Roughly a year ago, I shared how to properly delegate Directory permissions to Azure AD Connect service accounts. One of the issues you might encounter with those steps is that you privileged accounts and previously-privileged accounts might present permission-issue errors in Azure AD Connect’s Synchronization Service Manager: Initially, I didn’t include these accounts into the … Continue reading "How to solve Azure AD Connect synchronization errors for objects with adminCount attributes set to 1"
Category: Delegation of Control
Delegation of Control
Ten Things You should know about vCenter Identity Provider Federation
vCenter in VMware vSphere 7 introduces support for role-based access control (RBAC), based on standards-based federation. While this sounds fantastic, there are a couple of things you should know about this vCenter Identity Provider Federation feature, before you blindly implement it. vCenter 7.0 or later The vCenter Identity Provider Federation feature is only available … Continue reading "Ten Things You should know about vCenter Identity Provider Federation"
vSphere 7’s vCenter Server Identity Provider Federation feature allows for MFA
In this series on virtualizing Active Directory on VMware vSphere, we’ve discussed earlier how to set up a straight-forward vCenter delegation model for running virtual Domain Controllers safely. Today, I want to discuss a new feature in VMware vSphere 7 that improves the lives of Identity and Access Management (IAM) professionals working with both technologies: … Continue reading "vSphere 7’s vCenter Server Identity Provider Federation feature allows for MFA"
Ten things you should know about Azure AD Administrative Units
An Administrative Unit (AU) is an Azure AD resource that can be a container for other Azure AD resources. Administrative units allow an organization to grant admin permissions that are restricted to a department, region, or other segment of the organization. Admins can use Administrative Units to delegate permissions to regional administrators or to set … Continue reading "Ten things you should know about Azure AD Administrative Units"
KnowledgeBase: The Device Administrator Role is not available on the Roles and Administrators pane in the Azure Portal
Swimming against the stream of all Azure Roles being available in the Roles and administrators pane of the Azure AD Portal, the Device administrator role is missing here. Now, let’s explore how to add additional administrators to Azure AD-joined devices. About Azure AD Join Organization-owned Windows-based devices used to be joined to Active Directory. … Continue reading "KnowledgeBase: The Device Administrator Role is not available on the Roles and Administrators pane in the Azure Portal"
Ten things you need to know about Assigning Groups to Azure AD Roles
Last week, Alex Simons announced on behalf of his team the Public Preview of assigning groups to Azure AD roles with a blogpost titled Assigning groups to Azure AD roles is now in public preview! on the Microsoft Tech Community. Ten things you need to know Assigning groups to Azure AD Roles sounds perfect, but … Continue reading "Ten things you need to know about Assigning Groups to Azure AD Roles"
Security Thoughts: Microsoft Local Administrator Password Solution (LAPS, KB3062591)
As you might recall, Microsoft offered a solution to systems administrators to set the local administrator password on domain-joined devices using Group Policy Preferences, but ended the solution, almost a year ago, when the encoding mechanism was decoded and an attack was created towards this vulnerability (CVE-2014-1812). Introducing LAPS Yesterday, Microsoft introduced version 6 … Continue reading "Security Thoughts: Microsoft Local Administrator Password Solution (LAPS, KB3062591)"
KnowledgeBase: You receive a "Your request could not be processed" error when using Azure Self-service Password Reset (SSPR)
Recently, after deploying Azure Self-service Password Reset (SSPR) for a customer, I discovered some odd behavior. After we worked through the error tree, we finally worked out the issue. Since it wasn’t documented yet (many other errors are!) at Microsofts KnowledgeBase, here it is. The situation In an organization with an on-premises Active Directory … Continue reading "KnowledgeBase: You receive a "Your request could not be processed" error when using Azure Self-service Password Reset (SSPR)"
I’m still an ADPrep kinda guy
In Windows Server 2012, Microsoft introduced the new streamlined Active Directory Domain Services Configuration Wizard, that in most Microsoft documentation is labeled the successor to dcpromo.exe. I’m a big fan of the new wizard, but there’s one feature I don’t use: the automatic Active Directory preparation steps it can perform for you to update the … Continue reading "I’m still an ADPrep kinda guy"
New features in Active Directory Domain Services in Windows Server 2012, Part 19: Offline Domain Join Improvements
With Windows 7 and Windows Server 2008 R2 Microsoft introduced a new Active Directory feature called Offline Domain Join (ODJ). This feature allows for clients to be joined to an Active Directory domain, without the need of having a direct connection to any of the Domain Controllers for the Active Directory domain.