If you are using Azure AD Privileged Identity Management (PIM) for directory roles, you can now use PIM’s time-bound access and assignment capabilities for Azure Resource roles such as Subscriptions, Resource Groups, Virtual Machines, and any other resource supported by Azure Resource Manager. Enforce Multi-Factor Authentication when activating roles Just-In-Time, and schedule activations in coordination with approved change windows.

In addition, this release adds enhancements not available during public preview including an updated UI, approval workflows, and the ability to extend roles expiring soon and renew expired roles.

 

Support for provisioning all user attribute values available in the Workday Get_Workers API

Service category: App Provisioning
Product capability: 3rd Party Integration

The public preview of inbound provisioning from Workday to Active Directory and Azure AD now supports extracting and provisioning all attribute values available in the Workday Get_Workers API. This adds support for hundreds of additional standard and custom attributes beyond the ones shipped with the initial version of the Workday inbound provisioning connector.

  

Changing group membership from dynamic to static, and vice versa

Service category: Group Management
Product capability: Collaboration

It is now possible to change how membership is managed in a group. This is useful when you want to keep the same group name and ID in the system, so any existing references to the group are still valid; creating a new group would require updating those references. We’ve updated the Azure AD Admin center to add support for this functionality. Now, customers can convert existing groups from dynamic membership to assigned membership and vice-versa. The existing PowerShell Cmdlets are also still available.

What’s Changed

Improved sign-out behavior with Seamless SSO

Service category: Authentications (Logins)
Product capability: User Authentication

Previously, even if users explicitly signed out of an application secured by Azure AD, they would be automatically signed back in using Seamless SSO if they were trying to access an Azure AD application again within their corpnet from their domain joined devices. With this change, sign out is supported. This allows users to choose the same or different Azure AD account to sign back in with, instead of being automatically signed in using Seamless SSO.

   

Application Proxy Connector Version 1.5.402.0

Service category: App Proxy
Product capability: Identity Security & Protection

Application Proxy Connector Version 1.5.402.0 is gradually being rolled out. This new connector version includes the following changes:

  • The connector now sets domain level cookies instead of cookies on the sub-domain level. This ensures a smoother SSO experience and avoids redundant authentication prompts.
  • Support for chunked encoding requests
  • Improved connector health monitoring
  • Several bug fixes and stability improvements

   

What’s Fixed

Certificate expire notification

Service category: Enterprise Apps
Product capability: SSO

Azure Active Directory sends a notification when a certificate for a gallery or non-gallery application is about to expire.

Some organizations did not receive notifications for enterprise applications, configured for SAML-based single sign-on. This issue was resolved. Azure Active Directory sends notification for certificates expiring in 7, 30 and 60 days. You are able to see this event in the audit logs.


Pictures of the 2018 Amsterdam Microsoft Tech Summit last week


Last Wednesday and Thursday, Microsoft organized a Tech Summit event in the Amsterdam RAI. I was invited as a booth expert and a speaker.

As one of the last Tech Summit events in a long row of events, my experience with the organization for the Tech Summit was top notch. It started on Tuesday already.

On Tuesday, Microsoft arranged for a speaker check-in between 4 PM and 6 PM. We were all invited to the speaker room, check out our rooms, the booth, the theater, discuss slides and pick up our badges and T-shirts.

The Tech Summit billboard at Entrance C of the Amsterdam RAI (picture by Microsoft Netherlands)
Tech Summit flags marking the way to Entrance C (photo by Microsoft Netherlands)

Wednesday morning I arrived at the Amsterdam RAI at around 7:30 AM. It was a cloudy day. The perfect weather for an indoor event…

Smile and wave boys. Smile and wave.

I joined the other experts at the booth around 8 AM, until the keynote started at around 9:30 AM. By then, we had answered a handful of questions on Exchange, Azure Active Directory, Teams and Skype for Business already! I met with one of this blog’s biggest fans and spent most of my day at the Experts booth on Wednesday, before heading home at 7 PM.

Thursday morning, I arrived at 7 AM. This was the day I was to present a 60-minute session on GDPR (AVG) in terms of Microsoft 365 from 10:45 and 11:45. I studied the slides and demos Microsoft provided me. It was a really nice slide deck that began with explaining the background for GDPR, then to introduce Microsoft Compliance Manager, followed by explaining some of the more difficult moving parts of Microsoft 365, including Conditional Access, Azure AD Identity Protection, Azure Information Protection and Office 365 Advanced Threat Protection. Alas, the slide deck didn’t include eDiscovery, for which I apologized to the audience beforehand.

Accelerating your GDPR Compliance with Microsoft 365 (picture by Ralph Eckhard)
An almost full room for GDPR (picture by Censom)
Introducing Compliance Manager (picture by Daan Verheij)
Presenting on GDPR (picture by Tony Thijs)

Room Elicium 2 was packed with people, mostly technical people I recognized, although the session was advertised as a session for decision makers.

After a short break for lunch, I was scheduled for a second presentation. This time I was in for even more fun with one of my own favorite presentations in a nice informal setting; Talking for 15 minutes on the silly stuff people do when it comes to AD FS and Hybrid Identity.

Title slide for the 'Four most common mistakes with AD FS and Hybrid Identity' theater session (shared by Anna Chu)
Presenting my experiences with AD FS and Hybrid Identity (picture by Jeffrey Vermeulen)
Quite a crowd for the theater session (picture by Michel de Rooij)

The feedback I received from the people that were actually able to follow the presentation in the busy expo area was overwhelmingly positive:

Thank you, John van Zetten!

It’s always nice to hear when people enjoyed learning things I present on.

After the session I joined Jeff Woolsey again at the Experts Booth, where we discussed GDPR and baselines with one of the Netherlands’ largest healthcare insurers. Another interesting question came from an organization that would currently create user administrator accounts in Azure AD for partner admins, so they could create user objects for their partner users to access the app. They figured this saved them a lot of money on user administration. Apparently, no-one had introduced them to Azure AD B2B, yet.

 

Thank you!

A big ‘Thank You!’ to all Microsoft Tech Summit attendees, sponsors, speakers and staff for making the past week such an enjoyable experience!

I had a lot of fun and I hope you did, too!


Windows Server 2016’s March 2018 Quality Update brings two Active Directory Domain Services fixes


Windows Server 2016

Windows Server 2016’s Cumulative Quality Update for March 2018, bringing the OS version to 14393.2155, offers two fixes for issues you might be experiencing on Windows Server 2016-based Active Directory Domain Controllers.

 

About Windows Server 2016 Updates

Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016.  This update, too, is cumulative and includes all quality and security fixes shipped prior to this release. 

Active Directory Domain Services fixes

LSASS faults with exception code 0xc0000005, status code 255

The first fix addresses an issue where a Windows Server 2016 Domain Controller may periodically restart after a Local Security Authority Subsystem Service (LSASS) module faults with exception code 0xc0000005. This interrupts applications and services bound to the Domain Controller at that time.

The following events may be logged:

Application Error event ID 1000

The faulty module mentioned is NTDSATQ.dll with exception code 0xc0000005.

User32 event ID 1074

Microsoft-Windows-Wininit event ID 1015

Both these error events indicate that lsass.exe failed with status code 255.

AdminSDHolder trips over deleted members in protected groups

The second fix addresses an issue where the AdminSDHolder task fails to run when a protected group contains a member attribute that points to a deleted object.

Additionally, Event 1126 is logged that contains the following text:

Active Directory Domain Services was unable to establish a connection with the global catalog. Error value: 8430. The directory service encountered an internal failure. Internal ID: 320130e.
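To find out whether your Domain Controllers are actually hitting either of the two issues above, and whether the fixing build is already installed, the script below queries the events the post lists. It is an added example, not part of the original post or of the update. It assumes that WinRM and remote event log access to the Domain Controllers are available and that the event text matches the wording quoted above.

```powershell
# Added example: look for the symptoms of both issues on Windows Server 2016 DCs
# and report whether the build that fixes them (14393.2155) is installed.
Import-Module ActiveDirectory

function Get-DcMarch2018FixStatus {
    param(
        [string[]] $DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [int] $Days = 30
    )
    $since = (Get-Date).AddDays(-$Days)

    foreach ($dc in $DomainController) {
        # Issue 1: lsass.exe faulting in NTDSATQ.dll (Application log, event 1000) ...
        $faults = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Application'; Id = 1000; StartTime = $since
        } | Where-Object { $_.Message -match 'lsass\.exe' -and $_.Message -match 'NTDSATQ\.dll' -and $_.Message -match 'c0000005' }

        # ... followed by the forced restart: User32 1074 and Wininit 1015 in the
        # System log, both mentioning lsass and status code 255.
        $restarts = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'System'; Id = 1074, 1015; StartTime = $since
        } | Where-Object { $_.Message -match 'lsass' -and $_.Message -match '\b255\b' }

        # Issue 2: AdminSDHolder tripping over a deleted member: NTDS event 1126 in
        # the Directory Service log with error value 8430.
        $sdprop = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Directory Service'; Id = 1126; StartTime = $since
        } | Where-Object { $_.Message -match '8430' }

        # Update Build Revision (UBR): 2155 or higher means KB4088889 or later is installed.
        $ubr = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
        }

        [pscustomobject]@{
            DomainController   = $dc
            LsassFaults        = @($faults).Count
            LsassRestarts      = @($restarts).Count
            AdminSDHolderFails = @($sdprop).Count
            UBR                = $ubr
            HasMarch2018Fix    = ($ubr -ge 2155)
        }
    }
}

Get-DcMarch2018FixStatus | Format-Table -AutoSize
```

A Domain Controller with LsassFaults above zero and HasMarch2018Fix false is the one to schedule first; an AdminSDHolder failure is quieter but means protected groups have not had their ACLs reset since the failing run, so any manual ACL change on a Domain Admin still stands.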

Call to action

When you experience any one of these issues, you are invited to install Windows Server 2016’s Cumulative Quality Update for March 2018 (KB4088889) on your Active Directory Domain Controllers to resolve them.

Known Issues

There are no known issues with this update, to date.


I’m speaking at WAZUG.nl 47


Speaking at User Groups (picture by Rick van den Bosch)

On Thursday evening April 19, 2018 I’ll deliver a 55-minute presentation for the Dutch Windows Azure User Group (WAZUG) on Azure Active Directory device management.

About WAZUG.nl

The Dutch Windows Azure User Group (WAZUG) was founded in 2010 by a group of enthusiasts to inform and inspire developers, architects and consultants for Microsoft’s cloud application platform: Azure.

WAZUG organizes events roughly every month. They invite speakers to talk about technology, but also about reference cases. It’s also an ideal way to meet like-minded people and network. Meetings, food and drinks are always free to attendees.

WAZUG, these days, is run by Iwan Bel, Erwyn van der Meer, Edward Bakker and Sjoerd van Roessel.

 

About WAZUG.nl 47

Meeting 47 is organized with the help of Centric, a Dutch IT services provider in terms of managed ICT services, IT solutions and software engineering. They invited us over at their headquarters in Gouda, the Netherlands.

In contrast to earlier WAZUG.nl meetings, WAZUG.nl 47 has an IT Pro focus.

The evening kicks off at 6PM with dinner. After a short welcoming ceremony, I’ll present for 55 minutes. After a short break, a second session is presented. After the second session, there’s room and time for drinks up until 9:15PM.

About my presentation

Between 6:35PM and 7:30PM, I’ll deliver a 55-minute session on Azure AD Devices:

Devices and Azure AD: who, what, where?

For a long time, device management within on-premises Active Directory was Microsoft’s strong point. Lately, Microsoft has been building out their possibilities in Azure Active Directory in terms of devices. Think about Single Sign-On (SSO), device join/registration and the ability to grant or deny access based on the device’s status and location.

In this session I’ll tell you everything there is to know about devices in Azure AD. I’ll discuss Azure AD Join, Conditional Access, Azure Multi-Factor Authentication, Azure Identity Protection and Windows Hello. Of course, I’ll share my recommended practices for all these technologies.

 

Join us!

Join us for free.
If you haven’t yet, sign up to the Dutch Windows Azure User Group using a Microsoft account, and then register for this WAZUG event.


Azure Multi-Factor Authentication Server 8.0.0.3 is here


Microsoft Azure Multi-Factor Authentication

When looking back, I realized we’ve been working with Microsoft’s on-premises Azure Multi-Factor Authentication (MFA) Server version 7.3.0.3 for a year. This week, Microsoft released a new version of its on-premises authentication security product: version 8.0.0.3.

 

What’s New

Registration experience improvements on mobile

Using MFA Server’s mobile portal, end-users may register the authenticator app on their mobile device using a QR-code. This experience has been improved.

Improved interaction with AD Sync

Azure MFA Server leverages MFA Providers in Azure Active Directory. Azure AD Connect offers synchronization of user objects (and, in some scenarios, password hashes) from Active Directory to Azure Active Directory. To allow both products to work optimally together, several changes have been made to MFA Server.

Support for TLS 1.2 for LDAP, User Portal to Web Service SDK, and SChannel replication

As MFA Server communicates to back-end systems and allows communication to its Web Service SDK, it’s imperative to allow the strongest available encryption for data in transit. MFA Server 8 now offers TLS 1.2 support for:

  • Communication from MFA Server to LDAP directories
  • Communication from the User Portal to the Web Service SDK
  • Replication between MFA Servers over SChannel
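MFA Server supporting TLS 1.2 only helps when the Windows Server it runs on offers TLS 1.2 and its .NET components (the User Portal, Mobile Portal, Web Service SDK and AD FS adapter) are allowed to use it. The script below is an added example, not from the release notes or from Microsoft, that sets the standard SChannel and .NET Framework registry switches for this; it assumes those are the only switches involved and that MFA Server adds no keys of its own. Run it elevated and reboot afterwards.

```powershell
# Added example: enable TLS 1.2 in SChannel and let .NET 4.x applications use it.
# Assumption: standard Windows SChannel and .NET Framework registry locations.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Server side covers the User Portal, Web Service SDK and replication listener;
# client side covers LDAP connections and outbound replication from this server.
foreach ($side in 'Server', 'Client') {
    $key = Join-Path $protocols "TLS 1.2\$side"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name Enabled           -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -Value 0 -PropertyType DWord -Force | Out-Null
}

# .NET Framework 4.x: follow the OS protocol list (which now includes TLS 1.2)
# instead of the legacy SSL 3.0/TLS 1.0 default, for 64-bit and 32-bit processes.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    New-ItemProperty -Path $net -Name SchUseStrongCrypto       -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $net -Name SystemDefaultTlsVersions -Value 1 -PropertyType DWord -Force | Out-Null
}

# Verify what was written before rebooting.
Get-ItemProperty -Path "$protocols\TLS 1.2\Server", "$protocols\TLS 1.2\Client" |
    Select-Object PSChildName, Enabled, DisabledByDefault
```

Do not disable TLS 1.0 and 1.1 on the MFA Servers in the same change: first confirm that every Domain Controller and LDAP directory MFA Server talks to, and every MFA Server it replicates with, has been upgraded and accepts TLS 1.2, or the LDAP sync and replication described above will stop.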

Compliance with General Data Protection Regulation

MFA Server is now in compliance with Europe’s General Data Protection Regulation (GDPR). The General Data Protection Regulation (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union.

The regulation extends the scope of EU data protection law to all foreign companies processing data of EU residents and harmonizes the data protection regulations throughout the EU. GDPR is implemented per EU member state and goes by a different name in some of them, such as AVG in the Netherlands.

Accessibility improvements to User Portal, MFA Server management, and installation

To allow people with disabilities, like impairments, activity limitations, and participation restrictions, to use MFA Server, Microsoft has made several improvements to the User Portal, Management Console and Installation Wizard.

As Microsoft believes 25% of people live with disabilities, not limited to speech, hearing or eyesight, but also including autism and ADHD, these improvements are welcome, even though they might break your current branding of the User Portal.

Miscellaneous bug fixes and improvements

Several more bug fixes and improvements have been made to MFA Server 8.

 

Known Issues

Windows Authentication for Remote Desktop Services (RDS) is not supported for Windows Server 2012 R2.

 

Upgrade considerations

You must upgrade MFA Server and Web Service SDK before upgrading the User Portal, Mobile Portal or AD FS adapter.
Read the guidance in the How to Upgrade section in this blogpost for more information.

 

Download

You can download Azure Multi-Factor Authentication Server 8.0.0.3 here.
The download weighs 182.2 MB.

 

Version information

This is version 8.0.0.3 of Azure Multi-Factor Authentication Server.
It was signed off on April 10, 2018.


Azure AD Connect version 1.1.751.0 was released as a hotfix last week


Azure AD Connect Splash Screen

Last week, Microsoft released Azure AD Connect version 1.1.751.0. This release of Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments to Azure Active Directory is a HotFix release.

This means it is not offered to organizations running Azure AD Connect with the Automatic Upgrade functionality. Instead, it is available for download only.

 

What’s Fixed

Azure AD Sync

An issue was corrected where automatic Azure instance discovery for China tenants was occasionally failing.

AD FS Management

There was a problem in the configuration retry logic that would result in an ArgumentException stating:

an item with the same key has already been added.

This would cause all retry operations to fail.

 

Version information

This is version 1.1.751.0 of Azure AD Connect.
It was signed off on April 12, 2018.

 

Concluding

At first sight, making a version of Azure AD Connect available for download only would not make much sense. However, the two fixes apply to the initial configuration part of Azure AD Connect and, thus, do not affect organizations currently running Azure AD Connect without problems (after configuration).

Surely, these fixes flow into next versions of Azure AD Connect that will be made available for automatic upgrades. There’s no hurry, though.



Windows Server 2016’s April 2018 Quality Update brings two Active Directory Domain Services fixes


Windows Server 2016

Windows Server 2016’s Cumulative Quality Update for April 2018, bringing the OS version to 14393.2214, offers three fixes for issues you might be experiencing on Windows Server 2016-based Active Directory Domain Controllers.

   

About Windows Server 2016 Updates

Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016.  This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.

 

Active Directory Domain Services fixes

Authentication Policy Auditing Mode blocks NTLM

The first fix addresses an issue that blocks failed NTLM authentications instead of only logging them when using an authentication policy with audit mode turned on. Netlogon.log may show the following:

SamLogon: Transitive Network logon of <domain>\<user> from <machine2> (via <machine1>) Returns 0xC0000413

SamLogon: Transitive Network logon of <domain>\<user> from <machine2> (via <machine1>) Entered

NlpVerifyAllowedToAuthenticate: AuthzAccessCheck failed for A2ATo 0x5. This can be due to the lack of claims and compound support in NTLM
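The script below is an added example, not from the original post or the update, for confirming you are hitting this issue rather than a genuinely enforced policy: it lists the authentication policies that are in audit mode (Enforce set to false) and scans netlogon.log for transitive network logons that nevertheless returned 0xC0000413 (STATUS_AUTHENTICATION_FIREWALL_FAILED). It assumes Netlogon logging is switched on and writes to its default path; the sample lines are constructed in the format the post quotes and are only used when no real log is present.

```powershell
# Added example: correlate audit-mode authentication policies with blocked NTLM
# logons in netlogon.log. Assumption: default Netlogon log path.
Import-Module ActiveDirectory

# Policies that should only log, never block.
$auditOnly = Get-ADAuthenticationPolicy -Filter * | Where-Object { -not $_.Enforce }
$auditOnly | Select-Object Name, Enforce, UserAllowedToAuthenticateFrom | Format-Table -AutoSize

# Constructed sample lines in the post's format; replaced by the real log when it exists.
$lines = @(
    '04/10 09:15:01 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\alice from CLIENT02 (via FS01) Entered',
    '04/10 09:15:01 [LOGON] [1234] CONTOSO: NlpVerifyAllowedToAuthenticate: AuthzAccessCheck failed for A2ATo 0x5. This can be due to the lack of claims and compound support in NTLM',
    '04/10 09:15:01 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\alice from CLIENT02 (via FS01) Returns 0xC0000413',
    '04/10 09:15:07 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\bob from CLIENT07 (via FS01) Returns 0x0'
)
$logPath = Join-Path $env:windir 'debug\netlogon.log'
if (Test-Path $logPath) { $lines = Get-Content $logPath }

# 0xC0000413 is the status the policy returns when it denies a logon; in audit
# mode it should never appear for a transitive (pass-through) NTLM logon.
$pattern = 'Transitive Network logon of (?<user>\S+) from (?<client>\S+) \(via (?<server>\S+)\) Returns 0xC0000413'
$blocked = foreach ($line in $lines) {
    if ($line -match $pattern) {
        [pscustomobject]@{
            When   = $line.Substring(0, 14)   # "MM/DD HH:MM:SS" prefix
            User   = $Matches.user
            Client = $Matches.client
            Server = $Matches.server
        }
    }
}
$blocked | Format-Table -AutoSize
$blocked | Group-Object User | Select-Object Name, Count

if ($auditOnly -and $blocked) {
    Write-Warning 'Only audit-mode policies exist, yet NTLM logons are denied with 0xC0000413: install KB4093120 on the Domain Controllers.'
}
```

The "via" host in each line is the server that forwarded the NTLM logon, which is usually where the helpdesk tickets come from; the users listed are the ones whose workflow the audit-mode policy would have blocked once enforced, so keep the output even after the fix is installed.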

 

Restoring invalid backlink attribute logic

The second fix addresses an issue that prevents you from modifying or restoring Active Directory objects that have invalid backlink attributes populated in their class. The error you receive is:

Error 0x207D An attempt was made to modify an object to include an attribute that is not legal for its class.

 

Running the Administrative Center with PowerShell Transcripting enabled

The third fix addresses an issue that prevents the Active Directory Administrative Center (dsac.exe) from running on a client that has PowerShell Transcripting enabled. The following error appears:

Cannot connect to any domain. Refresh or try again when connection is available.

PowerShell transcription is an effective way to log, audit and trace back malicious code run through PowerShell on Domain Controllers. System-wide transcription is enabled through Group Policy (the "Turn on PowerShell Transcription" setting) or Desired State Configuration; the Start-Transcript cmdlet only records the session it is run in.
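As an added example that is not part of the original post, the script below turns on system-wide transcription through the same policy registry values the Group Policy setting writes, so it can be used where Group Policy does not reach (for example on a server in a lab domain), and contrasts it with a per-session transcript. The transcript share is a placeholder; run the script elevated.

```powershell
# Added example: enable system-wide PowerShell transcription via the policy
# registry values and compare with Start-Transcript. Assumption: the share
# below is a placeholder for a write-only share the SOC can read.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
$outputDir = '\\logs.corp.contoso.com\PSTranscripts$'

New-Item -Path $policyKey -Force | Out-Null
# EnableTranscripting: record every PowerShell host, including scripts run by services.
New-ItemProperty -Path $policyKey -Name EnableTranscripting    -Value 1 -PropertyType DWord  -Force | Out-Null
# EnableInvocationHeader: stamp each command with its start time, useful for timelines.
New-ItemProperty -Path $policyKey -Name EnableInvocationHeader -Value 1 -PropertyType DWord  -Force | Out-Null
# OutputDirectory: off-box, so an attacker with local admin cannot simply delete the transcript.
New-ItemProperty -Path $policyKey -Name OutputDirectory        -Value $outputDir -PropertyType String -Force | Out-Null

# Verify the policy values that new PowerShell sessions will pick up.
Get-ItemProperty -Path $policyKey | Select-Object EnableTranscripting, EnableInvocationHeader, OutputDirectory

# Per-session alternative: only this host is recorded and recording stops with
# Stop-Transcript (or when the attacker calls it), so it is no substitute.
Start-Transcript -Path (Join-Path $env:TEMP 'session.txt') -IncludeInvocationHeader
Get-ADDomainController -Filter * | Select-Object HostName   # everything here is recorded
Stop-Transcript
```

Once the policy is in place, the Active Directory Administrative Center (dsac.exe) on an unpatched client will show the "Cannot connect to any domain" error above, because it hosts its own PowerShell runspace and falls under the same policy; that is the reason to roll KB4093120 out to the admin workstations, not to switch transcription off.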

 

Call to action

When you experience any one of these issues, you are invited to install Windows Server 2016’s Cumulative Quality Update for April 2018 (KB4093120) on your Active Directory Domain Controllers to resolve them.

Known Issues

There are no known issues with this update, to date.


Pictures of WAZUG.nl Meetup 47


Yesterday, I presented on devices in the context of Azure Active Directory for the Dutch Azure User Group (WAZUG.nl) at Centric’s headquarters in Gouda, the Netherlands.

The Centric headquarters in Gouda (click for larger photo)
Title slide 'Devices and Azure AD: Who, what, where?' (click for original screenshot)

After working hours, we gathered at the dinner buffet, consisting of Chinese food from Restaurant Hong Kong. Straight after I arrived, I hooked up my device and showed the title slide on both screens.

After this meal and a short introduction by Centric, it was my task to share my knowledge on the five ways you can join devices and servers to Azure Active Directory, the impact of the (default) device settings in the Azure Portal, Windows Hello for Business as the first step towards a password-less future and my recommended practices.

Presenting the title slide (click for larger photo, by Carlo Schaeffer)
Providing some background (picture by Carlo Schaeffer)
Presenting for an audience (photo by Iwan Bel)

After a short break, Sebastiaan Brozius and Theo van Drimmelen from Solvinity presented on automatically deployed hybrid Dev/Test environments.

After that, we enjoyed drinks at the bar.

I had a lot of fun.
Thank you!


I’m speaking at the 2018 Heliview IAM Congress


Heliview IAM

On May 17, 2018, Heliview Congresses and Training organizes an Identity and Access Management Congress. I’m delivering a 25-minute session on the password-less future, using Microsoft technologies.

 

About Heliview Congresses and Training

Heliview Congresses and Training offers managers and senior specialists a stage to share and consume knowledge in their field of expertise. Additionally, personal networking is highly encouraged during their events throughout the Netherlands and Belgium.

Heliview Congresses and Training also offers training. For 2018 they have several topics on their schedule, including cyber resilience, data quality, IT outsourcing, data privacy and security awareness.

Heliview Congresses and Training was founded in 1983.

    

About the IAM Congress

The Identity & Access Management Congress is a yearly congress on Enterprise Identity and Access Management. The 2018 IAM Congress is the 13th edition.

The Identity & Access Management Congress offers an up to date overview and the underlying developments on Identity & Access Management. Identity and Access Management (IAM) provides the right people with the right access at the right time. Good enterprise IAM solutions are user-friendly, compliant, safe and allow for cost savings.

Heliview Congresses and Training organizes the 2018 Identity & Access Management Congress on May 17, 2018 at NBC in Nieuwegein, the Netherlands.

 

About my presentation

I’m presenting a 25-minute session on:

Living a password-less life; dream or reality?

Break Out 2A, 11:20AM – 11:45AM

Passwords for authentication stem from the early days of IT, but we are all concluding that their use is out of date. Research shows that 81% of all digital breaches are related to weak and/or leaked credentials, and 20% of the IT cost made by organizations is spent on helping people with forgotten passwords.

At SCCT, we say:

End-users should not have to use passwords for their day to day work.

In this session, I show how we help organizations to get rid of passwords using open standards, Microsoft technologies and the Microsoft cloud.

 

Join us!

As an employee of an organization that contemplates the use of new Identity and Access Management (IAM) solutions, you can join the Heliview IAM Congress for free. Alternatively, you can buy a € 645 ticket, without 1 on 1 talks or questionnaire. This price tag also applies to advisors, consultants and students.

You can sign up here (in Dutch).


What’s New in Azure Active Directory for April 2018


Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for April 2018:

What’s New

New federated apps available in Azure AD App gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In April 2018, Microsoft added the following 13 new apps with federation support to the Azure AD App gallery:


Test single sign-on configuration for SAML-based applications

Service category: Enterprise Apps
Product capability: SSO

When configuring SAML-based SSO applications, you can test the integration from the configuration page. If you encounter an error during sign-in, you can paste the error into the testing experience and Azure AD provides resolution steps for that specific issue.

Easy app configuration with metadata file or URL

Service category: Enterprise Apps
Product capability: SSO

On the Enterprise applications page, administrators can upload a SAML metadata file to configure SAML-based sign-on for Azure AD gallery and non-gallery applications.

Additionally, you can use the Azure AD application federation metadata URL to configure SSO on the targeted application. Either way, the metadata carries the entity ID, the sign-on endpoints and the token-signing certificate, so the side that consumed it has to be updated when that certificate is rolled over, unless it refreshes from the URL.


Azure AD Terms of use now generally available

Service category: Terms of Use
Product capability: Compliance

Azure AD Terms of Use has moved from public preview to generally available (GA).

Azure AD Terms of Use now has per user reporting

Service category: Terms of Use
Product capability: Compliance

Administrators can now select a given Terms of Use (ToU) and see all the users that have consented to that Terms of Use (ToU) and what date and time it took place.

 

Azure AD Connect Health: Risky IP for AD FS extranet lockout protection

Service category: Other
Product capability: Monitoring & Reporting

Azure AD Connect Health now detects IP addresses that exceed a threshold of failed username/password sign-ins on an hourly or daily basis. The report is built from the AD FS audit events the Connect Health agent collects, so AD FS auditing has to be enabled on every federation server for it to show anything. The capabilities provided by this feature are:

  • A comprehensive report showing IP addresses and the number of failed sign-ins they generated per hour or per day, with a customizable threshold.
  • Email-based alerts when a specific IP address exceeds the hourly or daily threshold of failed username/password sign-ins.
  • A download option for detailed analysis of the data.
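The report boils down to counting failed sign-ins per source IP in fixed hourly and daily windows. The Python below is an added example that re-implements that idea over a constructed log excerpt; it is not Microsoft's code, and the line format is invented for the example (real AD FS audit events, such as the 411 token validation failure, carry the client IP in a different shape). It also reports how many distinct accounts each flagged IP tried, which separates password spraying (many users, few attempts each) from brute force against one account, and the daily window is what catches a slow spray that stays under the hourly threshold. If sign-ins arrive through a proxy, count the original client address, not the proxy's.

```python
"""Failed-sign-in thresholds per source IP in hourly and daily windows.

Added example re-implementing the idea behind the Connect Health Risky IP
report; not Microsoft's code. The log format is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (addresses from the RFC 5737 documentation ranges):
# 203.0.113.7 sprays five accounts in one hour, 192.0.2.9 hits one account
# once every two hours, 198.51.100.23 is a user who mistyped once.
SAMPLE_LOG = """\
2018-04-12T10:05:01Z ip=203.0.113.7 user=alice@contoso.com result=fail
2018-04-12T10:07:44Z ip=203.0.113.7 user=bob@contoso.com result=fail
2018-04-12T10:09:12Z ip=203.0.113.7 user=carol@contoso.com result=fail
2018-04-12T10:11:30Z ip=203.0.113.7 user=dave@contoso.com result=fail
2018-04-12T10:12:02Z ip=203.0.113.7 user=erin@contoso.com result=fail
2018-04-12T10:13:55Z ip=198.51.100.23 user=alice@contoso.com result=fail
2018-04-12T10:14:10Z ip=198.51.100.23 user=alice@contoso.com result=success
2018-04-12T11:20:00Z ip=192.0.2.9 user=frank@contoso.com result=fail
2018-04-12T13:20:00Z ip=192.0.2.9 user=frank@contoso.com result=fail
2018-04-12T15:20:00Z ip=192.0.2.9 user=frank@contoso.com result=fail
2018-04-12T17:20:00Z ip=192.0.2.9 user=frank@contoso.com result=fail
2018-04-12T19:20:00Z ip=192.0.2.9 user=frank@contoso.com result=fail
2018-04-12T21:20:00Z ip=192.0.2.9 user=frank@contoso.com result=fail
2018-04-13T09:00:00Z ip=192.0.2.9 user=frank@contoso.com result=fail
"""


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into (datetime, ip, user, result)."""
    ts_str, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, kv["ip"], kv["user"], kv["result"]


def risky_ips(log_text, hourly_threshold=5, daily_threshold=6):
    """Return alerts for IPs whose failed sign-ins reach a threshold.

    Each alert carries the window ('hourly' or 'daily'), its start, the
    number of failures and the number of distinct accounts tried from that
    IP. Thresholds are inclusive: reaching the number triggers the alert.
    """
    # (ip, window_start) -> usernames that failed in that window
    hourly = defaultdict(list)
    daily = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result != "fail":
            continue  # only failures count toward the threshold
        hourly[(ip, ts.strftime("%Y-%m-%dT%H"))].append(user)
        daily[(ip, ts.strftime("%Y-%m-%d"))].append(user)

    alerts = []
    for window_name, buckets, threshold in (
        ("hourly", hourly, hourly_threshold),
        ("daily", daily, daily_threshold),
    ):
        for (ip, start), users in sorted(buckets.items()):
            if len(users) >= threshold:
                alerts.append({
                    "ip": ip,
                    "window": window_name,
                    "start": start,
                    "failures": len(users),
                    "distinct_users": len(set(users)),
                })
    return alerts


if __name__ == "__main__":
    for alert in risky_ips(SAMPLE_LOG):
        print(alert)
```

With the defaults, the spraying address is flagged on the hourly window with five distinct accounts, the slow single-account attacker only on the daily window, and the user who mistyped once is not flagged at all.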

Azure AD B2C access tokens are GA

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

You can now access web APIs secured by Azure AD B2C using access tokens. The feature is moving from public preview to GA. The UI experience to configure Azure AD B2C applications and web APIs has been improved, and other minor improvements were made.

 

Allow or block invitations to B2B users from specific organizations

Service category: B2B
Product capability: B2B/B2C

You can now specify which partner organizations you want to share and collaborate with in Azure AD B2B Collaboration by creating either a list of allowed domains or a list of denied domains. When a domain is blocked this way, employees can no longer send invitations to people in that domain. The policy applies to invitations sent after it is set; guests who were invited before are not affected by it.

This helps you to control access to your resources, while enabling a smooth experience for approved users.

This B2B Collaboration feature is available to all Azure Active Directory customers and can be used in conjunction with Azure AD Premium features like Conditional Access and Identity Protection for more granular control of when and how external business users sign in and gain access.


Grant B2B users in Azure AD access to your on-premises applications (public preview)

Service category: B2B
Product capability: B2B/B2C

As an organization that uses Azure Active Directory (Azure AD) B2B collaboration to invite guest users from partner organizations into your Azure AD, you can now give these B2B users access to on-premises apps published through Azure AD Application Proxy. These on-premises apps can use SAML-based authentication or Integrated Windows Authentication (IWA) with Kerberos constrained delegation (KCD). The KCD path needs a matching user object for the guest in on-premises Active Directory, because that is the identity Application Proxy obtains the Kerberos ticket for.


What’s Changed

Get SSO integration tutorials from the Azure Marketplace

Service category: Other
Product capability: 3rd Party Integration

If an application that is listed in the Azure marketplace supports SAML based single sign-on (SSO), clicking Get it now provides you with the integration tutorial associated with that application.

 

Faster performance of Azure AD automatic user provisioning to SaaS applications

Service category: App Provisioning
Product capability: 3rd Party Integration

Previously, customers using the Azure Active Directory user provisioning connectors for SaaS applications (for example Salesforce, ServiceNow, and Box) could experience very slow performance if their Azure AD tenants contained over 100,000 combined users and groups, and they were using user and group assignments to determine which users should be provisioned.

On April 2nd, very significant performance enhancements were deployed to the Azure AD provisioning service that greatly reduce the amount of time needed to perform initial synchronizations between Azure Active Directory and target SaaS applications.

As a result, many customers that had initial synchronizations to apps that took many days or never completed, are now completing within a matter of minutes or hours.

 

Self-service password reset from Windows 10 lock screen for hybrid Azure AD joined machines

Service category: Self Service Password Reset
Product capability: User Authentication

Microsoft has updated the Windows 10 Self-Service Password Reset (SSPR) feature to include support for machines that are hybrid Azure AD joined. This feature is available in Windows 10 RS4 (version 1803). Users who are enabled and registered for self-service password reset can use it to reset their password from the lock screen of a Windows 10 machine. Two things to check before rolling it out: the Reset password link is not shown until it is enabled by policy on the device (through Intune, or the AllowPasswordReset registry value under HKLM\SOFTWARE\Policies\Microsoft\AzureADAccount), and for hybrid-joined machines password writeback must be enabled in Azure AD Connect, otherwise the new password never reaches the on-premises Active Directory.

The post What’s New in Azure Active Directory for April 2018 appeared first on The things that are better left unspoken.

Best Practices for Pulling Identities Together with Redmond Magazine


Redmond Magazine

On Wednesday May 2nd, I took part in a webcast from the editors of Redmond Magazine. This webcast, sponsored by Okta, is now available on demand.

Best Practices for Pulling Identities Together: What Enterprises Are Doing Now to Stay Secure

In this editorial webcast, Lafe Low from Redmond Magazine, Daniel Lu from Okta and I walk through the best practices organizations are using to corral all the accounts an average employee uses today to log into tens of applications, and to make sure these accounts are being used in a way that doesn’t compromise the rest of the organization.

Questions

Questions we covered included:

  • How are organizations unifying their identity and authentication processes through Single Sign-On, especially in organizations with an Active Directory environment?
  • How do organizations gain visibility into the SaaS apps that are being used by their employees?
  • How can organizations enforce secure password policies for their users on SaaS apps that are hosted by third parties?
  • What kind of education is most effective in preventing users from reusing passwords or otherwise skirting company policies?

Watch it now

Come away from this session with actionable tactics for minimizing the gaps in your company’s identity and authentication security posture.

Register for the on-demand version of the webcast here.

We’re sure you’ll enjoy it.

The post Best Practices for Pulling Identities Together with Redmond Magazine appeared first on The things that are better left unspoken.
