Channel: The things that are better left unspoken

HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Intranet Sites list in Internet Explorer.

Note:
This is the first part for adding Microsoft Cloud URLs to Internet Explorer’s zones. In this part we look at the Local Intranet zone. In the next part we look at the Trusted Sites zone.

Note:
Adding URLs to the Local Intranet zone for Internet Explorer also applies to Microsoft Edge.

 

Why look at the Intranet Sites?

Active Directory Federation Services (AD FS), and certain functionality in Azure Active Directory, leverage Windows Integrated Authentication to allow for Single Sign-on (SSO).

Single Sign-on reduces prompt fatigue in people and thus makes them more aware of the moments when password prompts do happen and (this is the theory…) more attentive to what they are doing with their passwords.

I’m not a psychologist, but I do know how to make Windows Integrated Authentication work with Internet Explorer.

Intranet Sites vs. Trusted Sites (with Default settings)

Internet Explorer offers built-in zones:

  • Local intranet
  • Trusted sites
  • Internet
  • Restricted sites

Per zone, Internet Explorer allows specific functionality. Restricted Sites is the most restricted zone: Internet Explorer deploys the maximum safeguards there, and fewer features (like Windows Integrated Authentication) are enabled.

The Local intranet zone, by default, offers a medium-low level of security, whereas Trusted sites allows for medium-level security. By default, the Local intranet zone allows for the following functionality beyond the Trusted sites zone:

  • Local intranet does not allow ActiveX Filtering
  • Local intranet allows Scriptlets
  • Local intranet allows accessing data sources across domains (Trusted sites prompt)
  • Local intranet allows scripting of Microsoft web browser control
  • Sites in the Local intranet zone don’t prompt for client certificate selection when only one certificate exists
  • Sites in the Local intranet zone may launch applications and unsafe files
  • Sites in the Local intranet zone may navigate windows and frames across different domains
  • Local intranet sites do not use the Pop-up Blocker feature
  • Local intranet sites do not use the Defender SmartScreen feature
  • Local intranet sites allow programmatic clipboard access
  • Local intranet sites do not use the XSS Filter feature
  • Local intranet sites allow user authentication

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Local intranet zone to the zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code executions.

While this does not represent a clear and immediate danger, it is a situation to avoid.

 

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

  • A member of the Domain Admins group, or;
  • The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
  • Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

 

The URLs to add

You’ll want to add the following URLs to the Local intranet zone, depending on the way you’ve set up your Hybrid Identity implementation:

 

https://<YourADFSFarmName>

When you use federation with Active Directory Federation Services (AD FS), the URL for the AD FS farm needs to be added to the Local Intranet zone. As AD FS is authenticated against, it needs to be in the Local intranet zone because, by default, this is the only zone that allows websites to perform user authentication.

 

https://login.microsoftonline.com

https://secure.aadcdn.microsoftonline-p.com

The https://login.microsoftonline.com and https://secure.aadcdn.microsoftonline-p.com URLs are the main URLs for authenticating to Microsoft cloud services. As these URLs are used to authenticate against, they need to be added to the Local intranet zone as, by default, this is the only zone for websites to allow for user authentication.

 

https://aadg.windows.net.nsatc.net

https://autologon.microsoftazuread-sso.com

If you use the Seamless Single Sign-On (3SO) feature in Azure AD Connect, then you’ll want to add the following URLs to the Local intranet zone:

  1. https://aadg.windows.net.nsatc.net and
  2. https://autologon.microsoftazuread-sso.com

These URLs need to be added to the Local intranet zone on all devices where people in the organization use the 3SO feature, as these are the URLs where they will authenticate against. Trusted sites, by default, do not allow this functionality.

If you don’t use the 3SO functionality, don’t add the above URLs.

 

https://account.activedirectory.windowsazure.com

It is still one of Microsoft’s recommendations to add the https://account.activedirectory.windowsazure.com URL to the Local intranet zone. However, an enhanced experience is available that no longer points employees to this URL, but instead to the https://myprofile.microsoft.com URL, which uses the normal authentication URLs.

The new enhanced experience is available in the Azure portal, under User settings, Manage user feature preview settings (in the User feature previews area) named Users can use preview features for registering and managing security info – enhanced.

If you’ve enabled the enhanced preview, don’t add the above URL.

How to add the URLs to the Local Intranet zone

To add the URLs to the Local Intranet zone, perform these steps:

  • Log into a system with the Group Policy Management Console (GPMC) installed.
  • Open the Group Policy Management Console (gpmc.msc).
  • In the left pane, navigate to the Group Policy objects node.
  • Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
  • Right-click the Group Policy object and select Edit… from the menu.
    The Group Policy Management Editor window appears.
  • In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel and then the Security Page node.

The Site To Zone Assignment List setting for a Group Policy object in the Group Policy Management Console

  • In the main pane, double-click the Sites to Zone Assignment List setting.
  • Enable the Group Policy setting by selecting the Enabled option in the top pane.
  • Click the Show… button in the left pane.
    The Show Contents window appears.

Adding Hybrid Identity Sites to the Local Intranet Zone

  • Add the above URLs to the Local Intranet zone by entering the URL in the Value name column and the number 1 in the Value column for each of the URLs.
  • Click OK when done.
  • Close the Group Policy Editor window.
  • In the left navigation pane of the Group Policy Management Console, navigate to the Organizational Unit (OU) where you want to link the Group Policy object.
  • Right-click the OU and select Link an existing GPO… from the menu.
  • In the Select GPO window, select the GPO.
  • Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.

 

Concluding

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones when you don’t need the functionality. However, do not forget to add the specific URLs when you enable specific functionality like Seamless Single Sign-on, and remove specific URLs when you move away from specific functionality.

Further reading

Office 365 URLs and IP address ranges
Group Policy – Internet Explorer Security Zones
Add Site to Local Intranet Zone Group Policy

The post HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge appeared first on The things that are better left unspoken.


On-premises Identity updates & fixes for September 2019


Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for September 2019:

 

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4516044 September 10, 2019

The September 10, 2019 update for Windows Server 2016 (KB4516044), updating the OS Build number to 14393.3204, is a security update that includes many security fixes.

This update addresses CVE-2019-1273. This is an Important Active Directory Federation Services XSS Vulnerability.

A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (AD FS) does not properly sanitize certain error messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected AD FS server. An attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run scripts in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the AD FS farm on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

The security update addresses the vulnerability by helping to ensure that AD FS error handling properly sanitizes error messages.

KB4522010 September 23, 2019

The September 23, 2019 update for Windows Server 2016 (KB4522010) updating the OS Build number to 14393.3206 does not include Identity-related updates. It includes security updates to Internet Explorer, released out-of-band.

KB4516061 September 24, 2019

The September 24, 2019 update for Windows Server 2016 (KB4516061) updating the OS Build number to 14393.3242 includes the following Identity-related updates:

  • It addresses an issue that may cause authentication to fail for certificate-based authentication when the certificate authentication includes a cname as part of the pre-authentication request.
  • It addresses an issue that may cause the Local Security Authority Subsystem Service (LSASS) to stop working with an “0xc0000005” error.
  • It addresses an issue that causes the Local Security Authority Subsystem Service (LSASS) to stop working, which causes the system to shut down. This occurs when migrating Data Protection API (DPAPI) credentials using dpapimig.exe with the domain option.
  • It addresses an issue with LdapPermissiveModify requests, which fail to make Active Directory (AD) group membership changes if the Lightweight Directory Access Protocol (LDAP) client uses the Security Identifier (SID) syntax. In this scenario, Active Directory returns a “SUCCESS” status even though the change did not occur.

 

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4512578 September 10, 2019

The September 10, 2019 update for Windows Server 2019 (KB4512578), updating the OS Build number to 17763.737, is a security update that includes many security fixes.

This update addresses CVE-2019-1273. This is an Important Active Directory Federation Services XSS Vulnerability.

A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (AD FS) does not properly sanitize certain error messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected AD FS server. An attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run scripts in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the AD FS farm on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

The security update addresses the vulnerability by helping to ensure that AD FS error handling properly sanitizes error messages.

KB4522015 September 23, 2019

The September 23, 2019 update for Windows Server 2019 (KB4522015), updating the OS Build number to 17763.740, does not include Identity-related updates. It includes security updates to Internet Explorer, released out-of-band.

KB4516077 September 24, 2019

The September 24, 2019 update for Windows Server 2019 (KB4516077), updating the OS Build number to 17763.774, includes the following Identity-related updates:

  • It addresses an issue that may cause the Local Security Authority Subsystem Service (LSASS) to stop working with an “0xc0000005” error.
  • It addresses an issue that causes the lsass.exe service to stop working, which causes the system to shut down. This occurs when migrating Data Protection API (DPAPI) credentials using dpapimig.exe with the -domain option.
  • It addresses an issue that prevents you from running the Active Directory Diagnostics Data Collector Set from the Performance Monitor for Domain Controllers. This causes the Data Collector Set name to appear empty. Running the Active Directory Diagnostics Data Collector Set returns the error, “The system cannot find the file specified.” Event ID 1023 is logged with the source as Perflib and the following messages:
    • Windows cannot load the extensible counter DLL “C:\Windows\system32\ntdsperf.dll”.
    • The specified module could not be found.
  • It addresses an issue that may cause authentication to fail for certificate-based authentication when the certificate authentication includes a cname as part of the pre-authentication request.
  • It addresses a Lightweight Directory Access Protocol (LDAP) runtime issue for Domain Controller Locator-style LDAP requests. The error is, “Error retrieving RootDSE attributes, data 8, v4563.”
  • It addresses an issue that causes LDAP queries that contain LDAP_MATCHING_RULE_IN_CHAIN (memberof:1.2.840.113556.1.4.1941) to intermittently fail on Windows Server 2019 domain controllers. However, these queries do not fail on domain controllers running previous versions of Windows Server.
  • It addresses an issue that causes group membership changes in Active Directory groups to fail. This occurs if the Lightweight Directory Access Protocol (LDAP) client uses the Security Identifier (sID) Distinguished Name (DN) syntax after installing previous versions of NTDSAI.DLL. In this scenario, an issue with the LdapPermissiveModify (LDAP_SERVER_PERMISSIVE_MODIFY_OID) control causes Active Directory to incorrectly return a SUCCESS status even though the group membership change did not occur.
  • It addresses an issue in which the Set-AdfsSslCertificate script is successful. However, it throws an exception during resource cleanup because the target server-side endpoint is no longer there.

This update includes so many improvements, that Joseph Ryan Ries, Escalation Engineer at Microsoft Corp., claims that Windows Server 2019 Domain Controllers are now ready for production…


HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Trusted Sites list in Internet Explorer.

Note:
This is the second part for adding Microsoft Cloud URLs to Internet Explorer’s zones. In this part we look at the Trusted Sites zone. In the previous part we looked at the Local Intranet zone.

Note:
Adding URLs to the Trusted Sites zone for Internet Explorer also applies to Microsoft Edge.

 

Why look at the Trusted Sites?

Hybrid Identity enables functionality for people using on-premises user accounts, leveraging Azure Active Directory as an additional identity platform. By default, Azure AD is the identity platform for Microsoft Cloud services, like Exchange Online, SharePoint Online and Azure.

By adding the URLs for these services to the Trusted Sites list, we enable a seamless user experience without browser prompts or hiccups for these services.

Internet Explorer offers built-in zones. Per zone, Internet Explorer allows specific functionality. Restricted Sites is the most restricted zone: Internet Explorer deploys the maximum safeguards there, and fewer features (like Windows Integrated Authentication) are enabled.

The Trusted Sites zone, by default, offers a medium level of security.

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Trusted Sites zone to the zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code executions, for example when you mistype the URLs or when DNS is compromised.

While this does not represent a clear and immediate danger, it is a situation to avoid.

 

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

  • A member of the Domain Admins group, or;
  • The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
  • Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

 

The URLs to add

You’ll want to add the following URLs to the Trusted Sites zone, depending on the way you’ve set up your Hybrid Identity implementation:

 

*.live.com

*.microsoft.com

*.microsoftonline.com

*.windows.net

ajax.aspnetcdn.com

microsoft.com

microsoftline.com

microsoftonline-p.net

onmicrosoft.com

The above URLs are used in Hybrid Identity environments. While they overlap with some of the URLs for the Local Intranet Zone, these URLs allow side services to work properly, too.

 

*.msappproxy.net

Web applications that you integrate with Azure Active Directory through the Azure AD Application Proxy are published using https://*.msappproxy.net URLs. Add the above wildcard URL to the Trusted Sites list, when you’ve deployed or are planning to deploy Azure AD App Proxy. If you use vanity names for Azure AD App Proxied applications, add these to the Trusted Sites list, as well.

 

Other Office 365 services

Most Hybrid Identity implementations are used to allow access to Office 365 only. Last year, 65% of Hybrid Identity implementations were used to unlock access to one or more Office 365 services, like Exchange Online, SharePoint Online, OneDrive for Business and Teams, only. This blogpost focuses on the Hybrid Identity URLs, but you might want to add more Office 365 URLs and IP address ranges to the Trusted Sites list as you deploy, roll out and use Office 365 services. You can use this (mostly outdated) Windows PowerShell script to perform that action, if you need to.

 

How to add the URLs to the Trusted Sites zone

To add the URLs to the Trusted Sites zone, perform these steps:

  • Log into a system with the Group Policy Management Console (GPMC) installed.
  • Open the Group Policy Management Console (gpmc.msc).
  • In the left pane, navigate to the Group Policy objects node.
  • Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
  • Right-click the Group Policy object and select Edit… from the menu.
    The Group Policy Management Editor window appears.
  • In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel and then the Security Page node.

The Site To Zone Assignment List setting for a Group Policy object in the Group Policy Management Console

  • In the main pane, double-click the Sites to Zone Assignment List setting.
  • Enable the Group Policy setting by selecting the Enabled option in the top pane.
  • Click the Show… button in the left pane.
    The Show Contents window appears.
  • Add the above URLs to the Trusted Sites zone by entering the URL in the Value name column and the number 2 in the Value column for each of the URLs.
  • Click OK when done.
  • Close the Group Policy Editor window.
  • In the left navigation pane of the Group Policy Management Console, navigate to the Organizational Unit (OU) where you want to link the Group Policy object.
  • Right-click the OU and select Link an existing GPO… from the menu.
  • In the Select GPO window, select the GPO.
  • Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.
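As an added example (not code from either post), the following PowerShell audit reads the Site to Zone Assignment List that the GPO delivers to a machine in scope and compares it with the URL lists from both the Local Intranet post and this Trusted Sites post, flagging missing entries, entries in the wrong zone and, as the "what could go wrong" check, anything in Local intranet that is not a Hybrid Identity URL. It assumes the GPO uses Computer Configuration (the HKLM policy key below), that adfs.example.com stands in for <YourADFSFarmName>, and that the switches describe which features your tenant uses.

```powershell
# Added example, not code from the original posts. Audits the policy-delivered
# Site to Zone Assignment List against the Hybrid Identity URL lists.
# Assumptions: Computer Configuration GPO (HKLM policy key), 'adfs.example.com'
# is a placeholder for <YourADFSFarmName>, switches describe your own tenant.

$ZoneMapPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ExpectedZoneMap {
    param(
        [string] $AdfsFarmName,                # placeholder for <YourADFSFarmName>
        [switch] $UsesSeamlessSso,             # Seamless Single Sign-On (3SO) enabled in Azure AD Connect
        [switch] $EnhancedSecurityInfoPreview, # 'enhanced' registration preview enabled in the tenant
        [switch] $UsesAppProxy                 # Azure AD Application Proxy deployed or planned
    )
    $map = [ordered]@{}
    # Value 1 = Local intranet: the post's reason is that, by default, only this zone allows user authentication
    $map["https://$AdfsFarmName"]                       = 1
    $map['https://login.microsoftonline.com']           = 1
    $map['https://secure.aadcdn.microsoftonline-p.com'] = 1
    if ($UsesSeamlessSso) {
        $map['https://aadg.windows.net.nsatc.net']         = 1
        $map['https://autologon.microsoftazuread-sso.com'] = 1
    }
    if (-not $EnhancedSecurityInfoPreview) {
        $map['https://account.activedirectory.windowsazure.com'] = 1
    }
    # Value 2 = Trusted sites, exactly as listed in the Trusted Sites post
    $trusted = '*.live.com', '*.microsoft.com', '*.microsoftonline.com', '*.windows.net',
               'ajax.aspnetcdn.com', 'microsoft.com', 'microsoftline.com', 'microsoftonline-p.net',
               'onmicrosoft.com'
    if ($UsesAppProxy) { $trusted += '*.msappproxy.net' }
    foreach ($site in $trusted) { $map[$site] = 2 }
    return $map
}

function Get-ZoneMapEntries {
    param([string] $Path = $ZoneMapPolicyKey)
    # Each policy-delivered site is a REG_SZ value: name = site, data = zone number
    if (-not (Test-Path -Path $Path)) { return @() }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Site = $name; Zone = [int]$key.GetValue($name) }
    }
}

function Test-ZoneMap {
    param([System.Collections.IDictionary] $Expected, [object[]] $Actual)
    $findings  = New-Object System.Collections.Generic.List[string]
    $actualZone = @{}
    foreach ($entry in $Actual) { $actualZone[$entry.Site] = $entry.Zone }
    foreach ($site in $Expected.Keys) {
        $want = $ZoneNames[$Expected[$site]]
        if (-not $actualZone.ContainsKey($site)) {
            $findings.Add("MISSING   $site should be in $want")
        } elseif ($actualZone[$site] -ne $Expected[$site]) {
            $findings.Add("WRONGZONE $site is in $($ZoneNames[$actualZone[$site]]), expected $want")
        }
    }
    # The posts' 'what could go wrong': anything in Local intranet that is not a Hybrid Identity URL
    foreach ($entry in $Actual) {
        if ($entry.Zone -eq 1 -and -not $Expected.Contains($entry.Site)) {
            $findings.Add("REVIEW    $($entry.Site) is in Local intranet but is not on the Hybrid Identity list")
        }
    }
    return ,$findings
}

# Run on a machine in scope of the GPO, after gpupdate, with the switches that match your tenant
$expected = Get-ExpectedZoneMap -AdfsFarmName 'adfs.example.com' -UsesSeamlessSso -UsesAppProxy
$result   = Test-ZoneMap -Expected $expected -Actual (Get-ZoneMapEntries)
if ($result.Count -eq 0) { 'Site to Zone Assignment List matches the Hybrid Identity URL lists.' } else { $result }
```

If the GPO is applied under User Configuration instead, point Get-ZoneMapEntries at the same ZoneMapKey path under HKCU:\SOFTWARE\Policies.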

 

Concluding

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones when you don’t need the functionality. However, do not forget to add the specific URLs when you enable specific functionality like the Azure AD Application Proxy, and remove specific URLs when you move away from specific functionality.

Further reading

Office 365 URLs and IP address ranges
Group Policy – Internet Explorer Security Zones
Add Site to Local Intranet Zone Group Policy


From the Field: The case of the unreachable forest on a domain-joined Azure AD Connect installation


From The Field

Troubleshooting stories from the field are the best. That’s why I like writing them down. Although sometimes they might appear as straight cases of schadenfreude, I feel there are lessons to be learned for anyone, if you’re willing to look closely and listen carefully.

Last week I experienced an issue with Azure AD Connect at a customer, that made absolutely no sense at all.

 

The situation

The customer has an Active Directory Domain Services environment, consisting of one Active Directory domain. The Active Directory domain is synchronized to Azure Active Directory using Azure AD Connect. Users authenticate to Azure AD using Active Directory Federation Services (AD FS).

To facilitate release management, we advised implementing a Staging Mode Azure AD Connect server and the accompanying processes. We asked an admin at the customer to get us an additional domain-joined virtual machine running Windows Server 2019.

We downloaded Azure AD Connect using the same account and ran the installer. We made the following choices:

  • On the Welcome to Azure AD Connect screen, we checked the I agree to the license terms and privacy notice option and clicked the Continue button.
  • On the Express Settings screen, we clicked the Customize button.
  • On the Install required components screen, we clicked the Install button.
  • On the User sign-in screen, we selected Federation with AD FS as the sign on method and clicked the Next button to continue.

Microsoft Azure Active Directory Connect Wizard - User Sign-in screen

  • On the Connect to Azure AD screen, we signed in with an account with the Global administrator role in Azure AD and clicked Next. After inserting the credentials, we performed multi-factor authentication.
  • On the Connect your directories screen, we clicked the Add Directory button.
  • In the AD forest account dialog screen, we kept the default option to Create new AD account and entered the credentials for the customer’s admin account:

Microsoft Azure Active Directory Connect Wizard - AD forest account dialog

 

The issue

Azure AD Connect validated the credentials, and threw an error:

Microsoft Azure Active Directory Connect Wizard - Connect your directories screen

Cannot establish a connection to the Domain Controller(s) associated to a forest named: ‘domain.tld’. Please validate the following:

  • The Credentials (Username and Password) you have provided are correct
  • UDP and TCP port 389 are open in these DCs (you have to perform this manual check on the “Windows Firewall with Advanced Security” window on every Domain Controller) Learn more

This error is unexpected.

 

My troubleshooting

I started troubleshooting the issue.

I didn’t have to question whether the server was domain-joined; if it’s not domain-joined you can’t select Active Directory Federation Services (AD FS) as the authentication method to Azure Active Directory…

Am I logged in with a domain account or a local account?

The first question I wanted to answer was whether we were logged onto the Azure AD Connect installation using a domain account or a local account.

I started up a Command Prompt (cmd.exe) and used whoami.exe to view information for the signed-in account. We were signed in using an account that is a member of the Domain Admins group.

Can I resolve the domain in DNS?

I started up a Command Prompt (cmd.exe) and used nslookup.exe appended with the domain name. This returned the Domain Controllers without issues.

Can I communicate to the Domain Controllers?

As Azure AD Connect mentioned network connectivity was probably to blame for the error, I started up a PowerShell window and used Test-NetConnection to probe several of Active Directory’s common ports. This returned success values for all ports I tried on all Domain Controllers I tried. I guess this is not a Firewall issue, either…

What does Azure AD Connect think it actually is?

I decided to take a look at the Azure AD Connect diagnostics data. Azure AD Connect provides detailed output of all its actions in the C:\ProgramData\AADConnect folder.

I opened up the trace file and scrolled down to the bottom:

Notepad with the latest trace-* file in the C:\ProgramData\AADConnect folder

That’s where I read what was going on. It wasn’t a connectivity problem at all. The admin account simply lacked the Enterprise Admins group membership.

Actually, Azure AD Connect’s AD Forest account dialog screen, clearly states you need to specify an ENTERPRISE ADMIN USERNAME.

However, in an Active Directory environment with a single domain, the privileges for Domain Admins and Enterprise Admins are equal, as the Microsoft Docs on Default groups points out…

 

The solution

We asked the admin to add his account to the Enterprise Admins group. As this is a single domain, this change was performed without issues.

We signed off and on again after this change. We ran the Azure AD Connect wizard again and decided to remove the membership to the Enterprise Admins group after installing and configuring Azure AD Connect.

 

Concluding

Enterprise Admins privileges may be needed for Azure AD Connect configuration of the service account to communicate to Active Directory. Whether it makes sense or not…
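The checks from the troubleshooting above, as an added PowerShell example (not the post's own code): domain membership, the group SIDs in the current logon token, the Domain Controllers from DNS, TCP reachability of the usual Active Directory ports and the tail of the newest trace-* file, in the order the post walks through them. It assumes it runs on the domain-joined Azure AD Connect server under the account you intend to give the wizard, and that the forest has a single domain so the Enterprise Admins SID (RID 519) lives in that domain.

```powershell
# Added example, not from the original post: pre-flight checks for the
# 'Connect your directories' step, in the post's troubleshooting order, plus the
# token-membership check that would have exposed the root cause immediately.

$AadConnectDataPath = 'C:\ProgramData\AADConnect'
$AdPorts = 88, 135, 389, 445, 636   # Kerberos, RPC endpoint mapper, LDAP, SMB, LDAPS (TCP only)

function Test-DomainJoined {
    (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
}

function Get-TokenRoleMembership {
    # Same data as 'whoami /groups': group SIDs frozen into the token at logon. That is why the
    # post signs off and on again after the Enterprise Admins change; the wizard reads this token.
    $sids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
    [pscustomobject]@{
        DomainAdmins     = [bool]($sids | Where-Object { $_ -like 'S-1-5-21-*-512' })   # RID 512
        EnterpriseAdmins = [bool]($sids | Where-Object { $_ -like 'S-1-5-21-*-519' })   # RID 519
    }
}

function Get-DomainControllerNames {
    param([string] $Domain = $env:USERDNSDOMAIN)
    # The DC locator SRV record lists every DC; the post used nslookup on the domain name instead
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget } | Sort-Object -Unique
}

function Test-DomainControllerPorts {
    param([string[]] $DomainControllers, [int[]] $Ports = $AdPorts)
    # Test-NetConnection is TCP only; the wizard's hint about UDP 389 cannot be probed this way
    foreach ($dc in $DomainControllers) {
        foreach ($port in $Ports) {
            $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{ DomainController = $dc; Port = $port; Open = $ok }
        }
    }
}

function Get-LatestAadConnectTrace {
    param([int] $Lines = 40)
    # The wizard writes trace-* files here; the bottom of the newest one states the real failure
    $trace = Get-ChildItem -Path $AadConnectDataPath -Filter 'trace-*' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($trace) { Get-Content -Path $trace.FullName -Tail $Lines }
}

if (-not (Test-DomainJoined)) { throw 'Server is not domain-joined; federation with AD FS cannot be selected.' }
$roles = Get-TokenRoleMembership
"Domain Admins in token: $($roles.DomainAdmins); Enterprise Admins in token: $($roles.EnterpriseAdmins)"
$dcs = Get-DomainControllerNames
"Domain Controllers from DNS: $($dcs -join ', ')"
Test-DomainControllerPorts -DomainControllers $dcs | Where-Object { -not $_.Open } | Format-Table -AutoSize
if (-not $roles.EnterpriseAdmins) {
    'The AD forest account dialog asks for an Enterprise Admin: add the account to Enterprise Admins, then sign off and on.'
}
Get-LatestAadConnectTrace
```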

Further reading

Leveraging Azure AD Connect Staging Mode for Release Management
From the Field: the Case of the Active Directory trust without DNS Suffixes
From the Field: The Case of the Unreanimatable Tombstone Objects
From the field: The Case of the Domain Controller that would not function after an Azure Site Recovery test failover


Pictures of Office 365 and SharePoint Connect 2019 – Community Edition


Office 365 and SharePoint Connect

After presenting at AppManagEvent 2019, I drove to Haarlem for the next event on my list: NC Communications’ Office 365 and SharePoint Connect.

This was a bittersweet event, as Nigel and Irene announced this 10th edition of Office 365 and SharePoint Connect, would be the last time they organize it. I’ll miss hanging out with my fellow community members, presenting on the topics I love and meeting new people at events like this.

Philharmonie Haarlem

I arrived in time for lunch, so I enjoyed some sandwiches. After that, I found a quiet place to do the final touches on my presentation, including the focus by the Dutch NCSC on FIDO 2.0 (Dutch), and to prepare the demos.

I presented a 45-minute session in the last session time slot. The room was half-filled, but everyone stayed for the session. Afterward, two guys from one of the Netherlands’ well-known service providers came up to me to thank me for the session. I might end up presenting at one of their internal days to their colleagues…

Room D at Office 365 and SharePoint Connect 2019
Blauwe Zaal, aka Room D
Photo of the Title Slide by Arend van Dijk

 

Thank you

Thank you to Nigel and Irene for organizing Office 365 and SharePoint Connect 2019 and inviting me as a speaker for another year. Thank you to all the attendees, especially the people in my session.

The post Pictures of Office 365 and SharePoint Connect 2019 – Community Edition appeared first on The things that are better left unspoken.

HOW TO: Properly set and manage Azure AD Connect’s Export Deletion Threshold


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we start looking at Azure AD Connect in-depth.

 

Why look at the Export Deletion Threshold

Azure AD Connect is responsible for synchronizing objects and their attributes. It does so through synchronization rules: given a certain input, the rules produce a predictable output. In some cases, that straightforwardness results in unwanted scenarios, such as the deletion of all objects from Azure AD when, for instance, an entire Organizational Unit drops out of scope.

To prevent this last situation, Microsoft has built a deletion threshold into Azure AD Connect. When the threshold is reached while running an Export operation (writing to a connected directory), Azure AD Connect stops the export to prevent further harm.

Now, there is a sweet spot to Azure AD Connect’s export deletion threshold:

  • You don’t want to set the deletion threshold too low. Organizations rely on Azure AD Connect for their Identity and Access Management (IAM) processes. When synchronization stops, the process stops. Onboarding, offboarding, group membership changes; they all stop. You might hit the threshold often, when it is set too low.
  • You don’t want to set the deletion threshold too high, either. If something does go wrong, you don’t want to lose most of the objects before finding out.

By default, Azure AD Connect’s Export Deletion Threshold is set at 500 objects.

 

Getting ready

To change the Export Deletion Threshold, you’ll need to have local privileges on each Windows Server running Azure AD Connect. You’ll need to be member of the local ADSyncAdmins group, or a member of the custom local group you may have selected as the Azure AD Connect Administrators group, during the installation of Azure AD Connect:

Screenshot: Azure Active Directory Connect Wizard - Specify custom sync groups during installation

On the Azure AD side of things, you’ll need an account that has the Global administrator role assigned.

Additionally, make sure the Windows PowerShell Module for Active Directory is installed on each of the Azure AD Connect installations, to be able to run the below scripts.

 

Properly managing the Export Deletion Threshold

I feel there are three aspects to properly managing Azure AD Connect’s Export Deletion Threshold:

Set the threshold at 10% of your objects

A 500 object threshold does not make much sense in an organization with 50 people. The same threshold also doesn’t make sense in an organization with 900,000 people.

As a rule of thumb, I configure Azure AD Connect’s Export Deletion Threshold at 10% of the number of objects in scope in Active Directory.

With the default rules, Azure AD Connect synchronizes user objects, inetOrgPerson objects, contacts, groups and devices. User objects are the main concern for most organizations, but losing groups and devices also hurts processes. Looking at the numbers for users, groups and devices, we commonly observe that organizations have more groups than users (although many groups are empty) and more users than devices. This makes 10% of the person objects in the metaverse (user objects and/or inetOrgPerson objects) a safe value, but your needs may vary.

The below script provides information on the number of users, groups and devices within scope of your Azure AD Connect installation:

Import-Module ADSync
Import-Module ActiveDirectory

# The name of the Active Directory connector, as shown in Synchronization Service Manager
$c = Get-ADSyncConnector -Name 'domain.tld'
$ous = $c.Partitions.ConnectorPartitionScope.ContainerInclusionList

$ADUsers = @()
$ADGroups = @()
$ADComputers = @()

# Every container on the inclusion list is searched with the default Subtree scope,
# so child OUs are counted too. Containers on the exclusion list are not subtracted.
ForEach ($ou in $ous) {
    $ADUsers += Get-ADUser -SearchBase $ou -Filter *
    $ADGroups += Get-ADGroup -SearchBase $ou -Filter *
    $ADComputers += Get-ADComputer -SearchBase $ou -Filter *
}

Write-Host "Total number of users is" $ADUsers.Count
Write-Host "Total number of groups is" $ADGroups.Count
Write-Host "Total number of devices is" $ADComputers.Count

 

Set it once for all your Azure AD Connect installations

When you have Staging Mode Azure AD Connect installations, you only need to configure the Export Deletion Threshold on one of your Azure AD Connect installations.

The Export Deletion Threshold is a per-Azure AD tenant setting. This is good news: a Staging Mode Azure AD Connect installation picks up the value automatically. It doesn’t perform exports today, but it will, one day, when it is taken out of Staging Mode and actively synchronizes.

 

Monitor threshold-related incidents

While it would seem advantageous to disable the Export Deletion Threshold in the actively synchronizing Azure AD Connect when making big changes, this defeats the purpose of the feature.

Include a step in your Azure AD Connect upgrade and management procedures to perform a synchronization cycle. The documentation on Azure AD Connect conveys when a Full Synchronization cycle needs to happen and when the normal delta synchronization cycles suffice.

Monitor for threshold-related incidents, in any of the below four ways:

1. Event log

Azure AD Connect writes to the event log on Windows Servers on which it is installed. You will see, in chronological order:

  • A warning event with Event-ID 116 and source Directory Synchronization in the Application event log, showing you the current Export Deletion Threshold in relation to the amount of object deletions it is trying to export:

Screenshot: EventID 116 with source Directory Synchronization

  • An error event with Event-ID 906 and source Directory Synchronization in the Application event log with specific error code 95:

Screenshot: EventID 906 with source Directory Synchronization

  • An error event with Event-ID 6950 and source ADSync in the Application event log, reiterating that the number of deletes exceeds the deletion threshold count, with error code 0x80231366 referenced from several code blocks and files within Azure AD Connect:

Screenshot: EventID 6950 with source ADSync

2. Error in Azure AD Connect Synchronization Service

The export run profile shows the status stopped-deletion-threshold-exceeded in Azure AD Connect’s Synchronization Service Manager.

3. Azure AD Connect Health

For organizations with Azure AD Premium licenses, Azure AD Connect Health shows a warning on the Alerts blade for Azure Active Directory Connect Servers in the Azure Portal:

Export to Azure Active Directory failed.

  

Issue
The export operation to Azure Active Directory Connector has failed. As a result, some objects may not be exported successfully to Azure Active Directory.
Fix
Please investigate the event log errors of export operation for further details.

4. Email

Eventually, an alert e-mail is sent to the technical contact for the Azure AD tenant, titled Servername: Export to Azure Active Directory failed – You have an important alert from Azure Active Directory, sent from azure-noreply@microsoft.com:

Example alert mail message when you exceed Azure AD Connect's Export Deletion Threshold
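
Of the four signals above, the event log is the one you can query yourself without a Premium license or a mailbox in the loop. The following Windows PowerShell is an added example (not code from the original post) that pulls exactly the three events described under 1. from the Application log, in chronological order, so a monitoring agent or a scheduled task can alert on them. It assumes that events 116 and 906 from source Directory Synchronization and event 6950 from source ADSync mean what this post says they mean; the function name and the 24-hour window are choices for this example.

```powershell
function Get-ADSyncDeletionThresholdEvent {
    <#
      Returns the deletion threshold events described in this post, oldest first.
      Assumption: 116/906 (Directory Synchronization) and 6950 (ADSync) only occur for this condition.
    #>
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization', 'ADSync'
        Id           = 116, 906, 6950
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent throws when nothing matches, which is the healthy case; treat that as "no events".
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object -Property TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Server      = $_.MachineName
                Provider    = $_.ProviderName
                Id          = $_.Id
                Level       = $_.LevelDisplayName
                Meaning     = $(switch ($_.Id) {
                    116  { 'Warning: export wants to delete more objects than the threshold allows' }
                    906  { 'Error: export stopped (error code 95)' }
                    6950 { 'Error: number of deletes exceeds the deletion threshold (0x80231366)' }
                })
                FirstLine   = ($_.Message -split "`r?`n")[0]
            }
        }
}

# Check the actively synchronizing server; a non-empty result is what monitoring should alert on.
# Staging Mode installations do not export, so they will not log these events.
$hits = @(Get-ADSyncDeletionThresholdEvent -ComputerName $env:COMPUTERNAME -Hours 24)
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize } else { 'No deletion threshold events in the last 24 hours.' }
```

The Get-WinEvent filter hashtable accepts arrays for ProviderName and Id, so one query covers both event sources. Reading the Application log remotely requires the Remote Event Log Management firewall rule and local Event Log Readers membership on the Azure AD Connect server; running it locally needs neither.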

How to view the Threshold Configuration

To view the Export Deletion Threshold configuration on an Azure AD Connect installation, run the following line of Windows PowerShell on an elevated prompt:

Get-ADSyncExportDeletionThreshold

 

How to disable the Export Deletion Threshold

To disable the Export Deletion Threshold on an Azure AD Connect installation, run the following line of Windows PowerShell on an elevated prompt:

Disable-ADSyncExportDeletionThreshold

Provide the credentials of an Azure AD account with the Global Administrator role assigned to complete the command.

 

How to enable and set the Deletion Threshold

To set the number of objects for the Export Deletion Threshold on an Azure AD Connect installation, perform these steps:

Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500

Provide the credentials of an Azure AD account with the Global Administrator role assigned to complete the command.

 

How to overcome hitting the Deletion Threshold

Your changes are desired

When you’re notified or experience the Export Deletion threshold, and the deletes are desired, you can perform the above three actions as parts of the steps below:

  • Sign in to the actively synchronizing Azure AD Connect installation.
  • Open an elevated Windows PowerShell window.
  • View the Export Deletion Threshold value.
  • (Disable the Export Deletion Threshold or configure the Export Deletion Threshold to a value that is higher than the number of deletions to be exported.
  • Perform a synchronization cycle using the following line of Windows PowerShell

Start-ADSyncSyncCycle

  • Enable and set the Export Deletion Threshold when you’ve disabled the Export Deletion Threshold previously, or set it back to the number it was configured to, when you’ve reconfigured it to a higher number in the previous steps.
  • Close the Windows PowerShell window.
  • Sign out.

Set the Export Deletion Threshold to the same value as set previously, or use the information on the situation as a lesson-learned and increase or decrease the threshold value accordingly.

When the deletions are a result of a configuration change, perform the same configuration change on the Staging Mode Azure AD Connect installation(s), unless the configuration change is one that is stored in Azure AD.
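
The steps above, carried out in one go, as an added example that is not part of the original post. Rather than disabling the threshold, it raises it to just above the number of deletes you have verified as desired, runs a delta cycle, waits for the scheduler to report the cycle as finished, checks that the export did not stop on the threshold a second time, and restores the previous configuration. The number 1200, the 15-second poll interval and the choice to fall back to the 500 object default when the threshold had been disabled are assumptions for illustration; Enable-ADSyncExportDeletionThreshold prompts for Global Administrator credentials each time it runs.

```powershell
Import-Module ADSync

# Assumption for illustration: the number of deletions you have verified as desired, taken from event 116.
$expectedDeletes = 1200

# 1. Record what is configured today, so it can be restored afterwards.
$before = Get-ADSyncExportDeletionThreshold
'Before: enabled={0}, threshold={1}' -f $before.DeletionThresholdEnabled, $before.DeletionThreshold

# 2. Raise the threshold to just above the expected number of deletes instead of disabling it.
#    The cmdlet prompts for the credentials of an Azure AD account with the Global Administrator role.
Enable-ADSyncExportDeletionThreshold -DeletionThreshold ($expectedDeletes + 1)

# 3. Wait for any running cycle, then run a delta cycle and wait for it to finish.
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 15 }
$started = Get-Date
Start-ADSyncSyncCycle -PolicyType Delta
Start-Sleep -Seconds 15
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 15 }

# 4. Verify the export went through rather than stopping on the threshold again
#    (event 6950 from source ADSync, as described above).
$stopped = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'ADSync'; Id = 6950; StartTime = $started
} -ErrorAction SilentlyContinue
if ($stopped) {
    Write-Warning 'The export still hit the deletion threshold; check event 116 for the actual number of deletes.'
}

# 5. Put the threshold back. If it was disabled before, re-enable it at the 500 object default rather
#    than leaving it off (an assumption in the spirit of this post: do not run without it).
if ($before.DeletionThresholdEnabled) {
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $before.DeletionThreshold
} else {
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500
}
```

Raising the threshold to expectedDeletes + 1 instead of disabling it keeps a safety net in place during the very cycle in which something unexpected is most likely to happen: if the export tries to delete more than you verified, it still stops.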

Your changes are undesired

When you’re notified or experience the Export Deletion threshold, and the deletes are undesired, roll back the configuration changes, or switch the actively synchronizing Azure AD Connect installation with a Staging Mode installation that still has the previous configuration.

 

Concluding

Azure AD Connect’s Export Deletion Threshold is a truly cool feature that might save your behind some day.

Don’t disable it. Tweak it. For many of the blogposts to come in this series, you’ll be glad you did.

Further reading

Azure AD Connect sync: Prevent accidental deletes

The post HOW TO: Properly set and manage Azure AD Connect’s Export Deletion Threshold appeared first on The things that are better left unspoken.

I’m presenting at the Dutch Windows Management User Group 2019-5 Meetup


OGD Delft

The Dutch Windows Management User Group (WMUG) is one of the more active IT Pro user groups in the Netherlands.

I was honored when they invited me to speak at their next meetup on Wednesday November 13, 2019. Of course, I’d present at this meetup; their fifth meetup this year!

     

WMUG NL Logo

About the Dutch Windows Management User Group (WMUG)

Windows Management User Group Netherlands (WMUG) is a Dutch user group offering a stage to share knowledge between fellow-IT Pros through regular and 100% community-driven user group meet-ups.

I know many of the persons running WMUG. I meet Kenneth van Surksum, Arie de Haan, Erik Loef and Bob Cornelissen regularly at events and worked together with Peter Daalmans.

   

About the WMUG 2019-5 Meetup

Windows Management User Group Netherlands (WMUG) organizes a free community event on Wednesday night November 13, 2019 at OGD ict-diensten in Delft, the Netherlands.

The event starts at 4:30 PM with presentations and people are welcomed at the venue from 4 PM onwards. After the first one-hour presentation by Patrick van den Born titled ‘Identity and Access Management with Ivanti’, I have the stage for a maximum of 45 minutes, because, right after my presentation, we’ll eat. After the 60-minute dinner break, Erwin Derksen discusses Azure AD Domain Services, before we get some drinks.

To me personally, presenting at a former employer feels extra special.

  

About my presentation

I’ll present a 45-minute session, titled

Azure AD Connect; How did you think it went?

5:30 PM – 6:15 PM

20 million organizations worldwide use Azure AD. The majority of them use Azure AD Connect to synchronize their on-premises Active Directory environment(s) with Azure AD. An organization can realize this in four clicks, but what exactly do you get? And is that sufficient?

In this session, I’ll show the ultimate possibilities of Azure AD Connect. Opportunities that you thought were not possible, but are certainly worthwhile for many organizations. In addition, I’ll share the experiences of my team, so that you can take the tips, tricks, do’s and especially the don’ts with you to your own (or future) implementations of Azure AD Connect.

  

Join us!

This promises to be an excellent event for those craving some in-depth identity and access management!
Register for this event for free (in Dutch).

The post I’m presenting at the Dutch Windows Management User Group 2019-5 Meetup appeared first on The things that are better left unspoken.

HOWTO: Enable Extranet Smart Account Lockout on the AD FS Farm


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we look at a new feature of Active Directory Federation Services (AD FS) since Windows Server 2016.

 

Why look at Extranet Smart Account Lockout

Denial of Service attacks on identity and access systems are commonplace. If you think you’re done once you’ve covered all the bases with account lock-out in your on-premises Active Directory Domain Services (AD DS) environment, you’re wrong. Hybrid Identity requires more effort.

Attackers may cause Denial of Service through password spraying (trying the same password on many user accounts) and/or brute-force attacks (trying many passwords for one user account). As accounts get locked, end users see errors when they themselves log on, and their already signed-in applications are disrupted.

In contrast to the Extranet Lockout feature in Active Directory Federation Services (AD FS) on Windows Server 2012 R2, Extranet Smart Account Lockout has a couple of tricks up its sleeve: it takes the source IP address of authentication attempts into account. IP addresses from which an account has successfully authenticated before are remembered as familiar locations, and bad attempts from unfamiliar locations are counted separately from those. This way, people in your organization are hindered less by lockouts during a Denial of Service (DoS) attack or even a distributed Denial of Service (DDoS) attack. Of course, if your people fat-finger their passwords themselves, they’ll still be locked out.

 

Getting ready

To configure Smart Account Lockout, make sure to meet the following requirements:

System requirements

Make sure the AD FS servers are installed with the latest cumulative Windows Updates. Several fixes have been made available to the Smart Account Lockout feature, since its general availability in the form of the June 2018 Cumulative update for Windows Server 2016 (KB4284880).

Your organization must have Active Directory Federation Services (AD FS) deployed with Web Application Proxies or another MS-ADFSPIP-enabled front-end server (like an F5 appliance). Account Lockout is only triggered for authentications that AD FS considers originating from the extranet, thus via MS-ADFSPIP-enabled front-end servers.

Your AD FS Farm must be configured with auditing enabled.

Additionally, Extranet Smart Lockout requires that Windows Remote Management (WinRM) be enabled on every AD FS server.

Privilege requirements

Make sure to sign in with an account that has privileges to manage the AD FS Farm.

In case of Windows Internal Database (WID) as the storage method for the AD FS Configuration database, sign in with an account that has local administrator privilege on the primary AD FS Server.

In case of SQL Server as the storage method for the AD FS Configuration database, make sure the account you use is also a local administrator on the SQL Server.

Who to communicate to

As the AD FS servers operate as part of a chain, notify all stakeholders in the chain. This means sending a heads-up to the rest of the Active Directory team and the teams that are responsible for Azure AD, Office 365 and cloud applications.

 

How to do it

Coming up with the right values

Make sure Extranet Smart Account Lockout has a lower lock-out threshold and observation time window than the Active Directory lockout policy. That way, AD FS locks out extranet authentication for the account before Active Directory locks the account itself, and end users can still authenticate from the inside while the outside is locked out.

Use the following command-line in a Command Prompt (cmd.exe) window to get the account lockout values of the domain (without /domain, the command shows the local policy of the server you run it on):

net.exe accounts /domain

If your organization uses fine-grained password policies, look at these too, by running the following line of Windows PowerShell:

Get-ADFineGrainedPasswordPolicy -Filter *

For the purpose of this blogpost, we’ll assume an inside (Active Directory) policy of 5 attempts within 5 minutes for an indefinite lock-out (after which the account needs to be unlocked by service desk personnel). To stay below that, we’ll use a lock-out threshold of 3 attempts during an observation window of 5 minutes for outside (AD FS) authentication; with Extranet Smart Account Lockout, the observation window is also the period for which the account stays locked out for the extranet.

For AD FS Farms using SQL Server

Extranet smart lockout requires the AD FS service account to have permissions to create a new table in the AD FS artifact database. This database is in use when the AD FS farm uses SQL Server instead of the Windows Internal Database. Run the following lines of Windows PowerShell:

$cred = Get-Credential

Update-AdfsArtifactDatabasePermission -Credential $cred

 

Enabling Extranet Smart Account Lockout

To enable Extranet Smart Account Lockout, run the following lines of Windows PowerShell to configure the AD FS Farm:

Set-AdfsProperties -EnableExtranetLockout $true `
    -ExtranetLockoutThreshold 3 `
    -ExtranetObservationWindow (New-TimeSpan -Minutes 5) `
    -ExtranetLockoutRequirePDC $false
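
The check from Coming up with the right values and the Set-AdfsProperties call, combined into one script, as an added example that is not part of the original post. It reads the lockout settings of the Default Domain Policy and of every fine-grained password policy, refuses to configure AD FS when the intended extranet threshold is not strictly below each Active Directory threshold, and reads the farm properties back afterwards. It assumes the Active Directory module (RSAT-AD-PowerShell) is installed on the primary AD FS server next to the ADFS module; the values 3 and 5 minutes are the assumed targets and should be replaced with what you settled on.

```powershell
Import-Module ActiveDirectory
Import-Module ADFS

# Assumed target values for the extranet; change them to what you decided on.
$EslThreshold = 3
$EslWindow    = New-TimeSpan -Minutes 5

# Every lockout policy that can apply to a federated user: the domain default plus all fine-grained ones.
$policies  = @(Get-ADDefaultDomainPasswordPolicy |
    Select-Object @{ n = 'Name'; e = { 'Default Domain Policy' } }, LockoutThreshold, LockoutObservationWindow, LockoutDuration)
$policies += @(Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, LockoutThreshold, LockoutObservationWindow, LockoutDuration)

$policies | Format-Table -AutoSize

# A LockoutThreshold of 0 means Active Directory never locks the account, so any AD FS value is lower.
$tooHigh = @($policies | Where-Object { $_.LockoutThreshold -gt 0 -and $EslThreshold -ge $_.LockoutThreshold })
if ($tooHigh.Count -gt 0) {
    foreach ($p in $tooHigh) {
        Write-Warning ("AD FS threshold {0} is not below the AD threshold {1} of '{2}': AD would lock the account before AD FS does." -f $EslThreshold, $p.LockoutThreshold, $p.Name)
    }
    return
}

Set-AdfsProperties -EnableExtranetLockout $true `
    -ExtranetLockoutThreshold $EslThreshold `
    -ExtranetObservationWindow $EslWindow `
    -ExtranetLockoutRequirePDC $false

# Read back what the farm now enforces.
Get-AdfsProperties |
    Select-Object ExtranetLockoutEnabled, ExtranetLockoutThreshold, ExtranetObservationWindow, ExtranetLockoutRequirePDC
```

The script only enforces the threshold relation; it prints the observation windows and lockout durations so you can judge them against the guidance above yourself. Fine-grained policies are included because a federated user who falls under one of them is locked by that policy, not by the domain default.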

 

Roll-back

To disable Extranet Smart Account Lockout, run the following lines of Windows PowerShell:

Set-AdfsProperties -EnableExtranetLockout $false

 

Concluding

Extranet Smart Account Lockout is one of the best new features in Active Directory Federation Services (AD FS) in Windows Server 2016. Use it to combat Denial of Service (DoS) attacks and distributed Denial of Service (dDoS) attacks.

Further reading

AD FS Extranet Lockout and Extranet Smart Lockout
Configuring Account Lockout throughout a Hybrid Identity Environment

The post HOWTO: Enable Extranet Smart Account Lockout on the AD FS Farm appeared first on The things that are better left unspoken.


Join us for VeeamON Virtual 2019


VeeamOn Virtual

On November 20, 2019, Veeam organizes a virtual worldwide event, where they’ll share their views on availability beyond backup and restore and beyond the confines of your datacenter or the usual Operating Systems.

I’ve attended the Veeam Vanguard Summit event in Prague earlier this month, and I recommend this event, because it allows you to step out of your comfort zone when it comes to backup and restore. The best thing? It’s free and you don’t have to leave your desk!

I come across Veeam a lot during my engagements with customers and it should come as no surprise that I’m a fan of Veeam. Their Veeam Backup for Office 365 product is something we implement with all our Exchange Online and SharePoint Online (migration) projects.

That’s why I’ve accepted their invitation as a Veeam Vanguard to join their chat as an expert, for both the Asia Pacific and Americas timeframes.

You can find me in the Expert Lounge, together with Thomas Maurer, Richard Arnold, Wesley Martins, Luciano Patrão and Karl Widmer; A nice mix of experts with different expertises to answer all your Veeam-related questions!

    

Join us!

You are invited. You can register for VeeamON Virtual here.

The post Join us for VeeamON Virtual 2019 appeared first on The things that are better left unspoken.

Pictures of AppManagEvent 2019


AppManagEvent2019

Friday October 11, 2019 was a busy day for me. I started off by driving to Utrecht to park at my common parking spot at Jaarbeurs P4. I park here every two weeks for a customer in Utrecht’s city center. This time, I walked into the Jaarbeurs building for a different reason: to present at Professional Development Systems’ 2019 edition of AppManagEvent in Utrecht.

Photos: Find your way at the Utrecht Jaarbeurs (photo by HoratuiWLD); Nice guys at the Liquit booth (photo by LiquitWorkspace); AppManagEvent Banner (photo by MarkTerWeele)

I was well on time and had chats with Jeff Wouters (Methos IT), Coert Bosker (PDS) and Roel van Buuren (Liquit). We all headed to the keynote, where Sami Laiho was surprised for his (actual) 40th birthday.

Photos: Sami’s keynote at AppManagEvent 2019; AppManagEvent’s 2019 keynote audience (photos by the AppManagEvent organization)

Then, it was time to present my session ‘Identity, the solid base for your organization’s future’ in room Expedition.

Photos: The schedule for room Expedition; Getting ready in room Expedition; During my session (photo by Sami Laiho)

After my session, I had to split to get to Haarlem for Office 365 and SharePoint Connect 2019 – Community Edition. I answered some questions, received my speaker gift and thanked the organization before getting back to my car.

  

Thank you

Thank you to PDS for organizing AppManagEvent 2019 and inviting me as a speaker. Thank you to all the attendees, especially the people in my session.

The post Pictures of AppManagEvent 2019 appeared first on The things that are better left unspoken.

HOWTO: Use Domain and OU Filtering to limit the objects in scope for Azure AD Connect


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

   

Why look at Domain and OU Filtering

When installing Azure AD Connect with Express Settings, all objects in the on-premises Active Directory environment are synchronized to Azure AD. This may include objects that you don’t need in Azure AD and it may include sensitive objects that you don’t want in Azure AD.

Over the years, many organizations have segmented their Active Directory environments using (sub-) domains and Organizational Units (OUs). This existing segmentation can be reused with Azure AD Connect to provide a means to segment the organization into:

  • Domains, containers and OUs to include in the scope of Azure AD Connect, and thus synchronize to Azure AD, and;
  • Domains, containers and OUs to leave on-premises.

Reasons why

You might want to exclude domains, containers and OUs from the scope of Azure AD Connect to keep objects on-premises only, because:

  • The objects are privileged accounts on-premises and you want to separate on-premises privileges from cloud privileges. In this case, you create separate, cloud-only privileged accounts for the cloud privileges;
  • The objects are groups that you use to provide access to on-premises resources, without any strategy to migrate these resources to the cloud, or with a distinct strategy to migrate the resources over at a later stage (and start synchronizing the groups at the later stage);
  • You have no interest in the Hybrid Azure AD Join feature and want your devices to be merely Active Directory domain-joined. In this case, OUs and containers with devices do not need to be in scope for Azure AD Connect.
  • The objects are sensitive, like the objects in the Domain Controllers OU (for those rare Windows Server installations that have the userCertificate attribute filled…), etc.

Possible negative impact (What could go wrong?)

As organizations evolve, so do their needs. The comfort of being ‘all-in’ in terms of objects in Azure AD might be a reason to become and remain ‘all-in’. There will be no need to reconfigure Azure AD Connect to add the domains, containers and/or OUs in scope for Azure AD Connect to enable new scenarios.

In organizations, the people responsible for Azure AD Connect, might not be the same people who manage Active Directory. When the latter group thinks up a new OU structure and doesn’t notify the Azure AD Connect people, objects may start falling out of scope, and automatically get deleted in Azure AD, hurting productivity.

  

Getting Ready

To use Domain and OU Filtering to limit the objects in scope for Azure AD Connect, meet the following requirements:

System requirements

Make sure you run the latest generally available version of Azure AD Connect.

Privilege requirements

You’ll need to have local privileges on each Windows Server running Azure AD Connect. You’ll need to be member of the local ADSyncAdmins group, or a member of the custom local group you may have selected as the Azure AD Connect Administrators group, during the installation of Azure AD Connect.

On the Azure AD side of things, you’ll need an account that has the Global administrator role assigned.

Additionally, make sure the Windows PowerShell Module for Active Directory is installed on each of the Azure AD Connect installations, to be able to run the below scripts.

Who to communicate to

As an Azure AD Connect admin, make sure you communicate to the people managing the on-premises Active Directory environment(s) and the people managing Azure AD for your organization.

     

How to do it

There are two scenarios in which you may use Domain and OU Filtering to limit the objects in scope for Azure AD Connect:

  1. Existing Azure AD Connect configurations
  2. New Azure AD Connect configurations

Existing Azure AD Connect configurations

For existing Azure AD Connect configurations, there are two challenges associated with configuring Domain and OU Filtering:

  • Objects appear to have been deleted from Azure AD when removed from the scope of Azure AD Connect, but instead they are stored in the Azure AD Recycle Bin for 30 days. After these 30 days, the objects are kept in a purge stage for 14 days. It may take up to 44 days to actually remove objects out of scope of Azure AD Connect from Azure AD.
  • When you remove domains, containers and Organizational Units (OUs) from scope, you may hit Azure AD Connect’s Export Object Deletion Threshold. When this happens, follow the steps outlined in HOWTO: Properly set and manage Azure AD Connect’s Export Deletion Threshold.

Perform the below steps to reconfigure an existing Azure AD Connect installation with Domain and OU Filtering to limit the objects in scope for Azure AD Connect:

  • Log on to the Windows Server installation that hosts Azure AD Connect.
  • Click on the Azure AD Connect shortcut on the Desktop or the Start Menu.
    Alternatively, launch:
           
    C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe
          
  • On the Welcome to Azure AD Connect page, click Continue.

Screenshot: Customize Synchronization Options in Azure AD Connect

  • On the Additional tasks page, click on Customize synchronization options.
  • Click Next.
  • On the Connect to Azure AD page, sign in with an Azure AD-based account with Global Administrator or Company Administrator privileges.
    Optionally, perform multi-factor authentication, and/or elevate the account to Global Administrator when using Azure AD Privileged Identity Management (PIM)
  • When you want to remove entire Active Directory forests from the scope of Azure AD Connect, remove them on the Connect your directories page. Make sure to also remove or reconfigure any service account used by Azure AD Connect in that forest. Click Next when done.

Screenshot: Domain and OU Filtering in Azure AD Connect

  • On the Domain and OU filtering page, select the directory you want to configure filtering for, and select Sync selected domains and OUs. Then, in the field below, tick any domain and/or Organizational Unit (OU) you want to include in the scope of Azure AD Connect.
  • On the Optional features page, click Next.
  • On the Ready to configure page, click Configure.
  • On the Configuration complete page, click Exit to exit the Azure AD Connect configuration wizard and have the synchronization schedule resume.

Perform the above steps on any Staging Mode Azure AD Connect installation you might have, too.
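
After reconfiguring, and periodically afterwards, it pays to check that the containers referenced by the filter still exist: as described under What could go wrong?, an OU restructure by the Active Directory team silently moves objects out of scope. The following Windows PowerShell is an added example (not code from the original post) that lists the inclusion and exclusion lists of every Active Directory connector on the Azure AD Connect installation and flags any container that can no longer be found in Active Directory. It assumes the ADSync module reports Active Directory connectors with a ConnectorTypeName of AD and exposes each partition’s distinguished name in its Name property, and that the Active Directory module is installed on the server; the function names are this example’s own.

```powershell
Import-Module ADSync
Import-Module ActiveDirectory

function Test-ADContainer {
    param([string]$DistinguishedName, [string]$Server)
    # Get-ADObject throws for a distinguishedName that no longer exists; that is the condition to catch.
    try   { [bool](Get-ADObject -Identity $DistinguishedName -Server $Server -ErrorAction Stop) }
    catch { $false }
}

function Get-ADSyncContainerScope {
    # Assumption: AD connectors report ConnectorTypeName 'AD' and each partition's Name is the domain DN.
    foreach ($connector in (Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' })) {
        foreach ($partition in $connector.Partitions) {
            # DC=contoso,DC=com -> contoso.com, so Get-ADObject talks to a DC of the right domain
            $domainDns = (($partition.Name -replace '^DC=', '') -replace ',DC=', '.')
            $scope = $partition.ConnectorPartitionScope
            $rules = @(
                @{ Rule = 'Include'; List = $scope.ContainerInclusionList },
                @{ Rule = 'Exclude'; List = $scope.ContainerExclusionList }
            )
            foreach ($r in $rules) {
                foreach ($dn in @($r.List)) {
                    if (-not $dn) { continue }
                    [pscustomobject]@{
                        Connector  = $connector.Name
                        Domain     = $domainDns
                        Rule       = $r.Rule
                        Container  = $dn
                        ExistsInAD = Test-ADContainer -DistinguishedName $dn -Server $domainDns
                    }
                }
            }
        }
    }
}

$scope = @(Get-ADSyncContainerScope)
$scope | Format-Table -AutoSize

# An included container that no longer exists is how objects silently fall out of scope after an OU
# restructure; an excluded container that is gone means the exclusion no longer protects anything.
$missing = @($scope | Where-Object { -not $_.ExistsInAD })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} container(s) referenced by Domain and OU filtering no longer exist in Active Directory." -f $missing.Count)
    $missing | Format-Table Connector, Rule, Container -AutoSize
}
```

Run it on both the active and the Staging Mode installation; Domain and OU filtering is stored per installation, so the two can drift apart. A warning here is the cue to rerun the wizard steps above before the next synchronization cycle deletes the affected objects from Azure AD.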

New Azure AD Connect configurations

Perform the below steps to configure a new Azure AD Connect installation with Domain and OU Filtering, for instance with Pass-through Authentication:

  • Log on to the Windows Server installation that you intend to run Azure AD Connect.
    You might want to reconsider using a Domain Controller for this, as it is not the most brilliant of ideas.
  • Download Azure AD Connect.
  • Double-click AzureADConnect.msi.
  • On the Welcome screen, select the I agree to the license terms and privacy notice. option.
  • Click the Next button.
  • On the Express Settings screen, click the Customize button.

Screenshot: Install Required Components for Azure AD Connect

  • On the Install required components screen, click Install.
  • On the User sign-in screen, select the Pass-through authentication option and the Enable single sign-on option.
  • Click Next.
  • On the Connect to Azure AD screen, enter the credentials of an account in Azure AD that has been assigned the global administrator role.
  • Click the Next button.
    Optionally, perform multi-factor authentication, and/or elevate the account to Global Administrator when using Azure AD Privileged Identity Management (PIM).

Screenshot: Connect your directories in Azure AD Connect

  • On the Connect your directories screen, click Add directory.
    The AD forest account pop-up window appears.
  • Sign in with an account that is a member of the Enterprise Admins group in the Active Directory forest.
  • Click OK.
  • Back in the Microsoft Azure Active Directory Connect windows, click Next.
  • On the Azure AD Sign-in configuration screen, click Next.

Screenshot: Domain and OU Filtering in Azure AD Connect

  • On the Domain and OU filtering page, select the directory you want to
    configure filtering for, and select Sync selected domains and OUs. Then,
    in the field below, tick any domain and/or Organizational Unit (OU) you want to
    include in the scope of Azure AD Connect.
  • Click Next.
  • On the Uniquely identifying your users screen, click Next.
  • On the Filter users and devices screen, click Next.
  • On the Optional features screen, click Next.
  • On the Enable single sign-on screen, click the Enter credentials button.
    A Windows Security pop-up appears to enter the credentials for the specified forest. Enter the credentials of an account that is a member of the Domain Admins group for the Active Directory domain for which Seamless Single Sign-on will be configured, or an account that is a member of the Enterprise Admins group in the Active Directory forest, that contains the domain in which Seamless Single Sign-on will be configured.
  • Click OK.
  • Click Next.
  • Back in the Microsoft Azure Active Directory Connect windows, click Next.
  • On the Ready to configure screen, click Install.

Configuration Complete for Pass-through Configuration (click for original screenshot)

  • On the Configuration complete screen, click Exit to close the Microsoft Azure Active Directory Connect window and to start synchronization to Azure AD.

Concluding

The Azure AD app and attribute filtering page in the Azure AD Connect Configuration Wizard is only visible when an admin chooses to Customize the Azure AD Connect implementation, instead of using the easy ‘4-click’ Express Settings flow for the Azure AD Connect Configuration Wizard.

While Express may be fast, it might not be the best implementation scenario for most organizations.

Further reading

Azure AD Connect sync: Configure filtering 
Azure AD Connect: Custom installation  
Azure Active Directory Synchronization: Filtering, Part 1 
Azure Active Directory Synchronization: Filtering, Part 2

The post HOWTO: Use Domain and OU Filtering to limit the objects in scope for Azure AD Connect appeared first on The things that are better left unspoken.

Join Azure AD in the Microsoft Q&A Preview


Questions and Answers

Since November 2006, I’ve answered circa 835 questions on the TechNet and MSDN Forums on various topics, including Server Core, Active Directory, Azure Active Directory and Multi-factor Authentication.

Now, a big change is coming and I would like for you to be part of it: Microsoft Q&A

    

What’s Microsoft Q&A?

Microsoft Q&A Preview is a global, community-driven platform for timely, high-quality technical answers. Q&A will be replacing MSDN and TechNet forums.

I will be the first to note that the technology behind the MSDN and former TechNet forums is outdated. Search has never been Microsoft’s strong point on these platforms.

    

Why I think Microsoft Q&A is better

Authentication

Signing in to the MSDN Forums is tied to my Microsoft Account. It’s one of the last remnants of my former me, before I joined the dark side of Office 365 in terms of accounts. Microsoft Q&A Preview uses the same user authentication as Microsoft Docs and Learn content, and allows me to sign in with my Work or School account.

One Integrated experience

As Microsoft Q&A Preview is built on the same platform as Microsoft Docs and Microsoft Learn, we can now give people clearer paths between documentation, learning content, and answers. Additionally, Stack Overflow integration is underway.

Mobile-friendly

Microsoft Q&A Preview is mobile-friendly. This is a big difference between it and the MSDN Forums. It also means that accessibility is now much greater, allowing people with disabilities to make better use of their equipment.

Tags

People who ask questions can use tags to tag the relevant technologies on Microsoft Q&A Preview. When multiple products or technologies are involved, this allows them to draw the attention of people from both products. No longer do we see moderators moving questions from one forum to another just to get them answered.

Suggested questions and answers

In Microsoft Q&A Preview, when you type a question, you get suggestions of previously asked questions that may look like yours. This prevents double questions and double answers. Perhaps the new reputation system will even better reflect how much knowledge and/or help people have given…

   

Azure AD is among the first services

Yes, you may point out that Azure AD being among the first services to go live with Microsoft Q&A is like a fourth argument in favor of Microsoft Q&A Preview… However, there’s more.

As Microsoft Q&A went into preview on October 30th, 2019, a lot of my favorite Azure AD technologies are part of the launch phase: Azure Active Directory, Azure Active Directory Domain Services, Azure Active Directory B2C and Azure Information Protection.

    

Join us!

We will be answering questions on Azure AD on Microsoft Q&A Preview from now on, too. If you prefer to use the MSDN Forums on Azure AD, then you can also do so, for now.

The post Join Azure AD in the Microsoft Q&A Preview appeared first on The things that are better left unspoken.

Identity-related sessions at Microsoft Ignite 2019 in Orlando


Microsoft Ignite 2019

Microsoft Ignite 2019 North America in Orlando is only two weeks away and many of us have begun filling our session builders with interesting sessions, corresponding to our interests and knowledge.

I decided to compile a list of the Active Directory, Azure Active Directory and Enterprise Mobility + Security (EM+S) related sessions at Ignite 2019. I’ve compiled the list below, divided per Ignite session type and arranged by date, since Ignite offers 75-minute breakout sessions, 45-minute breakout sessions and 20-minute theater sessions over five days.

Note:
All below sessions are streamed live from Ignite. These can be viewed using a free Microsoft Tech Community account, linked to an Office 365 or Microsoft Account.

 

Breakout sessions (75 minutes)

TK03 Microsoft’s roadmap for security, compliance, and identity

Monday, November 4, 11:00 AM – 12:15 PM EST

Kirk Koenigsbauer (Microsoft)
Ann Johnson (Microsoft)
Bret Arsenault (Microsoft)

WRK3029R Secure and manage your identities with Azure Active Directory

Tuesday, November 5, 12:30 PM – 1:45 PM EST
Wednesday, November 6, 10:45 AM – 12:00 PM EST
Thursday, November 7, 9:00 AM – 10:15 AM EST
Friday, November 8, 10:45 AM – 12:00 PM EST
Adam Harbour (Microsoft)

BRK2157 Exam Prep | MS-100: Microsoft 365 Identity and Services

Tuesday, November 5, 2:15 PM – 3:30 PM EST
Ed Baker

 

Breakout sessions (45 minutes)

Identity: The control plane for your digital transformation, now and into the future

Monday, November 4, 2:00 PM – 2:45 PM EST
Joseph Paradi, Manreet Nijjar, Thomas Sawyer & Nitika Gupta (Microsoft)

BRK2130 Azure Active Directory: New features and roadmap

Tuesday, November 5, 9:00 AM – 9:45 AM EST
Alex Simons (Microsoft) Star, Melanie Maynes (Microsoft) & Sadie Henry (Microsoft)

BRK3110 Winning strategies for identity security and governance

Tuesday, November 5, 10:15 AM – 11:00 AM EST
Alex Weinert (Microsoft) Star and Joseph Dadzie (Microsoft)

BRK3113 New frontiers in identity standards

Tuesday, November 5, 11:30 AM – 12:15 PM EST
Pamela Dingle (Microsoft) Star

SECO10 Secure your enterprise with a strong identity foundation

Tuesday, November 5, 11:30 AM – 12:15 PM EST
Sue Bohn (Microsoft)

BRK2271 Identity in the cloud world: A comprehensive tour

Tuesday, November 5, 2:00 PM – 2:45 PM EST
Jonathan Hart (Microsoft)

BRK3194 Azure Active Directory cloud authentication doesn’t just mean “sign-in”

Wednesday, November 6, 9:00 AM – 9:45 AM EST
John Craddock Light bulb

SECI10 Identity and access management best practices from around the world

Wednesday, November 6, 9:00 AM – 9:45 AM EST
Ramiro Calderon (Microsoft) and Stefan van der Wiele (Microsoft)

SECI20 Shut the door to cybercrime with identity-driven security

Wednesday, November 6, 10:15 AM – 11:00 AM EST
Mark Morowczynski (Microsoft) Star and Rohini Goyal (Microsoft)

AFUN90 Azure identity fundamentals

Wednesday, November 6, 11:45 AM – 12:30 PM EST
Sonia Cuff (Microsoft)

BRK3106 Eliminate your weakest link with passwordless authentication

Wednesday, November 6, 3:15 PM – 4:00 PM EST
Libby Brown (Microsoft), Aabha Thipsay (Microsoft) & James Roettger

BRK3109 Govern your workforce and guest user access with Azure AD

Wednesday, November 6, 4:30 PM – 5:15 PM EST
Joseph Dadzie (Microsoft Corporation) and Mark Wahl (Microsoft)

BRK3108 Modernize your on-premises application security with Azure AD

Thursday, November 7, 9:00 AM – 9:45 AM EST
Jeevan Bisht (Microsoft), Jairo Cadena (Microsoft) and Nitin Aggarwal

BRK3195 Azure AD B2B versus multi-tenant apps: Notes from the field

Thursday, November 7, 10:15 AM – 11:00 AM EST
John Craddock Light bulb

BRK3112 Love all your identities – Building digital relationships with your customers and partners

Thursday, November 7, 2:00 PM – 2:45 PM EST
Elisabeth Olson (Microsoft) and Jose Antonio Rojas (Microsoft)

BRK2132 How Microsoft uses Azure Active Directory Identity Protection and Conditional Access to protect its assets

Thursday, November 7, 4:30 PM – 5:15 PM EST
Caleb Baker (Microsoft), Sarah Handler (Microsoft) and Sarah Scott (Microsoft)

BRK4007 Microsoft identity platform best practices for developers

Friday, November 8, 9:00 AM – 9:45 AM EST
Kyle Marsh (Microsoft)

 

Theater sessions (20 minutes)

THR3065 Application proxy: The hidden gem of Microsoft 365

Monday, November 4, 1:40 PM – 2:00 PM
Raymond Comvalius Star

THR2237 A world without passwords

Monday, November 4, 2:15 PM – 2:35 PM EST
Tuesday, November 5, 9:35 AM – 9:55 AM EST (Repeat)
Sarah Scott, (Microsoft)

THR3080 Gain fine-grained access controls of your administrative roles with Azure Active Directory Custom Roles

Monday, November 4, 2:15 PM – 2:35 PM EST
Arturo Lucatero (Microsoft)

THR2002 Authentication without passwords in 20 minutes

Monday, November 4, 2:50 PM – 3:10 PM EST
Thursday, November 7, 3:05 PM – 3:25 PM EST
Brian Reid

Compromise is co$$$$tly! Detect account compromise early and stop the attackers in their tracks with O365 ATP

Tuesday, November 5, 10:55 AM – 11:15 AM EST
Ross Adams, Microsoft Star 

THR1117 Implementing a zero trust security model at Microsoft

Tuesday, November 5, 11:30 AM – 11:50 AM EST
Brian Fielder (Microsoft)

THR2084 Five easy steps to securing Azure AD Identities

Tuesday, November 5, 12:05 PM – 12:25 PM EST
Jesper Jensen

THR3079 Govern access for employees and partners with Azure Active Directory Identity Governance

Wednesday, November 6, 11:30 AM – 11:50 AM EST
Rahul Prakash (Microsoft) and Joseph Castellanos (Microsoft)

THR3135 Secure customer identity and access management using Azure Active Directory B2C

Thursday, November 7, 11:30 AM – 11:50 AM EST
Adam Stoffel (Microsoft) and Jose Antonio Rojas (Microsoft)

THR2217 Email is the easy part: Five pitfalls to avoid in tenant-to-tenant migrations

Thursday, November 7, 12:05 PM – 12:25 PM EST
Paul Robichaux

THR2232 The top ten most common Active Directory security issues, their impact, and remediation

Wednesday, November 6, 12:40 PM – 1:00 PM EST
Sean Metcalf Light bulb

THR3078 Migrate to modern authentication with Azure Active Directory

Thursday, November 7, 1:15 PM – 1:35 PM EST
Jairo Cadena (Microsoft) and Jithesh Raj (Microsoft)

 

Tip!

If you’re not attending Microsoft Ignite this year, use the above list of Identity-related sessions to convince your manager for next year, or watch the live streams (available for all of the above sessions) or the recordings (available roughly 24 hours after the end of each session).

When you are attending Ignite and are into identity, please use the above list to add some identity flavor to your session builder: especially the sessions I’ve denoted with a star are worth your time.

The post Identity-related sessions at Microsoft Ignite 2019 in Orlando appeared first on The things that are better left unspoken.

Pictures of SharePoint Saturday Belgium 2019


SharePoint Saturday Belgium 2019

In October, I presented at several conferences. One conference stood out from the rest, because of its community: SharePoint Saturday Belgium on October 19th, 2019.
An event organized by fellow MVPs from the Belgian Information Worker User Group, offering sessions by mostly fellow-MVPs; yes, this is gold.

After an Azure Friday at a customer in Gouda, I drove to Brussels. The SharePoint Saturday Belgium organization hosted a speaker night event at Brewery Den Kriek.
I was aiming to catch the bus at Brussels North station to the venue, but unfortunately saw it heading to the brewery before my eyes. I tagged along and arrived at the venue not much later. We enjoyed drinks and food from an authentic Belgian Frietkot.

It was nice to see people from all over the world enjoy fine Dutch and Belgian cuisine and reminded me of the time we took Jeff Woolsey, Chris Jackson and Jeffrey Snover to a Dutch snack bar in Scheveningen, the Netherlands. Good times. Winking smile

Parking spaces at Brussels. Two cars of the same model, although completely different specifications... (click for larger photo)
Nice, a bed at Thon Brussels! (click for original photo)

Heading back into Brussels without traffic was smooth. I had a good night’s rest and drove to the venue early to catch the keynote and prepare my slides and demos.

BIWUG flags at the BluePoint entrance (click for original photo)
The SharePoint Saturday Belgium 2019 Sponsor Area (click for larger photo)

At 3:10 PM I took to the stage in Room 4. I presented a 360-degrees overview of identity in Microsoft 365 and Azure for 50 minutes.

Calm before the storm... (click for larger photo by Maarten Eekels)
Overview of Device Join options (click for larger photo by Octavie van Haaften)

After my session, the crowd gathered for the closing keynote of the event. We were all thanked for making SharePoint Saturday Belgium 2019 another success for BIWUG.

Elio Struyf in the middle of the attention (click for larger photo)
Speaker Gift (click for larger photo by Louise Freese)
Thank You All! (click for larger photo by Elio Struyf himself)

  

Bye SharePoint Saturday Belgium…

Next year, there will be no SharePoint Saturday Belgium. The BIWUG organization stops hosting the event. The good news is that they are planning an entirely new event with an entirely new name. Let’s find out what it’ll be like. I’m curious.

Thank you Thumbs up

Thank you to BIWUG for organizing SharePoint Saturday Belgium 2019 and inviting me as a speaker. Thank you to all the attendees, especially the people in my session.

The post Pictures of SharePoint Saturday Belgium 2019 appeared first on The things that are better left unspoken.

HOWTO: Use Azure AD App Filtering to limit attributes for the objects in scope for Azure AD Connect


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

 

Why look at Attribute Filtering

When installing Azure AD Connect with Express Settings, all objects in the on-premises Active Directory environment are synchronized to Azure AD with the attributes that allow for all hybrid implementations, including Exchange Hybrid and SharePoint Hybrid. This means that, by default, 151 attributes are synchronized for user (and inetorgperson) objects, if they contain values.

Reasons why

Some of these attributes may contain information that is sensitive for your organization, like secret research project names. Other attributes may contain personal data that is not needed (and therefore, in the spirit of GDPR, unwanted) in Azure AD.

Using Azure AD App Filtering in Azure AD Connect, you can limit the number of attributes synchronized from the on-premises Active Directory environment to Azure AD.

Possible negative impact (What could go wrong?)

As organizations evolve, so do their needs. The comfort of being ‘all-in’ in terms of attributes in Azure AD might be a reason to become and remain ‘all-in’. There will be no need to reconfigure Azure AD Connect when new Hybrid scenarios are introduced to include the attributes needed for the new scenario.

Attribute Filtering comes in two flavors:

  1. Azure AD App Filtering
    Based on 1st-party Azure AD-integrated applications, sets of attributes are available to mix and match. Only the attributes that are required by the specific Azure AD app or hybrid scenario are synchronized to Azure AD.
  2. Attribute Filtering
    Beyond Azure AD App Filtering, admins can restrict the attributes that are synchronized for objects in scope for Azure AD Connect. Only three attributes are required by the user interface (accountEnabled, sourceAnchor and userPrincipalName).

When you use Attribute Filtering, attributes are filtered for all objects and object types in scope. However, some attributes are required for certain objects, like the cn attribute for groups. When multiple object types use this attribute and one object type requires it, then it should be included in the synchronization for all object types.

Attribute Filtering is not supported by Microsoft.
If you run into trouble, Microsoft will require you to synchronize the minimum number of attributes for your hybrid scenarios through Azure AD App Filtering, before offering help.
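Before deciding which attributes to stop synchronizing, it helps to know which attributes in the on-premises directory actually carry values. The following script is an added example, not code from the original post or from Microsoft: it uses the Active Directory PowerShell module the post already requires, counts how many user objects under an OU have each attribute populated, and optionally marks which of those names appear in the attribute list you copied from the wizard. The OU distinguished name and the attribute names passed in are placeholders.

```powershell
# Added example (not part of the original post). Assumes the Active Directory
# PowerShell module is installed on the Azure AD Connect server, as the post requires.
Import-Module ActiveDirectory

function Get-PopulatedUserAttributes {
    [CmdletBinding()]
    param(
        # Distinguished name of the OU (or domain) in scope for Azure AD Connect.
        [Parameter(Mandatory)] [string] $SearchBase,
        # Optional: attribute names copied from the wizard's "comma-separated values"
        # link, so the report shows which populated attributes currently leave the forest.
        [string[]] $ExportedAttributes = @()
    )

    # -Properties * returns only the attributes that hold a value for each object.
    $users = @(Get-ADUser -Filter * -SearchBase $SearchBase -Properties *)
    if ($users.Count -eq 0) { return @() }

    # Count, per attribute name, how many user objects carry a non-empty value.
    $counts = @{}
    foreach ($user in $users) {
        foreach ($name in $user.PropertyNames) {
            $value = $user.$name
            if ($null -eq $value) { continue }
            # Multi-valued attributes come back as collections; skip empty ones.
            if (($value -is [System.Collections.ICollection]) -and ($value.Count -eq 0)) { continue }
            if ("$value" -eq '') { continue }
            if ($counts.ContainsKey($name)) { $counts[$name]++ } else { $counts[$name] = 1 }
        }
    }

    # One row per attribute: how widely it is populated and whether it is exported today.
    $counts.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{
            Attribute         = $_.Key
            PopulatedObjects  = $_.Value
            PercentPopulated  = [math]::Round(100 * $_.Value / $users.Count, 1)
            ExportedToAzureAD = ($ExportedAttributes -contains $_.Key)
        }
    } | Sort-Object -Property PopulatedObjects -Descending
}

# Placeholder values; replace with your own OU and the exported attribute names.
Get-PopulatedUserAttributes -SearchBase 'OU=Staff,DC=example,DC=com' `
    -ExportedAttributes @('userPrincipalName', 'mail', 'description') |
    Format-Table -AutoSize
```

Attributes that are widely populated and exported, but unused by any hybrid scenario, are the candidates to discuss with the on-premises AD team before touching the wizard.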

 

Getting Ready

To use Attribute Filtering to limit attributes for the objects in scope for Azure AD Connect, meet the following requirements:

System requirements

Make sure you run the latest generally available version of Azure AD Connect.

Privilege requirements

You’ll need to have local privileges on each Windows Server running Azure AD Connect. You’ll need to be a member of the local ADSyncAdmins group, or a member of the custom local group you may have selected as the Azure AD Connect Administrators group, during the installation of Azure AD Connect.

On the Azure AD side of things, you’ll need an account that has the Global administrator role assigned.

Additionally, make sure the Windows PowerShell Module for Active Directory is installed on each of the Azure AD Connect installations, to be able to run the below scripts.

Who to communicate to

As an Azure AD Connect admin, make sure you communicate to the people managing the on-premises Active Directory environment(s) and the people managing Azure AD for your organization.

 

How to do it

There are two scenarios in which you may use Azure AD App Filtering and Attribute Filtering to limit the attributes for the objects in scope for Azure AD Connect:

  1. Existing Azure AD Connect configurations
  2. New Azure AD Connect configurations

Existing Azure AD Connect configurations

For existing Azure AD Connect configurations, there are two challenges associated with configuring Azure AD App Filtering and Attribute Filtering:

  • Attributes that have previously been synchronized from on-premises Active Directory to Azure AD remain present in Azure AD. They are not removed or defunct.
  • Attributes that have previously been synchronized are typically unmanageable in Azure AD.

Perform the below steps to reconfigure an existing Azure AD Connect installation with Azure AD App Filtering to limit the attributes for the objects in scope for Azure AD Connect:

  • Log on to the Windows Server installation that hosts Azure AD Connect.
  • Click on the Azure AD Connect shortcut on the Desktop or the Start Menu.
    Alternatively, launch: C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe
  • On the Welcome to Azure AD Connect page, click Continue.
  • On the Additional tasks page, click on Customize synchronization options.
  • Click Next.
  • On the Connect to Azure AD page, sign in with an Azure AD-based account with Global Administrator or Company Administrator privileges.
    Optionally, perform multi-factor authentication, and/or elevate the account to Global Administrator when using Azure AD Privileged Identity Management (PIM).
  • On the Domain and OU filtering page, make the appropriate selections to limit the objects in scope for Azure AD Connect.
  • On the Optional features page, select the Azure AD app and attribute filtering option.
  • Click Next.

I Want To Restrict The List Of Applications on the Azure AD Apps page of Azure AD Connect (click for original screenshot)

  • On the subsequent Azure AD apps page, select one or more Azure AD Apps from the list of Office 365 ProPlus, Exchange Online, SharePoint Online, Lync Online, Azure RMS, Intune, Dynamics CRM and 3rd party applications.
    Click Next.
  • Alternatively, select the option I want to restrict the list of applications. This will remove all selections. After clicking Next, the Azure AD attributes page allows you to select specific attributes if you also enable the I want to further limit the attributes exported to Azure AD option.

The View the list of attributes as comma-separated values link can be used to obtain a list of attributes, showing which ones are exported and which ones are mandatory.

  • Click Next on the Azure AD attributes page.
  • On the Ready to configure page, click Configure.
  • On the Configuration complete page, click Exit to exit the Azure AD Connect configuration wizard and have the synchronization schedule resume.

Perform the above steps on any Staging Mode Azure AD Connect installation you might have, too.

New Azure AD Connect configurations

Perform the below steps to configure a new Azure AD Connect installation with Azure AD App Filtering and Attribute Filtering, for instance with Pass-through Authentication:

  • Log on to the Windows Server installation that you intend to run Azure AD Connect.
    You might want to reconsider using a Domain Controller for this, as it is not the most brilliant of ideas.
  • Download Azure AD Connect.
  • Double-click AzureADConnect.msi.
  • On the Welcome screen, select the I agree to the license terms and privacy notice option.
  • Click the Next button.
  • On the Express Settings screen, click the Customize button.

Install Required Components for Azure AD Connect (click for original screenshot)

  • On the Install required components screen, click Install.
  • On the User sign-in screen, select the Pass-through authentication option and the Enable single sign-on option.
  • Click Next.
  • On the Connect to Azure AD screen, enter the credentials of an account in Azure AD that has been assigned the global administrator role.
  • Click the Next button.
    Optionally, perform multi-factor authentication, and/or elevate the account to Global Administrator when using Azure AD Privileged Identity Management (PIM).
  • On the Connect your directories screen, click Add directory.
    The AD forest account pop-up window appears.
  • Sign in with an account that is a member of the Enterprise Admins group in the Active Directory forest.
  • Click OK.
  • Back in the Microsoft Azure Active Directory Connect window, click Next.
  • On the Azure AD Sign-in configuration screen, click Next.
  • On the Domain and OU filtering page, make the appropriate selections to limit the objects in scope for Azure AD Connect.
  • Click Next.
  • On the Uniquely identifying your users screen, click Next.
  • On the Filter users and devices screen, click Next.
  • On the Optional features page, select the Azure AD app and attribute filtering option.
  • Click Next.
  • On the subsequent Azure AD apps page, select one or more Azure AD Apps from the list of Office 365 ProPlus, Exchange Online, SharePoint Online, Lync Online, Azure RMS, Intune, Dynamics CRM and 3rd party applications. Click Next.
  • Alternatively, select the option I want to restrict the list of applications. This will remove all selections. After clicking Next, the Azure AD attributes page allows you to select specific attributes if you also enable the I want to further limit the attributes exported to Azure AD option. Click Next on the Azure AD attributes page.
  • On the Enable single sign-on screen, click the Enter credentials button.
    A Windows Security pop-up appears to enter the credentials for the specified forest. Enter the credentials of an account that is a member of the Domain Admins group for the Active Directory domain for which Seamless Single Sign-on will be configured, or an account that is a member of the Enterprise Admins group in the Active Directory forest, that contains the domain in which Seamless Single Sign-on will be configured.
  • Click OK.
  • Click Next.
  • Back in the Microsoft Azure Active Directory Connect window, click Next.
  • On the Ready to configure screen, click Install.

Configuration Complete for Pass-through Configuration (click for original screenshot)

  • On the Configuration complete screen, click Exit to close the Microsoft Azure Active Directory Connect window and to start synchronization to Azure AD.

 

Concluding

The Azure AD apps and Azure AD attributes pages in the Azure AD Connect Configuration Wizard are only visible when an admin chooses to Customize the Azure AD Connect implementation, instead of using the easy ‘4-click’ Express Settings flow for the Azure AD Connect Configuration Wizard.

While Express may be fast, it might not be the best implementation scenario for most organizations. Especially when you take into account that values for attributes that have been synchronized in the past will not be cleared and will not be manageable from the Azure AD Portal, Azure AD PowerShell or Graph API, until you completely decommission your Azure AD Connect implementation(s) for the tenant…

Further reading

Azure AD Connect sync: Configure filtering
Azure AD Connect: Custom installation
Azure Active Directory Synchronization: Filtering, Part 1
Azure Active Directory Synchronization: Filtering, Part 2

The post HOWTO: Use Azure AD App Filtering to limit attributes for the objects in scope for Azure AD Connect appeared first on The things that are better left unspoken.


I’m speaking at the 2019 European SharePoint Conference


Prague Conference Center, home to the 2019 European SharePoint, Office 365 and Azure Conference

The countdown is on to the European SharePoint, Office 365 & Azure Conference! There are just four weeks to go until this event lands at the Prague Conference Center from Monday December 2nd, 2019 to Thursday December 5th, 2019!

    

About the European SharePoint, Office 365 & Azure Conference

The European SharePoint, Office 365 & Azure Conference (ESPC) is Europe’s leading online community, providing educational resources and encouraging collaboration.

The European SharePoint, Office 365 and Azure Conference is part of QualTech Conferences and is based in Galway, Ireland.
QualTech has 18 years of experience in organizing leading European IT conferences.

For those of you who haven’t been before, or are thinking of attending; ESPC is a really fun, welcoming event with a big focus on the topics and learning. It brings together an amazing group of speakers, sponsors and delegates, including Microsoft Leaders, Product Team members and leading community RDs, MVPs and MCMs, so we can all help each other achieve great things with SharePoint, Office 365 or Azure.

About my sessions

I will deliver two sessions at the European SharePoint, Office 365 & Azure Conference:

GDPR: The Good, the Bad and the Ugly

Session code W24, Wednesday December 4, 2019, 11:45AM – 12:45PM, level 200

“GDPR is no laughing matter. However, when I present about it, there’s the occasional giggle and laugh in the room…”

Talking about GDPR shouldn’t be something to doze off with, it shouldn’t bore people. It’s far too important. Yet, many speakers achieve just that. Not this session! The best way to learn is to enjoy, so let’s enjoy!

When you attend my session, you:

  1. Gain an overview of the GDPR requirements
  2. Learn how Microsoft solutions offer possibilities to meet the GDPR requirements
  3. Find out what not to do when it comes to GDPR

   

Your Identity Roadmap to 2022

Session code W49, Wednesday December 4, 2019, 4:45PM – 5:45PM, level 100

No-one wants to admit they made a costly mistake when they chose the wrong technology. Now, for identity, you don’t have to worry about that. In this session, we’ll tell you all about the products that are available, the strategies you can follow and the smart actions you can take today.

AD FS on Windows Server 2012 R2, MFA Server, Relying Party Trusts on your AD FS environment and implementations of Hybrid Identity based on Azure AD Connect. If you have any of these or you are in the planning stages, then this is a session for you! The Identity team at Microsoft is shaking up their product portfolio and it’s time to pay attention!

On the outside it looks like organizations only gain choices, but the team will kill off some of these roads going forward. It’s time to make the right choices to avoid disappointments. From all the hints by the teams, all the marketing buzz and proper announcements, we have distilled the bottom line.

So, join this session to gain an overview of your organizations’ identity roadmaps for 2022, and:

  1. Learn about Microsoft’s Identity roadmap
  2. Make non-regrettable Identity decisions
  3. Prioritize Identity-related decisions

  

Register

You can register for the European SharePoint, Office 365 & Azure Conference here.

If you are planning to attend, don’t forget, you or your team can use my coupon code ESPC19SPK to receive a special 100 EUR discount.

I hope to see you there!

The post I’m speaking at the 2019 European SharePoint Conference appeared first on The things that are better left unspoken.

What’s New in Azure Active Directory for October 2019

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for October 2019:

 

What’s Planned

Deprecation of the identityRiskEvent API for Azure AD Identity Protection risk detections

Service category: Identity Protection
Product capability: Identity Security & Protection

In response to developer feedback, admins of Azure AD tenants with Azure AD Premium P2 subscription licenses can now perform complex queries on Azure AD Identity Protection’s risk detection data by using the new riskDetection API for Microsoft Graph.

The existing identityRiskEvent API beta version will stop returning data around January 10, 2020. If your organization is using the identityRiskEvent API, you should transition to the new riskDetection API.

 

Application Proxy support for the SameSite Attribute and Chrome 80

Service category: App Proxy
Product capability: Access Control

A couple of weeks prior to the Chrome 80 browser release, Microsoft plans to update how Application Proxy cookies treat the SameSite attribute. With the release of Chrome 80, any cookie that doesn’t specify the SameSite attribute will be treated as though it was set to SameSite=Lax.

To help avoid potentially negative impacts due to this change, Microsoft is updating Application Proxy access and session cookies by:

  • Setting the default value for the Use Secure Cookie setting to Yes.
  • Setting the default value for the SameSite attribute to None.
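To see why both defaults have to change together, the following added example (not from the original post or from Microsoft) evaluates Set-Cookie header values the way the post describes Chrome 80 will: a cookie without SameSite is treated as Lax, and SameSite=None is only honored when Secure is also set. The three sample headers and the cookie name are constructed.

```powershell
# Added example, not part of the original post. Classifies a Set-Cookie header
# according to the Chrome 80 SameSite behaviour described above.
function Test-SameSiteCookie {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $SetCookieHeader)

    # "name=value; Attr; Attr=value" -> cookie name plus a lower-cased attribute table
    $parts = ($SetCookieHeader -split ';') | ForEach-Object { $_.Trim() }
    $name  = ($parts[0] -split '=', 2)[0]
    $attrs = @{}
    foreach ($part in ($parts | Select-Object -Skip 1)) {
        $kv = $part -split '=', 2
        $attrs[$kv[0].ToLowerInvariant()] = if ($kv.Count -gt 1) { $kv[1].Trim() } else { '' }
    }

    $secure   = $attrs.ContainsKey('secure')
    $declared = if ($attrs.ContainsKey('samesite')) { $attrs['samesite'] } else { $null }
    $sameSite = if ($null -ne $declared) { $declared.ToLowerInvariant() } else { '<absent>' }

    switch ($sameSite) {
        '<absent>' {
            # Chrome 80 default: withheld from cross-site POSTs and framed requests.
            $effective = 'Lax'; $crossSite = $false
            $note = 'No SameSite attribute: Chrome 80 treats it as Lax.'
        }
        'none' {
            if ($secure) {
                $effective = 'None'; $crossSite = $true
                $note = 'Sent with cross-site requests, over HTTPS only.'
            } else {
                $effective = 'Rejected'; $crossSite = $false
                $note = 'SameSite=None without Secure is rejected by Chrome 80.'
            }
        }
        'lax'    { $effective = 'Lax';    $crossSite = $false; $note = 'Sent only with top-level navigations.' }
        'strict' { $effective = 'Strict'; $crossSite = $false; $note = 'Never sent with cross-site requests.' }
        default  {
            $effective = 'Lax'; $crossSite = $false
            $note = "Unrecognized SameSite value '$declared' is treated like a missing attribute."
        }
    }

    [pscustomobject]@{
        Cookie            = $name
        DeclaredSameSite  = $declared
        Secure            = $secure
        EffectiveSameSite = $effective
        SentCrossSite     = $crossSite
        Note              = $note
    }
}

# Constructed sample headers: the first is a cookie that never specified SameSite,
# the second matches the new Application Proxy defaults (Secure + SameSite=None),
# the third shows SameSite=None without Secure, which Chrome 80 drops.
$samples = @(
    'appproxy_session=c0nstructed; Path=/; HttpOnly',
    'appproxy_session=c0nstructed; Path=/; HttpOnly; Secure; SameSite=None',
    'appproxy_session=c0nstructed; Path=/; SameSite=None'
)
$samples | ForEach-Object { Test-SameSiteCookie -SetCookieHeader $_ } |
    Format-Table Cookie, DeclaredSameSite, Secure, EffectiveSameSite, SentCrossSite -AutoSize
```

Only the second sample keeps working for an application that is reached through a cross-site redirect, which is exactly the combination Microsoft is making the default.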

 

App registrations (legacy) and converged app management from the Application Registration Portal will no longer be available

Service category: N/A
Product capability: Developer Experience

In the near future, users with Azure AD accounts will no longer be able to register and manage converged applications using the Application Registration Portal (apps.dev.microsoft.com), or register and manage applications in the App registrations (legacy) experience in the Azure portal.

 

What’s New

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Microsoft has added additional capabilities to help admins customize and send claims in SAML tokens. These new capabilities include:

  • Additional claims transformation functions, helping admins to modify values sent in the claim
  • Ability to apply multiple transformations to a single claim
  • Ability to specify the claim source, based on the user type and the group to which the user belongs

 

New My Sign-ins page for end users in Azure AD

Service category: Authentications (Logins)
Product capability: Monitoring & Reporting

Microsoft has added a new My Sign-ins page (https://mysignins.microsoft.com) for users to view their recent sign-in history and check for any unusual activity. This new page allows users to see:

  • If anyone is attempting to guess their password.
  • If an attacker successfully signed in to their account and from what location.
  • What apps the attacker tried to access.

 

Migration of Azure AD Domain Services (Azure AD DS) from classic to Azure Resource Manager virtual networks

Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Admins can now perform a one-time migration of Azure AD Domain Services from a classic virtual network to an existing Resource Manager virtual network. After moving to the Resource Manager virtual network, admins will be able to take advantage of the additional and upgraded features such as fine-grained password policies, email notifications, and audit logs.

 

Updates to the Azure AD B2C page contract layout

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Microsoft has introduced some changes to version 1.2.0 of the page contract for Azure AD B2C. In this updated version, admins can now control the load order for elements. This might help to stop the flicker that happens when the style sheet (CSS) is loaded.

 

Update to the My Apps page along with new Workspaces
Public preview

Service category: My Apps
Product capability: Access Control

Azure AD admins can now customize the way their organization’s users view and access the brand-new My Apps experience, including using the new Workspaces feature to make it easier for them to find apps. The new Workspaces functionality acts as a filter for the apps users already have access to.

 

Support for the monthly active user-based billing model General availability

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Azure AD B2C now supports monthly active users (MAU) billing. MAU billing is based on the number of unique users with authentication activity during a calendar month. Organizations can switch to this new billing method at any time.

Starting on November 1, 2019, all new organizations will automatically be billed using this method. This billing method offers organizations cost benefits and the ability to plan ahead.

 

What’s Changed

Users are no longer required to re-register during migration from per-user MFA to Conditional Access-based MFA

Service category: Multi-factor Authentication (MFA)
Product capability: Identity Security & Protection

Microsoft has fixed a known issue whereby users were required to re-register if they were disabled for per-user Multi-Factor Authentication (MFA) and then enabled for MFA through a Conditional Access policy.

To require users to re-register, admins can select the Required re-register MFA option from the user’s authentication methods in the Azure AD portal.

 

Consolidated Security menu item in the Azure AD portal

Service category: Identity Protection
Product capability: Identity Security & Protection

You can now access all of the available Azure AD security features from the new Security menu item, and from the Search bar in the Azure portal. Additionally, the new Security landing page, called Security – Getting started, provides links to Microsoft’s public documentation, security guidance, and deployment guides.

The new Security menu includes:

  • Conditional Access
  • Identity Protection
  • Security Center
  • Identity Secure Score
  • Authentication methods
  • MFA
  • Risk reports – Risky users, Risky sign-ins, Risk detections

 

Office 365 groups expiration policy enhanced with autorenewal

Service category: Group Management
Product capability: Identity Lifecycle Management

The Office 365 groups expiration policy has been enhanced to automatically renew groups that are actively in use by their members. Groups will be autorenewed based on user activity across all the Office 365 apps, including Outlook, SharePoint, and Teams.

This enhancement helps to reduce group expiration notifications and helps to make sure that active groups continue to be available. If admins already have an active expiration policy for their Office 365 groups, they don’t need to do anything to turn on this new functionality.

 

Updated Azure AD Domain Services (Azure AD DS) creation experience

Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Microsoft has updated Azure AD Domain Services (Azure AD DS) to include a new and improved creation experience, helping admins to create a managed domain in just three clicks! In addition, admins can now upload and deploy Azure AD DS from a template.

The post What’s New in Azure Active Directory for October 2019 appeared first on The things that are better left unspoken.

On-premises Identity updates & fixes for October 2019


Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for October 2019:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4524152 October 3, 2019

The October 3, 2019 update for Windows Server 2016 (KB4524152), updating the OS build number to 14393.3243 is an update that fixes an intermittent issue with the print spooler service that may cause print jobs to fail. Some apps may close or generate errors, such as the remote procedure call (RPC) error. This issue was introduced in the KB4522010 update for Internet Explorer on September 23, 2019.

KB4519998 October 8, 2019

The October 8, 2019 update for Windows Server 2016 (KB4519998), updating the OS build number to 14393.3274 is a security update.

Two NTLM authentication vulnerabilities discovered by security firm Preempt are fixed in this update. When abused, these vulnerabilities allow bypassing protections put in place by Microsoft to prevent NTLM relay attacks, including MIC (Message Integrity Code) protection, Enhanced Protection for Authentication (EPA) and target SPN validation. These vulnerabilities were assigned CVE IDs CVE-2019-1166 and CVE-2019-1338.

After applying this update or later (cumulative) updates, Windows Server installations are protected against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. However, Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627).

If you see “The request was aborted: Could not create SSL/TLS secure Channel” errors, or events with Event ID 36887 logged in the System event log with the description “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.”, then this is caused by the behavior in this update. Please refer to KB4528489 for troubleshooting information.

KB4519979 October 15, 2019

The October 15, 2019 update for Windows Server 2016 (KB4519979), updating the OS build number to 14393.3300 is a quality update. It includes the following identity-related improvements:

  • It addresses an issue that prevents Computer objects from being added to local groups using the Group Policy Preference “Local Users and Groups”. The Group Policy Editor returns the error message, “The object selected does not match the type of destination source. Select again.”
  • It addresses an issue that causes a query request of the Win32_LogonSession class for the StartTime to display the value of the epoch (for example, 1-1-1601 1:00:00) instead of the actual logon time.
  • It addresses an issue that prevents netdom.exe from displaying the new ticket-granting ticket (TGT) delegation bit for the display or query mode.
  • It addresses an intermittent issue in Active Directory Federation Services (AD FS) that fails to authenticate users. Additionally, AD FS redirects the browser back to the Microsoft Exchange Client Access services (CAS) with the wrong Audience uniform resource identifier (URI). Specifically, AD FS appends a slash to the Audience URI. Users see an error page and cannot access the Outlook Web App (OWA).
  • It addresses an issue with Lightweight Directory Access Protocol (LDAP) queries that have a memberof expression in the filter. The queries fail with the error, “000020E6: SvcErr: DSID-0314072D, problem 5012 (DIR_ERROR), data 8996.”

  

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4524148 October 3, 2019

The October 3, 2019 update for Windows Server 2019 (KB4524148), updating the OS build number to 17763.775 is an update that expands the out-of-band update dated September 23, 2019. This security update includes the Internet Explorer scripting engine security vulnerability (CVE-2019-1367) mitigation and corrects a recent printing issue some users have experienced since the September 23, 2019 update (KB4522015).

KB4519338 October 8, 2019

The October 8, 2019 update for Windows Server 2019 (KB4519338), updating the OS build number to 17763.805 is a security update.

Overview of KB4519338

Two NTLM authentication vulnerabilities discovered by security firm Preempt are fixed in this update. When abused, these vulnerabilities allow bypassing protections put in place by Microsoft to prevent NTLM relay attacks, including MIC (Message Integrity Code) protection, Enhanced Protection for Authentication (EPA) and target SPN validation. These vulnerabilities were assigned CVE IDs CVE-2019-1166 and CVE-2019-1338.

After applying this update or later (cumulative) updates, Windows Server installations are protected against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. However, Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627).

If you see “The request was aborted: Could not create SSL/TLS secure Channel” errors, or events with Event ID 36887 logged in the System event log with the description “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.”, then this is caused by the behavior in this update. Please refer to KB4528489 for troubleshooting information.
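The Extended Master Secret symptom is described identically for the Windows Server 2016 (KB4519998) and Windows Server 2019 (KB4519338) updates above, so one added example serves both. This is not code from the original post or from Microsoft; it scans a text export of the System event log for Schannel Event ID 36887 with TLS alert code 20 (bad_record_mac, the code quoted in the text) and tallies the alert codes, so that an admin can count the handshake failures before and after the update and take the result to the KB4528489 troubleshooting steps. The export layout (one event per line as timestamp|provider|event id|message) and all sample lines are constructed for the example; a real Event Viewer or Get-WinEvent export uses a different layout and needs a different splitter.

```python
"""Added example, not code from the original post or from Microsoft.

Scans a text export of the System event log for the Schannel event the text
describes (Event ID 36887, "fatal alert code is 20") and tallies fatal-alert
codes, so handshake failures can be compared before and after the update.

Assumption (constructed): the export has one event per line as
'timestamp|provider|event id|message'. Real Event Viewer or Get-WinEvent
exports use a different layout and need a different splitter.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

SCHANNEL_FATAL_ALERT_EVENT_ID = 36887
BAD_RECORD_MAC = 20  # TLS alert 20 = bad_record_mac, the code quoted in the text

_ALERT_CODE_RE = re.compile(r"fatal alert code is (\d+)")

# Constructed sample export. The 36887 lines use the wording quoted in the text;
# the other lines are filler to show unrelated events being ignored.
SAMPLE_EXPORT = """\
2019-10-09T08:01:12|Schannel|36887|A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.
2019-10-09T08:01:15|Schannel|36874|(constructed filler: unrelated Schannel event)
2019-10-09T08:02:40|Schannel|36887|A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
2019-10-09T08:03:05|Schannel|36887|A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.
2019-10-09T08:04:00|Service Control Manager|7036|(constructed filler: service state change)
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one export line into its fields; None for blank or malformed lines."""
    fields = line.rstrip("\n").split("|", 3)
    if len(fields) != 4 or not fields[2].isdigit():
        return None
    ts, provider, event_id, message = fields
    return {"time": ts, "provider": provider, "event_id": int(event_id), "message": message}


def alert_code(message: str) -> Optional[int]:
    """Pull the numeric TLS alert code out of a 36887 message, if present."""
    m = _ALERT_CODE_RE.search(message)
    return int(m.group(1)) if m else None


def schannel_alert_histogram(lines: Iterable[str]) -> Dict[int, int]:
    """Count Event ID 36887 occurrences per TLS alert code."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["event_id"] == SCHANNEL_FATAL_ALERT_EVENT_ID:
            code = alert_code(str(ev["message"]))
            if code is not None:
                counts[code] += 1
    return dict(counts)


def bad_record_mac_events(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return only the events that match the symptom described in the text."""
    return [
        ev for ev in map(parse_line, lines)
        if ev
        and ev["event_id"] == SCHANNEL_FATAL_ALERT_EVENT_ID
        and alert_code(str(ev["message"])) == BAD_RECORD_MAC
    ]


if __name__ == "__main__":
    lines = SAMPLE_EXPORT.splitlines()
    print("36887 alert codes seen:", schannel_alert_histogram(lines))
    for ev in bad_record_mac_events(lines):
        print(ev["time"], "- alert 20 after the update: check EMS support of the peer, see KB4528489")
```

Alert code 20 on its own does not prove the peer lacks Extended Master Secret support; the histogram is there so that a jump in alert 20 events after the update, with other codes flat, can be distinguished from a general TLS problem.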

KB4520062 October 15, 2019

The October 15, 2019 update for Windows Server 2019 (KB4520062), updating the OS build number to 17763.832 is a quality update. It includes the following identity-related improvements:

  • It addresses an issue that prevents Computer objects from being added to local groups using the Group Policy Preference “Local Users and Groups”. The Group Policy Editor returns the error message, “The object selected does not match the type of destination source. Select again.”
  • It addresses an issue that causes a query request of the Win32_LogonSession class for the StartTime to display the value of the epoch (for example, 1-1-1601 1:00:00) instead of the actual logon time.
  • It addresses an issue that prevents netdom.exe from displaying the new ticket-granting ticket (TGT) delegation bit for the display or query mode.
  • It addresses an issue with Lightweight Directory Access Protocol (LDAP) queries that have a memberof expression in the filter. The queries fail with the error, “000020E6: SvcErr: DSID-0314072D, problem 5012 (DIR_ERROR), data 8996.”
  • It addresses an issue in which an Active Directory Federation Services (AD FS) certificate is renewed and published by default each year. However, the client does not use them, which results in an authentication error.

The post On-premises Identity updates & fixes for October 2019 appeared first on The things that are better left unspoken.

What’s new in Azure Active Directory at Microsoft Ignite 2019


Microsoft Ignite - November 4-8, 2019 - Orlando, Florida

Microsoft’s Identity Division made announcements and released functionality for Azure Active Directory during Microsoft Ignite 2019 (November 4th – November 8th, 2019) in Orlando, Florida:

 

Security

Azure AD Security Defaults Public Preview

Security Defaults is a set of basic identity security mechanisms, recommended by Microsoft. When enabled, these recommendations will be automatically enforced. Admins and users will be better protected from common identity-related attacks.

Note:
Security defaults are available right now, from the tenant properties blade in the Azure Portal. Security Defaults replace the Baseline Policies in Conditional Access. When you enable Security Defaults, the Baseline Policies disappear.

 

Azure MFA for free

Microsoft announced that Azure Multi-factor Authentication (MFA) is now free.
Azure MFA will be enabled as part of the new Security Defaults feature for all new Azure Active Directory tenants for Microsoft 365, Office 365, Dynamics, and Azure.

As of November 1, 2019, there will be no charges for using multi-factor authentication or password-less authentication.

 

Password-less authentication for free

Organizations with any Azure Active Directory plan can now use the Microsoft Authenticator app to securely access their apps without a password. Previously, only customers with a paid plan could use the app for password-less authentication.

Note:
The password-less authentication methods feature in Azure Active Directory launched in Public Preview last year; General Availability is expected in 2020.

 

Refreshed Azure AD Identity Protection General Availability

The new Azure AD Identity Protection is now generally available. It offers new detections and capabilities. These new User and Entity Behavioral Analytics (UEBA) capabilities and their enhanced signals, massively improved APIs for integration with Security Operations Center (SOC) environments, and a new user interface, make Azure AD admins and their security counterparts more efficient.

 

Conditional Access Report-only mode Public Preview

Conditional Access Report-only mode allows admins to evaluate the potential impact of new Conditional Access policies before rolling them out. Organizations with an Azure Monitor subscription can monitor the impact of Conditional Access policies in report-only mode using the new Conditional Access insights workbook. In combination with the Global Reader role, this allows for further visibility into settings and policies without added risk.

 

Integration

Azure Active Directory Connect cloud provisioning Soon

Microsoft announced Azure Active Directory Connect cloud. It will become available for preview soon.

Azure Active Directory Connect cloud provisioning allows customers to easily consolidate disconnected on-premises Active Directory forests and eliminate the need for on-premises Azure AD Connect installations, all while enabling greater availability of connectivity (such as multiple deployments to disconnected forests for redundancy) and lowering costs.

Azure Active Directory Connect cloud provisioning provides a lightweight, on-premises agent that enables provisioning from multiple, disconnected on-premises Active Directory forests and moves all the synchronization complexity and data transformation logic to the cloud.

 

Inbound user provisioning from SAP SuccessFactors Public Preview

Microsoft announced the public preview of inbound user provisioning from SAP SuccessFactors. With this feature, admins can implement end-to-end identity lifecycle management covering the entire spectrum of Joiner-Mover-Leaver scenarios using SuccessFactors as the “system of record”. New employees can get up and running on their first day, and admins can modify or revoke access automatically based on the employee’s role and status in SuccessFactors.

 

Azure AD Entitlement Management Generally Available

34% of security breaches involve inside access, according to a 2019 Verizon report on data breaches. Microsoft is helping organizations manage access to information with entitlements management for Azure Active Directory, now generally available.

Entitlements management simplifies employee and partner access requests, approvals, auditing, and workflows.
Additionally, it allows organizations to create access packages that make it easier for employees and partners to request access to the information they need while ensuring that only the right people have access to the appropriate resources.

 

Azure Active Directory MyApps portal updates with new look and features Public Preview

A revamped look and more capabilities for the Azure Active Directory MyApps portal give users a simplified experience with all apps in one place.
The new features, now in preview, include a mobile-first launching experience for all enterprise apps, workspaces for administrator-curated apps, and a unified app launching experience with Microsoft 365 surfaces across the Office.com portal, Office 365 search, and Office navigation.

 

Easier sign-in and better security for firstline workers Soon

Microsoft announced new identity features in Microsoft 365 to help empower firstline workers to access company resources and work securely, whether on a personal or shared device.
The features, in private preview and available later this year, include:

  • SMS sign-in that allows workers to sign in with their phone number and an SMS code for authentication, eliminating the need for passwords.
  • Global sign-out, rolling out later this year for Android devices, that enables workers to sign out of all their apps with just one click and help ensure that nobody else can use the same devices under their account.
  • Delegated user management that will enable scale and reduce stress on IT support by allowing firstline managers to manage users and credentials.

The capabilities will also be available on Teams, which also sees the rollout of off-shift access for firstline workers, which allows companies to grant Teams app access to firstline workers and still comply with designated work hours.

 

Interoperability

Azure Active Directory secure hybrid access with partners Soon

Microsoft announced secure hybrid access partnerships with Akamai, Citrix, F5 and Zscaler to simplify secure access to applications that use legacy protocols like header-based and Kerberos authentication.

With these new integrations, admins can apply the same risk-based Azure AD Conditional Access policies and Identity Governance processes to legacy authentication-based applications as to the rest of the digital environment.

 

MSAL for Python and Java Public Preview

Hot on the heels of the General Availability of Microsoft Authentication Libraries (MSAL) for Android, iOS and MacOS, Microsoft announced the Public Preview of the Microsoft Authentication Libraries (MSAL) for Java.

 

Azure AD Domain Services Resource Forest Public Preview

If you are looking to move your legacy authentication-based applications to the cloud, you can use the new Azure Active Directory Domain Services resource forest functionality, now in public preview. It allows organizations to create an instance of Azure AD DS that has a one-directional trust with the on-premises Active Directory domains and eliminates the need to synchronize password hashes to Azure AD DS.

Microsoft also made several enhancements to Azure AD Domain Services including additional availability zones, improved load balancer, Azure workbooks, audit logs, and a new set up experience.

 

Future of Identity

Microsoft has developed a Proof of Concept (PoC) for a decentralized identity system with the UK National Health Service (NHS), based on its research for an identity that lets individuals bring a digital identity with verifiable claims through blockchain technology.

NHS sponsors the project to help graduating doctors spend more time with patients, and less time onboarding and managing credentials.

The post What’s new in Azure Active Directory at Microsoft Ignite 2019 appeared first on The things that are better left unspoken.

Pictures of VMworld Europe 2019


VMworld Europe 2019 at Fira Gran Via

Deji Akomolafe invited me over to Barcelona last week, to present two sessions with him at VMware’s VMworld Europe 2019 event.

After I had spent Tuesday November 5th at one of my favorite customers, I drove to the airport to take my first flight, to Paris Charles de Gaulle airport. I had a short layover, which was truly magnificent: I enjoyed a French dinner at Air France’s lounge. Then, we flew onward to Barcelona, where we landed shortly before 7 PM.

Photo: Dessert at the Air France Lounge in Paris
Photo: Flying over Paris and seeing the Eiffel Tower like that. Priceless

I took a cab to Fira Gran Via and got there just in time to pick up my VMworld badge. I needed it to get access to my evening activities, so I was glad to be there just before registration closed at 7:30 PM.

I headed to my first activity, that was organized by the vExpert program. Near the incredible W Hotel, near the beach, we gathered and had some nice conversations, including conversations with Pat Gelsinger, VMware’s CEO, who joined us.

Photo: Meeting with Pat Gelsinger
Photo: The Legendary Veeam Party

After the vExpert meeting, I headed to the Benelux party, together with the RedLogic vExperts. It was a busy party at Fabrica Moritz. I talked to my countrymen and -women at this party. Then, I headed for the Veeam party. I talked to Nikola Pejková, as I was interested in how her presentation on the Veeam Vanguard program went at the Community stage.

As the Hotel Catalonia Plaza is just around the corner of the Veeam party, I crawled over and checked in to enjoy a nice warm bed.

Photo: Rubber Chickens
Photo by Nikola Pejková: On Stage With A Chicken in my pocket

The next morning, on Wednesday November 6th, I joined Deji in the speaker room. Deji shared his intention to reintroduce rubber chickens at identity sessions (of DEC origin) so we devised a strategy to share them. We then discussed the session and the flow in the slides.

Photo by Nikola Pejková: Full Room for an Active Directory session at VMworld :-)
Photo by Rachel Onamusi: Presenting with Deji

We walked up to room 32 and were present 30 minutes early. Unfortunately, the keynote went over time, so we had to cut our 60-minute session short by 10 minutes. That’s okay, we were only trying to discuss 70 minutes of Active Directory goodness in 60 minutes anyway…

With feedback like “The best from Monday till now :)” and “very entertaining speakers”, I think we still managed to provide good information on virtualizing Active Directory on top of VMware vSphere.

VMworld

After the session, I visited the Expo Hall and enjoyed some nice chats with a couple of vendors, including Microsoft. Microsoft brought their proposition to run VMware vSphere on physical servers in Azure datacenters to VMworld. So we had a good chat on that. At 5 PM it was time for the Hall Crawl. It was followed by VMworld Fest. I enjoyed the food, but chose to leave drinks be; there was another session planned for Thursday.

Again, I arrived early at VMworld. This time, I met up with Remko Deenink. We studied together in 2007, so it was about time to get up to speed with what we’re both doing. It was nice seeing Remko again.

Photo: Deji presenting
Photo: Deji presenting, picture from the audio booth

At 10:30 AM, Deji and I kicked off the 4-hour workshop on architecting and implementing Active Directory on vSphere. For this session, we had all the time we needed to properly discuss time synchronization, the VM-GenerationID, Virtualization-safer Active Directory, Domain Controller Cloning, Domain Controller scaling, DNS and VM encryption. Sufficient time for me to snap some pictures of Deji, too.

Photo: My 2019 VMworld badge, including the vExpert, Speaker and Alumni flair

After the session, I had to leave for the airport to catch my flight back to the Netherlands, but not before I recorded a short Identity Guy movie from the roof of the hotel.

 

Thank you!

Thank you to VMware for organizing VMworld Europe 2019 and to Pat Gelsinger for taking the time to discuss technology, partnerships and the future. Thank you, Deji. Thank you to all the attendees, especially the people in our sessions.

The post Pictures of VMworld Europe 2019 appeared first on The things that are better left unspoken.
