
I’m speaking at WinDays 19


WinDays 19

This April, I’m returning to Croatia to speak at WinDays 19 at the Šibenik Convention Center, part of Amadria Park. It’s been almost 2 years since I delivered a presentation in Croatia and it feels great to appear on the schedule for WinDays 19 Technology again.

About WinDays

WinDays is the leading Croatian business and technology conference, celebrating its 19th anniversary this year. The conference brings together more than 2,000 attendees from Croatia and the region, as well as the most prestigious international and regional speakers and lecturers from the world of business and technology.

Sibenik Conference Center at Amadria Park

WinDays 19 is held from 2 to 5 April 2019 in Šibenik and is divided into two sections: the WinDays19 Business Conference, held on 2 and 3 April, and the WinDays19 Technology Conference, held from 3 to 5 April 2019.

About my session

I will be delivering one 45-minute session as part of WinDays 19 Technology:

Hardening Hybrid Identity in the real world

Thursday April 4 2019 4PM – 4:45PM, Room Sibenik 5, level 400

As organizations rely heavily on Active Directory and embrace Azure AD, proper configuration of their setups becomes more important: as Azure AD is often built upon Active Directory, you need a solid base. As Azure AD offers more functionality, it too should be tuned.

To avoid the tyranny of default settings, we’ll look at properly securing on-premises Active Directory Domain Services environments and hardening Azure AD tenants so that both reach matching levels of security.

Will I see you there?

Related blogposts

Pictures of WinDays 17 
Pictures of WinDays 16 in Porec, Croatia  
Pictures of WinDays XV

The post I’m speaking at WinDays 19 appeared first on The things that are better left unspoken.


The state of Azure AD PowerShell today


PowerShell

Currently, there are four Windows PowerShell modules to manage settings and objects in Microsoft’s Azure Active Directory:

  1. MSOnline
  2. AzureAD
  3. AzureADPreview
  4. AzureAD.Standard.Preview


MSOnline

The MSOnline module, with its *-MSOL* cmdlets, was the first Windows PowerShell module for Azure Active Directory. It started life as a PowerShell module to manage all Microsoft Online Services, hence the name. Microsoft refers to this module as version 1.0.

The cmdlets in the MSOnline module use their own API, which is not publicly callable. Currently, the MSOnline module is the most complete module for CRUD operations on common objects in the directory.

AzureAD

The AzureAD module, with its *-AzureAD* cmdlets, was introduced on November 17th, 2016. Its full name is Azure Active Directory PowerShell for Graph, which gives away why this module exists next to the MSOnline module: it started life as a result of the vision that all CRUD functionality should be available through public APIs, and the Graph API was the API chosen. Microsoft refers to this module as version 2.0. Its current version is 2.0.2.4.

The AzureAD module, and its dependencies, can be installed and updated using PowerShellGet from the PowerShell Gallery. It requires PowerShell 3.0 or above.

To install the AzureAD module, run Install-Module AzureAD.

Unlike other PowerShell modules, the AzureAD module is updated by running Install-Module again, not Update-Module.

Starting in 2017, Microsoft has been offering new Azure AD-oriented cmdlets for functionality in the AzureAD module only. Cmdlets to manage the Azure AD App Proxy, for instance, are not available in the MSOnline module.

For all intents and purposes, the AzureAD module can be seen as the Generally Available (GA) module. It is the module admins should use for management in production environments. However, some functionality is only available in the MSOnline module, and Microsoft Support might ask you to run Get-MSOL* cmdlets in certain scenarios. Luckily, the MSOnline and AzureAD modules can be installed side-by-side.

AzureADPreview

The AzureADPreview module is offered as an installable module, and is the module offered in the Azure Cloud Shell. Microsoft refers to it as version 2.0-preview. Its version, today, is version 2.0.2.5, published October 3, 2018.

The AzureADPreview module, and its dependencies, can be installed and updated using PowerShellGet from the PowerShell Gallery. It requires PowerShell 3.0 or above.

To install the AzureADPreview module, run Install-Module AzureADPreview.

The AzureADPreview module, today, differs from the AzureAD module in that it references the beta Graph API.

On one system, the AzureAD and AzureADPreview modules cannot be installed side-by-side, but each of them can co-exist with the MSOnline module.

AzureAD.Standard.Preview

The AzureAD.Standard.Preview module, in full the Azure Active Directory .NET Standard Preview Module, is a private preview release of the Azure Active Directory .NET Standard module, available in the internal PSGallery only.

Its current version is version 0.1.599.7, published on August 30th, 2018.
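As an added example (not code from the original post), the following Windows PowerShell function inventories the four modules discussed above, compares installed copies against the PowerShell Gallery, and warns about the AzureAD/AzureADPreview combination that cannot coexist. It assumes PowerShellGet is available and that Find-Module can reach the PowerShell Gallery.

```powershell
# Added example: inventory the Azure AD PowerShell modules and check for conflicts.
# Assumes PowerShellGet (PowerShell 3.0 or later) and PowerShell Gallery access for Find-Module.
function Get-AzureADModuleState {
    [CmdletBinding()]
    param(
        # The four modules from the post. AzureAD.Standard.Preview is not on the public
        # gallery, so it is reported as installed/not installed only.
        [string[]]$Name = @('MSOnline', 'AzureAD', 'AzureADPreview', 'AzureAD.Standard.Preview')
    )

    $report = foreach ($module in $Name) {
        # Highest installed version, if any (several versions can be present at once).
        $installed = Get-Module -ListAvailable -Name $module |
            Sort-Object Version -Descending | Select-Object -First 1

        $gallery = $null
        if ($module -ne 'AzureAD.Standard.Preview') {
            try {
                $gallery = Find-Module -Name $module -ErrorAction Stop
            } catch {
                Write-Verbose "Gallery lookup for $module failed: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Module           = $module
            Installed        = [bool]$installed
            InstalledVersion = $(if ($installed) { $installed.Version })
            GalleryVersion   = $(if ($gallery) { $gallery.Version })
            UpdateAvailable  = [bool]($installed -and $gallery -and
                                      ([version]$gallery.Version -gt [version]$installed.Version))
        }
    }

    # The post notes that AzureAD and AzureADPreview cannot be installed side-by-side;
    # surface that combination as a warning instead of letting the next import fail.
    $ga      = $report | Where-Object { $_.Module -eq 'AzureAD'        -and $_.Installed }
    $preview = $report | Where-Object { $_.Module -eq 'AzureADPreview' -and $_.Installed }
    if ($ga -and $preview) {
        Write-Warning 'AzureAD and AzureADPreview are both present; remove one with Uninstall-Module before use.'
    }

    $report
}

# Update the GA module the way the post describes: run Install-Module again, not Update-Module.
function Update-AzureADModuleIfNeeded {
    param([string]$Name = 'AzureAD')
    $state = Get-AzureADModuleState -Name $Name
    if ($state.UpdateAvailable) {
        Install-Module -Name $Name -Force -Scope CurrentUser
    }
    Get-AzureADModuleState -Name $Name
}

Get-AzureADModuleState | Format-Table -AutoSize
```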


Veeam Backup for Office 365 now offers support for the Baseline Policy ‘Require MFA for Admins’


Veeam Backup for Microsoft Office 365

Today’s release of version 3.0.0.422 of Veeam Backup for Office 365 (VBO) offers many new features and benefits, but none as significant as the ability to use multi-factor authentication for the admin account when configuring and reconfiguring VBO.

Let me explain why.

Azure AD Privileged access, today

Microsoft is working hard to further harden Azure Active Directory tenants, so that the roughly 18 million organizations depending on it don’t get disappointed by Azure AD-based security breaches and don’t have to worry about attacks on their infrastructure.

One of the newest technologies Microsoft is developing is Baseline Policies. Using baseline policies, areas of attention will be addressed automatically and continually. The first baseline policy, which is now in public preview, is the Baseline Policy: Require MFA for admins.

Currently, this baseline policy is in public preview and non-enforced. However, Microsoft is planning to turn this baseline policy on, automatically, in the near future.


About the Baseline Policy: Require MFA for admins (Preview)

The Baseline Policy: Require MFA for admins (Preview) in Azure AD requires multi-factor authentication for the following directory roles:

  • Global administrators (also known as Company administrators)
    This role permits access to all administrative features across Azure AD and Office 365. This is the most powerful role.
  • SharePoint administrators
    This role permits access to the SharePoint online admin center. This includes the ability to create, delete, and assign permissions to site collections and manage OneDrive for Business.
  • Exchange administrators
    This role permits management of Exchange Online. This includes the ability to grant Send As and Send on Behalf permissions to users for other user’s mailboxes.
  • Conditional Access administrators
    This role grants the ability to manage Azure Active Directory conditional access settings. To deploy Exchange ActiveSync conditional access policy in Azure, the user must also be a Global Administrator.
  • Security administrators
    This role grants the ability to read security and audit information, and to manage the Privileged Identity Management service and the Identity Protection Center (requires Azure AD Premium P2).

These roles have a high potential to be misused. To verify the authentication of users with these roles within your tenant, additional authentication is required in the form of Azure Multi-Factor Authentication (Azure MFA).

Veeam Backup for Office 365 and the Baseline Policy

Veeam Backup for Office 365 version 2 requires a service account with the SharePoint administrators role. This service account is impacted by the Baseline Policy: Require MFA for admins (Preview), and it keeps popping up at organizations that use VBO and use my script to assess the impact that the new baseline policy for admins in Azure AD might have. Until today, they had no other option than to disable the baseline policy or to exclude the VBO service account from it.

That stops today.
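The kind of assessment referred to above can be approximated like this (an added example, not the author’s script): enumerate the members of the five directory roles the baseline policy covers and report which of them have no Azure MFA method registered, which is where a service account such as the VBO one shows up. It assumes the AzureAD and MSOnline modules are installed side-by-side and that Connect-AzureAD and Connect-MsolService have already been run with an account that can read users.

```powershell
# Added example (not the author's script): list members of the directory roles covered by the
# Baseline Policy "Require MFA for admins" and flag those without a registered MFA method.
# Assumes the AzureAD and MSOnline modules side-by-side, and an existing
# Connect-AzureAD / Connect-MsolService session with read access to users.
function Get-BaselinePolicyImpact {
    [CmdletBinding()]
    param(
        # Role display names as the AzureAD module reports them for the five roles in the policy.
        [string[]]$RoleName = @(
            'Company Administrator',            # Global administrator
            'SharePoint Service Administrator',
            'Exchange Service Administrator',
            'Conditional Access Administrator',
            'Security Administrator'
        )
    )

    # Get-AzureADDirectoryRole only lists roles that have been activated in the tenant,
    # so a role nobody has ever been assigned simply does not appear here.
    $roles = Get-AzureADDirectoryRole | Where-Object { $RoleName -contains $_.DisplayName }

    foreach ($role in $roles) {
        foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            # Service principals and groups cannot register MFA; report them rather than
            # silently skipping them, since groups may hide further user members.
            if ($member.ObjectType -ne 'User') {
                [pscustomobject]@{
                    Role            = $role.DisplayName
                    Member          = $member.DisplayName
                    ObjectType      = $member.ObjectType
                    MfaMethods      = 0
                    PerUserMfaState = 'n/a'
                    NoMfaRegistered = $false
                }
                continue
            }

            # Registered MFA methods and per-user MFA state are exposed by the MSOnline module.
            $msolUser = Get-MsolUser -ObjectId $member.ObjectId -ErrorAction SilentlyContinue
            $methods  = @($msolUser.StrongAuthenticationMethods)
            $state    = if ($msolUser.StrongAuthenticationRequirements.Count -gt 0) {
                            $msolUser.StrongAuthenticationRequirements[0].State
                        } else { 'Disabled' }

            [pscustomobject]@{
                Role            = $role.DisplayName
                Member          = $member.UserPrincipalName
                ObjectType      = 'User'
                MfaMethods      = $methods.Count
                PerUserMfaState = $state
                # A role member with no method registered is the account that breaks (or
                # prompts for registration) once the baseline policy is enforced.
                NoMfaRegistered = ($methods.Count -eq 0)
            }
        }
    }
}

Get-BaselinePolicyImpact | Sort-Object Role, Member | Format-Table -AutoSize
```

Accounts that sign in non-interactively, such as a backup service account, cannot complete an MFA prompt at all, which is why the VBO v3 change to an app password and an Azure AD application matters.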


Call to action

If your organization uses Veeam Backup for Office 365, please upgrade to version 3.0.0.422. Lightning-speed backups, data protection reports and flexible retention options are also thrown into the mix, but in my opinion the multi-factor authentication support, and the fact that Veeam Backup for Microsoft Office 365 v3.0.0.422 now connects to Office 365 securely by leveraging a custom application in Azure AD along with an MFA-enabled service account and its app password to create backups, is the best reason to upgrade.

Security first!

Known issues when upgrading

Please be aware of the following upgrade notes:

  • Upgrade from the beta version of the application is not supported.
  • After upgrading from version 1.5 or 2.0 to 3.0, the nearest scheduled job run is displayed in the console as performing a Full sync, though actually it performs Incremental sync. The amount of transferred data, however, will show that only changes are being synchronized during that job session.
  • If you have edited the Config.xml file for Veeam Backup for Microsoft Office 365 manually, these modifications will not be preserved after the upgrade. You may need to make new custom settings (if necessary).


Further reading

What’s new in v3 of Veeam’s Office 365 backup 
NEW Veeam Backup for Microsoft Office 365 v3   
Veeam Backup for Office 365 v3 Product overview    
Veeam Backup for Office 365 v3 User guide  
Veeam Backup for Office 365 v3.0.0.422 Release notes


What’s New in Azure Active Directory for March 2019


Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for March 2019:


What’s Planned

Updates to condition evaluation by Exchange ActiveSync (EAS) Breaking change

Service category: Conditional Access
Product capability: Access Control

Microsoft is in the process of updating how Exchange ActiveSync (EAS) evaluates the following conditions:

  • User location, based on country, region, or IP address
  • Sign-in risk
  • Device platform

If, as an admin, you’ve previously used these conditions in your Conditional Access policies, be aware that the condition behavior might change. For example, if you previously used the user location condition in a policy, you might find the policy now being skipped based on the location of your end-users.


What’s New

Identity Experience Framework and custom policy support in Azure Active Directory B2C Generally Available

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Admins can now create custom policies in Azure AD B2C, including the following tasks, which are supported at-scale and under Microsoft’s Azure Service Level Agreement (SLA):

  • Create and upload custom authentication user journeys by using custom policies.
  • Describe user journeys step-by-step as exchanges between claims providers.
  • Define conditional branching in user journeys.
  • Transform and map claims for use in real-time decisions and communications.
  • Use REST API-enabled services in custom authentication user journeys. For example, with email providers, CRMs, and proprietary authorization systems.
  • Federate with identity providers who are compliant with the OpenIDConnect protocol. For example, with multi-tenant Azure AD, social account providers, or two-factor verification providers.


New Federated Apps available in Azure AD app gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In March 2019, Microsoft added 14 new apps with federation support to the Azure AD App Gallery.

New Zscaler and Atlassian provisioning connectors in the Azure AD gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Admins can automate creating, updating, and deleting user accounts for Zscaler and Atlassian apps with the new provisioning connectors from the Azure AD Gallery.

Restore and manage deleted Office 365 groups in the Azure AD portal

Service category: Group Management
Product capability: Collaboration

Admins can now view and manage deleted Office 365 groups from the Azure AD portal. This change helps them to see which groups are available to restore, along with letting them permanently delete any groups that aren’t needed by the organization.


Single sign-on for Azure AD SAML-secured on-premises apps through the Azure AD Application Proxy public preview

Service category: App Proxy
Product capability: Access Control

Admins can now provide a single sign-on (SSO) experience for on-premises, SAML-authenticated apps, along with remote access to these apps through the Azure AD Application Proxy.


Client apps in request loops will be interrupted to improve reliability and user experience

Service category: Authentications (Logins)
Product capability: User Authentication

Client apps can incorrectly issue hundreds of the same login requests over a short period of time. These requests, whether they’re successful or not, all contribute to a poor user experience and a heightened workload for the Identity Provider (IdP), increasing latency for all users and reducing the availability of the IdP.

What’s Changed

New Audit Logs user experience now available

Service category: Reporting
Product capability: Monitoring & Reporting

Microsoft has created a new Azure AD Audit logs page to help improve both readability and how admins search for information. To see the new Audit logs page, select Audit logs in the Activity section of Azure AD.


New warnings and guidance to help prevent accidental administrator lockout from misconfigured Conditional Access policies

Service category: Conditional Access
Product capability: Identity Security & Protection

To help prevent administrators from accidentally locking themselves out of their own tenants through misconfigured Conditional Access policies, Microsoft has created new warnings and updated guidance in the Azure portal.

Improved end-user Terms of use experiences on mobile devices

Service category: Terms of Use
Product capability: Governance

Microsoft has updated their existing Terms of Use (ToU) experiences to help improve how admins review and consent to Terms of Use on a mobile device. End-users can now zoom in and out, go back, download the information, and select hyperlinks.


New Azure AD Activity logs download experience available

Service category: Reporting
Product capability: Monitoring & Reporting

Admins can now download large amounts of activity logs directly from the Azure portal. This update lets them:

  • Download up to 250,000 rows.
  • Get notified after the download completes.
  • Customize the file name.
  • Determine the output format, either JSON or CSV.


Knowledgebase: In-place Upgrading Domain Controllers to Windows Server 2019 while still using NTFRS breaks SYSVOL Replication and DSLocator


Windows Server

In a domain that is configured to use the File Replication Service, the SYSVOL folder is not shared after you in-place upgrade a Domain Controller from an earlier version of Windows to Windows Server 2019. Until this directory is shared, Domain Controllers do not respond to DCLOCATOR requests for LDAP, Kerberos, and other Domain Controller workloads.

The situation

In a domain that uses the legacy File Replication Service (NTFRS) for the Active Directory System Volume (SYSVOL), you in-place upgrade a Domain Controller to Windows Server 2019.

The issue

When you try to migrate the domain to Distributed File System (DFS) Replication, the following issues occur:

  • All Windows Server 2019-based Domain Controllers in the domain stop sharing the SYSVOL folder and stop responding to DCLOCATOR requests.
  • All Windows Server 2019-based Domain Controllers in the domain have the following event log errors:
    • Event ID 8013 with source DFS Replication
    • Event ID 8028 with source DFS Replication

When you run dfsrmig.exe /GetMigrationState, this command generates the following output for all Windows Server 2019 Domain Controllers:

    The following domain controllers have not reached Global state ('Prepared'):
    Domain Controller (Local Migration State) - DC Type
    ===================================================
    <Computer name> ('Start') - Writable DC
    Migration has not yet reached a consistent state on all domain controllers.
    State information might be stale due to Active Directory Domain Services latency.

The cause

The File Replication Service (FRS) was deprecated in Windows Server 2008 R2 and is included in later operating system releases for backwards compatibility only.

Starting in Windows Server 2019, promoting new Domain Controllers requires DFS Replication (DFSR) to replicate the contents of the SYSVOL share. If you try to promote a Windows Server 2019-based computer in a domain that is still using FRS for SYSVOL replication, the following error occurs:

Verification of prerequisites for Domain Controller promotion failed. The specified domain domain.tld is still using the File Replication Service (FRS) to replicate the SYSVOL share. FRS is deprecated. The server being promoted does not support FRS and cannot be promoted as a replica into the specified domain. You MUST migrate the specified domain to use DFS Replication using the DFSRMIG command before continuing. For more information, see https://go.microsoft.com/fwlink/?linkid=849270

However, in-place upgrading a Windows Server 2012 R2 or Windows Server 2016-based Domain Controller to Windows Server 2019 does not enforce this block.

When you then run dfsrmig.exe /SetGlobalState to migrate SYSVOL replication to DFSR, all upgraded Windows Server 2019 Domain Controllers are stuck in the Start phase and cannot complete the transition to the Prepared or later phases. Therefore, the SYSVOL and NETLOGON folders on these Domain Controllers are no longer shared, and the Domain Controllers stop responding to locator requests from clients in the domain.

The solution

There are several workarounds for this issue, depending on which migration global state you specified earlier.

Issue occurs in the Preparing or Redirecting phase

  1. If you have already run dfsrmig.exe /SetGlobalState 1 or dfsrmig.exe /SetGlobalState 2 previously, run the following command as a Domain Admin:

     dfsrmig.exe /SetGlobalState 0

  2. Wait for Active Directory replication to propagate throughout the domain, and for the state of Windows Server 2019 Domain Controllers to revert to the Start phase.
  3. Verify that SYSVOL is shared on those Domain Controllers and that SYSVOL is replicating as usual again by using NTFRS.
  4. Make sure that at least one Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016-based Domain Controller exists in that domain. Verify all Active Directory partitions and the files in the SYSVOL are fully sourced from one or more source Domain Controllers and that they are replicating Active Directory as usual before you demote all of your Windows Server 2019 Domain Controllers in the next step. For more information, see Troubleshooting Active Directory Replication Problems.
  5. Demote all Windows Server 2019-based Domain Controllers to member servers.
     This is a temporary step.
  6. Migrate SYSVOL to DFSR normally on the remaining Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016 Domain Controllers.
  7. Re-promote the Windows Server 2019-based member servers to Domain Controllers.

Issue occurs in the Eliminating phase

The FRS elimination phase cannot be rolled back by using dfsrmig.exe. If you have already specified FRS elimination, you can use either of the following workarounds.

Option 1

If you still have one or more Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016-based Domain Controllers in that domain, verify all Active Directory partitions and the files in the SYSVOL are fully sourced from one or more source Domain Controllers and that they are replicating Active Directory as usual before you demote all of your Windows Server 2019 Domain Controllers in the next step. For more information, see Troubleshooting Active Directory Replication Problems.

  1. Demote all Windows Server 2019-based Domain Controllers. 
    This is a temporary step.
  2. Migrate SYSVOL to DFSR as usual on the remaining Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016 Domain Controllers.
  3. Re-promote the Windows Server 2019-based member servers to Domain Controllers.

Option 2

If all Domain Controllers in the domain are running Windows Server 2019, perform these steps:

  1. Open AdsiEdit (AdsiEdit.msc).
  2. In the AdsiEdit tool, on the PDC Emulator, set the following attribute on the object with this distinguished name:

     CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=tld
     msDFSR-Flags = 0

  3. Wait for Active Directory replication to propagate throughout the domain.
  4. On all Windows Server 2019 Domain Controllers, change the DWORD registry value Local State to 0:

     Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols
     Registry Value: Local State
     Data Type: REG_DWORD
     Data: 0

  5. On all Windows Server 2019 Domain Controllers, restart the following services by running the following lines of Windows PowerShell:

    Restart-Service NetLogon
    Restart-Service DFSR

  6. Verify that SYSVOL is shared on those Domain Controllers and that SYSVOL is replicating as usual again by using FRS.
  7. Promote one or more Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016-based Domain Controllers in that domain. Verify all Active Directory partitions and the files in the SYSVOL are fully sourced from one or more source Domain Controllers and that they are replicating Active Directory as usual before you demote all of your Windows Server 2019 Domain Controllers in the next step. For more information, see Troubleshooting Active Directory Replication Problems.
  8. Demote all Windows Server 2019-based Domain Controllers to member servers.
    This is a temporary step.
  9. Migrate SYSVOL to DFSR as usual on the remaining Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016-based Domain Controllers.
  10. Re-promote the Windows Server 2019-based member servers to Domain Controllers.
  11. Optional: Demote the Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016-based Domain Controllers that you added in step 7.
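As an added example that is not part of the KB article, here is a read-only PowerShell check to run on a Domain Controller, either before an in-place upgrade to Windows Server 2019 or on an upgraded DC that has stopped sharing SYSVOL. It reports the domain’s global migration state (read from the msDFSR-Flags attribute on the object named in step 2 above), this DC’s Local State registry value from step 4, whether SYSVOL and NETLOGON are shared, and any recent DFS Replication events 8013/8028. It assumes the ActiveDirectory module is present (it ships with AD DS); the msDFSR-Flags encoding and the Windows Server 2019 build number are taken from Microsoft’s SYSVOL migration guide and release information, not from this article.

```powershell
# Added example (not from the KB article): read-only state check for the FRS-to-DFSR
# migration issue on Windows Server 2019 Domain Controllers. Run it on the DC itself.
# Assumes the ActiveDirectory module (installed with AD DS) and PowerShell 3.0 or later.
function Test-SysvolMigrationState {
    [CmdletBinding()]
    param()

    Import-Module ActiveDirectory -ErrorAction Stop
    $domain = Get-ADDomain
    $pdc    = $domain.PDCEmulator

    # Global state lives in msDFSR-Flags on CN=DFSR-GlobalSettings,CN=System, written by
    # dfsrmig.exe on the PDC Emulator (the object Option 2 above sets back to 0).
    # Encoding (migration guide): 0 = Start, 16 = Prepared, 32 = Redirected, 48 = Eliminated.
    $settingsDn = "CN=DFSR-GlobalSettings,CN=System,$($domain.DistinguishedName)"
    $flags = $null
    try {
        $obj   = Get-ADObject -Identity $settingsDn -Properties 'msDFSR-Flags' -Server $pdc -ErrorAction Stop
        $flags = $obj.'msDFSR-Flags'
    } catch { }  # the object does not exist until dfsrmig.exe has been used at least once

    if ($null -eq $flags) {
        $globalState = 'Start (FRS, never migrated)'
    } else {
        $globalState = switch ([int]$flags) {
            0       { 'Start' }
            16      { 'Prepared' }
            32      { 'Redirected' }
            48      { 'Eliminated' }
            default { "Unknown ($flags)" }
        }
    }

    # Local state of this DC as maintained by the DFSR service (step 4 above resets it to 0 = Start).
    $regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols'
    $localState = (Get-ItemProperty -Path $regPath -Name 'Local State' -ErrorAction SilentlyContinue).'Local State'

    # Windows Server 2019 is build 17763; later releases are treated the same way here.
    $build  = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $is2019 = $build -ge 17763

    # The two shares that disappear when the DC is stuck in the Start phase.
    $shares         = (Get-SmbShare -ErrorAction SilentlyContinue).Name
    $sysvolShared   = $shares -contains 'SYSVOL'
    $netlogonShared = $shares -contains 'NETLOGON'

    # The two event IDs the article names, from the last seven days.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'DFS Replication'; Id = 8013, 8028; StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue

    $verdict = if (-not $is2019 -and $globalState -like 'Start*') {
        'Pre-2019 DC in a domain on FRS: migrate SYSVOL to DFSR with dfsrmig.exe before any in-place upgrade.'
    } elseif ($is2019 -and $globalState -like 'Start*') {
        'Windows Server 2019 DC in a domain still on FRS: do not start the migration with this DC present; demote it, migrate on older DCs, then re-promote (see the steps above).'
    } elseif ($is2019 -and (-not $sysvolShared -or -not $netlogonShared -or $events)) {
        'Windows Server 2019 DC appears stuck in the migration: SYSVOL/NETLOGON not shared or DFSR events 8013/8028 present; apply the workarounds above.'
    } else {
        'No symptom of the Windows Server 2019 FRS migration issue detected on this DC.'
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OSBuild               = $build
        IsWindowsServer2019   = $is2019
        GlobalMigrationState  = $globalState
        LocalStateRegistry    = $localState
        SysvolShared          = $sysvolShared
        NetlogonShared        = $netlogonShared
        DfsrEventCount        = @($events).Count
        Verdict               = $verdict
    }
}

Test-SysvolMigrationState | Format-List
```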


Concluding

NTFRS is an old technology, but many organizations still seem to cling to it. It’s not hard to migrate, but it just needs to be done. We’ve been putting this task on the agendas of Active Directory admins for a while now, but regret seeing that this slight code defect means admins that haven’t performed this action yet may now start experiencing trouble.

Troubleshooting NTFRS without burflags? Wow.

Further reading

4493934 SYSVOL DFSR Migration fails after you in-place upgrade a Domain Controller to Windows Server 2019 
SYSVOL Replication Migration Guide: FRS to DFS Replication
SYSVOL Replication Migration Guide: FRS to DFS Replication (downloadable)
Streamlined Migration of FRS to DFSR SYSVOL


I’m presenting my Active Directory 101 course with Netwrix again


Netwrix Active Directory 101

Whether you are an Active Directory novice or an experienced IT professional, enroll in my upcoming free online course for step-by-step instructions and industry best practices for Active Directory management.

These sessions are also a great way to get ready for Exam 70-742.

Note:
These webinars cover only 3 out of 5 topics for Microsoft exam 70-742: the Active Directory Domain Services (AD DS) ones. You will need to find a source for Active Directory Federation Services (AD FS), AD LDS and AD RMS to fully prepare for the exam.


Three webinars

1. Active Directory 101: Install and Configure AD Domain Services

Tuesday April 23 2019 1PM EDT / 7PM CEST

This webinar covers the first section of the Exam 70-742. We’re focusing on effective installation and administration of Active Directory. Apart from step-by-step training, the session also explores the potential pitfalls of AD configuration and the ways to ensure reinforced security of your IT environment.

Watch this webinar to explore:

  • How to install and configure domain controllers
  • Best practices in creation of AD users and computers
  • How to effectively approach AD groups and Organizational Unit (OU) management
  • Netwrix Auditor’s reporting functionality to help you mitigate cyber risks and enforce good IT hygiene

2. Active Directory 101: Manage and maintain AD Domain Services

Thursday April 25 2019 1PM EDT / 7PM CEST

Once the Active Directory Domain Controllers are configured and groups are set in place, it’s time to explore the options you have for monitoring AD changes. Watch this webinar to prepare for the second section of Exam 70-742, dedicated to continuous management of Active Directory.

During this session, you will learn:

  • Main techniques to configure service authentication and account policies
  • Top methods to maintain Active Directory
  • How to configure Active Directory in a complex enterprise environment
  • How to determine which changes in your environment merit inspection with Netwrix Auditor

3. Active Directory 101: Create and Manage Group Policy

Tuesday April 30 2019 1PM EDT / 7PM CEST

Proper Group Policy setup and management can ensure continuous uninterrupted functionality of any organization. This session covers the third section of Exam 70-742 about Group Policy management and explains how Group Policy auditing can mitigate the risk of security breaches and compliance failures.

By the end of this session, you will know:

  • How to create and manage Group Policy Objects
  • Top methods to configure Group Policy processing, settings and preferences
  • How to deliver complete visibility into all security and configuration changes in Group Policy


Join me!

Advance your career as a systems administrator: aim to attend the live sessions, or get access to the recordings if you cannot join online.

Register here.

Note:
These webinars are offered free of charge, thanks to the sponsoring by Netwrix. By signing up for these webinars you agree to their privacy policy.


About Netwrix

Netwrix is a private IT security software company. They offer IT auditing solutions for systems and applications across your IT infrastructure. Netwrix specializes in change, configuration and access auditing software with its Netwrix Auditor solution. Netwrix is a partner of Microsoft, VMware, EMC, NetApp and HP ArcSight.

If you’ve worked in highly-secure highly-regulated IT environments, you’re probably familiar with the Netwrix brand, because their Active Directory auditing solution is one of the best out there.


Pictures of WinDays 19


WinDays

In the first week of April, I traveled to Šibenik to deliver a session at WinDays 19 Technology.

My trip started with a flight from Amsterdam Schiphol Airport to Zagreb’s new Franjo Tuđman Airport. I had reserved a car and drove it to Amadria Park in Šibenik, where I arrived around 8PM.

[Photos: My Hertz rental car; Croatia's A1 highway near Zadar; Amadria Park's Hotel Jakov at night]

I ran into Sasa Kranjac, Goran Žarinac, Catalin Gheorghiu, Rastko Đorđević and André Melancia on my way in, but decided to get a meal before going to the WinDays party. We eventually arrived at the party, but left after one drink… Well, at least I did.

[Photos: Convention Center Šibenik; Entrance to WinDays 19]

The next morning, I went to pick up the bag, explore the rooms and just mingle with the attendees of the WinDays Conference. I sat down in a quiet corner and prepared my slides and demos, while doing some work for a customer.

[Photos: Umbrellas on the beach; More beach; Relaxing at the pool; Getting some work done]

Before my session, I decided to clear my head. I walked around the resort for an hour, and saw Marin Frankovic with a couple of his former colleagues. I joined them for a couple of minutes, before heading off to room Šibenik 5 at the Convention Center.

[Photos: Heading back to the Convention Center; Quiet before the storm; Presenting at WinDays]

After my presentation, we went for dinner. I met with Adis Jugo and some other speakers and we had great conversations. I went to bed early, because I needed to leave early on Friday morning for Zagreb Airport.

I left at 4 AM, got to Zagreb Airport at 8 AM and got on the plane to Paris Charles de Gaulle Airport. After breakfast in Paris, another plane took me to Amsterdam. I did some more work for a customer before I had dinner with my family and closed off the week.

Thank you!

Thank you for inviting me as a WinDays speaker once again, and to all the people attending, sitting in on my session and, of course, the people who stuck around after the session for the interesting discussions.


I’m speaking at the 2019 Heliview IAM Congress


On May 9, 2019, Heliview Congresses and Training organizes an Identity and Access Management Congress. I’m delivering a 25-minute session on distributed identities, using Microsoft technologies.


About Heliview Congresses and Training

Heliview Congresses and Training offers managers and senior specialists a stage to share and consume knowledge in their field of expertise. Additionally, personal networking is highly encouraged during their events throughout the Netherlands and Belgium.

Heliview Congresses and Training also offers training. For 2019 they have several topics on their schedule, including cyber resilience, data quality, IT outsourcing, data privacy and security awareness.

Heliview Congresses and Training was founded in 1983.


About the IAM Congress

The Identity & Access Management Congress is a yearly congress on Enterprise Identity and Access Management. The 2019 IAM Congress is the 14th edition.

The Identity & Access Management Congress offers an up to date overview and the underlying developments on Identity & Access Management. Identity and Access Management (IAM) provides the right people with the right access at the right time. Good enterprise IAM solutions are user-friendly, compliant, safe and allow for cost savings.

Heliview Congresses and Training organizes the 2019 Identity & Access Management Congress on May 9, 2019 at NBC in Nieuwegein, the Netherlands.

About my presentation

I’m presenting a 25-minute session on:

The Future of IAM according to Microsoft? Decentralized IDs

Break-out 1B, 11AM – 11:25AM

Microsoft is no longer the evil corporation out for world domination. Their current open source and cloud strategies, but also their recent legal battles, provide Microsoft with the title of European example of privacy and transparency.

As part of the ID2020 foundation, Microsoft aims to open standards that allow for identity that is secure by default: Decentralized Identities.

Decentralized Identities, from Microsoft’s point of view, empower people with complete control over their identities based on blockchain technology, the way they interact and what specific parts of their identities and verifiable claims they share. Of course, with complete control comes complete responsibility…

I’ll discuss the ins and outs of decentralized identities. As a Microsoft Partner, SCCT has information on and access to this new technology and offers organizations a glimpse of the future of IAM, based on new standards.

Join us!

As an employee of an organization that contemplates the use of new Identity and Access Management (IAM) solutions, you can join the Heliview IAM Congress for free. Alternatively, you can buy a € 645 ticket, without 1 on 1 talks or questionnaire. This price tag also applies to advisors, consultants and students.

You can sign up here (Dutch).

Further reading

Pictures of Heliview’s 2018 People-centric IT event  
I’m speaking at the 2018 Heliview People-centric IT Event  
Pictures of Heliview’s 2018 IAM Congress    
I’m speaking at the 2018 Heliview IAM Congress

The post I’m speaking at the 2019 Heliview IAM Congress appeared first on The things that are better left unspoken.


Azure AD Connect v1.3.20.0 offers the next level of identity synchronization


Last week, Microsoft released the long-awaited Azure AD Connect version 1.3.20.0, listed on the Azure AD Connect Version Release History page. Azure AD Connect is Microsoft’s free Hybrid Identity bridge product that synchronizes objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

Highlights

The highlights for this release are two new Generally Available features: Exchange Mail Public Folders and the Unified Groups Writeback feature.

This release is not yet made available for Auto Upgrades of Azure AD Connect, but new installations and manual upgrades can be performed using the 1.3.20.0 release.
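Since this release does not yet arrive through Auto Upgrade, you need to know which version each of your synchronization servers runs and whether it would pick the release up by itself. As an added example (not code from the original post or from Microsoft), the following PowerShell, run in an elevated window on an Azure AD Connect server, reports the installed version against 1.3.20.0, the auto-upgrade state and the staging-mode setting. It relies on the ADSync module’s Get-ADSyncAutoUpgrade and Get-ADSyncScheduler cmdlets and on the Windows Installer uninstall entries; the target version is the release discussed above.

```powershell
# Added example, not part of the original post: report the installed Azure AD Connect version,
# the auto-upgrade state and the staging-mode setting, so you can decide whether a manual
# upgrade to 1.3.20.0 is due and on which server to start (staging server first).
# Run in an elevated PowerShell window on the Azure AD Connect server.

Import-Module ADSync -ErrorAction Stop

$targetVersion = [version]'1.3.20.0'   # the release discussed in this post

# The installed version is recorded in the Windows Installer uninstall entries.
$aadc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } |
    Select-Object -First 1
if (-not $aadc) { throw 'Microsoft Azure AD Connect is not installed on this server.' }
$installedVersion = [version]$aadc.DisplayVersion

# Enabled, Disabled or Suspended; Suspended means an earlier auto-upgrade was blocked and
# the server will not move forward without intervention.
$autoUpgrade = Get-ADSyncAutoUpgrade

# Scheduler state: a staging-mode server exports nothing, so upgrade it first and verify there.
$scheduler = Get-ADSyncScheduler

[pscustomobject]@{
    Server           = $env:COMPUTERNAME
    InstalledVersion = $installedVersion
    TargetVersion    = $targetVersion
    UpgradeNeeded    = $installedVersion -lt $targetVersion
    AutoUpgrade      = $autoUpgrade
    StagingMode      = $scheduler.StagingModeEnabled
    SyncCycleEnabled = $scheduler.SyncCycleEnabled
}
```

Run it on every Azure AD Connect server you operate, including the staging server, before scheduling the manual upgrade; a result of Suspended for AutoUpgrade is worth investigating on its own, because it means the server silently stopped following the auto-upgrade channel.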

What’s New

  • Add support for Domain Refresh
  • Exchange Mail Public Folders feature goes GA
  • Improve wizard error handling for service failures
  • Added warning link for old UI on connector properties page.
  • The Unified Groups Writeback feature is now GA
  • Improved SSPR error message when the DC is missing an LDAP control
  • Added diagnostics for DCOM registry errors during install
  • Improved tracing of PHS RPC errors
  • Allow EA creds from a child domain
  • Allow database name to be entered during install (default name ADSync)
  • Upgrade to ADAL 3.19.8 to pick up a WS-Trust fix for Ping and add support for new Azure instances
  • Modify Group Sync Rules to flow samAccountName, DomainNetbios and DomainFQDN to cloud – needed for claims
  • Modified Default Sync Rule Handling – read more here.
  • Added a new agent running as a windows service. This agent, named “Admin Agent”, enables deeper remote diagnostics of the Azure AD Connect server to help Microsoft Engineers troubleshoot when you open a support case. This agent is not installed and enabled by default. For more information on how to install and enable the agent see What is the Azure AD Connect Admin Agent?.
  • Updated the End User License Agreement (EULA)
  • Added auto upgrade support for deployments that use AD FS as their login type. This also removed the requirement of updating the AD FS Azure AD Relying Party Trust as part of the upgrade process.
  • Added an Azure AD trust management task that provides two options: analyze/update trust and reset trust.
  • Changed the AD FS Azure AD Relying Party trust behavior so that it always uses the -SupportMultipleDomain switch (includes trust and Azure AD domain updates).
  • Changed the install new AD FS farm behavior so that it requires a .pfx certificate by removing the option of using a pre-installed certificate.
  • Updated the install new AD FS farm workflow so that it only allows deploying 1 AD FS and 1 WAP server. All additional servers will be done after initial installation.

What’s Fixed

  • Fixed the SQL reconnect logic for ADSync service
  • Fixed to allow clean Install using an empty database in a SQL Server Always On Availability group
  • Fixed PowerShell Permissions script to refine Group Writeback permissions
  • Fixed VSS Errors with LocalDB
  • Fixed misleading error message when object type is not in scope
  • Corrected an issue where installation of Azure AD PowerShell on a server could potentially cause an assembly conflict with Azure AD Connect
  • Fixed PHS bug on Staging Server when Connector Credentials are updated in the old UI
  • Fixed some memory leaks
  • Miscellaneous Autoupgrade fixes
  • Miscellaneous fixes to Export and Unconfirmed Import Processing
  • Fixed a bug with handling a backslash in Domain and OU filtering
  • Fixed an issue where ADSync service takes more than 2 minutes to stop and causes a problem at upgrade time.

Version information

This is version 1.3.20.0 of Azure AD Connect.
The first release in the 1.3 branch for Azure AD Connect was signed off on March 25th, 2019. It was made available for download on April 24th, 2019.

Download

You can download Azure AD Connect here.
The download weighs 90.1 MB.

The post Azure AD Connect v1.3.20.0 offers the next level of identity synchronization appeared first on The things that are better left unspoken.

What’s New in Azure Active Directory for April 2019


Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for April 2019:

What’s New

Azure Active Directory (Azure AD) entitlement management is now available (Public preview)

Service category: Identity Governance
Product capability: Identity Governance

Azure AD entitlement management, now in public preview, helps customers to delegate management of access packages, which define how employees and business partners can request access, who must approve, and how long they have access. Access packages can manage membership in Azure AD and Office 365 groups, role assignments in enterprise applications, and role assignments for SharePoint Online sites. Entitlement management requires Azure AD Premium P2 licenses.

Configure a naming policy for Office 365 groups in Azure AD portal (Public preview)

Service category: Group Management
Product capability: Collaboration

Administrators can now configure a naming policy for Office 365 groups, using the Azure AD portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization.

You can configure naming policy for Office 365 groups in two different ways:

  1. Define prefixes or suffixes, which are automatically added to a group name.
  2. Upload a customized set of blocked words for your organization, which are not allowed in group names (for example, “CEO, Payroll, HR”).
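The same two settings can be configured without the portal. As an added example (not part of the original post or of Microsoft’s release notes), this PowerShell uses the AzureAD module’s directory-settings cmdlets to set both the prefix/suffix requirement and the blocked-word list in the tenant-wide Group.Unified setting. The prefix/suffix pattern and the blocked words are sample values; the account used must hold the Global administrator or Groups administrator role, and the policy is only enforced on tenants licensed for Azure AD Premium P1.

```powershell
# Added example, not part of the original post: set the Office 365 group naming policy from
# PowerShell (AzureAD module). Prefix/suffix pattern and blocked words are sample values.
# Requires the AzureAD module and an account holding the Global administrator or Groups
# administrator role; the policy is enforced only on tenants with Azure AD Premium P1.

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD | Out-Null

# The naming policy is part of the tenant-wide "Group.Unified" directory setting.
$template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
$setting  = Get-AzureADDirectorySetting         | Where-Object { $_.DisplayName -eq 'Group.Unified' }

if (-not $setting) {
    # No tenant-wide setting exists yet: create one from the template with its default values.
    $setting = New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting()
}

# 1. Prefixes/suffixes: fixed strings plus attributes in brackets ([Department] here) around the
#    mandatory [GroupName] token. The attribute value of the user creating the group is substituted.
$setting['PrefixSuffixNamingRequirement'] = 'GRP-[GroupName]-[Department]'

# 2. Blocked words: comma-separated; a group name containing any of them is rejected.
$setting['CustomBlockedWordsList'] = 'CEO,Payroll,HR'

Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Read the policy back to confirm what the tenant now enforces.
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
    Where-Object { $_.Name -in 'PrefixSuffixNamingRequirement', 'CustomBlockedWordsList' }
```

The policy applies to groups created or renamed by users; accounts holding the Global administrator role are exempt, so test the result with a regular user account rather than the one you used to set it.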

        

Azure AD Activity logs are now available in Azure Monitor (General availability)

Service category: Reporting
Product capability: Monitoring & Reporting

To help address feedback about visualizations with the Azure AD Activity logs, Microsoft introduces a new Insights feature in Log Analytics. This feature helps administrators gain insights about Azure AD resources by using interactive templates, called Workbooks. These pre-built Workbooks can provide details for apps or users, and include:

  • Sign-ins. Provides details for apps and users, including sign-in location, the in-use operating system or browser client and version, and the number of successful or failed sign-ins.
  • Legacy authentication and conditional access. Provides details for apps and users using legacy authentication, including Multi-Factor Authentication usage triggered by conditional access policies, apps using conditional access policies, and so on.
  • Sign-in failure analysis. Helps you to determine if sign-in errors are occurring due to a user action, policy issues, or your infrastructure.
  • Custom reports. Admins can create new, or edit existing Workbooks to help customize the Insights feature for their organization.

        

New Federated Apps available in Azure AD app gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In April 2019, Microsoft added 21 new apps with Federation support to the app gallery.

New access reviews frequency option and multiple role selection

Service category: Access Reviews
Product capability: Identity Governance

New updates in Azure AD access reviews allow you to:

  • Change the frequency of your access reviews to semi-annually, in addition to the previously existing options of weekly, monthly, quarterly, and annually.
  • Select multiple Azure AD and Azure resource roles when creating a single access review. In this situation, all roles are set up with the same settings and all reviewers are notified at the same time.

Increased security using the app protection-based conditional access policy in Azure AD (Public preview)

Service category: Conditional Access
Product capability: Identity Security & Protection

App protection-based conditional access is now available by using the Require app protection policy. This new policy helps to increase your organization’s security by helping to prevent:

  • Users gaining access to apps without a Microsoft Intune license.
  • Users being unable to get a Microsoft Intune app protection policy.
  • Users gaining access to apps without a configured Microsoft Intune app protection policy.

New support for Azure AD single sign-on and conditional access in Microsoft Edge (Public preview)

Service category: Conditional Access
Product capability: Identity Security & Protection

Microsoft has enhanced the Azure AD support for Microsoft Edge, including providing new support for Azure AD single sign-on and conditional access. If you’ve previously used Microsoft Intune Managed Browser, you can now use Microsoft Edge instead.

What’s Changed

Azure AD Connect email alert system(s) are transitioning, sending new email sender information for some customers

Service category: AD Sync
Product capability: Platform

Azure AD Connect is in the process of transitioning its email alert system(s), potentially showing some customers a new email sender. To address this, administrators must add azure-noreply@microsoft.com to their organization’s whitelist, or they won’t be able to continue receiving important alerts from their Office 365, Azure, or Sync services.

UPN suffix changes are now successful between Federated domains in Azure AD Connect

Service category: AD Sync
Product capability: Platform

Administrators can now successfully change a user’s userPrincipalName suffix from one federated domain to another federated domain in Azure AD Connect. This fix means they should no longer experience the following error message during the synchronization cycle or receive a notification email stating:

FederatedDomainChangeError

Unable to update this object in Azure Active Directory, because the attribute [FederatedUser.UserPrincipalName], is not valid. Update the value in your local directory services.

The post What’s New in Azure Active Directory for April 2019 appeared first on The things that are better left unspoken.

Get your copy of the Active Directory Administration Cookbook today


Celebrating the release of the Active Directory Administration Cookbook!

The new Active Directory Administration Cookbook is now available.
[ Packt ] [ Amazon ] [ Tomlinsons ] [ Fnac ] [ Lehmanns ]

For the last seven months, I worked with Packt Publishing to write the fourteen chapters in this 620-page book, containing all the essential howtos and their gotchas for managing both on-premises Active Directory and Azure AD.

It has been an honor to work with them.

About Packt Publishing

Founded in 2004, Packt Publishing is a print-on-demand publishing company based in Birmingham, UK and Mumbai, India. Many of its book offerings concern information technology or software. It offers print books as well as e-books in several formats.

It takes a village…

Writing a book is something that requires a lot of time and patience. I could not have pulled this off without the help of my family, my colleagues and the people at Packt Publishing. Brian Svidergol, who you might know as the author of the previous Active Directory cookbook, was a tremendous help throughout the process and a great technical reviewer. My employer, SCCT, continues to provide the unique mix I need to combine work and community. Without the help from all these great people, this book would never have taken place.

Further steps

My long-term goal of people being able to be effective with Active Directory, without breaking the bank, inches closer with the release of this book. I feel beginning AD admins may benefit the most from it, so I’m in talks to get copies of the book in their hands.

Enjoy!

The post Get your copy of the Active Directory Administration Cookbook today appeared first on The things that are better left unspoken.

I’m speaking at NT Konferenca 2019


NT Konferenca 2019

I’m proud to announce that I’ll be presenting two sessions at this year’s NT Konferenca in Slovenia.

About NT Konferenca

NT Konferenca is the biggest Slovenian technology conference. Last year the event was visited by over 2,200 attendees and the event is not expecting any less this year!

The 24th NT Konferenca event takes place from May 21st to May 23rd 2019 in Grand Hotel Bernardin in Portorož, Slovenia.

NT Konferenca is not just about IT trends and solutions. It is also about how to include them in everyday business processes and how to use them effectively in business challenges, in order to reach objectives in a more rapid, time-efficient and affordable way.

About my sessions

I’ll be presenting two sessions on Tuesday May 21st, 2019:

Your Identity Roadmap to 2022

No-one wants to admit they made a costly mistake when they chose the wrong technology. Now, for identity, you don’t have to worry about that. In this session, we’ll tell you all about the products that are available, the strategies you can follow and the smart actions you can take. Today.

AD FS on Windows Server 2012 R2, MFA Server, Relying Party Trusts on your AD FS environment and implementations of Hybrid Identity based on Azure AD Connect…
If you have any of these or are in the planning stages, then this is a session for you!

The Identity team at Microsoft is shaking up their product portfolio and it’s time to pay attention! On the outside it looks like IT Pros only gain choices, but the team will kill off some of these roads going forward. It’s time to make the right choices to avoid disappointments. From all the hints by the teams, all the marketing buzz and proper announcements, my team and I have distilled the bottom line. So, join this session to gain an overview of your organizations’ identity roadmaps for 2022.

From the trenches: Eight common mistakes with Hybrid Identity

Do you wish a seasoned expert would tell you all the mistakes to avoid before you begin your Hybrid Identity journey? Or do you need substantial, real-world proven tips for your current setup of Active Directory and Azure AD? Then this session is for you!

When you link your on-premises Active Directory Domain Services (AD DS) environment to Azure AD, you create Hybrid Identity. Colleagues depend on a reliable, yet cost-effective deployment of the technologies and trustworthy processes… it’s our job as IT Pros to make it happen.

This session covers the eight most common mistakes I see in the field in organizations that have deployed Hybrid Identity. Learn from their mistakes, whether you’ve already deployed Hybrid Identity and want to make your implementation more robust, or are holding off on deploying Hybrid Identity to avoid these pitfalls.

Join us!

Tickets are still available for NT Konferenca.
Register here and join me for these sessions.

The post I’m speaking at NT Konferenca 2019 appeared first on The things that are better left unspoken.

I’m speaking at Techorama Belgium 2019


Techorama - Deep knowledge IT conference - Antwerp, Belgium

I’m proud to share that I’ve been accepted as a speaker for Techorama Belgium 2019, my third year in a row presenting at Techorama Belgium.

About Techorama

Techorama Belgium is a yearly international technology conference that takes place at Kinepolis Metropolis Antwerp. Techorama welcomes 1700 attendees, a healthy mix between developers, IT Professionals, Data Professionals and SharePoint professionals. Techorama’s commitment is to create a unique conference experience with quality content and the best speaker line-up.

Techorama Belgium 2019 is held from May 20, 2019 to May 22, 2019.

About my session

I’m presenting a 60-minute session as part of the Modern Workplace track:

Going Password-less on-premises, how hard can it be?

Wednesday May 22, 2019 4:30PM-5:30PM, Room 10

Password-less… Microsoft’s marketing machine makes a bold case for it… when you’re with your head in the clouds. But what’s the real story for hybrid scenarios? What’s the deal for pure on-premises environments?

Find out in this session how far you can take your password-less journey!

Microsoft has spun up its latest Identity-related marketing vehicle: password-less. With Azure AD, we’re seeing high adoption of features like Windows Hello for Business, Single Sign-On and even some FIDO2 adoption. However, when Hybrid Azure AD Join rears its ugly head, things get a bit more complicated… and don’t even get us started on going password-less on-premises!

Let’s take a closer look at Windows Hello for Business, authentication assurance, trust types and all the on-premises requirements to fulfil to get to this promise of a world with fewer passwords.

Join us!

Techorama Belgium 2019 has almost sold out. You can still buy one of the last tickets here. When you’re among the lucky people to have grabbed a ticket, join me for this session.

We’ll have a lot of fun!

Further reading

Pictures of Techorama Belgium 2018
I’m speaking at Techorama Belgium 2018
Pictures of Techorama 2017
I’m speaking at Techorama Belgium 2017

The post I’m speaking at Techorama Belgium 2019 appeared first on The things that are better left unspoken.

Pictures of the 2019 Heliview IAM Congress


Last week, Heliview organized its annual Identity and Access Management (IAM) congress at the Nieuwegein Business Center.

Booth Materials (click for larger photo, by Carlo Schaeffer)
SCCT Booth (click for larger photo, by Carlo Schaeffer)
ChupaChups at the SCCT Booth (click for larger photo)
Empty Room - Quiet before the storm (click for larger photo)
Goody bags for all attendees (click for larger photo, by Carlo Schaeffer)

To set up our booth, Carlo and I arrived early. We swiftly set it up and then enjoyed a cup of tea as the start of our day. This also allowed for some time to canvass the room.

Full Room :-) (Click for larger photo, by Carlo Schaefer)

At 11AM, I presented a 25-minute session on Decentralized Identities. I took questions after the session, while the next speaker set up. We also received a lot of positive feedback after the session.

During the day we had a lot of interesting conversations with both existing and potential customers. It strengthened their belief in the Microsoft cloud solution for providing and governing identity and access control leveraging Azure Active Directory.

Closing Keynote Audience (click for larger photo, by Heliview)
Meeting Tables (click for larger photo)
Let the drinks flow! (click for larger photo)
Expo (click for larger photo, by Heliview)

After the closing keynote by Maria Genova, drinks were served. After 6PM, we tore down our booth and headed home. Content.

Thank you!

Thank you to Heliview for organizing yet another successful IAM congress and inviting me as a speaker once again, and to all the people attending, sitting in on my session and, of course, the people with whom we had interesting discussions.

The post Pictures of the 2019 Heliview IAM Congress appeared first on The things that are better left unspoken.

HOWTO: Install Azure Multi-Factor Authentication (MFA) Server 8.0.1.1


This blogpost details how to set up and configure Microsoft’s on-premises Azure Multi-factor Authentication (MFA) Server product in an existing environment.

It details how to install and configure the base components: the MFA Server, the Web Service SDK and the User Portal.

Before you begin

Before you begin, you should have access to the following information:

  • The DNS domain name of your organization’s Active Directory Domain Services (AD DS) environment
  • Credentials for an account that is a member of the Domain Admins group in Active Directory
  • Credentials for an account that has the Global administrator role assigned in Azure AD

Of course, it’s a good idea to make a back-up of your Domain Controllers and test one of the backups in a separate networking environment to make sure you’re able to restore.

Overview

The implementation performed here resembles the Stretched deployment among the supported Azure MFA Server deployment scenarios discussed earlier:

MFA Stretched Deployment Scenario

Requirements

For this scenario, two Windows Server installations are needed:

  1. MFA1 – This server becomes the Azure MFA Back-end Server (Master)
  2. WEB1 – This server becomes the Azure MFA Web Server

These servers need .NET Framework 4 installed and must be members of an existing Active Directory environment. For the purpose of this blogpost, two Windows Server 2016-based installations will be deployed.

Microsoft disabled the ability to create MFA Providers in Azure AD per September 1st, 2018. If you haven’t registered an MFA Provider before this date, all user accounts in scope for MFA Server need to be synchronized from Active Directory to Azure AD. The easiest way to do this is using Azure AD Connect with Express Settings. Afterward, Azure AD Premium (P1) licenses need to be assigned to them (or an overarching license that includes this license, like Azure AD Premium (P2) or Microsoft 365 E3).

As part of basic information security, traffic to the MFA User Portal and to the MFA Web Service SDK is encrypted. For this purpose, we will need valid TLS certificates. Install corresponding TLS certificates in the Personal stores of the Local Machine on both MFA1 and WEB1.

Download MultiFactorAuthenticationServerSetup.exe from the MFA Server download page and place it on the disk of server MFA1.
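The requirements above (domain membership, .NET Framework 4 and a valid TLS certificate in the Local Machine Personal store) are easy to overlook on one of the two servers, so it pays to check them with a script before running the installer. This added example (not code from the original post) runs on both MFA1 and WEB1 and reports domain membership, the .NET Framework 4 Release value and whether a non-expired certificate with a private key matches the server’s expected host name, either exactly or through a wildcard for the same parent domain. The default host name suffix domain.tld is a placeholder; pass your own name in $ExpectedDnsName.

```powershell
# Added example, not part of the original post: pre-flight check for MFA1 and WEB1 before
# installing MFA Server. Reports domain membership, the .NET Framework 4 release, and whether
# a usable TLS certificate for the expected host name is in the Local Machine Personal store.
# $ExpectedDnsName defaults to <hostname>.domain.tld, a placeholder for your own name.
param(
    [string]$ExpectedDnsName = "$($env:COMPUTERNAME.ToLower()).domain.tld"
)

$results = [ordered]@{ Server = $env:COMPUTERNAME; ExpectedDnsName = $ExpectedDnsName }

# 1. Domain membership: both servers must be members of the existing AD DS environment.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = $cs.PartOfDomain
$results['Domain']       = $cs.Domain

# 2. .NET Framework 4.x: the NDP\v4\Full key exists only when 4.x is installed; its Release
#    value identifies the exact 4.x version.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['DotNet4Installed'] = [bool]$ndp
$results['DotNet4Release']   = if ($ndp) { $ndp.Release } else { $null }

# 3. TLS certificate: private key present, not expired, and the name matches either exactly or
#    through a wildcard for the same parent domain (subject CN or DNS subject alternative name).
$wildcard = '*.' + ($ExpectedDnsName -replace '^[^.]+\.', '')
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    (($_.DnsNameList.Unicode -contains $ExpectedDnsName) -or ($_.DnsNameList.Unicode -contains $wildcard))
}
$best = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
$results['TlsCertificateFound'] = [bool]$best
$results['TlsCertThumbprint']   = if ($best) { $best.Thumbprint } else { $null }
$results['TlsCertExpires']      = if ($best) { $best.NotAfter } else { $null }

# One object per server; anything False here must be fixed before Step 1.
[pscustomobject]$results
```

Keep the reported thumbprint: it is the certificate you select for the https binding in Step 4, and the expiry date tells you when the binding needs renewing.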

            

Step 1: Install and configure MFA Server on MFA1

The Central MFA Server component communicates with the cloud-based MFA Point of Presence (PoP) to perform authentications and with on-premises systems like RADIUS clients and Domain Controllers.

Perform the following steps to install and configure Microsoft’s on-premises Azure Multi-factor Authentication (MFA) Server product on Windows Server MFA1:

  1. Sign into Windows Server MFA1, using an account that is a member of the Domain Admins group and assigned local administrative privileges on the server.
  2. Open File Explorer.
  3. Navigate to the folder where you’ve placed the Azure MFA Server installation files:
    MFA Setup files in the Downloads folder
  4. Double-click MultiFactorAuthenticationServerSetup.exe.
  5. In the Open File – Security Warning pop-up window, click Run.
    Install the Visual C++ Runtime
  6. In the Multi-Factor Authentication Server pop-up window (depicted above), click Install to install the Visual C++ “14” Runtime Libraries.
  7. For Microsoft Visual C++ 2017 Redistributable (x86), select the I agree to the license terms and conditions option and click Install afterward. Click Close when setup is successful.
  8. Repeat the above step for the x64 package.
    The Multi-factor Authentication Server screen will appear.
    (This may take a while…)
  9. On the License Agreement page, select the I Agree option.
  10. Click Next >.
    Select Installation Folder for Azure MFA Server
  11. On the Select Installation Folder page (see above), click Next >.
  12. On the Installation Complete page, click Finish.
    Activate MFA Server
    The Multi-Factor Authentication Server management user interface appears, as depicted above.
  13. The first thing to configure is the activation of the MFA Server, as the Activate screen is shown. Here, we have to enter activation credentials. On server MFA1, or on an Internet-connected workstation, perform the following actions to create the activation credentials:
    1. Open a web browser and navigate to the Azure Portal.
    2. Sign in with an account that has the Global administrator role assigned.
      Perform Azure-based multi-factor authentication, when prompted.
    3. In the left navigation menu, click Azure Active Directory.
    4. In the Azure AD navigation menu, scroll down to the Security section.
    5. Click MFA.
    6. In the scenario where an MFA Provider is present:
      1. In the Multi-Factor Authentication navigation menu, click Providers.
      2. Select a provider in the list of MFA providers to open its settings.
      3. In the navigation menu for the MFA Provider, click Server Settings.
      4. In the MFA Provider’s Server Settings, follow the Generate link.
    7. In the scenario of Hybrid Identity:
      1. In the Multi-Factor Authentication navigation menu, click Server settings.
      2. Follow the Generate link.
  14. Copy the generated activation credentials into the Multi-Factor Authentication Server management user interface.
  15. Click Activate within 10 minutes of generating the credentials, as the credentials automatically expire after this time period.
    Configure MFA Server
  16. In the Multi-Factor Authentication Server pop-up window (depicted above), click Yes to enable and configure replication by running the Multi-Server Configuration Wizard.
    Azure MFA Server's Multi-Server Configuration Wizard
    The Multi-Server Configuration Wizard appears (see the above screenshot).
  17. On the Enable Replication Between Servers page, click Next >.
  18. On the Secure Communication page, unselect the Certificates option.
  19. Click Next >.
    Configuring Active Directory for MFA Server
  20. On the Active Directory page, click Next >.
    MFA Server's Multi-Server Configuration Complete
  21. On the Multi-Server Configuration Complete page, click Finish.

The server will reboot.

Step 2: Configure AD Sync on MFA1

The central MFA Server component uses its own database to store information on user objects. The best approach in a Microsoft-oriented environment is to configure automatic synchronization of user objects from Active Directory to MFA Server’s phonefactor.pfdata database.

After installation and reboot, perform these steps on Windows Server MFA1 to configure Active Directory synchronization:

  1. Sign into Windows Server MFA1, using an account that is a member of the Domain Admins group and assigned local administrative privileges on the server.
  2. Open the Multi-Factor Authentication Server management user interface from the Start Menu.
  3. In the left icon pane, select Directory Integration.
  4. Navigate to the Synchronization tab:
    Configure MFA Server's AD Sync
  5. On the Synchronization tab, enable the Enable synchronization with Active Directory option. Additionally, enable the Remove users no longer in Active Directory option.

Step 3: Configure the Web Service SDK on MFA1

To allow other MFA Server components, like the MFA User Portal and the MFA AD FS Adapter, to communicate with the central MFA Server component, install and configure Internet Information Services (IIS) and the Web Service Software Development Kit (SDK) on Windows Server MFA1:

  1. Open an elevated PowerShell window, and execute the following line of PowerShell:

    Install-WindowsFeature Web-WebServer,Web-Http-Redirect,Web-Basic-Auth,Web-Asp-Net45,Web-Metabase -IncludeManagementTools

  2. Close the PowerShell window.
  3. Open the Multi-Factor Authentication Server management user interface from the Start Menu.
  4. In the left icon pane, select Web Service SDK.
    Install Web Service SDK...
  5. Click the Install Web Service SDK… button.
    Select Installation Address for MFA Server's Web Service SDK
    The Multi-Factor Authentication Web Service SDK window appears (see above).
  6. On the Select Installation Address page, click Next >.
  7. On the Installation Complete page, click Close.
  8. Close the Multi-Factor Authentication Server management user interface.

Step 4: Create the Web Service SDK service account and configure the service

To accommodate authentication to the Web Service SDK, a service account is needed that is a member of the PhoneFactor Admins group. Then, the Web Service SDK Application Pool needs to be configured with this service account.

Perform these steps on a Domain Controller, a domain-joined Windows Server with the Active Directory Domain Services Remote Server Administration Tools (RSAT) or a domain-joined Windows installation with the Remote Server Administration Tools (RSAT) installed:

  1. Use an account that is a member of the Domain Admins group, or has delegated permissions to create user objects in Active Directory.
  2. Open the Active Directory Administrative Center from the Start Menu.
  3. At the top of the left navigation menu, switch to Tree view.
  4. Navigate to the Users container.
  5. In an empty space, right-click and select New, then User from the context menu.
    Create User
    The Create User: window appears, as depicted above.
  6. Type a Full name: and User SamAccountName: for the service account.
  7. Type the password for the service account twice.
  8. Select the Other password options option, and select Password never expires.
  9. Select the Protect from accidental deletion option.
  10. Scroll down to the Member Of section.
  11. Click the Add… button.
    Add User to Group
    The Select Groups pop-up window appears (see above).
  12. Type the PhoneFactor Admins group.
  13. Click Check Names.
  14. Click OK.
  15. Click OK to create the service account.
  16. Sign out.

Perform the following steps on Windows Server MFA1:

  1. Sign into Windows Server MFA1, using an account that is a member of the local administrators group.
  2. Open the Internet Information Services (IIS) Manager from the Start Menu.
  3. In the left navigation menu of IIS Manager, expand the Sites node.
  4. Select the Default Web Site.
  5. In the Actions pane to the right, click Bindings….
    Internet Information Services (IIS) Manager
  6. In the Site Bindings pop-up window, click Add…
    Add a site binding

  7. In the Add Site Binding window, add a binding for https. Select the appropriate TLS certificate and click OK.
  8. Back in the Site Binding window, click Close.
  9. In the left navigation menu of IIS Manager, expand the Application Pools node.
  10. In the main pane, select the MultiFactorAuthWebServiceSDK application pool.
  11. In the Actions pane on the right, click Advanced Settings…
  12. From the list of settings, under Process Model, select Identity.
  13. Click the button with the three dots to the right of ApplicationPoolIdentity.
    The Application Pool Identity window appears.
  14. Select Custom account and click Set….
    Set credentials for an IIS Application Pool

    The Set Credentials pop-up window appears (see above).
  15. Enter the User name: of the Web Service SDK service account in the format DOMAIN\ServiceAccount.
  16. Enter the password for the service account twice.
  17. Click OK.
  18. Click OK.
  19. Click OK.
  20. Close Internet Information Services (IIS) Manager.

The Web Service SDK is now available via the following URL: https://mfa1.domain.tld/multifactorauthwebservicesdk/
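For environments that prefer scripting over clicking, the following Windows PowerShell is an added example that performs Step 4; it is not part of the original post or of the MFA Server product. The first part creates and protects the service account and adds it to PhoneFactor Admins, the second part (run on MFA1) adds the https binding and runs the MultiFactorAuthWebServiceSDK application pool as that account, then reads the pool settings back as a check. The account name Svc_MFASDK, the NetBIOS domain name DOMAIN and the host name mfa1.domain.tld are assumptions; change them to match your environment.

```powershell
# Added example (not from the original post): scripted equivalent of Step 4.
# Assumptions: NetBIOS domain DOMAIN, service account Svc_MFASDK, MFA Server host
# mfa1.domain.tld. The MFA Server installer has already created the PhoneFactor Admins
# group and the MultiFactorAuthWebServiceSDK application pool.

#region Part 1: run on a domain-joined host with the AD DS RSAT (ActiveDirectory module)
Import-Module ActiveDirectory

$accountName = 'Svc_MFASDK'                                   # assumed name
$password    = Read-Host -AsSecureString -Prompt "Password for $accountName"

# Create the account in the Users container with the options the GUI steps set:
# password never expires, and protection from accidental deletion.
$domainDN = (Get-ADDomain).DistinguishedName
New-ADUser -Name $accountName -SamAccountName $accountName `
    -Path "CN=Users,$domainDN" `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
    -Description 'Runs the MFA Server Web Service SDK application pool'

$svc = Get-ADUser -Identity $accountName
Set-ADObject -Identity $svc.DistinguishedName -ProtectedFromAccidentalDeletion $true

# Membership of PhoneFactor Admins is what authorizes the account to the Web Service SDK.
Add-ADGroupMember -Identity 'PhoneFactor Admins' -Members $svc

# Check: enabled, non-expiring and a member of PhoneFactor Admins.
Get-ADUser -Identity $accountName -Properties PasswordNeverExpires, MemberOf |
    Select-Object Enabled, PasswordNeverExpires, MemberOf
#endregion

#region Part 2: run on MFA1 in an elevated PowerShell window
Import-Module WebAdministration

$accountName = 'Svc_MFASDK'                                   # assumed name
$hostName    = 'mfa1.domain.tld'                              # assumed host name
$password    = Read-Host -AsSecureString -Prompt "Password for DOMAIN\$accountName"

# Pick the newest server certificate with a private key whose subject matches the host.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server certificate with a private key found for $hostName" }

# Add the https binding to the Default Web Site and attach the certificate to port 443.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    $cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
}

# Run the Web Service SDK application pool as the service account
# (processModel.identityType 3 = SpecificUser, the "Custom account" option in the GUI).
$poolPath = 'IIS:\AppPools\MultiFactorAuthWebServiceSDK'
Set-ItemProperty -Path $poolPath -Name processModel -Value @{
    identityType = 3
    userName     = "DOMAIN\$accountName"
    password     = [System.Net.NetworkCredential]::new('', $password).Password
}
Restart-WebAppPool -Name 'MultiFactorAuthWebServiceSDK'

# Check: the pool now reports identityType SpecificUser with the expected user name.
Get-ItemProperty -Path $poolPath -Name processModel |
    Select-Object identityType, userName
#endregion
```

Part 1 mirrors the GUI steps, including "Password never expires"; whatever password policy you apply to other service accounts applies here as well. Part 2 only adds the https binding when none exists yet, so it is safe to re-run on a server that was already configured by hand.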

Step 5: Install the User Portal on WEB1

The MFA Server User Portal allows administrators, delegated service desk personnel and end-users to modify MFA settings and preferences. The User Portal will be installed on a separate Windows Server-based web server: WEB1.

Perform the following steps on Windows Server MFA1 to get the Multi-Factor Authentication Server User Portal Installer to Windows Server WEB1:

  1. Open File Explorer.
  2. Navigate to the installation folder of MFA Server. By default, this location is:
    C:\Program Files\Multi-Factor Authentication Server\
    MFA Server's User Portal Installer in the MFA Server Installation Folder
  3. Copy MultiFactorAuthenticationUserPortalSetup64.msi.
  4. Paste the Multi-Factor Authentication Server User Portal Installer on the disk of Windows Server WEB1.
  5. Close File Explorer.
  6. Sign out.

Perform these steps to install MFA Server’s User Portal on Windows Server WEB1:

  1. Sign into Windows Server WEB1, using an account that is a member of the local administrators group.
  2. Open an elevated PowerShell window, and execute the following line of PowerShell:

    Install-WindowsFeature Web-WebServer,Web-Asp-Net45,Web-Metabase -IncludeManagementTools

  3. Close the PowerShell window.
  4. Open File Explorer.
  5. Navigate to the folder where you’ve placed the Multi-Factor Authentication Server User Portal Installer file:
    MFA Server's User Portal Installer in Downloads
  6. Double-click MultiFactorAuthenticationUserPortalSetup64.msi.
    Select Installation Address for MFA User Portal

    The Multi-Factor Authentication User Portal installer window appears (see above).
  7. On the Select Installation Address page, click Next >.
  8. On the Installation Complete page, click Close.
  9. Open the Internet Information Services (IIS) Manager from the Start Menu.
  10. In the left navigation menu of IIS Manager, expand the Sites node.
  11. Select the Default Web Site.
  12. In the Actions pane to the right, click Bindings….
  13. In the Site Bindings pop-up window, click Add…
  14. In the Add Site Binding window, add a binding for https. Select the appropriate TLS certificate and click OK.
  15. Back in the Site Binding window, click Close.
  16. Close Internet Information Services (IIS) Manager.
  17. Switch to the File Explorer window.
  18. Navigate to the folder with the User Portal files. By default, this location is:
    C:\inetpub\wwwroot\MultiFactorAuth

    Web.Config file in MFA User Portal Folder

  19. Open Web.Config in Notepad.

    Web.Config

  20. Make four changes to the file:
    1. In the appSettings section, on line 9, change the value for USE_WEB_SERVICE_SDK from "false" to "true".
    2. On line 10, add the domain name and user name of the service account that runs the application pool of the Web Service SDK, e.g. DOMAIN\Svc_MFASDK.
    3. On line 11, add the password of that service account.
    4. In the applicationSettings section, on line 60, change https://www.contoso.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx to the URL of the Web Service SDK, e.g. https://mfa1.domain.tld/multifactorauthwebservicesdk/PfWsSdk.asmx
  21. From Notepad’s File menu, select Save.
  22. From Notepad’s File menu, select Exit.
  23. Close File Explorer.
  24. Sign out.

The MFA User Portal is now available via the following URL: https://web1.domain.tld/multifactorauth
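Editing Web.Config by line number is fragile: a different release of the User Portal, or an earlier edit, shifts every line. The following Windows PowerShell is an added example, not part of the original post or of the MFA Server product, that applies the same four changes of step 20 by key name, keeps a backup of the file and reads the result back. It assumes the default portal folder C:\inetpub\wwwroot\MultiFactorAuth, the service account DOMAIN\Svc_MFASDK and the SDK URL on mfa1.domain.tld from the steps above; the key names WEB_SERVICE_SDK_AUTHENTICATION_USERNAME, WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD and the applicationSettings entry pfup_pfwssdk_PfWsSdk are the names in the User Portal's shipped Web.Config as I know them, so verify them against lines 10, 11 and 60 of your copy before running.

```powershell
# Added example (not from the original post): apply the four Web.Config changes of
# step 20 by key name instead of by line number.
# Assumptions: default User Portal folder, service account DOMAIN\Svc_MFASDK, SDK on
# mfa1.domain.tld, and the key/setting names below (verify against your Web.Config).

$webConfigPath = 'C:\inetpub\wwwroot\MultiFactorAuth\Web.Config'
$sdkUser       = 'DOMAIN\Svc_MFASDK'                                               # assumed
$sdkUrl        = 'https://mfa1.domain.tld/multifactorauthwebservicesdk/PfWsSdk.asmx' # assumed
$sdkPassword   = Read-Host -AsSecureString -Prompt "Password for $sdkUser"

# Keep a timestamped backup next to the file before touching it.
Copy-Item -Path $webConfigPath -Destination ('{0}.{1:yyyyMMdd-HHmmss}.bak' -f $webConfigPath, (Get-Date))

[xml]$config = Get-Content -Path $webConfigPath -Raw

function Set-AppSetting {
    # Sets /configuration/appSettings/add[@key=...]/@value, failing loudly if the key is absent
    # so a typo in a key name never silently leaves the portal in its default state.
    param([xml]$Xml, [string]$Key, [string]$Value)
    $node = $Xml.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if (-not $node) { throw "appSettings key '$Key' not found in $webConfigPath" }
    $node.SetAttribute('value', $Value)
}

# Changes 1-3: switch the portal to the Web Service SDK and give it the SDK credentials.
Set-AppSetting -Xml $config -Key 'USE_WEB_SERVICE_SDK' -Value 'true'
Set-AppSetting -Xml $config -Key 'WEB_SERVICE_SDK_AUTHENTICATION_USERNAME' -Value $sdkUser
Set-AppSetting -Xml $config -Key 'WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD' `
    -Value ([System.Net.NetworkCredential]::new('', $sdkPassword).Password)

# Change 4: point the SDK endpoint at MFA1 instead of the www.contoso.com placeholder.
$sdkSetting = $config.SelectSingleNode("//applicationSettings//setting[@name='pfup_pfwssdk_PfWsSdk']/value")
if (-not $sdkSetting) { throw "applicationSettings entry pfup_pfwssdk_PfWsSdk not found in $webConfigPath" }
$sdkSetting.InnerText = $sdkUrl

$config.Save($webConfigPath)

# Check: read the file back and show the switch, user name and endpoint.
# The password is deliberately not echoed.
[xml]$verify = Get-Content -Path $webConfigPath -Raw
[pscustomobject]@{
    UseWebServiceSdk = $verify.SelectSingleNode("//appSettings/add[@key='USE_WEB_SERVICE_SDK']").value
    SdkUser          = $verify.SelectSingleNode("//appSettings/add[@key='WEB_SERVICE_SDK_AUTHENTICATION_USERNAME']").value
    SdkEndpoint      = $verify.SelectSingleNode("//applicationSettings//setting[@name='pfup_pfwssdk_PfWsSdk']/value").InnerText
}
```

Whichever way you edit the file, the service account password ends up in cleartext in Web.Config, so restrict the NTFS permissions on the MultiFactorAuth folder to administrators and the application pool identity, and keep the backup the script creates under the same permissions. The related post on connecting to the Web Service SDK using certificate authentication describes the alternative that avoids storing a password here at all.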


Concluding

Having written how to install and configure MFA Server 6.3 on 4Sysops.com four years ago, I’m amazed how much easier it is today to install Microsoft’s on-premises Azure Multi-Factor Authentication (MFA) Server.

Related blogposts

Supported Azure MFA Server Deployment Scenarios and their pros and cons 
Connecting to Azure MFA Server’s Web Service SDK using certificate authentication  
Choosing the right Azure MFA authentication methods    
Azure Multi-Factor Authentication Server 8.0.1.1 was released

The post HOWTO: Install Azure Multi-Factor Authentication (MFA) Server 8.0.1.1 appeared first on The things that are better left unspoken.


Experiences with Being Published, Part 1: Accusations of Plagiarism


plagiarism

As a published technical writer, I’ve had my share of experiences working with a publisher and its editors for a period of seven months. For my own sanity, I’ll post some of my experiences in this series of blogposts on Experiences with Being Published. I feel these stories can be quite entertaining, and I might even get a smile on my face when I look back at these stories in a couple of years’ time…

Today, let’s talk about plagiarism, because throughout the process of creating content for my book I was heavily accused of this…

 

The situation

Let me first point out, why my publisher decided to contact me to write the Active Directory Administration Cookbook. This blog, and my thirteen-year tenure, provided the publishing board with sufficient confidence that I could write a book on Active Directory and Azure AD.

Indeed, this blog contains a lot of information and HowTo’s on how to perform certain tasks in the worlds of Active Directory and Azure Active Directory…

 

The definition of plagiarism

Here’s the definition of plagiarism from dictionary.com:

noun

  1. an act or instance of using or closely imitating the language and thoughts of another author without authorization and the representation of that author’s work as one’s own, as by not crediting the original author: It is said that he plagiarized Thoreau’s plagiarism of a line written by Montaigne.
  2. a piece of writing or other work reflecting such unauthorized use or imitation: “These two manuscripts are clearly plagiarisms,” the editor said, tossing them angrily on the floor.

 

Imagine my surprise

I was happily writing chapters for my book and meeting my deadlines. In the meantime, my content editor would go through the content I produced and provide feedback.

One of the pieces of feedback I received for Chapter 1, literally, was:

I just ran the plagiarism tool to check the originality of the chapter. Around 20% content of the chapter has been found to be taken from your blog: https://dirteam.com/sander/

 

Please note that we cannot include any content in the book that’s freely available online even when it’s from the author’s own blog or website. There’s a number of problems here, the main issues being:

  • Original content: If our content appears elsewhere for free, many customers would be disinclined to spend money on our products.
  • Value: For those who do buy the book, they could feel that they’re not getting adequate value for money once they discover they could have already found this content elsewhere. This might drive them to leave poor reviews, and they might even interpret the unoriginal content as malicious plagiarism.

There are two solutions to this:

  1. Take down the blog post
  2. Rewrite the content from scratch

The easiest solution would be the former, though either is acceptable. Please refer to the attached plagiarism report for your reference.

Surprised smile

This person actually wanted me to choose between two evils: take down the blogposts that are available for free here, while not even remotely resembling the type of content in the book, or adopt a different writing style and keep that up throughout the book so as to distinguish my previous writing from the writing in the book…

 

In the end…

Of course, I didn’t delete blog posts.

Editors will use ‘plagiarism’ tools to check content. According to the definition, what I did wasn’t plagiarism. I adopted an improved writing style that is clearer and more concise than the one I used here. You may have noticed elements of the new style in recent blogposts, already. With a growth mindset, I embraced the feedback and tried to apply it in a constructive manner.

In the end, the entire Chapter 1 is available for you to read on the website of the publisher, if you use the Preview Online button on their website. Disappointed smile

 

Picture by Twitter trends 2019, used under CC BY 2.0 license. Adjusted in size.


Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.

The post Experiences with Being Published, Part 1: Accusations of Plagiarism appeared first on The things that are better left unspoken.

Azure AD Connect version 1.3.21.0 fixes an elevation of privilege vulnerability (CVE-2019-1000)


Hot on the heels of Azure AD Connect version 1.3.20.0, Microsoft released version 1.3.21.0 earlier this week to address an elevation of privilege vulnerability.

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

    

About the vulnerability  

The vulnerability, known as CVE-2019-1000, could allow an attacker to execute two Windows PowerShell cmdlets in the context of a privileged account, and perform privileged actions.

To exploit this, an attacker would need to authenticate to the Azure AD Connect server. The two cmdlets can be executed remotely only if remote access is enabled on the Azure AD Connect server.

This security update addresses the issue by disabling these cmdlets.

   

About the fix

The vulnerability is fixed in version 1.3.21.0 of Azure AD Connect.
This release of Azure AD Connect was signed off on May 14th, 2019 and made available for download on that same date.

    

Download

You can download version 1.3.21.0 of Azure AD Connect here.
The download weighs 90,1 MB.

The post Azure AD Connect version 1.3.21.0 fixes an elevation of privilege vulnerability (CVE-2019-1000) appeared first on The things that are better left unspoken.

Pictures of Techorama Belgium 2019


Techorama Belgium 2019

Last week, on Wednesday May 22, I delivered a 60-minute presentation at Techorama Belgium 2019.

After a day of travel and, luckily, lunch at home, I arrived at the Antwerpen Kinepolis at 3PM. As the presentation was scheduled for 4:30PM, I was right on track to begin creating the slide deck for one of my favorite topics in Identity. Winking smile

Up in the Air (click for larger photo)
Kinepolis (click for larger photo)
2019 Speaker Gift, awesome! (click for larger photo, by Christina Wheeler)

As I made my way to the speaker room, I ran into several people I know. I spoke to Vittorio Bertocci, Michael van Horenbeeck and Aleksandar Nikolic while getting the ready-made slides into the Techorama PowerPoint template.

Techorama Posters (click for larger photo by Aleksandar Nikolic)
In the Techorama Tunnel with Aleksandar (click for larger photo by Michael Van Hybrid)
Robots on Display in the Techorama Speaker Room (click for larger photo)

I started my session at 4:30PM and made the conscious decision, together with the audience, to stop 5 minutes prior to the end time, so people would have a chance to get a nice seat for the Closing Keynote with astronaut André Kuipers. As we had ample time to discuss going password-less on-premises, there was even time for a little Q&A during the session.

Windows Hello vs. Windows Hello for Business (click for original photo by Mathijs Hofkens)

After the session, I headed straight home to enjoy a meal with my family. The upside of an event just across the Dutch border is that it’s only a 90-minute drive back home.

  

Thank you! Thumbs up

Thank you to the Techorama organization for organizing yet another successful event and inviting me as a speaker once again, and to all the people attending, sitting in on my session and, of course, the people with whom I had interesting discussions.

The post Pictures of Techorama Belgium 2019 appeared first on The things that are better left unspoken.

KnowledgeBase: Azure AD Connect upgrade is not reflected in the Office 365 Portal


Microsoft’s Azure AD Connect version 1.3.20.0 was quickly superseded by version 1.3.21.0 to fix an elevation of privilege vulnerability, but it appears to exhibit unexpected behavior for some organizations running it.

      

The situation

You have an Active Directory Domain Services (AD DS) environment, and you synchronize objects to an Azure AD tenant, leveraging Azure AD Connect, Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory. You have licensed Azure AD Premium and leverage Azure AD Connect Health to manage the Hybrid Identity implementation.

You have recently upgraded Azure AD Connect to version 1.3.21.0.

You determine the version of Azure AD Connect in the Office 365 Portal:

  1. You navigate a browser to the Office 365 Portal.
  2. You sign in with an account that has administrative privileges. You perform multi-factor authentication, when prompted.
  3. In the top left menu, you click on the waffle menu and select Admin from the menu.
  4. In the left navigation menu of the Microsoft 365 admin center, you click on Azure Active Directory in the Admin centers section.
    The Azure Active Directory admin center opens in a new tab or window.
  5. In the left navigation menu, click on Azure Active Directory.
  6. In Azure Active Directory’s secondary navigation menu, click Azure AD Connect.
  7. In Azure AD Connect’s main window follow the link to Azure AD Connect Health.
  8. In Azure AD Connect’s secondary navigation menu, click Sync services.
  9. In the main window, click the Azure AD tenant name to drill into its properties.
  10. In the tenant’s Azure AD Connect Health pane, click Azure Active Directory Connect Servers.
  11. In the Server List pane, click the name of the Windows Server on which you recently upgraded Azure AD Connect.
  12. In the server’s blade, click the Properties tile.

            

The issue

The Office 365 portal does not reflect the updated version, even though Azure AD Connect upgraded successfully.

                

The solution

This behavior is unexpected.

To resolve this, you need to import the ADSync module and then run the Set-ADSyncDirSyncConfiguration Windows PowerShell cmdlet on the Windows Server running Azure AD Connect.

Perform these steps to resolve the issue on each of the Azure AD Connect installations in use:

  1. Sign into the Windows Server running Azure AD Connect.
  2. Open an elevated Windows PowerShell window.
  3. Run the following line of Windows PowerShell:

    Import-Module ADSync

  4. Next, run the following line of Windows PowerShell (note the two straight double quotes, an empty string, after -AnchorAttribute):

    Set-ADSyncDirSyncConfiguration -AnchorAttribute ""

  5. Close the Windows PowerShell window.
  6. Sign out.

Perform the above steps on each Windows Server running Azure AD Connect in your environment, when one or more Staging Mode Azure AD Connect installations are present.

                 

Concluding

While the above issue is a cosmetic issue for most organizations, it might be an important issue for organizations that monitor the health of their Azure AD Connect installations through the Office 365 and Azure AD portal. In the latter case, it’s nice to know how to fix it.

Further reading

Azure AD Connect 1.3.21.0 fixes an elevation of privilege vulnerability (CVE-2019-1000) 
Azure AD Connect 1.3.20.0 offers the next level of identity synchronization  
Azure AD Connect 1.2.70.0 updates the non-standard connectors 
Azure AD Connect 1.2.69.0 fixes an issue with Device Write-Back 
Azure AD Connect 1.2.68.0 fixes an issue with the MSOnline PowerShell Module 
Azure AD Connect 1.2.67.0 fixes an issue with Password Writeback
Azure AD Connect moves to TLS 1.2-only with version 1.2.65.0

The post KnowledgeBase: Azure AD Connect upgrade is not reflected in the Office 365 Portal appeared first on The things that are better left unspoken.

Experiences with Being Published, Part 2: Tools, Tools, Tools


tools

As a published technical writer, I’ve had my share of experiences working with a publisher and its editors for a period of seven months. For my own sanity, I’ll post some of my experiences in this series of blogposts on Experiences with Being Published. I feel these stories can be quite entertaining, and I might even get a smile on my face when I look back at these stories in a couple of years’ time…

Let’s talk about the tool I had to use and you, when you work together with a publisher, might need to use, too.

 

TypeCloud

My publisher uses a WordPress-based, web-based solution, called TypeCloud. My deadlines required me to provide my content in this tool. From the start, I worried about my productivity, but I was in for a bigger surprise.

At the start of the project, I thought I had ample time to meet my deadlines, as I was scheduled to spend roughly 35 hours on planes in a couple of weeks. However, an online platform to work with means you can’t access it when you don’t have an Internet connection… Resolving comments: impossible.

Dell Ultrasharp U3818DW Monitor

As this tool is WordPress-based, it uses WordPress’ one page lay-out with the classic editor. When writing chapters of 50 pages, this lay-out is extremely tiresome. When comparing this experience with Microsoft Word, where I would have five pages open side by side on a 38-inch widescreen monitor, it made no sense at all.

So, I decided to write my chapters offline in Microsoft Word and copy the contents over to TypeCloud, when done.

 

Not so fast…

The first thing I figured out was that TypeCloud doesn’t really like Edge, Internet Explorer, Chrome or FireFox. Google’s Chrome seemed the only browser that kinda worked… However, even when using Chrome, when copying over text from Word to TypeCloud, lay-out got lost and heading levels 1 and 2 got converted to paragraphs. Several formatting options were only available in TypeCloud and needed to be adjusted manually. Screenshots needed to be uploaded manually and then linked to from TypeCloud. Also, I had better not mess with tables, because the browser would just freeze up.

For each chapter, next to creating the content, I struggled with TypeCloud for another six hours to get the content into the tool my publisher uses.

 

If it worked at all…

If it worked, I could meet my deadlines with a lot of frustration. But of course… there were outages and periods of time where the tool didn’t work 100%. I couldn’t meet one of my deadlines, because TypeCloud was down one weekend. Another weekend, I had trouble uploading screenshots, leading to remarks from the editor complaining about the lack of screenshots…

 

We’re all struggling

The publisher’s aim is to have one system where every letter for every book is stored with absolute integrity. That’s why their employees have to work with it, too. Some of them have even created enhancements to get sufficiently productive to meet their deadlines.

As there was no mention of TypeCloud in the contract, prospective writers should ask about tooling to use, before signing. It could just prevent wrecking fourteen Sunday nights.

 

Picture by Kunkelstein, used under CC BY-NC 2.0 license. Adjusted in size.

 


Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.

The post Experiences with Being Published, Part 2: Tools, Tools, Tools appeared first on The things that are better left unspoken.
