Pictures of TechMentor Redmond 2018

Microsoft Campus

Last week, I travelled to Microsoft Campus in Redmond to present at TechMentor. I was kindly invited by Sami Laiho and Dave Kawula, the two chairs of this event, for two identity-related sessions.

On Wednesday August 8th, I boarded a plane at Amsterdam Schiphol Airport towards Seattle-Tacoma Airport. Delta gave me a good seat for this 10-hour flight and I got some serious work done. I arrived at the Bellevue Hyatt Regency late and, because of the 9-hour time difference, I went straight to sleep as soon as I laid my head on the pillow…

Enjoying seat 27A on a Delta Airbus A330-326. Lots of legroom! (click for larger photo)
The welcoming view of the Hyatt Regency in Bellevue (click for larger photo)

The next morning, we were off to the Microsoft Campus! The bus took us from the hotel straight to Microsoft’s Executive Briefing Center (EBC) in Building 33.

Good morning, Seattle! (click for larger photo)
Building 33 on campus: Microsoft's Executive Briefing Center (click for larger photo, by Mike)
TechMentor's Agenda-at-a-Glance (click for original photo)

I enjoyed a little breakfast and some soda. I checked out the agendas for the rooms and then prepared for my sessions in the speaker room (Lassen). With our TechMentor credit cards, Dave Kawula, Orin Thomas and I decided to get some lunch in Building 9.

Challenges with virtualizing Domain Controllers (click for larger photo by Sami Laiho)

At 2:15PM, I started with the first of my two presentations in room St. Helens. For 75 minutes, we discussed the security implications of virtualizing Active Directory Domain Controllers.

Presenting Azure AD Connect, from my point of view (click for larger photo)
Presenting on Azure AD Connect (click for larger photo by Sami Laiho)

At 3:45PM it was time for Azure AD Connect to shine in room Cascade. All the way through 5:05PM we had fun talking about synchronizing objects and attributes to Azure AD and how to put the mS-DS-ConsistencyGUID to good use when restructuring Active Directory forests.

We took the bus back to the Hyatt Regency in Bellevue and decided to go grab dinner at the Cheesecake Factory, before going to bed early. I decided I deserved a beer for delivering two nice sessions and knocking ‘Speaking on Microsoft Campus’ off my bucket list.

Microsoft Building 92 (click for larger photo)
Microsoft's Visitor Center

The next morning I went to campus early again, but decided to enjoy Microsoft Campus, the Microsoft Visitor Center and the renewed Microsoft Store on campus. I had never been to the Pacific Northwest at this time of year and decided to soak up the sun and 30 degree (Celsius) temperatures. I took a walk from the Microsoft EBC (Building 33) to Building 92, crossing most of the Microsoft Campus. While in the Microsoft Store, I couldn’t help myself and got a Surface Go.

Back at Building 33, I took the bus back to the hotel and went to bed early to get ready for the trip back.

Benelux Speakers at the parking in the Hyatt Regency (click for larger photo)

Coincidentally, all four TechMentor speakers from the Benelux (Peter de Tender, Sven van Rijen, Peter Daalmans and I) had booked the same flight back to Amsterdam, so we made our way to the airport together, enjoyed Delta’s Sky lounge together and enjoyed the flight back together.

Thank you!

Thanks to all the people attending, sitting in on my sessions and, of course, the people who stuck around after my sessions for the interesting discussions. Thanks to the TechMentor community for making this trip enjoyable, and of course, the speakers who are always fun to hang out with.


I’m speaking at VMware VMworld US 2018

VMworld US 2018

I’m proud to announce that I have been invited by VMware to present at VMworld US 2018 in Las Vegas, where we’ll celebrate VMware’s 20th birthday with 20,000+ attendees.

I have been asked to host a workshop on virtualizing Active Directory Domain Services with Deji Akomolafe, and present a 60-minute break-out session with Matt Liebowitz.


About VMware VMworld

VMworld is a global conference for virtualization and cloud computing, hosted by VMware. It is the largest virtualization-specific event. Each year, there is a VMworld US and a VMworld Europe event, addressing VMware’s two main target geographies.

VMworld US 2018 is hosted at the Mandalay Bay Convention Center in Las Vegas, Nevada for the third consecutive year, from Sunday August 26, 2018 to Thursday August 30, 2018. Previously it was hosted in San Francisco and Los Angeles, after its inaugural edition in San Diego in 2004.


