Ten Things You should know about vCenter Identity Provider Federation

vCenter in VMware vSphere 7 introduces support for role-based access control (RBAC), based on standards-based federation. While this sounds fantastic, there are a couple of things you should know about this vCenter Identity Provider Federation feature, before you blindly implement it.   vCenter 7.0 or later The vCenter Identity Provider Federation feature is only available … Continue reading "Ten Things You should know about vCenter Identity Provider Federation"

vSphere 7’s vCenter Server Identity Provider Federation feature allows for MFA

In this series on virtualizing Active Directory on VMware vSphere, we’ve discussed earlier how to set up a straight-forward vCenter delegation model for running virtual Domain Controllers safely. Today, I want to discuss a new feature in VMware vSphere 7 that improves the lives of Identity and Access Management (IAM) professionals working with both technologies: … Continue reading "vSphere 7’s vCenter Server Identity Provider Federation feature allows for MFA"

Ten things you should know about Azure AD Administrative Units

An Administrative Unit (AU) is an Azure AD resource that can be a container for other Azure AD resources. Administrative units allow an organization to grant admin permissions that are restricted to a department, region, or other segment of the organization. Admins can use Administrative Units to delegate permissions to regional administrators or to set … Continue reading "Ten things you should know about Azure AD Administrative Units"

KnowledgeBase: The Device Administrator Role is not available on the Roles and Administrators pane in the Azure Portal

Swimming against the stream of all Azure Roles being available in the Roles and administrators pane of the Azure AD Portal, the Device administrator role is missing here. Now, let’s explore how to add additional administrators to Azure AD-joined devices.   About Azure AD Join Organization-owned Windows-based devices used to be joined to Active Directory. … Continue reading "KnowledgeBase: The Device Administrator Role is not available on the Roles and Administrators pane in the Azure Portal"

Ten things you need to know about Assigning Groups to Azure AD Roles

Last week, Alex Simons announced on behalf of his team the Public Preview of assigning groups to Azure AD roles with a blogpost titled Assigning groups to Azure AD roles is now in public preview! on the Microsoft Tech Community. Ten things you need to know Assigning groups to Azure AD Roles sounds perfect, but … Continue reading "Ten things you need to know about Assigning Groups to Azure AD Roles"

Security Thoughts: Microsoft Local Administrator Password Solution (LAPS, KB3062591)

As you might recall, Microsoft offered a solution to systems administrators to set the local administrator password on domain-joined devices using Group Policy Preferences, but ended the solution, almost a year ago, when the encoding mechanism was decoded and an attack was created towards this vulnerability (CVE-2014-1812).   Introducing LAPS Yesterday, Microsoft introduced version 6 … Continue reading "Security Thoughts: Microsoft Local Administrator Password Solution (LAPS, KB3062591)"

KnowledgeBase: You receive a "Your request could not be processed" error when using Azure Self-service Password Reset (SSPR)

Recently, after deploying Azure Self-service Password Reset (SSPR) for a customer, I discovered some odd behavior. After we worked through the error tree, we finally worked out the issue. Since it wasn’t documented yet (many other errors are!) at Microsofts KnowledgeBase, here it is.   The situation In an organization with an on-premises Active Directory … Continue reading "KnowledgeBase: You receive a "Your request could not be processed" error when using Azure Self-service Password Reset (SSPR)"

I’m still an ADPrep kinda guy

In Windows Server 2012, Microsoft introduced the new streamlined Active Directory Domain Services Configuration Wizard, that in most Microsoft documentation is labeled the successor to dcpromo.exe. I’m a big fan of the new wizard, but there’s one feature I don’t use: the automatic Active Directory preparation steps it can perform for you to update the … Continue reading "I’m still an ADPrep kinda guy"

From the Field: the Case of Display Issues (garbled or missing Text) in Active Directory Administrative Center

I’ve been working with Active Directory Administrative Center (ADAC) for a while now, but didn’t have time to look at Delegation of Control lately. Yesterday I finally came round to configuring it and was baffled by a serious issue