KnowledgeBase: You can’t use the AzureADKerberos PowerShell Module on Azure AD Connect installations in a custom installation location

Azure AD Connect

During the installation of Azure AD Connect, you can select the option to use an alternative location. In this case, the Microsoft Azure AD Sync folder is stored in the alternative location, but the Microsoft Azure AD Connect folder isn’t.

The situation

When you work with Hybrid Cloud Trust, you need the AzureAdKerberos PowerShell module. This module is located in the C:\Program Files\Microsoft Azure AD Connect\AzureADKerberos folder.

You import the PowerShell module using the following line of Windows PowerShell:

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"

The issue

You experience an error and the module isn’t imported.

The cause

You experience this issue when you’ve selected the option to use an alternative location when you installed Azure AD Connect.

This option is offered during installation: on the Install required components page of the Azure Active Directory Synchronization Configuration Wizard, admins can Specify a custom installation location. However, this option only moves the Microsoft Azure AD Sync folder, not the other Azure AD Connect folders.

AzureADKerberos.psd1 expects its *.dll files to be in the C:\Program Files\Microsoft Azure AD Sync folder. Within the file, the location of the four *.dll files is designated with the relative prefix ..\..\:

AzureADKerberos.psd1 contents

The solution

Change the four locations in the AzureADKerberos.psd1 file so they point to the custom installation location and save the file. The module then imports without errors.
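As an added example (not code from the original post), the following Windows PowerShell script shows which of the DLLs referenced by AzureAdKerberos.psd1 actually resolve and can rewrite the ..\..\ prefix the post describes. The default manifest path is assumed; the custom installation root (D:\Apps below) is a placeholder for whatever you chose in the wizard. Seen from the AzureADKerberos folder, ..\..\ resolves to C:\Program Files\, so the replacement is the folder that contains your relocated Microsoft Azure AD Sync folder, not the Sync folder itself. Run it once without -Fix to see the resolved paths before changing anything.

```powershell
# Added example, not part of the original post. Diagnoses and optionally fixes the
# relative DLL references in AzureAdKerberos.psd1 after a custom-location install.
param(
    # Default manifest location (assumed; adjust if Azure AD Connect itself was moved).
    [string]$ManifestPath = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1',
    # Placeholder: the folder that now contains "Microsoft Azure AD Sync".
    [string]$CustomInstallRoot = 'D:\Apps',
    [switch]$Fix
)

$manifestDir = Split-Path -Path $ManifestPath -Parent

# Import-PowerShellDataFile parses the manifest as data (nothing is executed),
# so every string that names a .dll can be inspected safely.
$data = Import-PowerShellDataFile -Path $ManifestPath
$dllRefs = foreach ($value in $data.Values) {
    foreach ($item in @($value)) {
        if ($item -is [string] -and $item -like '*.dll') { $item }
    }
}

$missing = foreach ($ref in $dllRefs) {
    # Relative references resolve from the manifest's own folder; from
    # ...\Microsoft Azure Active Directory Connect\AzureADKerberos, "..\..\" is C:\Program Files\.
    $candidate = if ([System.IO.Path]::IsPathRooted($ref)) { $ref } else { Join-Path -Path $manifestDir -ChildPath $ref }
    $full = [System.IO.Path]::GetFullPath($candidate)
    $exists = Test-Path -LiteralPath $full -PathType Leaf
    '{0,-8} {1}' -f ($(if ($exists) { 'OK' } else { 'MISSING' }), $full) | Write-Host
    if (-not $exists) { $ref }
}

if (-not $missing) {
    Write-Host 'All referenced DLLs resolve; nothing to change.'
    return
}
if (-not $Fix) {
    Write-Host "$(@($missing).Count) reference(s) do not resolve. Re-run with -Fix to rewrite '..\..\' to '$CustomInstallRoot\'."
    return
}

# Keep a backup of the shipped manifest before editing it.
$backup = "$ManifestPath.bak"
Copy-Item -LiteralPath $ManifestPath -Destination $backup -Force
$content = Get-Content -LiteralPath $ManifestPath -Raw
$replacement = $CustomInstallRoot.TrimEnd('\') + '\'
# String.Replace is a literal replacement, so the dots and backslashes need no escaping.
$updated = $content.Replace('..\..\', $replacement)
Set-Content -LiteralPath $ManifestPath -Value $updated -NoNewline
Write-Host "Rewrote '..\..\' to '$replacement' in $ManifestPath (backup: $backup)."

# Verify: the import must now succeed and expose the module's cmdlets.
Import-Module -Name $ManifestPath -ErrorAction Stop
Get-Command -Module AzureAdKerberos | Select-Object -ExpandProperty Name
```

The diagnostic step is deliberately separate from the rewrite: the script prints every resolved path first, so you can confirm that the replacement root is correct for your layout before a product file is edited, and the backup lets you revert if the next Azure AD Connect upgrade expects the shipped manifest.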


An Elevation of Privilege vulnerability in Active Directory affects Certification Authorities (Critical, CVE-2022-34691)

Windows Server

This week, on its Patch Tuesday for August 2022, Microsoft released a patch that addresses a critical vulnerability (CVE-2022-34691) in Active Directory Domain Services (AD DS).

 

About the vulnerability

An Elevation of Privilege (EoP) vulnerability exists in Active Directory Domain Services (AD DS). The vulnerability can be exploited over the network with low complexity and low privileges required.

An attacker who successfully exploited this vulnerability could gain domain administrator privileges.

 

COMMON VULNERABILITY SCORING

With a CVSS v3.1 score of 8.8/7.7, the vulnerability is rated Critical.

 

Affected Operating Systems

The following Operating Systems are vulnerable:

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server, version 20H2

A system is vulnerable only if Active Directory Certificate Services (AD CS) is running on the domain. This means that most commonly implemented Certification Authorities (CAs) currently used are vulnerable to attacks.

In multi-tier Certification Authority implementations with an offline root CA, the root CA may not be vulnerable, as that server is not a member of Active Directory.

 

Call to action

I urge you to install the necessary security updates on Windows Server installations that act as Certification Authorities (CAs) based on Active Directory Certificate Services (AD CS) in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to the production Windows Server installations that act as AD CS-based Certification Authorities (CAs).

 

Further steps

This vulnerability belongs to the same family as other critical Active Directory Certificate Services NTLM relay vulnerabilities, like PrintNightmare (CVE-2021-1675 and CVE-2021-34527), PetitPotam (CVE-2021-36942), ShadowCoerce and DFSCoerce.

Therefore, the steps outlined for Certificate-based authentication changes on Windows domain controllers should also be performed to further secure Certification Authorities (CAs) and Domain Controllers and to mitigate sign-in errors.
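As an added example (not code from the original post), the following PowerShell function checks the two exposure conditions the post gives for this vulnerability, the AD CS Certification Authority role being installed on a domain-joined server, and lists the updates installed on or after the August 2022 Patch Tuesday (August 9, 2022). The page does not name the KB number of the fix, so the script deliberately does not look for a specific KB; it only tells you whether a domain-joined CA has received anything since that date.

```powershell
# Added example, not part of the original post. Reports whether this server matches
# the exposure conditions the post gives for CVE-2022-34691 (AD CS role installed on a
# domain member) and which updates were installed on or after the August 2022 Patch Tuesday.
Import-Module ServerManager -ErrorAction Stop

function Test-AdcsExposure {
    [CmdletBinding()]
    param([datetime]$PatchTuesday = (Get-Date -Year 2022 -Month 8 -Day 9))

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $ca = Get-WindowsFeature -Name ADCS-Cert-Authority
    $caInstalled = [bool]$ca.Installed

    # Get-HotFix reads the update history; InstalledOn can be empty for some entries.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn.Date -ge $PatchTuesday.Date } |
        Sort-Object InstalledOn

    [pscustomobject]@{
        ComputerName             = $cs.Name
        DomainJoined             = $cs.PartOfDomain
        Domain                   = $cs.Domain
        CertificationAuthority   = $caInstalled
        # Per the post, an offline root CA in a workgroup is out of scope; a domain-joined CA is in scope.
        InScope                  = ($caInstalled -and $cs.PartOfDomain)
        UpdatesSincePatchTuesday = @($recent | ForEach-Object { '{0} ({1:yyyy-MM-dd})' -f $_.HotFixID, $_.InstalledOn })
    }
}

$result = Test-AdcsExposure
$result | Format-List
if ($result.InScope -and $result.UpdatesSincePatchTuesday.Count -eq 0) {
    Write-Warning 'Domain-joined CA with no update installed since 2022-08-09: test and deploy the August 2022 security update.'
}
```

Run it on each CA, including subordinate and issuing CAs, since those are domain members even when the root is offline.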


TODO: Periodically reset the password for the KRBTGT_AzureAD account when using Hybrid Cloud Trust

Microsoft offers Hybrid Cloud Trust as a way to give people with synchronized Work or School accounts on Azure AD-joined devices seamless single sign-on access to Active Directory-integrated resources. When they sign in with Windows Hello for Business (WHfB), Active Directory-integrated functionality doesn't prompt for a username and password.

How Hybrid Cloud Trust works

Under the hood, Hybrid Cloud Trust creates:

  • A read-only domain controller account named AzureADKerberos in the Domain Controllers Organizational Unit (OU).
  • An account named krbtgt_AzureAD in the Users container.

When the person signs in, Azure AD automatically provides a partial Kerberos ticket-granting ticket (TGT) that is redeemed for a full TGT when the user accesses Kerberos-integrated on-premises resources and there is line of sight to at least one Windows Server 2016-based read/write Domain Controller.

The partial TGT is signed and encrypted with the password for the krbtgt_AzureAD account. Obviously, the password needs to be identical in both the Active Directory and Azure AD stores for the functionality to work.

Periodically reset the password

Kerberos was never designed for untrusted networks like the Internet. There have been, and might still be, vulnerabilities in the Kerberos protocol and/or its implementations. When the password for the krbtgt or krbtgt_AzureAD account is leaked, an attacker can impersonate any user within Active Directory. Therefore, just like the other krbtgt accounts, the password for the krbtgt_AzureAD account needs to be reset periodically.

However, resetting the password for the krbtgt_AzureAD account is different from resetting the password for the krbtgt account in the Active Directory domain (used by all read/write domain controllers) and the krbtgt_* passwords per read-only domain controller. Those passwords merely need to be replicated within Active Directory. The password for the krbtgt_AzureAD account needs to be changed both in Active Directory and in Azure AD.

The New-KrbtgtKeys.ps1 script warns when it stumbles upon the krbtgt_AzureAD account and explicitly doesn't reset its password. That script cannot be used for this account, but fortunately there is another way to reset its password.

What could go wrong?

When the password is reset for krbtgt_AzureAD and krbtgt accounts in your Active Directory environment, current sessions won’t be affected. The previous password is retained and used to decrypt and validate Kerberos tokens that were encrypted and signed with the previous password.

Note:
This means that the password for the krbtgt_AzureAD and krbtgt accounts should not be reset more often than once a week, unless the goal is to end all Kerberos sessions.

Reset the password for KRBTGT_AzureAD

Perform these steps to reset the password for the krbtgt_AzureAD account:

  • Sign in interactively to a Windows Server installation that runs Azure AD Connect with an account that is a member of the Enterprise Admins group.
  • Start an elevated Windows PowerShell session and run the following lines of PowerShell.

Note:
Change the value for contoso.com to the DNS name of the Active Directory domain where the krbtgt_AzureAD account resides.

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"
$domain = "contoso.com"
$cloudCred = Get-Credential -Message 'Provide the credentials for an account that is a member of the Global Administrators group in Azure AD.'
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred

  • When prompted for multi-factor authentication by Azure AD, provide the credentials for the account that is a member of the Global Administrators group in Azure AD.

Call to Action

Please use the same frequency for resetting the krbtgt_AzureAD account as for resetting the krbtgt account in your Active Directory environment. Microsoft recommends resetting the password for these accounts every 30 days. Auditors may flag the password when it is older than 180 days.
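To know when a reset is due, the following script (an added example, not code from the original post) lists the password age of every krbtgt-style account in the domain, the krbtgt account, the krbtgt_<id> accounts of read-only domain controllers and the Hybrid Cloud Trust krbtgt_AzureAD account, against the 30-day recommendation and the 180-day audit threshold quoted above. It assumes the ActiveDirectory RSAT module is available and defaults to the current domain; the thresholds are parameters.

```powershell
# Added example, not part of the original post. Lists the password age of every
# krbtgt-style account against the 30-day recommendation and 180-day audit threshold.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumed: the domain of the current session
    [int]$RecommendedDays = 30,
    [int]$AuditDays = 180
)
Import-Module ActiveDirectory -ErrorAction Stop

function Get-KrbtgtPasswordAge {
    param([string]$Server, [int]$RecommendedDays, [int]$AuditDays)

    # All krbtgt accounts share the sAMAccountName prefix; pwdLastSet is what matters here.
    $accounts = Get-ADUser -Server $Server -LDAPFilter '(sAMAccountName=krbtgt*)' -Properties PasswordLastSet

    foreach ($acct in $accounts) {
        $age = $null
        if ($acct.PasswordLastSet) { $age = (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days }

        $status = 'OK'
        if ($null -eq $age)                { $status = 'Unknown' }
        elseif ($age -gt $AuditDays)       { $status = 'AUDIT-FLAG' }
        elseif ($age -gt $RecommendedDays) { $status = 'Overdue' }

        # krbtgt_AzureAD must be rotated in both stores (Set-AzureADKerberosServer);
        # the other accounts only need to replicate within Active Directory.
        $method = 'Reset in Active Directory (e.g. New-KrbtgtKeys.ps1)'
        if ($acct.SamAccountName -eq 'krbtgt_AzureAD') { $method = 'Set-AzureADKerberosServer (AD + Azure AD)' }

        [pscustomobject]@{
            Account         = $acct.SamAccountName
            PasswordLastSet = $acct.PasswordLastSet
            AgeDays         = $age
            Status          = $status
            ResetMethod     = $method
        }
    }
}

Get-KrbtgtPasswordAge -Server $Domain -RecommendedDays $RecommendedDays -AuditDays $AuditDays |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize
```

The ResetMethod column is the point of the report: an account that shows up as Overdue is handled differently depending on whether it is the domain krbtgt, an RODC krbtgt_<id>, or krbtgt_AzureAD, and only the last one requires the Set-AzureADKerberosServer procedure above.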


What's New in Azure Active Directory for July 2022

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for July 2022:

What’s New

Here’s what’s new:

No more waiting, provision groups on demand into your SaaS applications General Availability

Service category: Provisioning
Product capability: Identity Lifecycle Management

Pick a group of up to five members and provision them into your third-party applications in seconds. Get started testing, troubleshooting, and provisioning to non-Microsoft applications such as ServiceNow, ZScaler, and Adobe.

Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD General Availability

Service category: Microsoft Graph API
Product capability: Identity Security and Protection

Microsoft is delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication (MFA) when federated with Azure AD. When enabled for a federated domain in the Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD MFA by claiming that multi-factor authentication has already been performed by the identity provider. The protection can be enabled via a new security setting, federatedIdpMfaBehavior.

Microsoft highly recommends enabling this new protection when using Azure AD MFA as your organization’s multi-factor authentication solution for federated users.
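As an added example (not code from the release notes), the following script reads and, if needed, sets the federatedIdpMfaBehavior property of a federated domain through Microsoft Graph. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to Domain.ReadWrite.All; contoso.com is a placeholder domain name. The value rejectMfaByFederatedIdp makes Azure AD disregard the identity provider's MFA claim and perform Azure AD MFA itself, which is the protection described above.

```powershell
# Added example, not part of the release notes. Inspects and sets federatedIdpMfaBehavior
# on the internalDomainFederation object of a federated domain via Microsoft Graph.
param([string]$DomainName = 'contoso.com')   # placeholder domain
Import-Module Microsoft.Graph.Authentication -ErrorAction Stop
Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

# A federated domain has exactly one federationConfiguration object.
$fed = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/domains/$DomainName/federationConfiguration"
$config = $fed.value | Select-Object -First 1
if (-not $config) { throw "$DomainName has no federation configuration; is it a federated domain?" }

Write-Host "Current federatedIdpMfaBehavior for ${DomainName}: $($config.federatedIdpMfaBehavior)"

# Documented values: acceptIfMfaDoneByFederatedIdp (legacy behaviour, trusts the IdP's claim),
# enforceMfaByFederatedIdp (redirect to the IdP for MFA) and rejectMfaByFederatedIdp
# (ignore the IdP's MFA claim and run Azure AD MFA). Only the last one blocks the bypass.
if ($config.federatedIdpMfaBehavior -ne 'rejectMfaByFederatedIdp') {
    $body = @{ federatedIdpMfaBehavior = 'rejectMfaByFederatedIdp' }
    Invoke-MgGraphRequest -Method PATCH `
        -Uri "https://graph.microsoft.com/v1.0/domains/$DomainName/federationConfiguration/$($config.id)" `
        -Body $body -ContentType 'application/json'
    Write-Host 'Updated federatedIdpMfaBehavior to rejectMfaByFederatedIdp.'
} else {
    Write-Host 'Already protected; no change made.'
}
```

Because this changes how every federated sign-in from that domain is treated, read the current value first (the script prints it) and pilot the change with a domain whose users are already registered for Azure AD MFA.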

Tenant-based service outage notifications General Availability

Service category: Other
Product capability: Platform

Azure Service Health supports service outage notifications to tenant admins for Azure Active Directory issues. These outages will also appear on the Overview page in the Azure AD Admin portal with appropriate links to Azure Service Health. Outage events can be seen by built-in tenant administrator roles.

Multiple Passwordless Phone sign-in Accounts for iOS devices Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

End users can now enable passwordless phone sign-in for multiple accounts in the Authenticator App on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to the Microsoft Authenticator app and use passwordless phone sign-in for all of them from the same iOS device.

ADFS to Azure AD: SAML App Multi-Instancing Public Preview

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Admins can now configure multiple instances of the same application within an Azure AD tenant. It's now supported for both Identity Provider (IdP), and Service Provider (SP) initiated single sign-on requests. Multiple application accounts can now have a separate service principal to handle instance-specific claims mapping and roles assignment.

ADFS to Azure AD: Apply RegEx Replace to groups claim content Public Preview

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Up until recently, admins had the capability to transform claims using many transformations. However, using regular expression for claims transformation wasn't exposed. With this public preview release, admins can now configure and use regular expressions for claims transformation using the portal.

Trusts for User Forests in Azure AD Domain Services Public Preview

Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Admins can now create trusts on both user and resource forests.

On-premises Active Directory Domain Services (AD DS) users can't authenticate to resources in the Azure AD DS resource forest until admins create an outbound trust to their on-premises AD DS environment(s).

An outbound trust requires network connectivity to the virtual network on which Azure AD Domain Services is deployed. On a user forest, trusts can be created for on-premises Active Directory forests that aren't synchronized to Azure AD DS.

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Admins can now automate creating, updating, and deleting user accounts for Tableau Cloud.

New Federated Apps available in the Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2022, Microsoft added the following new applications with Federation support to the Azure AD App gallery:

  1. Lunni Ticket Service
  2. TESMA
  3. Spring Health
  4. Sorbet
  5. Rainmaker UPS
  6. Planview ID
  7. Karbonalpha
  8. Headspace
  9. SeekOut
  10. Stackby
  11. Infrascale Cloud Backup
  12. Keystone
  13. LMS・教育管理システム Leaf
  14. ZDiscovery
  15. ラインズeライブラリアドバンス (Lines eLibrary Advance)
  16. Rootly
  17. Articulate 360
  18. Rise.com
  19. SevOne Network Monitoring System (NMS)
  20. PGM
  21. TouchRight Software
  22. Tendium
  23. Training Platform
  24. Znapio
  25. Preset
  26. itslearning MS Teams sync
  27. Veza
  28. Trax

What’s Changed

Here’s what’s changed:

Cross-tenant access settings for B2B collaboration General Availability

Service category: Business to Business (B2B) collaboration
Product capability: B2B/B2C collaboration

Cross-tenant access settings enable admins to control how users in their organization(s) collaborate with members of external Azure AD organizations. Now admins have granular inbound and outbound access control settings that work on a per organization, user, group, and application basis. These settings also make it possible for admins to trust security claims from external Azure AD organizations like multi-factor authentication (MFA), device compliance, and hybrid Azure AD-joined devices.

Expression builder with Application Provisioning General Availability

Service category: Provisioning
Product capability: Outbound to SaaS Applications

Accidental deletion of users in apps or in the on-premises directory could be disastrous. Microsoft is excited to announce the general availability of the accidental deletions prevention capability. When a provisioning job would cause a spike in deletions, it will first pause and provide you visibility into the potential deletions. Admins can then accept or reject the deletions and have time to update the job’s scope if necessary.

Azure AD Domain Services – Fine Grain Permissions Public Preview

Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Previously, to set up and manage an Azure AD Domain Services instance, admins needed top level permissions of Azure Contributor and the Azure AD Global Administrator role.

Now, for both initial creation and ongoing administration, you can use more fine-grained permissions for enhanced security and control.

Improved app discovery view for My Apps portal Public Preview

Service category: My Apps
Product capability: End User Experiences

An improved app discovery view for My Apps is in public preview. The preview shows users more apps in the same space and allows them to scroll between collections. It doesn't currently support drag-and-drop and list view. Users can opt into the preview by clicking Try the preview and opt out by clicking Return to previous view.

New Azure AD Portal All Devices list Public Preview

Service category: Device Registration and Management
Product capability: End User Experiences

Microsoft is enhancing the All Devices list in the Azure AD Portal to make it easier to filter and manage your organization’s devices. Improvements include:

  • Infinite scrolling
  • More devices properties can be filtered on
  • Columns can be reordered via drag and drop
  • Select all devices

ADFS to Azure AD: Persistent NameID for IDP-initiated Apps Public Preview

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Previously the only way to have a persistent NameID value was to configure the user attribute with an empty value. Admins can now explicitly configure the NameID value to be persistent along with the corresponding format.

ADFS to Azure AD: Customize attrname-format Public Preview

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

With this new parity update, admins can now integrate non-gallery applications such as Socure DevHub with Azure AD to have single sign-on (SSO) via SAML.


Azure AD Connect v2.1.16.0 ensures Automatic Upgrades are possible

Ever since Microsoft announced the deprecation of Azure AD Connect version 1.x, many organizations have migrated to Azure AD Connect v2.x. However, one of the big features that has been missing from version 2.x is the ability to automatically upgrade to newer versions.

Azure AD Connect v2.1.15.0, announced on July 6th, 2022, was the first v2.x version with Automatic Upgrade functionality. However, the Azure AD Connect team identified a bug where Automatic Upgrade fails when the service account is in userPrincipalName format.

 

What’s New

Azure AD Connect v2.1.16.0 enables Automatic Upgrade functionality, even when the service account is in userPrincipalName format.

During installation, the Azure Active Directory Synchronization Configuration Wizard allows admins to Use an existing service account to run the service (and connect to the SQL database) on the Install required components page. Here, the provided example uses Azure AD Connect’s rather specific user name format CONTOSO.COM\username and not the userPrincipalName format, which would look like username@contoso.com.

This only applies to Azure AD Connect installations that used this option, and to Azure AD Connect installations where the service account was changed at a later time.
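To find out whether an installation is in that situation, the following script (an added example, not code from the original post or from the Azure AD Connect product) shows the account the ADSync service runs as, classifies its format, reads the installed product version from the uninstall registry entries and reports the Automatic Upgrade state via the ADSync module's Get-ADSyncAutoUpgrade cmdlet. It assumes the uninstall display name starts with "Microsoft Azure AD Connect"; run it on the Azure AD Connect server itself.

```powershell
# Added example, not part of the original post. Run on the Azure AD Connect server to see
# the ADSync service account and its format, the product version and the Automatic Upgrade state.
Import-Module ADSync -ErrorAction Stop

function Get-ADSyncUpgradeReadiness {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ADSync'"
    if (-not $svc) { throw 'The ADSync service is not installed on this host.' }

    # Classify the logon account: a UPN contains '@', built-in and virtual service accounts
    # use the NT SERVICE / NT AUTHORITY prefixes, everything else with a backslash is DOMAIN\user.
    $format = 'other'
    if ($svc.StartName -match '@')                                   { $format = 'userPrincipalName' }
    elseif ($svc.StartName -match '^(NT SERVICE|NT AUTHORITY)\\|^LocalSystem$') { $format = 'built-in or virtual service account' }
    elseif ($svc.StartName -match '\\')                              { $format = 'DOMAIN\user' }

    # Product version from the uninstall registry entries (display name assumed).
    $uninstall = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
        Select-Object -First 1
    $version = $null
    if ($uninstall -and $uninstall.DisplayVersion) { $version = [version]$uninstall.DisplayVersion }

    [pscustomobject]@{
        ServiceAccount   = $svc.StartName
        AccountFormat    = $format
        Version          = $version
        AutoUpgradeState = (Get-ADSyncAutoUpgrade)
        # The post: Automatic Upgrade fails on builds before 2.1.16.0 when the account is a UPN.
        AffectedByUpnBug = ($format -eq 'userPrincipalName' -and $null -ne $version -and $version -lt [version]'2.1.16.0')
    }
}

$state = Get-ADSyncUpgradeReadiness
$state | Format-List
if ($state.AffectedByUpnBug -and "$($state.AutoUpgradeState)" -eq 'Enabled') {
    Write-Warning 'Automatic Upgrade is enabled but fails on this version with a UPN service account; upgrade manually to v2.1.16.0 or later.'
}
```

An installation that reports a DOMAIN\user or virtual service account was never affected; one that reports a UPN on a version below 2.1.16.0 needs the manual upgrade once, after which Automatic Upgrade works as intended.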

 

Version information

Version 2.1.16.0 of Azure AD Connect was made available for download as a 144 MB AzureADConnect.msi on August 2nd, 2022.

You can download the latest version of Azure AD Connect here.


What's New in Microsoft Defender for Identity in July 2022

Microsoft Defender for Identity

Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).

What’s New

In July 2022, two new versions of Microsoft Defender for Identity were released:

  1. Version 2.184, released on July 10, 2022
  2. Version 2.185, released on July 18, 2022

These releases introduced the following functionality:

NEW SECURITY ASSESSMENTS

Since version 2.184, Defender for Identity now includes unsecure domain configuration assessments.

Microsoft Defender for Identity continuously monitors your environment to identify domains with configuration values that expose a security risk, and reports on these domains to assist you in protecting your environment.

Npcap instead of WinPcap

Starting with version 2.184, the Defender for Identity installation package installs the Npcap component instead of the WinPcap drivers.

Wrongfully detected macOS devices

In version 2.185, an issue was fixed where the Suspected Golden Ticket usage (nonexistent account) (external ID 2027) detection wrongfully detected macOS devices.

Disable user now separated into disable and suspend

The Defender for Identity team decided to divide the Disable User action on the user page into two different actions:

  1. Disable User
    This disables the user in Active Directory.
  2. Suspend User 
    This disables the user in Azure AD.

The time it takes to sync from Active Directory to Azure Active Directory can be crucial, so defenders can now disable a user in both directories one after the other, removing the dependency on the synchronization between Active Directory and Azure AD.

Note: 
A user that is disabled only in Azure AD will be overwritten by Active Directory if the user is still active in Active Directory.

IMPROVEMENTS AND BUG FIXES

Both July 2022 Defender for Identity releases include improvements and bug fixes for the internal sensor infrastructure.


On-premises Identity-related updates and fixes for July 2022

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates.

This is the list of Identity-related updates and fixes we saw for July 2022:

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5015808 July 12, 2022

The July 12, 2022 update for Windows Server 2016 (KB5015808), updating the OS build number to 14393.5246, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that causes Microsoft NT Lan Manager (NTLM) authentication using an external trust to fail. This issue occurs when a domain controller that runs the January 11, 2022 or later Windows updates, services the authentication request, is not in a root domain, and does not hold the Global Catalog (GC) role. The affected operations might log the following errors:

The security database has not been started

The domain was in the wrong state to perform the security operation

0xc00000dd (STATUS_INVALID_DOMAIN_STATE)

  • It addresses an issue that causes the domain controller holding the Primary Domain Controller emulator (PDCe) Flexible Single Master Operations (FSMO) role in the root domain to generate warning and error events in the System log. This issue occurs when the PDCe incorrectly tries to scan outgoing-only trusts.

 

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5015811 July 12, 2022

The July 12, 2022 update for Windows Server 2019 (KB5015811), updating the OS build number to 17763.3165, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that causes a domain controller to incorrectly write Key Distribution Center (KDC) event 21 in the System event log. This occurs when the KDC successfully processes a Kerberos Public Key Cryptography for Initial Authentication (PKINIT) authentication request with a self-signed certificate for key trust scenarios (Windows Hello for Business and Device Authentication).
  • It addresses an issue that causes NTLM authentication using an external trust to fail. This issue occurs when a domain controller, that contains the January 11, 2022 or later Windows updates, services the authentication request, is not in a root domain, and does not hold the Global Catalog role. The affected operations might log the following errors:

The security database has not been started

The domain was in the wrong state to perform the security operation

0xc00000dd (STATUS_INVALID_DOMAIN_STATE)

KB5015880 July 21, 2022 Preview

The July 21, 2022 update for Windows Server 2019 (KB5015880), updating the OS build number to 17763.3232, is a preview update that includes the following Identity-related improvements:

  • It provides the option to configure an alternate login ID for the Azure Multi-Factor Authentication (MFA) Active Directory Federation Services (AD FS) adapter for on-premises scenarios. By default, the adapter configuration will not ignore alternate login ID (IgnoreAlternateLoginId = $false) unless explicitly set to $true.
  • It enforces a hardening change that requires printers and scanners that use smart cards for authentication to have firmware that complies with section 3.2.1 of RFC 4556. If they do not comply, domain controllers will not authenticate them.

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5015827 July 12, 2022

The July 12, 2022 update for Windows Server 2022 (KB5015827), updating the OS build number to 20348.825, is a monthly cumulative update that includes the following Identity-related improvements:

  • It adds the ability to call SetCredentialsAttribute in user mode for SECPKG_ATTR_CLIENT_CERT_POLICY.
  • It adds support for Transport Layer Security (TLS) 1.3 in Windows client and server Lightweight Directory Access Protocol (LDAP) implementations.
  • It provides a Group Policy setting that administrators can use to enable the use of the Ctrl + S (Save As) keyboard shortcut in Microsoft Edge IE Mode: InternetExplorerModeEnableSavePageAs
  • It addresses an issue that affects some certificates chains to Root Certification Authorities that are members of the Microsoft Root Certification Program. For these certificates, the certificate chain status can be:

This certificate was revoked by its certification authority.

  • It addresses an issue that causes a domain controller to incorrectly write Key Distribution Center (KDC) event 21 in the System event log. This occurs when the KDC successfully processes a Kerberos Public Key Cryptography for Initial Authentication (PKINIT) authentication request with a self-signed certificate for key trust scenarios (Windows Hello for Business and Device Authentication).
  • It addresses an issue in which creating Install from Media (IFM) media for Active Directory fails and generates the following error:

-2101 JET_errCallbackFailed

  • It addresses an issue that occurs when the Active Directory Lightweight Directory Service (LDS) resets the password for userProxy objects. The password reset fails with the following error:

00000005: SvcErr: DSID-03380C23, problem 5003 (WILL_NOT_PERFORM), data 0

  • It addresses an issue that causes the LocalUsersAndGroups configuration service provider (CSP) policy to fail when you modify the built-in Administrators group. This issue occurs if the local Administrator account isn't specified in the membership list when you perform a replace operation.
  • It addresses an issue that causes NTLM authentication using an external trust to fail. This issue occurs when a domain controller, that contains the January 11, 2022 or later Windows updates, services the authentication request, is not in a root domain, and does not hold the Global Catalog role. The affected operations might log the following errors:

The security database has not been started

The domain was in the wrong state to perform the security operation

0xc00000dd (STATUS_INVALID_DOMAIN_STATE)

KB5015879 July 19, 2022 Preview

The July 19, 2022 update for Windows Server 2022 (KB5015879) updating the OS build number to 20348.859 is a preview update that includes the following Identity-related improvements:

  • It addresses an issue that might cause Windows to stop working when you enable Windows Defender Application Control with the Intelligent Security Graph feature turned on.
  • It addresses an issue that causes the Windows profile service to fail sporadically. The failure might occur when signing in. The error message is:

gpsvc service failed to sign in. Access denied

  • It provides the option to configure an alternate login ID for the Azure Multi-Factor Authentication (MFA) Active Directory Federation Services (AD FS) adapter for on-premises scenarios. By default, the adapter configuration will not ignore alternate login ID (IgnoreAlternateLoginId = $false) unless explicitly set to $true.
  • It enforces a hardening change that requires printers and scanners that use smart cards for authentication to have firmware that complies with section 3.2.1 of RFC 4556. If they do not comply, domain controllers will not authenticate them.

Requirements to use Passwordless Phone Sign-in for multiple Work or School accounts

Azure Active Directory

This week, Microsoft announced the availability of Passwordless Phone Sign-in for multiple Work or School accounts in the Microsoft Authenticator app on Apple iOS-based devices.

To use the Authenticator app for Passwordless Sign-ins to multiple Work or School accounts during the Public Preview stage of this feature, meet the following requirements:

Note:
Requirements may change between the Public Preview and General Availability for this feature. Also, Microsoft can choose to pull back this feature when it no longer fits its roadmap or when it poses security and/or scalability risks.

 

iOS Device settings

Meet the following requirements when it comes to the iOS-based device you use:

Password

The iOS device needs to require a password, Touch ID or Face ID to unlock the device.

Authenticator App

Install Microsoft Authenticator v6.5.99 or above on an Apple device that runs iOS 12 or later. If the Microsoft Authenticator app is already installed, ensure that its version is at least v6.5.99.

To determine the version, perform these steps:

  • Open the Authenticator app on the iOS device.
  • Unlock the app using biometrics or PIN, if the app is protected.
  • In the left top corner click the menu.
  • From the menu, click Help.
  • In the About section of help topics, the Version field indicates the version of the installed Microsoft Authenticator app.

Enable the option for Microsoft to collect usage data.

Perform these steps to do so:

  • Open the Authenticator app on the iOS device.
  • Unlock the app using biometrics or PIN, if the app is protected.
  • In the left top corner click the menu.
  • From the menu, click Settings.
  • In the Usage data section of settings, enable the Allow Microsoft to gather non-personally identifiable usage data to improve the app. Learn more in the FAQs available under the Help menu. option.

Azure AD registration

After installation of the Microsoft Authenticator app, the iOS-based device needs to be registered to the Azure AD tenants that host each work or school account that you want to use for Passwordless Phone Sign-in.

Perform these steps to register an iOS device to an Azure AD tenant:

  • Open the Authenticator app on the iOS device.
  • Unlock the app using biometrics or PIN, if the app is protected.
  • In the left top corner click the menu.
  • From the menu, click Settings.
  • Click Device Registration.
  • The Device Registration page shows all Azure AD tenants the device is registered to.
    Determine the Azure AD tenants the device is registered with. Click the in the top right corner to add an Azure AD tenant to the list.
  • Provide the email address for the work or school account in the Azure AD tenant.
  • Click Register.
  • In the sign-in experience provide the means to perform multi-factor authentication.
  • The list on the Device Registration page now shows the Azure AD tenant you added.

 

Azure AD settings

Meet the following requirements when it comes to each of the Azure AD tenants that host each work or school account that you want to use for Passwordless Phone Sign-in:

Combined Security Information

The Users can use the combined security information registration experience option needs to be enabled in Azure AD (for at least the persons in scope for this feature).

To check and/or enable this setting, perform the following steps:

  • Sign in to the Azure AD Portal with an account that has the Global administrator role or the User administrator role.
  • Perform multi-factor authentication, if prompted.
  • If the Azure AD tenant is configured with Azure AD Privileged Identity Management (PIM) and the Global administrator or User administrator role requires elevation, perform the steps and provide the required information to elevate the role.
  • In the left navigation pane, click Azure Active Directory.
  • In Azure Active Directory's navigation menu, click User settings.
  • On the User settings page in the main pane, follow the Manage user preview settings link.
  • Enable the Users can use the combined security information registration experience option by selecting All for all users, or Selected to scope the feature to a group. If you selected Selected, specify the group to scope the feature to.
  • Click Save at the top of the pane.

Note:
This setting will be automatically enabled for All in Azure AD tenants starting September 30th, 2022.

Authentication Method settings

The Microsoft Authenticator authentication method needs to be enabled in Azure AD (for at least the persons in scope for this feature).

To check and/or enable the authentication method, perform the following steps:

  • Sign in to the Azure AD Portal with an account that has the Global administrator role or the Authentication Policy administrator role.
  • Perform multi-factor authentication, if prompted.
  • If the Azure AD tenant is configured with Azure AD Privileged Identity Management (PIM) and the Global administrator or Authentication Policy administrator role requires elevation, perform the steps and provide the required information to elevate the role.
  • In the left navigation pane, click Azure Active Directory.
  • In Azure Active Directory's navigation menu, click Security.
  • In the Security navigation menu, click Authentication Methods. The Policies menu item in the Authentication Methods menu is selected by default.
  • In the main pane, click the Microsoft Authenticator policy.
  • In the Basics section, select Yes for the Enable option, to enable the authentication method.
  • In the Target section, select All users or Select users. If you select Select users, specify a group to scope the feature to.
  • The selected group appears underneath the Target option. Click the kebab menu at the end of the group and select Configure from the context menu. Ensure that Authentication mode is set to Any or Passwordless.

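The portal steps above can be verified from the command line as well. The following script is an added example (not from the original post) that reads the Microsoft Authenticator authentication method configuration through Microsoft Graph with the Microsoft.Graph PowerShell SDK and reports whether the method is enabled and whether every targeted group allows passwordless sign-in. It assumes the signed-in account can consent to the Policy.Read.All permission; the mapping of the portal's Passwordless mode to the Graph value deviceBasedPush is stated in the comments.

```powershell
# Added example (not from the original post): audit the Microsoft Authenticator
# authentication method policy through Microsoft Graph, checking the same settings
# the portal steps above configure. Requires the Microsoft.Graph PowerShell SDK.
# Assumption: the signed-in account can consent to Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All"

$uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator"
$policy = Invoke-MgGraphRequest -Method GET -Uri $uri

# 1. The method itself must be enabled (the "Enable: Yes" option in the Basics section).
if ($policy.state -ne 'enabled') {
    Write-Warning "Microsoft Authenticator method is '$($policy.state)'; Passwordless Phone Sign-in will not work."
}

# 2. Every include target must allow passwordless. In the Graph API the portal's
#    "Passwordless" mode is 'deviceBasedPush' and "Any" is 'any'; 'push' allows
#    push-based MFA only, not passwordless sign-in.
$allowed = @('any', 'deviceBasedPush')
foreach ($target in $policy.includeTargets) {
    $label = if ($target.id -eq 'all_users') { 'All users' } else { "group $($target.id)" }
    if ($target.authenticationMode -in $allowed) {
        Write-Host "OK  : $label ($($target.targetType)) authenticationMode=$($target.authenticationMode)"
    } else {
        Write-Warning "FIX : $label ($($target.targetType)) authenticationMode=$($target.authenticationMode) does not permit passwordless sign-in."
    }
}

# 3. Exclude targets override include targets; list them so nobody in scope is silently excluded.
foreach ($target in $policy.excludeTargets) {
    Write-Host "NOTE: excluded $($target.targetType) $($target.id)"
}
```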
Account settings

The Work or School accounts that will be used with Passwordless sign-in will need to have Azure multi-factor authentication registered. When multi-factor authentication is not registered for the account, visit aka.ms/mfasetup to configure it for the account.

A Critical Vulnerability in Netwrix' Auditor may lead to Active Directory and Azure AD compromise

Netwrix

On June 6th, 2022, Netwrix released Auditor v10.5. In this version, a remote code execution vulnerability is addressed. Since Auditor is typically executed with extensive privileges in an Active Directory environment, an attacker would be able to compromise the Active Directory forest and/or Azure AD tenant.

About Netwrix

Netwrix empowers information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers. Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.

About the vulnerability

A vulnerability exists in an unsecured .NET remoting service that's accessible on TCP port 9004 of the Windows Server on which Netwrix Auditor is installed. The service listening on this port (among other ports) handles core communications between the Domain Controllers (and other monitored systems, services and/or applications) and the Windows Server running Netwrix Auditor.

An insecure object deserialization issue in this service allows for remote code execution in the context of the Netwrix Auditor service, which runs as SYSTEM on the Windows Server. The vulnerability is present in all supported versions of Netwrix Auditor prior to version 10.5.

Depending on the systems, services and/or applications configured for monitoring with Auditor, malicious commands can be issued toward these monitored resources. Typically, file servers, Exchange servers, Azure AD and Active Directory are monitored resources. Of these resources, Active Directory and Azure AD are the most critical.

About Auditor's AD Permissions

For Netwrix Auditor to perform its Active Directory monitoring, typically only read permissions are required throughout the Active Directory forest. The Write Members permission can also be delegated. Netwrix Auditor and the Netwrix Access Information Center it feeds therefore allow for least administrative privileges to be applied.

In terms of a data leak, this means that in a sufficiently managed environment, an attacker could read all personal information for user accounts in Active Directory. However, in environments where the recommended practice of applying least administrative privileges has not been followed, you may expect a member of the Domain Admins and/or Enterprise Admins group to function as the Netwrix AD service account. In the latter case, compromise of the Active Directory forest is possible.

About Auditor's Azure AD Permissions

For Netwrix Auditor to perform its Azure AD monitoring, typically the following permissions are assigned to an application registration for Netwrix Auditor within Azure AD:

  • Directory.Read.All
  • Auditlog.Read.All
  • ActivityFeed.Read

In terms of a data leak, this means that in a sufficiently managed environment, an attacker could read all personal information for user accounts in Azure AD. However, Directory.Read.All also provides read permissions on multi-factor authentication information for people within the organization. This information could be used in attacks in combination with SIM swapping and other means of compromising multi-factor authentication as a security method.
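Whether an Auditor compromise stays a read-only data leak or becomes a tenant compromise depends on what the app registration was actually granted, so it pays to compare the granted application permissions with the three listed above. The following script is an added example (not from the original post or from Netwrix) using the Microsoft.Graph PowerShell SDK; it assumes the signed-in account has Application.Read.All and that the service principal is named 'Netwrix Auditor' (an assumption; adjust the filter to your tenant). It checks admin-consented application permissions (app role assignments), not delegated permissions.

```powershell
# Added example (not from the original post): compare the application permissions
# granted to the Netwrix Auditor app registration with the three documented above.
# Assumptions: Microsoft.Graph PowerShell SDK installed, Application.Read.All consented,
# and the service principal's display name is 'Netwrix Auditor' (adjust if different).
Connect-MgGraph -Scopes "Application.Read.All"

$expected = @('Directory.Read.All', 'AuditLog.Read.All', 'ActivityFeed.Read')

$sp = Get-MgServicePrincipal -Filter "displayName eq 'Netwrix Auditor'"
if (-not $sp) { throw "No service principal named 'Netwrix Auditor' found; adjust the display name filter." }

# App role assignments are the admin-consented application permissions. Each one references
# a resource API (Microsoft Graph, Office 365 Management APIs, ...) and one of that resource's
# app roles; the permission string is the role's Value on the resource service principal.
$granted = foreach ($assignment in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
    [pscustomobject]@{
        Resource   = $resource.DisplayName
        Permission = $role.Value
    }
}

$granted | Format-Table -AutoSize

# Anything beyond the documented read-only set widens what a compromised Auditor server can
# reach; anything missing from it shows up as a monitoring gap rather than a security issue.
# -in / -notin compare case-insensitively, so 'Auditlog.Read.All' matches 'AuditLog.Read.All'.
$extra   = $granted.Permission | Where-Object { $_ -notin $expected }
$missing = $expected | Where-Object { $_ -notin $granted.Permission }

if ($extra)   { Write-Warning "Permissions beyond the documented set: $($extra -join ', ')" }
if ($missing) { Write-Warning "Documented permissions not granted: $($missing -join ', ')" }
if (-not $extra -and -not $missing) { Write-Host "Granted application permissions match the documented set." }
```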

Concluding

I urge you to update any Netwrix Auditor installations within your networking environments to version 10.5.

On a more personal note

I work with Netwrix, as their Active Directory and Azure AD solutions are generally awesome. Therefore, I feel it's also my responsibility to notify you of any issues with the solutions, as pointed out above. All software contains bugs. Having issues does not mean the software is bad; it means that people are genuinely concerned with the software they use and any bugs it may have.

Further reading

New Netwrix Auditor Bug Could Let Attackers Compromise Active Directory Domain
Netwrix Auditor Advisory

The Second Edition of the Active Directory Administration Cookbook is now available

Active Directory Administration Cookbook, second edition

Slightly over three years ago, my first book was published. These past few months, I've been working with Packt to write my second book: the Active Directory Administration Cookbook, Second Edition.

Starting today, July 15th 2022, you can find physical copies of it on shelves at Amazon. What you'll find is 696 pages filled with 173 recipes for managing all aspects of Active Directory on Windows Server 2022 and all aspects of Hybrid Identity with Azure AD.

As you may have come to appreciate from the original edition of the Active Directory Administration Cookbook, all my recipes include zero-fluff, real-world and straight-to-the-point information on actually getting things done.

You've probably heard me say that when you're not ashamed for what you did or how you did things several years ago, you're doing it wrong. To me, writing the Second Edition of the Active Directory Administration Cookbook made that abundantly clear again.

That's why you'll find DNS and AD CS as new topics alongside more familiar topics such as AD FS and Azure AD in this book. You'll also find lots of previously confusing wording addressed and errors fixed. My two technical editors, Carl Webster and James Mendez, helped me thoroughly with that.

Enjoy!

About Packt Publishing

Founded in 2004, Packt Publishing is a print-on-demand publishing company based in Birmingham, UK and Mumbai, India. Many of its book offerings concern information technology or software. It offers print books as well as e-books in several formats.
