Channel: The things that are better left unspoken

I’m speaking at Techorama Belgium 2018



I’m back at Techorama Belgium! I’m proud to announce that, just like last year, I’m presenting at Belgium’s biggest Microsoft IT professional and developer conference.

 

About Techorama

Techorama Belgium is a yearly international technology conference that takes place at Kinepolis Metropolis Antwerp. Techorama welcomes about 1500 attendees, a healthy mix between developers, IT Professionals, Data Professionals and SharePoint professionals. Techorama’s commitment is to create a unique conference experience with quality content and the best speaker line-up.

This year’s Techorama is a special edition, because Techorama Belgium celebrates its fifth anniversary from May 22, 2018 to May 24, 2018.

The Day 1 Techorama 2018 keynote is delivered by Steven van Belleghem. Day 2 keynotes are delivered straight after lunch by Jeffrey Snover, Sander Hoogendoorn, Dandy Weyn, Paula Januszkiewicz, and others. Other national and international speakers you might have heard of have also joined the line-up, including Mirko Colemberg, Dieter Wijckmans, Tim de Keukelaere, John Craddock, Johan Delimon, Peter Daalmans, Rasmus Hald and Thomas Maurer.

 

About my session

I’m presenting a 60-minute session on Wednesday May 23:

Under the hood of Azure AD Connect

Wednesday May 23 2018, 5:45PM – 6:45PM, Room 16

Did you ever wonder how Azure AD Connect works? Do you want to know what connector spaces, the metaverse, tens of rules, attribute flows, soft matching, write-back and source anchors do, and how they help you synchronize objects and their attributes between Active Directory Domain Services, LDAP stores and Azure AD?

After attending this session you’ll have the tools to meet the hardest Azure AD Connect challenges out there. You’ll also have laughed really loud, I promise.

 

Join us!

Techorama 2018 has sold out. When you’re among the lucky people to have grabbed a ticket, join me for this session.

We’ll have a lot of fun!

The post I’m speaking at Techorama Belgium 2018 appeared first on The things that are better left unspoken.


Self-Service leaving a lingering Azure AD tenant as an admin

$
0
0

"So long and thanks for all the fish."

Have you been invited to someone’s Azure tenant as an admin? Did you do the work and leave, but are you still seeing the tenant? Or did you quit, only to find the tenant still staring at you in the Azure portal? Can’t be invited to Azure tenants, because you’re already invited to about 20 tenants?

Frustrating, I know.

… But now there’s a solution!

People can now self-service leave an organization they were invited to. This feature was announced on May 14, 2018 in a blog post by Alex Simons dedicated to all the new stuff in Azure AD B2B. While the blog post aims at user access, this news is great news for admins who were invited to ‘Hotel California’-style Azure AD tenants.

 

About Self-Service leaving an organization

This feature is good news for anyone who is invited to any organization and/or tenant with either their Office 365 (“work or school”) account or Microsoft (“personal”) account, because they can now easily leave an organization to which they have been invited, once their relationship with that organization has come to an end. It’s no longer necessary to contact an admin of the inviting organization to have the account removed.

Before this feature was released, admins couldn’t delete their own guest accounts from Azure Active Directory tenants, and needed to contact another global admin in the Azure tenant to perform this action. Many times, Conditional Access rules wouldn’t even permit access to the Azure Portal when not present at the organization’s location(s).

 

A positive effect of GDPR

Many people aren’t too happy with Europe’s General Data Protection Regulation (GDPR). Of course, it entails work for many organizations who haven’t been up to spec for the last couple of years and are only scrambling to comply because sanctions will apply starting May 25, 2018.

However, this feature was introduced to meet the requirements in Europe’s General Data Protection Regulation (GDPR), where Article 17 provides people the right to erasure, also referred to as the right to be forgotten.

An Azure Active Directory (Azure AD) B2B guest user can decide to leave an organization at any time if they no longer need to use apps from that organization or maintain any association.

When a user leaves an organization, the user account is “soft deleted” in the directory. By default, the user object moves to the Deleted users state in Azure AD but is not permanently deleted for 30 days. This soft deletion enables the administrator to restore the user account (including groups and permissions), if the user makes a request to restore the account within the 30-day period.

 

How to leave a lingering organization

To leave an organization, perform these steps:

Access Panel for my Berkouwer Office 365 account

  • Next to Organizations, select the settings icon (gear).

Note:
If you can’t see the settings icon (gear), widen the browser window. The Access Panel user interface is a responsive interface that adapts to the width of the window. If the window is too narrow, a hamburger menu is shown instead. In this menu, the settings icon (gear) is not (yet) present.


  • Under Organizations, find the organization that you want to leave, and select Leave organization. If you’re not already signed in to the organization that you want to leave, select your name in the upper-right corner, and click the organization you want to leave or follow the Sign in to leave organization link and repeat the last two steps.


  • When asked to confirm, select Leave.

Repeat the steps above to leave the organizations you want to leave and keep the organizations you want to keep.

 

Concluding

My Microsoft account had hit the limit of 23 Azure AD tenants and couldn’t be used to redeem invitations from other organizations. This account had a couple of lingering tenants it was invited to, but was never removed from, by other admins.

Note:
These lingering tenants were all customers from a previous employer, who restricted me from having any contact with them through anti-compete clauses.

So long and thanks for all the fish!

 

Further reading

Exciting improvements to the B2B collaboration experience
Azure Active Directory B2B collaboration invitation redemption
Leave an organization as a guest user


Azure AD Connect version 1.1.819.0 offers numerous fixes and PingFederate support



Last week, Microsoft released Azure AD Connect version 1.1.819.0. Azure AD Connect is Microsoft’s free Hybrid Identity bridge product that synchronizes objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments to Azure Active Directory.

What’s Fixed

SQL Server Express 2012 Service Pack 4

This release updates the SQL Server Express installation to SQL Server 2012 SP4, which, among other things, provides fixes for several security vulnerabilities.

Sync Rule Processing

Outbound Join sync rules with no Join Condition no longer have to be de-applied manually in the scenario where the parent synchronization rule is no longer applicable.

Accessibility

Several accessibility fixes have been applied to the Synchronization Service Manager User Interface and the Sync Rules Editor.

AD Connector account error

When you use the Azure AD Connect Wizard, you might receive an error when creating the Active Directory Connector account while the Azure AD Connect server is in a workgroup. This has been fixed.

Display of the verification checkbox

On the Azure AD Sign-in page, the verification checkbox is now displayed whenever there is any mismatch in Active Directory domains and Azure AD verified domain names.

Auto-Upgrade

The auto upgrade state was incorrectly set in certain cases after auto upgrade of Azure AD Connect was attempted. This has been fixed in the PowerShell code.

Telemetry

The Azure AD Connect Wizard has been updated to include telemetry to capture previously missing information.

Change User Sign-In Improvements

The following changes have been made in the Azure AD Connect Wizard, when you use the Change user sign-in task to switch from Active Directory Federation Services (AD FS) to Pass-through Authentication (PTA) as the authentication method:

  • The Pass-through Authentication Agent is installed on the Azure AD Connect server and the Pass-through Authentication feature is enabled, before we convert domain(s) from federated to managed.
  • Users are no longer converted from federated to managed. Only domain(s) are converted.

AD FS Regex Improvement

The AD FS Multi Domain Regex was not correct when the user’s userPrincipalName attribute contained the ‘ (apostrophe) special character. The Regex has been updated to support special characters.

Configure source anchor messages

When using the Azure AD Connect Wizard, you might encounter several out of place “Configure source anchor attribute” messages when no settings have changed. This has been fixed.

Support for Dual Federation

The Azure AD Connect Wizard now supports Active Directory Federation Services (AD FS) in dual federation scenarios.

Updating claims

When you convert a managed domain to federated, the Active Directory Federation Services (AD FS) claims were not updated for an added domain. This has been fixed.

Additional claims

In this version, two additional AD FS claims were added to the federation trust created to support MFA scenarios.

Web App Proxy deployments

Fixed an issue where adding a Web Application Proxy would fail to use the new certificate.

Auto-Uninstall of stale versions

When, during detection of installed packages, Azure AD Connect Setup finds stale DirSync, Azure AD Sync or Azure AD Connect products, the setup wizard now attempts to uninstall these stale products.

Improved PTA Error messages

When you install the Pass-through Authentication (PTA) agent and it fails, the correct errors are now shown. The Error Message Mapping was incorrect.

Logging of Domain and OU Filtering

The logging of Domain and OU filtering selections was improved.

Configuration Container

The “Configuration” container has been removed from the Domain OU Filtering page in the Azure AD Connect wizard.

Password Hash Sync Popup

The pop-up help text on the Optional Features page for Password Hash Sync has been changed to correctly explain that password hashes are synchronized, not plain-text passwords.

AD Account Privilege issue

An issue resolving a custom Sync Service Account that has no AD read privileges has been fixed.

Synchronization engine installation

Unnecessary legacy logic that occasionally caused the Synchronization Engine installation to fail has been removed.

Synchronization Engine improvements

Three fixes were made to the synchronization engine:

  • The scenario where a Connector Space object had an imported delete and Sync Rules attempt to re-provision the object, has been fixed.
  • A help link has been added for the Online connectivity troubleshooting guide to the event log entry for an Import Error
  • The memory usage of Sync Scheduler when enumerating Connectors was reduced

What’s New

PingFederate Integration

This release includes the public preview of the integration of PingFederate in Azure AD Connect. With this release, organizations can easily and reliably configure their Azure Active Directory environment to leverage PingFederate as their federation provider.

New troubleshooting scenarios

Microsoft updated the Azure AD Connect Wizard Troubleshooting Utility, where organizations can now analyze more error scenarios, such as Linked Mailboxes and AD Dynamic Groups.

Device Writeback Management

Device Writeback configuration is now managed solely within the Azure AD Connect Wizard. There is no need to run PowerShell for this purpose anymore. The ADPrep.psm1 module has been deprecated.

New Tools PowerShell module

A new PowerShell Module called ADSyncTools.psm1 is added that can be used to troubleshoot SQL Connectivity issues. It also contains various other troubleshooting utilities.

Configure device options

A new additional task “Configure device options” has been added. You can use the task to configure Hybrid Azure AD Join and Device writeback.

 

Version information

This is version 1.1.819.0 of Azure AD Connect.
It was signed off on May 4, 2018.

Concluding

Azure AD Connect version 1.1.819.0 offers numerous fixes that make your life as a Hybrid Identity admin more enjoyable.


Pictures of Heliview’s 2018 IAM Congress


Last week, I was at Heliview’s 2018 IAM Congress in Nieuwegein, the Netherlands. My employer had a booth, alongside many great names like Okta, One Identity, Bomgar, Thycotic and CyberArk.

As a Microsoft Cloud-focused Systems Integrator (SI), we were in a good spot to tell attendees how to leverage their identity and access management, using whatever product on display.

We arrived early to set up the booth and enjoy breakfast. After that, we took a look at the main stage, where preparations were in full swing for a privacy panel.

Photo: The SCCT booth at the 2018 Heliview IAM Congress, right next to our friends from Tools4Ever
Photo: Our conversation tables, where we could engage (potential) customers
Photo: The main stage getting prepared

At 11:20 AM, I was scheduled to present for 25 minutes on going password-less.

Photo: Presenting in Room 15 at Heliview’s 2018 IAM Congress
Photo: About Us

As not a lot of organizations focus on this area (yet), we thought it would be a good idea to talk about our company and our vision, but most of all about Windows Hello for Business and the FIDO 2.0 login possibilities in Azure AD-joined Windows 10 version 1803 devices.

Photo: We believe end users should not have to mess with passwords for their day-to-day work
Photo: Password research
Photo: Windows Hello for Business

After the session, we enjoyed some more conversations with customers and potential customers, to better understand their needs, their worries about GDPR and the legacy stuff that’s keeping them back.

I enjoyed Heliview’s IAM Congress.

Thanks to all the people attending, sitting in on my session and, of course, the people that took the time out of their busy schedule to talk to us. We felt we brought unique value to the event as the only booth without products to sell.


Pictures of Techorama Belgium 2018


Last week, I presented at Techorama Belgium 2018 in Antwerp.

In terms of travel, this was the ideal event for me, since the organization scheduled my presentation for the last time slot on Day 1. Being an early starter, this meant I could work a normal day (for me, that’s 7AM – 3:30PM), then travel to Antwerp, throw my slide deck together and still be in time for the session, starting at 5:45 PM.

Photo: Outside of Techorama Belgium
Photo: Techorama banners
Photo: A Renault Kadjar dressed up as Chewbacca for the Solo premiere

On Wednesday May 23, I arrived at around 16:30 at Kinepolis. I talked to a couple of speakers and a couple of attendees, who happened to be former colleagues. Then, I put the finishing touches to my slide deck and headed over to room 16 for my presentation on Azure AD Connect.

Photo: Introduction slide (photo by Thijs Moerman)
Photo: What is Azure AD? This slide keeps expanding... (photo by Thijs Moerman)
Photo: Using Azure AD Connect Staging Mode for lifecycle management, not for high availability (photo by Thijs Moerman)
Photo: The differences between Azure AD Registered, Azure AD Joined and Hybrid Azure AD Joined (photo by Thijs Moerman)

After my session it was time for the Techorama speaker buffet in the Lindner Hotel, next to Antwerp Central train station. Leaving my car at Kinepolis for the night, I hopped on the shuttle to the hotel, checked in, and enjoyed the evening with my fellow speakers.

Photo: Having fun with Dieter and Thomas at the Techorama speaker buffet (photo by Thomas Maurer)
Photo: Cheers! Rasmus Hald and René van Osnabrugge
Photo: Time for bed at the Lindner Hotel

After a good night’s rest and some breakfast, I opted for the shuttle again to get me back to Kinepolis. Hanging out with some of the speakers, having lunch and attending sessions were the highlights of this day.

Photo: Paula’s keynote at Techorama Day 3

After a couple of drinks at the Techorama 5 Year Celebration, where I mostly spoke to the guys from Synergics and Fabian Williams, I drove home with a smile on my face.

 

Thank you!

Thanks to all the people attending, sitting in on my session and, of course, the people who stuck around after my session for the interesting discussions. Thanks to the Techorama organization for making it better every year and, of course, my fellow speakers who are always fun to hang out with.


What’s New in Azure Active Directory for May 2018



Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for May 2018:

     

What’s New

Graph APIs for administrative scenarios for Terms of use

Service category: Terms of Use
Product capability: Developer Experience

Microsoft has added Microsoft Graph APIs for administration operation of the Azure AD Terms of Use feature. You are now able to create, update and delete the Terms of Use object.

    

Add Azure AD multi-tenant endpoint as an identity provider in Azure AD B2C

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Using custom policies, you can now add the Azure AD common endpoint as an identity provider in Azure AD B2C. This allows you to have a single point of entry for all Azure AD users that are signing into your applications.

    

Improvements to the B2B redemption experience and leave an org

Service category: B2B
Product capability: B2B/B2C

Three improvements have been made to Azure AD B2B feature:

  1. Just in time redemption
  2. Modern redemption experience
  3. Guest users can leave the org

    

Use Internal URLs to access apps from anywhere with the My Apps Sign-in Extension and the Azure AD Application Proxy

Service category: My Apps
Product capability: SSO

Users can now access applications through internal URLs even when outside your corporate network by using the My Apps Secure Sign-in Extension for Azure AD. This will work with any application that you have published using the Azure AD Application Proxy, on any browser that also has the Access Panel browser extension installed. The URL redirection functionality is automatically enabled once a user logs into the extension. The extension is available for download on Edge, Chrome, and Firefox.

    

Enterprise Applications Search – Load More Apps

Service category: Enterprise Apps
Product capability: SSO

Microsoft has added the ability to load more applications in your enterprise applications all applications list. This helps when you’re having trouble finding applications and/or security principals. By default, 20 applications are shown. Admins can now click load more to view additional applications.

    

View legacy authentications through Sign-ins activity logs

Service category: Reporting
Product capability: Monitoring & Reporting

With the introduction of a field called Client App in the Sign-in activity logs, customers can now see which users are using legacy authentication. Customers can access this information using the Sign-ins MS Graph API or through the Sign-in activity logs in the Azure AD portal, where the Client App control can be used to filter on legacy authentications.

     

New Federated Apps available in Azure AD App gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2018, Microsoft added the following 18 new apps with federation support to the Azure AD App gallery:

    

New user provisioning SaaS app integrations

Service category: App Provisioning
Product capability: 3rd Party Integration

Azure AD allows you to automate the creation, maintenance and removal of user identities in SaaS applications such as Dropbox, Salesforce, ServiceNow and more. For May 2018, we have added user provisioning support for the following applications in the Azure AD app gallery:

   

Azure AD access reviews of groups and app access now provides recurring reviews

Service category: Access Reviews
Product capability: Governance

Access reviews of groups and apps are now generally available (GA) as part of Azure AD Premium P2. Administrators can configure access reviews of group memberships and application assignments to automatically recur at regular intervals, such as monthly or quarterly.

   

Azure AD Activity logs (sign-ins and audit) are now available through Microsoft Graph

Service category: Reporting
Product capability: Monitoring & Reporting

Azure AD Activity logs, which include the Sign-ins and Audit logs, are now available through MS Graph. Two endpoints have been exposed through MS Graph to access these logs.

     

What’s Changed

Public Preview of new and improved Sign-ins User experience in Azure Portal

Service category: Reporting
Product capability: Monitoring & Reporting

With the new Sign-ins User experience, customers now can get the following:

  • Improved latency from 2 hours to within 5 mins.
  • Ability to add filters dynamically using the “Columns” button. By adding columns to the Sign-in report in UX, you can automatically see them as filters for you to use.
  • Ability to sort by Date, User Name and Application.
  • Inclusion of legacy authentications and ability to filter for legacy authentications using the “Client App” column.
  • Inclusion of a downloadable PowerShell script which is customized based on the filter conditions you choose in the UX. With this PowerShell script, you can get as many rows of data as you want (based on your filter criteria) which will provide the output in a .csv format.
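The Client App filter described above (in the Sign-ins UX, in the Sign-in activity logs item, and in the activity-logs-through-Graph item) can be reproduced in a few lines of PowerShell, which is also what the downloadable script from the new Sign-ins experience uses. The block below is an added example and is not code from this post or from Microsoft. It runs over constructed sample sign-in records in the shape the Graph sign-ins API returns (property name clientAppUsed), so it works offline; the list of Client App values treated as legacy is an assumption that should be checked against your own tenant’s Client App column, and obtaining the access token for the live query function is outside the example.

```powershell
# Added example, not code from the original post or from Microsoft.
# Flags legacy-authentication sign-ins by the Client App field (clientAppUsed in
# the Graph sign-ins API) and summarises them per account.

# Client App values that indicate legacy (basic) authentication protocols.
# ASSUMPTION for this example: verify against the Client App column in your tenant.
$LegacyClientApps = @(
    'Exchange ActiveSync',
    'Authenticated SMTP',
    'IMAP4',
    'POP3',
    'Other clients'
)

# CONSTRUCTED sample sign-in records, in the shape returned by the Graph sign-ins API
$SampleSignIns = @'
[
  { "createdDateTime": "2018-05-20T08:12:00Z", "userPrincipalName": "alice@contoso.example",
    "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
    "ipAddress": "203.0.113.10", "status": { "errorCode": 0 } },
  { "createdDateTime": "2018-05-20T08:15:00Z", "userPrincipalName": "bob@contoso.example",
    "appDisplayName": "Office 365 SharePoint Online", "clientAppUsed": "Browser",
    "ipAddress": "198.51.100.7", "status": { "errorCode": 0 } },
  { "createdDateTime": "2018-05-20T09:02:00Z", "userPrincipalName": "alice@contoso.example",
    "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync",
    "ipAddress": "192.0.2.44", "status": { "errorCode": 0 } },
  { "createdDateTime": "2018-05-20T09:30:00Z", "userPrincipalName": "carol@contoso.example",
    "appDisplayName": "Microsoft Teams", "clientAppUsed": "Mobile Apps and Desktop clients",
    "ipAddress": "198.51.100.9", "status": { "errorCode": 0 } },
  { "createdDateTime": "2018-05-20T10:41:00Z", "userPrincipalName": "svc-scan@contoso.example",
    "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP",
    "ipAddress": "203.0.113.77", "status": { "errorCode": 50126 } }
]
'@

function Get-LegacyAuthSignIn {
    # Returns only the sign-ins whose Client App is a legacy protocol
    param([Parameter(Mandatory)] [object[]] $SignIn)
    $SignIn | Where-Object { $LegacyClientApps -contains $_.clientAppUsed }
}

function Get-LegacyAuthSummary {
    # One row per account: which legacy protocols it used, how often, and how many attempts failed
    param([Parameter(Mandatory)] [object[]] $SignIn)
    Get-LegacyAuthSignIn -SignIn $SignIn |
        Group-Object userPrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                User      = $_.Name
                Attempts  = $_.Count
                Protocols = ($_.Group.clientAppUsed | Sort-Object -Unique) -join ', '
                Failures  = @($_.Group | Where-Object { $_.status.errorCode -ne 0 }).Count
            }
        } | Sort-Object Attempts -Descending
}

function Get-SignInFromGraph {
    # Pulls the same records live from the Graph sign-ins endpoint, following @odata.nextLink paging.
    # Obtaining $AccessToken (AuditLog.Read.All) is outside this example. The beta endpoint is the
    # one available when this was written; the same resource is served under v1.0 today.
    param([Parameter(Mandatory)] [string] $AccessToken,
          [string] $Uri = 'https://graph.microsoft.com/beta/auditLogs/signIns?$top=1000')
    $headers = @{ Authorization = "Bearer $AccessToken" }
    while ($Uri) {
        $page = Invoke-RestMethod -Uri $Uri -Headers $headers -Method Get
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

# Offline run over the constructed sample: alice shows two legacy protocols,
# svc-scan one failed Authenticated SMTP attempt, bob and carol are not listed.
$signIns = $SampleSignIns | ConvertFrom-Json
Get-LegacyAuthSummary -SignIn $signIns | Format-Table -AutoSize
```

The per-account summary is the view you want before blocking legacy authentication with Conditional Access: it shows which accounts still depend on which protocols, so they can be moved to modern clients first. Failed attempts over a legacy protocol deserve a closer look, because those protocols cannot prompt for multi-factor authentication and therefore only have the password standing in the way.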

     

Azure AD access reviews: auto-apply

Service category: Access Reviews
Product capability: Governance

Access reviews of groups and apps are now generally available as part of Azure AD Premium P2. An administrator can configure a review to automatically apply the reviewer’s changes to that group or app as the access review completes. The administrator can also specify what happens to a user’s continued access if reviewers don’t respond: remove access, keep access, or take the system recommendations.

    

ID tokens can no longer be returned using the query response_mode for new apps.

Service category: Authentications (Logins)
Product capability: User Authentication

Apps created on or after 4/25/2018 will no longer be able to request an id_token using the query response_mode. This brings Azure AD in line with the OpenID Connect (OIDC) specification and helps reduce your apps’ attack surface.

   

Concluding

Not a technical change, but more of a legal change, is the advent of a Microsoft Docs page that details where data is stored for Azure Active Directory tenants in the North Europe and West Europe regions.


I’m speaking at Experts Live Netherlands 2018


Advertised as the biggest Microsoft IT Pro event in the Netherlands, Experts Live Netherlands will take place Tuesday June 19th, 2018 at Cinemec Ede.

As at previous Experts Live Netherlands editions, you’ll find several DirTeam bloggers presenting at this event.

About Experts Live


Experts Live is an independent platform for IT Professionals on Microsoft solutions. A platform for and by the community. Almost every year, Experts Live organizes its knowledge event in the Netherlands. Started as an idea from a small group of Dutch Microsoft MVPs, Experts Live has become the largest Microsoft community event in the Netherlands, with over a thousand visitors.

Both national and international speakers update the visitors in one day on the latest Microsoft technologies. Over the years, many famous and notorious speakers have delivered sessions at Experts Live events.

This year, Experts Live is hosted at CineMec in Ede, the Netherlands again, and scheduled for Tuesday June 19th, 2018. The event offers over 40 break-out sessions, an opening keynote and a closing keynote.

About my session

I’ll deliver one 60-minute session in the security track:

Azure Multi-Factor Authentication: Who do you think you are?

4:15PM – 5:15PM

Passwords were introduced decades ago to solve the authentication problem. Today, we have different challenges and we need more in-depth solutions for authentication assurance. Office 365 and Azure Multi-Factor Authentication (MFA) offer this solution for both your organization’s cloud and on-premises resources. Your organization will no longer be in the dark about the person on the other side of the line: it’s really you and you’ve got the means to prove it!

With several large and complex Azure MFA implementations and upgrades under his belt, Sander Berkouwer (Directory Services and Enterprise Mobility MVP) shares his experiences with these products, their licensing, on-premises deployment scenarios, end-user expectations and the inner workings of the product line-up, including MFA Server, the Security Graph and Azure AD Identity Protection.

Looking for your next-generation identity primer? Look no further!

Join us!

Dave Stork is co-presenting with Jetze Mellema on moving mailboxes cross-premises, from on-premises, from other groupware solutions and between Office 365 tenants. It’s a session you don’t want to miss, either!

Although it’s been a while (almost 19 months after the previous Experts Live Netherlands edition), I’m looking forward to it. I hope you are, too.

Although over 80% of the tickets have already been sold, tickets are still available, so pick up yours before June 14th and join us!


I’m speaking at Journée aOS Aix-en-Provence



Some opportunities are too much fun to pass up on. So, when the aOS Community asked me if I’d be willing to help them out by speaking at their Aix-en-Provence event, of course, I said “Yes”.

   

About aOS

aOS Community (which stands for Azure, Office 365, SharePoint) is an international non-profit gathering of professionals working on the Microsoft collaborative platform.

The aOS Community is an independent organization, open to all, whose members aim to share and exchange ideas around Microsoft technologies in the area of Azure, Office 365 and SharePoint.

aOS organizes, participates in and supports events, promoting the sharing and exchange of these ideas, targeting French-speaking countries primarily, but expanding globally.

aOS is open to everybody.

   

About ‘Journée AOS Aix-en-Provence’

You are invited by CMD (Cloud Mobility Datacenter) and aOS (Azure Office 365 SharePoint) to the third aOS Aix-en-Provence meeting at Cési Aix en Provence on June 21st, 2018. For an entire day, experts in Office 365 and Azure share their experiences from the field.

  

About my session

I’ll deliver a 45-minute session from 1:30 PM to 2:15PM in the Office 365 track:

Seven ways Identity enriches your Office 365 and Azure experience

Azure and Office 365 rely on Azure Active Directory as their identity store.

As a tenfold MVP, I think I know a little about identity. My experience with numerous organizations, ranging from enterprises to small businesses, has taught me that good identity is important to embracing cloud services. I’ll show you seven ways identity enriches the experience you, your colleagues and your customers have when using Azure and Office 365, in my typical humorous but straight-to-the-point style.

 

You’re welcome!

We welcome you on June 21st at CESI in Aix-en-Provence! Access is free of charge, but you will need to register for it on EventBrite.

I studied French for six years when I was in high school. As I’m arranging travel for this event and communicating with the event organizers, it’s all coming back to me. I’m looking forward to it!



KnowledgeBase: High CPU Usage for Azure AD Connect Health Sync Monitor with .NET Framework 4.7.2 Installed



Today, there is an issue in a component of Azure AD Connect version 1.1.819.0, Microsoft’s free Hybrid Identity bridge product that enables you to synchronize objects and their attributes between your on-premises Active Directory Domain Services (AD DS) environment(s) and Azure Active Directory.

The Azure AD Connect Health Sync Monitor Service consumes lots of CPU.

 

About Azure AD Connect Health

Azure AD Connect Health helps administrators monitor and gain insights into their Hybrid Identity implementations. It enables you to maintain a reliable connection to Office 365 and Microsoft Online Services by providing monitoring capabilities for your key identity components:

  • Azure Active Directory Connect installations
  • Active Directory Federation Services (AD FS) servers
  • Web Application Proxies
  • Active Directory Domain Controllers

Azure AD Connect Health makes the key data points about these components easily accessible in the Azure AD Connect Health portal so performance monitoring, usage analysis, troubleshooting and gaining other important insights becomes easy.

Note:
The Azure AD Connect Health component is installed, by default, with Azure AD Connect and, by default, sends diagnostic data to Microsoft. However, an Azure AD Premium license is needed to access the Azure AD Connect Health Portal.

 

The situation

You have installed Azure AD Connect version 1.1.819.0, or your Azure AD Connect installation has automatically upgraded to version 1.1.819.0, along with the auxiliary components, like Azure AD Connect’s Health Agent for Sync. Version 1.1.819.0 of Azure AD Connect comes with Health Agent for Sync version 3.0.164.

You can check these versions in Programs and Features:

Screenshot: Azure AD Connect's version and components in Programs and Features

 

The issue

The Azure AD Connect Health Sync Monitoring Service with version 3.0.164 of the Health Agent for Sync (AzureADConnectHealthSyncMonitor) is always running with high CPU usage. When you stop the service and start it again, CPU usage is normal for the service for a few minutes, before it starts consuming many CPU cycles again.

Reinstalling or reregistering the Azure AD Connect Health Sync Monitoring Service does not resolve the situation.

 

The cause

Azure AD Connect Health’s Sync Monitoring Service causes high CPU usage because of an incompatibility with .NET Framework 4.7.2.

 

The solution

Uninstalling the package that upgrades .NET Framework to version 4.7.2 from the Windows (Server) installation that runs Azure AD Connect solves the issue:

  • On Windows Server 2012, uninstall the Update for Microsoft Windows (KB4054542).
  • On Windows 8.1 and Windows Server 2012 R2, uninstall the Update for Microsoft Windows (KB4054566).
  • On Windows 10 Anniversary Update, Windows 10 Creators Update and Windows Server 2016, uninstall the Update for Microsoft Windows (KB4054590).
  • On Windows 10 Fall Creators Update, uninstall the Update for Microsoft Windows (KB4073120).

Note:
.NET Framework 4.7.2 is not a security release of .NET Framework, but a compatibility update…
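Before uninstalling anything, it helps to confirm that a server is actually in the affected combination. The following check is an added example, not code from the original post: it reads the .NET Framework 4.x release value from the registry, looks for the four KB packages listed above and checks whether the AzureADConnectHealthSyncMonitor service is present. It assumes Windows PowerShell 5.1 with the built-in Get-HotFix cmdlet.

```powershell
# Added example (not from the original post): reports whether a server that runs
# Azure AD Connect has .NET Framework 4.7.2 installed and which of the KB packages
# named in the post is present, so you know which one to remove.

function Test-DotNet472ForAadConnectHealth {
    # The .NET Framework 4.x "Release" DWORD. 461808 (Windows 10 April 2018 Update and
    # Windows Server, version 1803) and 461814 (all other OS versions) both identify
    # 4.7.2, so anything from 461808 upward is 4.7.2 or later.
    $ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $ndp     = Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue
    $release = if ($ndp) { [int]$ndp.Release } else { 0 }
    $has472  = $release -ge 461808

    # The update packages the post lists, one per Windows version.
    $kbs = @('KB4054542', 'KB4054566', 'KB4054590', 'KB4073120')
    $installed = foreach ($kb in $kbs) {
        # Get-HotFix errors when an id is not installed; treat that as "absent".
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { $kb }
    }

    # The service the post describes as consuming CPU; it is absent when the
    # Health agent for sync is not installed on this machine.
    $svc = Get-Service -Name 'AzureADConnectHealthSyncMonitor' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        DotNetRelease       = $release
        DotNet472OrLater    = $has472
        DotNet472Packages   = @($installed)
        HealthSyncMonitor   = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
        AffectedCombination = ($has472 -and $null -ne $svc)
    }
}

Test-DotNet472ForAadConnectHealth | Format-List
```

DotNet472Packages tells you which package to uninstall; an empty list with DotNet472OrLater set means .NET 4.7.2 arrived through another route (for example an in-box OS release) and the KB approach does not apply.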

 

Concluding

Software isn’t perfect. It has bugs and vulnerabilities, but the speed with which a software vendor remedies these builds trust. When two teams in a large software vendor, like Microsoft, create incompatibilities, this reduces trust.

Further reading

What’s new in the .NET Framework
Azure AD Connect Health Sync Monitor High CPU Usage

The post KnowledgeBase: High CPU Usage for Azure AD Connect Health Sync Monitor with .NET Framework 4.7.2 Installed appeared first on The things that are better left unspoken.

I’m co-presenting a Webinar on Picking the Right Backup and Restore Solution for your Active Directory Domain Services needs


Semperis Webinar with Sander Berkouwer and Darren Mar-Elia: Picking the right type of solution for Active Directory Backup and Restore (Wednesday June 27th 2018, 2-3PM EDT)

Next week, on June 27th, I’m presenting a webinar with Darren Mar-Elia, titled ‘Picking the right type of solution for Active Directory Backup and Restore’. This free webinar, hosted by Semperis, aims to help you determine the right solution for your needs, whether it’s reverting changes, undeleting objects, restoring Domain Controllers after ransomware attacks, recovering your entire Active Directory forest or restoring and/or moving your Domain Controllers to a public cloud provider.

 

About Semperis Inc.

Semperis Inc. is an enterprise identity protection company that enables organizations to quickly recover from accidental or malicious changes and disasters that compromise Active Directory, on-premises and in the cloud. The company is led by Mickey Bresman and Guy Teverovsky. Darren is their Head of Product.

Their Semperis Directory Services Protection Platform provides enterprises with the capabilities to automatically restore an entire Active Directory forest, quickly recover thousands of objects or a single crucial attribute, and instantly revert to a previous Active Directory state.

  

About the webinar

Backing up and restoring Active Directory Domain Controllers has caused headaches for many administrators, and the age of the cloud has introduced new challenges and opportunities in this area. Solving these problems before they harm the enterprise is crucial, because when AD goes down, the entire network often becomes inaccessible. The two big pieces in AD continuity planning are replication and proper restores, which means you’ll need proper backups.

In this webinar, we’ll discuss proper backups for Active Directory Domain Controllers. We’ll share what solutions are on the market today to perform backups, and how to pick the Domain Controller backup solution that serves as the foundation of your restore ambitions.

You’ll learn:

  • What to consider in AD backup and recovery
  • How to make sure that your AD backups and restores align with your needs
  • Three main types of backup and recovery options

 

Join us!

The webinar is scheduled for Wednesday June 27th, 2018, starting at 2PM Eastern Time. We’re scheduled to stop at 3PM, but I’m sure we’ll remain online to answer any questions you may have on this topic.

You’re more than welcome to join us, after initial registration.
This event is free of charge.


Pictures of Experts Live Netherlands 2018


Last week, the biggest Microsoft IT Pro event in the Netherlands, Experts Live Netherlands, took place at Pathé Ede.

As this event takes place in the Netherlands, there was not a lot for me to take care of. So, on Tuesday morning I stepped into my car, set the satnav to Ede and enjoyed the ride there. I parked my car in the neighborhood, so I could recharge it, and walked over to the venue.

As I walked in, I was greeted by familiar faces and with warm congratulations.

Experts Live Entrance (photo by Experts Live Organization)
The Community Meets Here (photo by Experts Live Organization)
The Expo Theater (photo by Experts Live Organization)

Apparently, my session was popular enough to be moved to the 1000+ seats ExpoTheater room, the same room as was used for the keynote. As I arrived during the keynote, I decided to take a look at my room during a break. Based on that experience, I decided to adjust my slide deck a bit in terms of text size.

But first… Interview time!

Erwin Derksen (photo by Experts Live Organization)
Interviews all the Time. Here's Raymond! (photo by Experts Live Organization)
Interview (photo by Experts Live Organization)

Erwin Derksen and I had a good laugh, as we spoke for about 15 minutes. I’m sure we added good material to the interview blooper reel, but we also discussed some real technical issues.

I took some pictures of Raymond’s session on ‘Hardening the Modern Windows Client, Let’s not break it this time…’ and evaluated the sound and picture from all angles of the ExpoTheater. Then, it was time for me to climb that stage to talk about multi-factor authentication and conditional access:

Smart Girl (photo by Maya Voskuil)
Explaining MFA Server's Flow (photo by Raymond Comvalius)
Working the Azure Portal (photo by Raymond Comvalius)
Do It Right, Part 2 (photo by Raymond Comvalius)
Speaking (photo by Experts Live Organization)
Azure MFA (photo by Maya Voskuil)

After my session, I talked to a couple of people, who had questions and enjoyed the conversation. Then, I headed home.

   

Thank you!

Thanks to all the people attending, sitting in on my session and, of course, the people who stuck around after my session for the interesting discussions. Thanks to the Experts Live organization for making their event better every year and, of course, my fellow speakers who are always fun to hang out with.


Pictures of aOS Journée Aix-en-Provence


After having volunteered as a speaker for the aOS Community, I finally had the chance to present with them. Last Thursday, I was scheduled to present between 1:30PM and 2:15PM in Aix-en-Provence in the South of France.

I started early in the KLM Lounge at Schiphol airport. Although KLM offers a selection of drinks, I opted for a tea and some breakfast. Then, we boarded and traveled South.

Marseille Provence Airport

After an uneventful flight, we landed at Marseille Provence airport (MRS). A driver was waiting there for me to bring me 20 kilometers East to CESI’s training center in Aix-en-Provence in an airconditioned mini-van. I realized I was lucky, when I saw the temperature outside was 33 degrees Celsius (91 degrees Fahrenheit), while it was a mere 14 degrees Celsius in Amsterdam (57 degrees Fahrenheit).

CESI Aix-En-Provence Front
CESI Aix-En-Provence Entrance

CESI is an organization specializing in the training of engineers, executives, technicians and master’s officers. CESI sponsors the aOS community with event locations, for which they open their locations throughout France.

Room Nautilus at CESI Aix-en-Provence

I checked and settled in the room, before I enjoyed lunch outside with my fellow speakers, fellow MVPs and the attendees. I must admit my timing was impeccable, since lunch was starting to get served the moment I stepped outside.

Nature in Aix-en-Provence

After lunch, I strolled through the beautiful surroundings: Aix-en-Provence’s typical Mediterranean forest countryside. On a sunny day like last Thursday, this is lovely.

Title Slide in French

With Microsoft Garage’s Presentation Translator I translated my slides and offered near real-time French subtitles to my English presentation. It was the first time I used this tool. It worked great!

After my presentation, I headed back to Marseille Provence airport. The driver who brought me to the event also returned me to the airport, where I arrived well on time for my flight home.

Our SCCT Office through the clouds

As I flew past our SCCT office in Leidschendam, I smiled and waved to my colleagues.

Thank you!

Thanks to all the people attending, sitting in on my session and, of course, the people who stuck around after my session for the interesting discussions. Thanks to the aOS community for making this trip and its lunch enjoyable, and of course, the French MVP speakers who are always fun to hang out with.


Configuring Account Lockout throughout a Hybrid Identity Environment


Hybrid Identity

Denial of Service attacks on identity and access systems are commonplace. If you think you’re done once you’ve covered all the bases with account lock-out in your on-premises Active Directory Domain Services (AD DS) environment, you’re wrong. Hybrid Identity requires more effort, and Microsoft only made the tools you need generally available this month.

Let’s have a look.

 

A multi-layer approach

Attackers may cause Denial of Service through password spraying (trying the same password on all user accounts) and/or brute-force attacks (trying multiple passwords for one user account). As accounts get locked, end users experience errors when they themselves log on and disruption in their logged-on applications.

To avoid these Denial of Service situations, common endpoints need to be protected in a smart way. I feel this requires a multi-layer approach, in which the actual account lock in the Identity Provider cannot be triggered from end user-facing endpoints.

Also, Hybrid Identity is different from a couple of years ago. Previously, all we needed to focus on was Active Directory Federation Services (AD FS). Today, account lock-out needs to be available for all sign-in methods, whether the organization leverages AD FS, Password Hash Sync (PHS) or Pass-through Authentication (PTA).

The layers should be:

  1. Extranet Smart Lock-out (for AD FS), or Azure AD Custom Smart Lock-out (for PHS and PTA, in preview)
  2. Active Directory (AD) password and account lock-out policies

Note:
As the Azure AD Lock-out feature doesn’t affect authentications when Active Directory Federation Services (AD FS) is used as the sign-in method, we’ll have to configure the Extranet (Smart) Lock-out feature in AD FS instead of the Azure AD Lock-out feature.

We’ll have to make sure the outermost layer has lower values for the lock-out threshold and observation time window than the innermost layer. This way, the outer layer causes an account lock-out before the inner layer does, and end users can always fall back to inside authentication when outside authentication is locked out.

For the purpose of this blogpost, we’ll use a lock-out threshold of 10 attempts during an observation window of 5 minutes and a lock-out period of 5 minutes for outside authentication and 5 attempts within 5 minutes for indefinite lock-out for inside authentication (after which the account will need to be unlocked by service desk personnel).

 

Configuring AD FS Extranet Smart Lock-out

Requirements:

  • Active Directory Federation Services (AD FS) as sign in method
  • AD FS Servers running Windows Server 2016
  • June 2018 Cumulative update KB4284880, or later, installed on all AD FS Servers

When your organization has deployed Active Directory Federation Services (AD FS) with Web Application Proxies or other MS-ADFSPIP-enabled front-end servers (like F5 appliances), you should be familiar with the AD FS Extranet Lock-out feature, as depicted below:

Overview of AD FS Smart Account Lock-out

For organizations leveraging Active Directory Federation Services (AD FS) on Windows Server 2016, a new feature is available, labeled Extranet Smart Lock-out. This feature is generally available since the June 2018 Cumulative update for Windows Server 2016 (KB4284880, OS Build 14393.2312).

Note:
The feature was originally announced as part of the March 2018 Cumulative update for Windows Server 2016 (KB4088889, OS Build 14393.2155). After a quality issue was detected, the feature was postponed to May/June, where it was mentioned as:

Addresses an issue where enabling Extranet Smart Lock-out in UTC +1 and higher (Europe and Asia) did not work.

The difference between ‘normal’ Extranet Lock-out and Extranet Smart Lock-out is the use of a new AccountActivity table in the Artifact Resolution Store of the AD FS farm or in the Windows Internal Database (WID) installations on all AD FS servers in the AD FS farm.

Whenever a password-based authentication is successful, a ‘familiar IP’ address is added to the table. Whenever a password-based authentication, originating from an unfamiliar IP address failed, the failed authentication count for that IP address is incremented. When the failed authentication count for an unfamiliar IP reaches the lock-out threshold, authentication attempts from the specific unfamiliar IP address are locked out. However, end users from familiar IP addresses do not experience any lock-outs, because lock-outs from familiar locations apply separately from this new unfamiliar lock-out counter.

To enable Extranet Smart Account Lock-out for an AD FS farm using Windows Internal Database (WID), run the following lines of PowerShell:

# Lock out unfamiliar locations after 10 failed password attempts...
Set-AdfsProperties -ExtranetLockoutThreshold 10
# ...counted within a 5-minute observation window
Set-AdfsProperties -ExtranetObservationWindow (New-TimeSpan -Minutes 5)
# Turn extranet lock-out on and switch from the classic mode to Smart Lock-out enforcement
Set-AdfsProperties -EnableExtranetLockout $true
Set-AdfsProperties -ExtranetLockoutMode AdfsSmartLockoutEnforce
# The new mode takes effect after the AD FS service is restarted (on each AD FS server in the farm)
Restart-Service adfssrv

 

Configuring Azure AD Custom Smart Lock-out

Even when organizations are not running Active Directory Federation Services, or are using another sign-in method for Azure Active Directory and its connected services, like Office 365, account lock-out can be configured:

Overview of Azure AD Smart Lock-out

Instead of configuring Extranet Smart Lock-out in AD FS, account lock-out needs to be configured in Azure AD.

Perform these steps:

  • Log into the Microsoft Azure Portal with an account with Company Administrator / Global Administrator privileges.
  • In the left navigation pane, click on Azure Active Directory.
  • In the Azure AD navigation pane, click on Authentication methods. Scroll down in the navigation pane until you see it, if needed.

Custom Smart Lockout in Preview for Azure AD

  • In the Custom smart lockout field, specify the settings for Lockout threshold and Lockout duration in seconds.

Note:
The value entered for Lockout duration in seconds applies to each lock-out, but if an account locks repeatedly, the duration increases exponentially.

  • Click Save in the top bar, when done.

 

Configuring AD password policies

Requirements:

  • At least one Active Directory Domain Controller running Windows Server 2012 or later
  • The Active Directory Domain Functional Level (DFL) must be at least Windows Server 2008

The inner layer consists of fine-grained Password and Account Lock-out policies (FGPP). With the availability of managing Fine-grained Password Policies from the Graphical User Interface (GUI) of the Active Directory Administrative Center (ADAC) and in Windows PowerShell, it has become much easier to manage password and lock-out settings for (groups of) users.

Use the below lines of code to create a fine-grained password policy and assign it to the built-in Domain Users group:

# Fine-grained password and lock-out policy for the inner layer: lock the account after 20 failed
# attempts within a 5-minute window, for 30 minutes. Precedence 100 leaves room for policies with a
# lower (winning) precedence value.
New-ADFineGrainedPasswordPolicy -Name LockoutPolicy -DisplayName LockoutPolicy -Precedence 100 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -PasswordHistoryCount 10 -MinPasswordLength 8 -MinPasswordAge 0.00:15:00 -MaxPasswordAge 42.00:00:00 -LockoutThreshold 20 -LockoutObservationWindow 0.00:05:00 -LockoutDuration 0.00:30:00

# Apply the policy to all members of the built-in Domain Users group
Add-ADFineGrainedPasswordPolicySubject -Identity LockoutPolicy -Subjects "Domain Users"
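The two layers above only protect accounts when the outer one trips first. The following check is an added example, not code from the original post, and serves both the AD FS and the AD sections: it reads the AD FS extranet lock-out properties and the fine-grained password policy (falling back to the default domain password policy when no policy with that name exists) and reports where the layering rule is violated. Get-AdfsProperties, Get-ADFineGrainedPasswordPolicy and Get-ADDefaultDomainPasswordPolicy are the real cmdlets; the function names and the sample objects are constructed here, using the values from this post.

```powershell
# Added example, not part of the original post. Verifies that the outer lock-out
# layer (AD FS Extranet Smart Lock-out) trips before the inner layer (the AD
# lock-out policy), so extranet password attacks cannot lock the AD account itself.
# Reading live settings assumes the AD FS module (on an AD FS server) and the RSAT
# ActiveDirectory module are available; the sample objects below need neither.

function Get-OuterLockoutLayer {
    # The AD FS extranet lock-out settings configured with Set-AdfsProperties.
    $p = Get-AdfsProperties
    [pscustomobject]@{
        Name              = 'AD FS Extranet Smart Lock-out'
        Enabled           = [bool]$p.EnableExtranetLockout
        Mode              = [string]$p.ExtranetLockoutMode
        Threshold         = [int]$p.ExtranetLockoutThreshold
        ObservationWindow = [timespan]$p.ExtranetObservationWindow
    }
}

function Get-InnerLockoutLayer {
    param([string]$PolicyName = 'LockoutPolicy')
    # Prefer the fine-grained policy created in the post; fall back to the default
    # domain password policy when no policy with that name exists.
    $policy = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'"
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
    [pscustomobject]@{
        Name              = 'AD account lock-out policy'
        Threshold         = [int]$policy.LockoutThreshold
        ObservationWindow = [timespan]$policy.LockoutObservationWindow
        Duration          = [timespan]$policy.LockoutDuration
    }
}

function Test-LockoutLayering {
    param(
        [Parameter(Mandatory)] $Outer,   # shaped like Get-OuterLockoutLayer output
        [Parameter(Mandatory)] $Inner    # shaped like Get-InnerLockoutLayer output
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    if (-not $Outer.Enabled) {
        $findings.Add('Extranet lock-out is disabled: the outer layer protects nothing.')
    }
    if ($Outer.Mode -ne 'ADFSSmartLockoutEnforce') {
        $findings.Add("Extranet lock-out mode is '$($Outer.Mode)'; only ADFSSmartLockoutEnforce blocks unfamiliar locations.")
    }
    if ($Inner.Threshold -eq 0) {
        $findings.Add('AD lock-out threshold is 0: accounts never lock, so the inner layer does not throttle guessing at all.')
    }
    elseif ($Outer.Threshold -ge $Inner.Threshold) {
        $findings.Add("Outer threshold ($($Outer.Threshold)) is not lower than inner threshold ($($Inner.Threshold)): extranet attempts can lock the AD account.")
    }
    # AD does not accept a lock-out duration shorter than the observation window
    # (a duration of zero means locked until an administrator unlocks the account).
    if ($Inner.Duration -ne [timespan]::Zero -and $Inner.Duration -lt $Inner.ObservationWindow) {
        $findings.Add('Inner lock-out duration is shorter than its observation window; AD will reject this policy.')
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = @($findings)
    }
}

# Constructed sample: the values used in this post (outer layer 10 attempts in
# 5 minutes; inner layer from the New-ADFineGrainedPasswordPolicy line above).
$sampleOuter = [pscustomobject]@{
    Name = 'AD FS Extranet Smart Lock-out'; Enabled = $true
    Mode = 'ADFSSmartLockoutEnforce'; Threshold = 10
    ObservationWindow = New-TimeSpan -Minutes 5
}
$sampleInner = [pscustomobject]@{
    Name = 'AD account lock-out policy'; Threshold = 20
    ObservationWindow = New-TimeSpan -Minutes 5; Duration = New-TimeSpan -Minutes 30
}
Test-LockoutLayering -Outer $sampleOuter -Inner $sampleInner

# Second constructed sample: an inner threshold lower than the outer one, with
# indefinite lock-out, to show how a violation of the layering rule is reported.
$otherInner = [pscustomobject]@{
    Name = 'AD account lock-out policy'; Threshold = 5
    ObservationWindow = New-TimeSpan -Minutes 5; Duration = [timespan]::Zero
}
Test-LockoutLayering -Outer $sampleOuter -Inner $otherInner

# Against live settings, run on an AD FS server that has the RSAT AD module:
# Test-LockoutLayering -Outer (Get-OuterLockoutLayer) -Inner (Get-InnerLockoutLayer)
```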

 

Concluding

We seem to have come full circle. Where a couple of decades ago, password attacks caused denial of service in Active Directory environments, we’re now seeing the same kind of attacks on Hybrid Identity environments.

Luckily, this time, there is comprehensive multi-layer protection available.


What’s New in Azure Active Directory for June 2018


Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for June 2018:

 

What’s Planned

Security fix to the delegated authorization flow for apps using Azure AD Activity Logs API

Service category: Monitoring & Reporting
Product capability: Reporting

Due to our stronger security enforcement, we’ve had to make a change to the permissions for apps that use a delegated authorization flow to access Azure AD Activity Logs APIs. This change will occur by June 26, 2018.

If any of your apps use Azure AD Activity Log APIs, update your app permissions to ensure the app doesn’t break after the change happens.

 

What’s New

Configure TLS settings to connect to Azure AD services for PCI DSS compliance

Service category: New feature
Product capability: Platform

Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating applications and is the most widely deployed security protocol used today.

The PCI Security Standards Council has determined that early versions of TLS and Secure Sockets Layer (SSL) must be disabled in favor of enabling new and more secure app protocols, with compliance starting on June 30, 2018. This change means that if you connect to Azure AD services and require PCI DSS-compliance, you must disable TLS 1.0. Multiple versions of TLS are available, but TLS 1.2 is the latest version available for Azure Active Directory Services. Microsoft highly recommends moving directly to TLS 1.2 for both client/server and browser/server combinations.

Out-of-date browsers might not support newer TLS versions, such as TLS 1.2. To see which versions of TLS are supported by your browser, go to the Qualys SSL Labs site and click Test your browser. Microsoft recommends you upgrade to the latest version of your web browser and preferably enable only TLS 1.2.

 

New Federated Apps available in Azure AD app gallery

Service category: Enterprise Apps
Product capability: Third-party Integration

In June 2018, Microsoft added these 15 new apps with Federation support to the Azure Active Directory app gallery:

 

Azure AD Password Protection is available in public preview

Service category: Identity Protection
Product capability: User Authentication

Use Azure AD Password Protection to help eliminate easily guessed passwords from your environment. Eliminating these passwords helps to lower the risk of compromise from a password spray type of attack.

Specifically, Azure AD Password Protection helps you:

  • Protect your organization’s accounts in both Azure AD and Windows Server Active Directory (AD).
  • Stop your users from using passwords on a list of more than 500 of the most commonly used passwords, and over 1 million character substitution variations of those passwords.
  • Administer Azure AD Password Protection from a single location in the Azure AD portal, for both Azure AD and on-premises Windows Server AD.

 

 

Conditional Access changes for Terms Of Use

Service category: Terms of Use
Product capability: Governance

During the creation of your Terms of Use (ToU):

  • A new conditional access policy template is also created for “all guests” and “all apps”. This new policy template applies the newly created ToU, streamlining the creation and enforcement process for guests.
  • A new “custom” conditional access policy template is also created. This new policy template lets you create the ToU and then immediately go to the conditional access policy creation blade, without needing to manually navigate through the portal.

 

Azure AD delegated app management roles are in public preview

Type: New feature
Service category: Enterprise Apps

Admins can now delegate app management tasks without assigning the Global Administrator role. The new roles and capabilities are:

  • New standard Azure AD admin roles:
    • Application Administrator. Grants the ability to manage all aspects of all apps, including registration, SSO settings, app assignments and licensing, App proxy settings, and consent (except to Azure AD resources).
    • Cloud Application Administrator. Grants all of the Application Administrator abilities, except for App proxy because it doesn’t provide on-premises access.
    • Application Developer. Grants the ability to create app registrations, even if the allow users to register apps option is turned off.
  • Ownership (set up per-app registration and per-enterprise app, similar to the group ownership process):
    • App Registration Owner. Grants the ability to manage all aspects of owned app registration, including the app manifest and adding additional owners.
    • Enterprise App Owner. Grants the ability to manage many aspects of owned enterprise apps, including SSO settings, app assignments, and consent (except to Azure AD resources).


X marks the spot! My 10th Microsoft MVP Award


10 times MVP

Today, I received a localized e-mail from the Microsoft Most Valuable Professional (MVP) Award team:

Translated from Dutch, it reads:

Dear Sander Berkouwer,

Once again, we are pleased to present you with the 2018-2019 Microsoft Most Valuable Professional (MVP) Award in recognition of your exceptional leadership in technical communities. We appreciate your outstanding contributions to the following technical communities over the past year:

  • Enterprise Mobility

We continue to maintain the MVP Award taxonomy to keep it aligned with changes in technology. In line with your Award recognition, you may receive a notification about an update to your Award category. You will receive more information shortly.

Your MVP Award gift package is on its way. You will receive a shipping notification within five business days. To gain access to all Award benefits, complete the MVP activation steps below.

  

As I was first awarded MVP on January 1st, 2009, this marks my 10th MVP Award:

  1. 2009 Microsoft MVP Directory Services
  2. 2010 Microsoft MVP Directory Services
  3. 2011 Microsoft MVP Directory Services
  4. 2012 Microsoft MVP Directory Services
  5. 2013 Microsoft MVP Directory Services
  6. 2014 Microsoft MVP Directory Services
  7. 2015 Microsoft MVP Directory Services
  8. 2016 Microsoft MVP Enterprise Mobility, Identity and Access
  9. 2017-2018 Microsoft MVP Enterprise Mobility, Identity and Access
  10. 2018-2019 Microsoft MVP Enterprise Mobility, Identity and Access

It’s an honor to be part of this wonderful group of people helping others and closing the feedback circle with Microsoft, especially for the situations in which people use Microsoft products in ways Microsoft has never imagined.

Thank you!



Veeam Availability Suite adds support for the latest technology


Veeam Availability Suite 9.5 Update 3a

This week, we’ve seen the availability of Veeam Availability Suite 9.5 Update 3a. This update addresses several minor issues, but it also adds support for the latest and greatest that Veeam Vanguards and Veeam admins work with.

 

Veeam Backup and Replication 9.5 Update 3a

Veeam B&R is the cornerstone of Veeam’s Availability Suite.

This Monday, the Release Notes for Veeam Backup & Replication 9.5 Update 3a were published.

‘Update 3a’ (build 9.5.0.1922) seems like only a small update to the ‘Update 3’ release, but remember that Update 3 was, in my opinion, a big release offering a lot of new and improved functionality, including the ability to centrally manage Veeam agents.

Update 3a brings support for:

  • VMware vSphere 6.5 Update 2 Preliminary
  • VMware vSphere 6.7
  • VMware vCloud Director 9.1
  • VMware Cloud on AWS version 1.3
  • Microsoft Windows Server Semi-Annual Channel (SAC) releases:
    • Windows Server, version 1803 Standard Edition
    • Windows Server, version 1803 Datacenter Edition
  • Microsoft System Center Virtual Machine Manager 1801

Note:
Windows Server, version 1709 was already supported with Veeam B&R Update 3.

To get the most out of their life cycles, more and more organizations upgrade earlier to the latest vSphere, vCloud Director, Windows 10 and Windows Server releases. Ensuring that these platforms are supported for backup is an important check on their checklists.

 

Veeam Agent for Microsoft Windows

When Veeam introduced its Agent for Microsoft Windows, it meant it broke free of the virtualization space and entered the mainstream world of backup and restore solutions that support virtualized, multi-cloud and non-virtualized resources, while still offering industry-best support to virtualized workloads.

With its integration in Veeam Availability Suite 9.5 Update 3 for centralized management, the Veeam Agent for Microsoft Windows became a key part of Veeam’s Availability Suite.

Veeam Agent for Windows 2.2 now offers support for:

  • Windows Server Semi-Annual Channel (SAC) releases: Windows Server version 1803
  • Windows 10 1803 (RS4, April 2018 update)

Note:
Windows Server, version 1709 and Windows 10 1709 (RS3, Fall Creators Update) were already supported with Veeam B&R Update 3.

 

Veeam Agent for Linux

Version 2 of Veeam’s Agent for Linux was the first version of the product to be manageable through Veeam Availability Suite. This allows you to streamline the discovery, deployment and centralized management of these agents.

Veeam Agent for Linux version 2.0.1 works with Veeam Availability Suite 9.5 Update 3a.

This recently released version supports any Linux kernel from version 2.6.32 and above as long as you use the default kernel of your distribution. Notable newly supported Linux distribution versions by Veeam Agent for Linux 2.0.1 include:

  • Oracle Linux (UEK) R4 U6, R4 U7
  • Oracle Linux (RHCK) 7.5
  • CentOS 7.5
  • RedHat Enterprise Linux 7.5
  • Ubuntu 18.04
  • Fedora 27, 28
  • openSUSE Leap 15
  • SUSE Linux Enterprise for SAP Applications 11 SP4
  • SUSE Linux Enterprise for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3

 

Veeam ONE

Veeam ONE provides complete visibility and delivers proactive monitoring and alerting. Veeam ONE did not need an update to support the above products: the version that was part of the generally available version 9.5 Update 3 was already confirmed to be fully compatible with these technologies.

 

Concluding

Veeam Availability Suite 9.5 Update 3a is mostly a platform support release, although the Release Notes also mention 20 minor updates, including support for ExpressRoute for Direct Restore to Azure.

Further reading

Veeam 9.5 Update 3a – What’s in it for Service Providers
Veeam Availability Suite 9.5 Update 3a is now available!
NEW Veeam Agent for Microsoft Windows 2.2
NEW Veeam Agent for Linux 2.0.1


I’m speaking at TechMentor Redmond 2018


TechMentor Redmond 2018: Geek Of Thrones

Presenting at the Microsoft Campus in Redmond has been an item on my bucket list, for a while. In three weeks time, I’m getting the opportunity to do just that, at TechMentor Redmond 2018!

   

About TechMentor Events

TechMentor offers quality education and exposure to what’s now, new and next in the IT world. Since 1998, TechMentor has delivered immediately usable training to IT professionals.

Leveraging highly respected and professional presenters, TechMentor delivers how-to technical information on deploying, managing and supporting Microsoft products and technologies.

       

About TechMentor Redmond 2018: ‘Geek of Thrones’

On August 6 through August 10, 2018, TechMentor returns to Microsoft Headquarters in Redmond, WA for TechMentor Redmond 2018: ‘Geek of Thrones’. In today’s IT world, more things change than stay the same. For its 20th birthday, TechMentor is more committed than ever to providing immediately usable IT education, with the tools you need today, while preparing you for tomorrow – keep up, stay ahead and avoid Winter, ahem, Change.

  

About my presentations

I will be delivering two presentations:

TH13 – Security Implications of Virtualizing Active Directory Domain Controllers

Thursday August 9 2:15PM – 3:30 PM, St. Helens

Active Directory Domain Controllers hold the keys to your kingdom. So how do you virtualize these castles of identity, without compromising on the requirements of your organization?

This session shares the best practices and process recommendations for hardening, backing up, restoring and managing virtualized Domain Controllers on both Hyper-V, Azure Stack and in Azure Infrastructure-as-a-Service VMs, from the field.

 

TH19 – Azure AD Connect Inside and Out

Thursday August 9 3:45PM – 5 PM, Cascade 

New hybrid cloud scenarios introduce new identity challenges. But how do you overcome these? How do you properly design and implement Hybrid Identity in real world scenarios?

In this demo-packed session, I’ll turn Microsoft’s free Hybrid Identity ‘bridge’ product, Azure AD Connect, inside out, showing all the good stuff, but also the gory details!
This session is one no Active Directory admin should miss!

   

Join us!

You owe it to yourself, your company and your career to be at TechMentor Redmond 2018! This is your chance to experience 5 full days of sessions and in-depth workshops taught by 3rd party instructors, leading independent IT analysts and Microsoft team members. Register for TechMentor Redmond 2018: ‘Geek of Thrones’ now.


I’m doing a webcast with Redmond Magazine on typical Disaster Recovery gaps in Hybrid Active Directory environments


 

Microphones

A while back, I was invited by Redmond Magazine to work with them on a webcast. As I feel Redmond Magazine is still one of the leading publications for Microsoft-oriented IT Pros, I agreed wholeheartedly.

August 1st 2018 marks the calendar for our first mutual experience!

 

About Redmond Magazine

Redmond Magazine is the authoritative, independent voice of the Microsoft IT community, and provides real-world technical, product, news, and industry information for experienced IT professionals working within a Windows platform computing environment.

RedmondMag’s readers are the decision drivers of the industry and include IT managers, network managers, network administrators and system administrators. Providing them with information, strategies, and behind-the-scenes insight into Microsoft and the Windows computing platform enables them to make better informed decisions regarding their organizations’ IT infrastructures.

 

About the webinar

The webinar is hosted by Redmond Magazine on August 1st, 2018 at 11 AM Pacific Time:

Disaster Recovery Gaps in Hybrid AD Environments

Speakers:
Sander Berkouwer, Microsoft MVP
Keri Farrell, Quest Software

Many organizations have embraced hybrid identity strategies, where they extend their on-premises Active Directory Domain Services environment to Azure AD.

Let’s look at how admins have typically performed this task, and why their real-world setups differ from Microsoft’s marketing materials. Learn how Azure AD is not (and cannot be) seen as a 100% slave to Active Directory and how this impacts your backup and restore strategy both in terms of changes and deletions.

Backing up AD, but not Azure AD? You might be in trouble…

 

Join us!

Register today to join us!
This webinar is offered free of charge.

The webcast is sponsored by Quest.


Azure AD Connect version 1.1.880.0 is now available

Last Friday, Microsoft released Azure AD Connect version 1.1.880.0. Azure AD Connect is Microsoft’s free Hybrid Identity bridge product, which synchronizes objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

 

What’s Fixed

SQL Deadlock Issue

The Azure AD Connect team fixed a bug that would intermittently produce an error message for an auto-resolved SQL deadlock issue.

Accessibility Issues

The Azure AD Connect team fixed several accessibility issues for the Sync Rules Editor and the Sync Service Manager.

Registry access issue

The Azure AD Connect team fixed a bug where Azure AD Connect could not read registry setting information.

Forward/Back Issue

The Azure AD Connect team fixed a bug that created issues when the user goes forward/back in the Azure AD Connect configuration wizard.

Multi-thread handling issue

The Azure AD Connect team fixed a bug to prevent an error caused by incorrect multi-thread handling in the Azure AD Connect configuration wizard.

LDAP error resolving issue

When an admin encounters an LDAP error while resolving security groups on the Group Sync Filtering page, Azure AD Connect now returns the exception with full fidelity. The root cause of the referral exception is still unknown and will be addressed as a separate bug fix.

Windows Hello for Business Certificate Issue

The Azure AD Connect team fixed a bug where permissions for Next Generation Cryptography (NGC) and non-NGC keys were not correctly set on the msDS-KeyCredentialLink attribute on user and/or device objects for Windows Hello for Business.

Set-ADSyncRestrictedPermissions issue

The Azure AD Connect team fixed a bug where Azure AD Connect did not call the Set-ADSyncRestrictedPermissions Windows PowerShell Cmdlet correctly.

Support for permission granting on Group Write-back

The Azure AD Connect team added support for permission granting on the Group Writeback feature in Azure AD Connect’s installation wizard.

Sign-in method from PHS to AD FS switching issue

Previously, when changing the sign-in method from Password Hash Synchronization (PHS) to Active Directory Federation Services (AD FS), Password Hash Sync was not disabled. Starting in Azure AD Connect version 1.1.880.0, switching the sign-in method disables PHS.

IPv6 Verification in AD FS configuration

When Azure AD Connect is used to manage Active Directory Federation Services (AD FS), it verifies proper DNS resolution of the AD FS service name. Previously, only IPv4 addresses were verified against IPv4-based DNS servers. The Azure AD Connect team added verification of IPv6 addresses in the AD FS configuration, so organizations that only use IPv6 are now able to use this functionality, too.

Updated error messages

The Azure AD Connect team updated the notification message that informs the admin that an Azure AD Connect configuration already exists.

In multi-domain and multi-forest environments, one Organizational Unit (OU) needs to be picked by an admin in one of the domains for device write-back. When device write-back fails to detect the container in an untrusted forest, a better error message and a link to the appropriate documentation are shown.

Previously, deselecting an OU and then synchronizing or writing back objects corresponding to that OU produced a generic sync error. This has been changed to a more understandable error message.

    

What’s New

PingFederate Integration is GA

The PingFederate integration in Azure AD Connect is now generally available (GA). Learn more about how to federate Azure AD with PingFederate.

More resilient AD FS RPT Change logic

Azure AD Connect now creates a backup of the “Office 365 Identity Platform” relying party trust (RPT) in Active Directory Federation Services (AD FS) every time an update is made, and stores it in a separate file for easy restore if required. Learn more about the new functionality and Azure AD trust management in Azure AD Connect.

New troubleshooting tooling

New troubleshooting tooling has been introduced to help troubleshoot changing primary email addresses and accounts hidden from the global address list (GAL).

SQL Server Native Client update

Azure AD Connect was updated to include the latest SQL Server 2012 Native Client.

Seamless Single Sign-On by Default

When an admin switches the user sign-in method to Password Hash Synchronization (PHS) or Pass-through Authentication (PTA) in the “Change user sign-in” task, the Seamless Single Sign-On (S3O) checkbox is enabled by default.

Added support for Windows Server Essentials 2019

Azure AD Connect can now be installed on Windows Server Essentials 2019. This edition of Windows Server 2019 is aimed at home offices and small businesses. Currently, there is no further information available on this specific edition of Windows Server 2019.
Windows Server 2019 is currently in preview.

Azure AD Connect Health Agent 3.1.7.0

The Azure AD Connect Health agent that is installed by default with every Azure AD Connect installation is updated to version 3.1.7.0. This version corrects the race condition in the Azure AD Connect Health Sync Monitor service that caused 100% CPU usage on Azure AD Connect installations with the latest Windows updates installed.

Version 3.1.7.0 of the Azure AD Connect Health agents for AD FS and AD DS is also available as separate downloads, to resolve identical issues on Web Application Proxies (WAPs), AD FS servers and Domain Controllers that are monitored using Azure AD Connect Health.

More resilient modified Sync Rule overwrite logic

During an upgrade, if the Azure AD Connect installer detects changes to the default sync rules, the admin is prompted with a warning before the modified rules are overwritten. This allows the admin to take corrective action and resume later.

Previously, if any out-of-box rule had been modified, a manual upgrade overwrote those rules without warning the admin, and the sync scheduler was disabled without informing the admin. Now, the admin is prompted with a warning before the modified out-of-box sync rules are overwritten, and has the choice to stop the upgrade process and resume later after taking corrective action(s).

Error for MD5 Hash Generation in FIPS-compliant environments

Azure AD Connect now handles a FIPS compliance issue better: it provides an error message for MD5 hash generation in FIPS-compliant environments and a link to documentation that describes a workaround for this issue.

Grouped Federation Tasks

All federation additional tasks are now grouped under a single sub-menu for ease of use.

ADSyncConfig PowerShell Module revamped

A new, revamped ADSyncConfig Windows PowerShell module (AdSyncConfig.psm1) is introduced in Azure AD Connect version 1.1.880.0. It now includes the AD permissions functions that were moved from the old ADSyncPrep.psm1 Windows PowerShell module, which may be deprecated shortly.

   

Version information

This is version 1.1.880.0 of Azure AD Connect.
It was signed off on July 20, 2018.

 

When will you get it?

This release is currently distributed to Azure AD Connect tenants that have enabled auto-upgrade. When sufficient auto-upgrade tenants have upgraded to eliminate the possibility of a bad Azure AD Connect version, Microsoft will release Azure AD Connect version 1.1.880.0 for general download here.

 

Concluding

Azure AD Connect version 1.1.880.0 offers numerous fixes that make your life as a Hybrid Identity admin more enjoyable, including a fix for the 100% CPU issue with the Azure AD Connect Health Sync Monitor service. On a high note, PingFederate support is now GA with this version.


What’s New in Azure Active Directory for July 2018

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new and changed functionality for Azure Active Directory for July 2018:

 

What’s New

Azure AD Activity Logs are now available through Azure Monitor

Service category: Reporting
Product capability: Monitoring & Reporting

The Azure AD Activity Logs are now available in public preview in Azure Monitor (Azure’s platform-wide monitoring service). Azure Monitor offers organizations these improvements:

  • Long-term retention by routing your log files to your own Azure storage account.
  • Seamless integration with Security Incident and Event Management (SIEM) solutions, without requiring organizations to write or maintain custom scripts.
  • Seamless integration with your own custom solutions, analytics tools, and/or incident management solutions.

 

Conditional access information added to the Azure AD sign-ins report

Service category: Reporting
Product capability: Identity Security & Protection

This update to the Azure AD Sign-ins Report lets admins see which policies are evaluated when a user signs in along with the policy outcome. In addition, the report now includes the type of client app used by the user, so admins can identify legacy protocol traffic. Report entries can also now be searched for a correlation ID, which can be found in the user-facing error message and can be used to identify and troubleshoot the matching sign-in request.

 

View legacy authentications through Sign-ins activity logs

Service category: Reporting
Product capability: Monitoring & Reporting

With the introduction of the Client App field in the Sign-in activity logs, organizations can now see users that are using legacy authentications. Admins will be able to access this information using the Sign-ins MS Graph API or through the Sign-in activity logs in the Azure AD portal, where admins can now use the Client App control to filter on legacy authentications.
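The two reporting changes above (Azure AD sign-in logs exported through Azure Monitor, and the Client App field that exposes legacy authentication) are combined in this added example, which is not code from the post or from Microsoft. It parses a constructed export of sign-in records shaped like the MS Graph signIn resource and flags the sign-ins that used a legacy client; the set of "modern" Client App values is an assumption, so adjust it to what your tenant reports.

```python
"""Flag legacy-authentication sign-ins in an exported Azure AD sign-in log.

Added example, not the blog post's or Microsoft's code. The records below are
constructed and follow the shape of the MS Graph signIn resource
(userPrincipalName, clientAppUsed, correlationId, status.errorCode).
"""
import json
from collections import Counter

# Assumption: these Client App values denote modern authentication; any other
# value (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, ...) is legacy.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample export, one JSON object per line, as a SIEM would ingest it.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "correlationId": "c1", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "correlationId": "c2", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "Authenticated SMTP", "correlationId": "c3", "status": {"errorCode": 50126}}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "correlationId": "c4", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@example.com", "clientAppUsed": "Exchange ActiveSync", "correlationId": "c5", "status": {"errorCode": 0}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_legacy(record):
    """True when the Client App field is absent or not a modern-auth client."""
    return record.get("clientAppUsed", "Other clients") not in MODERN_CLIENT_APPS


def legacy_signins(text):
    """Return (user, client app, correlation ID, succeeded) per legacy sign-in.

    The correlation ID is kept because it is the value to search the report
    for when troubleshooting a specific sign-in request.
    """
    hits = []
    for rec in parse_signins(text):
        if is_legacy(rec):
            succeeded = rec.get("status", {}).get("errorCode", 0) == 0
            hits.append((rec["userPrincipalName"], rec["clientAppUsed"],
                         rec["correlationId"], succeeded))
    return hits


def legacy_users_summary(text):
    """Count successful legacy sign-ins per user: the accounts to migrate first."""
    return Counter(user for user, _, _, ok in legacy_signins(text) if ok)


if __name__ == "__main__":
    for user, app, cid, ok in legacy_signins(SAMPLE_SIGNINS):
        print(f"{user:20} {app:22} {cid:4} {'success' if ok else 'failure'}")
    print(dict(legacy_users_summary(SAMPLE_SIGNINS)))
```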

 

New Federated Apps available in Azure AD app gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2018, the Azure AD team added these 16 new apps with Federation support to the app gallery:

 

New user provisioning SaaS app integrations

Service category: App Provisioning
Product capability: 3rd Party Integration

Azure AD allows organizations to automate the creation, maintenance, and removal of user identities in SaaS applications such as Dropbox, Salesforce, ServiceNow, and more. For July 2018, Microsoft has added user provisioning support for the following applications in the Azure AD app gallery:

 

Converged security info management for self-service password reset and Multi-Factor Authentication

Service category: Self-Service Password Reset
Product capability: User Authentication

This new feature lets users manage their security info (for example, phone number, email address, mobile app, and so on) for self-service password reset (SSPR) and Multi-Factor Authentication (MFA) in a single experience. Users will no longer have to register the same security info for SSPR and MFA in two different experiences. This new experience also applies to users who have either SSPR or MFA.

Note:
This is an opt-in public preview. Admins can turn on the new experience (if desired) for a selected group of users or all users in a tenant.

 

What’s Changed

Improvements to Azure AD email notifications

Service category: Other
Product capability: Identity lifecycle management

Azure Active Directory (Azure AD) emails now feature an updated design, as well as changes to the sender email address and sender display name, when sent from the following services:

  • Azure AD Access Reviews
  • Azure AD Connect Health
  • Azure AD Identity Protection
  • Azure AD Privileged Identity Management
  • Enterprise App Expiring Certificate Notifications
  • Enterprise App Provisioning Service Notifications

The email notifications will be sent from azure-noreply@microsoft.com. Be sure to check the Junk Email folder of your (admin) mailbox, and to update any mail flow rules you might have.

 

Visual updates to the Azure AD and MSA sign-in experience

Service category: Azure AD
Product capability: User Authentication

Microsoft has updated the user interface for Microsoft’s online services sign-in experience, such as for Office 365 and Azure. This change makes the screens less cluttered and more straightforward. For more information about this change, see the Upcoming improvements to the Azure AD sign-in experience blogpost, dated April 4th, 2018.

 

Updates to the Terms of Use (ToU) end-user interface

Service category: Terms of Use
Product capability: Governance

Microsoft has updated the acceptance string in the TOU end-user interface.

Current: In order to access [tenant] resources, you must accept the terms of use.
New: In order to access [tenant] resource, you must read the terms of use.

Current: Choosing to accept means that you agree to all of the above terms of use.
New: Please click Accept to confirm that you have read and understood the terms of use.

 

Pass-through Authentication supports legacy protocols and applications

Service category: Authentications (Logins)
Product capability: User Authentication

Pass-through Authentication (PTA) now supports legacy protocols and apps. These previously unsupported scenarios are now fully supported:

  • User sign-ins to legacy Office client applications, Office 2010 and Office 2013, without requiring modern authentication.
  • Access to calendar sharing and free/busy information in Exchange hybrid environments on Office 2010 only.
  • User sign-ins to Skype for Business client applications without requiring modern authentication.
  • User sign-ins to PowerShell version 1.0.
  • The Apple Device Enrollment Program (Apple DEP), using the iOS Setup Assistant.

 

Use the Microsoft Authenticator app to verify your identity when you reset your password

Service category: Self-Service Password Reset
Product capability: User Authentication

This feature lets non-admins verify their identity while resetting a password using a notification or code from Microsoft Authenticator (or any other authenticator app). After admins turn this self-service password reset method on, colleagues who have registered a mobile app through aka.ms/mfasetup or aka.ms/setupsecurityinfo can use their mobile app as a verification method while resetting their password.

Mobile app notification can only be turned on as part of a policy that requires two methods to reset your password.