About my sessions

I’ll make three main appearances during VMware VMworld US 2018, besides the obvious parties and gatherings.


Implementing Microsoft AD on VMware Technologies

VAP3771WU, Sunday August 26 8AM – 5PM, Workshop

On Sunday, we will host the first ever VMworld Active Directory Domain Services (AD DS) Workshop. While other technologies like Microsoft SQL Server and SAP have had Virtualized Application Workshops at several VMworld events as additional VMworld packages, this is the first of its kind!

Active Directory Domain Services (AD DS) is one of the most critical components of a Windows IT infrastructure. VMware’s Microsoft Applications Virtualization Lead, Deji Akomolafe, one of the leading AD DS experts in the field, and I will deliver this technical workshop. Together, we take you through the journey of virtualizing AD DS, avoiding common pitfalls, and recovering from common failures and problems associated with running AD DS in your enterprise. Demos include hands-on troubleshooting, correction, stabilization, and optimization of a defective AD DS forest with multiple domains. Topics will include virtualization and the AD DS database, replication, time synchronization and convergence, fault domains, common challenges, and general best practices.


Virtualize Active Directory the right way!

VAP1898BU, Monday August 27 1PM – 2PM, Breakout

Active Directory Domain Services (AD DS) allows organizations to deploy a scalable and secure directory service for managing users, resources, and applications. Virtualization of AD DS has been supported for many years now, but has required careful management to avoid pitfalls around replication, time management, and access. While Windows Server 2012 provides greater support for virtualization by including virtualization-safe features (VM-Generation ID awareness) and support for rapid Domain Controller deployment, Windows Server 2016 added more virtualization and cloud-focused security enhancements with features such as the Host Guardian Service and Shielded VMs.

In this session, Matt Liebowitz and I share our many do’s and don’ts and show VMware vSphere’s enhanced security feature, VM Encryption for vSphere – VMCrypt, which provides persistent, OS-agnostic VM data encryption across the virtual infrastructure.


Meet the Experts

MTE5029, Monday August 27 4:15PM – 5PM, Foyer Table 2

Join me to get your Active Directory Domain Services virtualization questions answered. You and a small group of your peers can interact directly to gain the deep, hands-on experience you need. This is me white-boarding, answering your toughest challenges and providing best-practice advice.


Join us!

Join me while I take the stage with Deji and Matt or experience my fabled white-boarding skills in a 1 on 1 setting.

Don’t miss out and register for VMware VMworld US 2018.


Azure’s Access Control Service is retiring in three months’ time


This is your wake-up call

One of Azure’s oldest identity-related services, Azure’s Access Control Service (ACS), will cease to exist soon. There are replacements. If your organization is still using ACS, you will need to migrate this functionality to Azure AD, Azure AD B2C, AD FS and/or 3rd party solutions.


About the Access Control Service

The Microsoft Azure Access Control Service (or ACS) is a cloud-based service that provides a way of authenticating and authorizing users to gain access to web applications and services.

Using ACS, admins can easily orchestrate the authentication and much of the authorization of users through identity providers like Facebook, Google, Yahoo and Microsoft Accounts, using standards like WS-Federation, SAML, OAuth 2.0 and OpenID.


From ACS to Azure AD

If that sounds awfully familiar, then you’re probably thinking of Azure AD B2C as the Microsoft technology that offers the same functionality. However, that’s just one part of the story: B2C aims at non-organizational (consumer) users, while the functionality that ACS offered for users within your own or affiliated organizations is rolled into Azure AD itself, as described by Alex Simons back in February 2015.

Since then, Microsoft has made big strides to achieve feature parity between Azure AD, Azure AD B2C and Azure ACS. One of the last features on that road(map) was the ability to define custom policies in Azure AD B2C to integrate with any SAML, OpenID Connect or OAuth-based provider, next to its built-in policies.

In many areas, the functionality of Azure AD surpasses ACS, like with role-based access  control (RBAC) as illustrated by this TechNet Wiki article on Azure Recovery Services.

Because ACS brokers access, applications that rely on it need code to work with it; ACS offers .NET Framework, PHP, Python, Java and Ruby support, and many (Microsoft) services and applications have adopted its functionality in their code. For Azure AD, Microsoft has standardized all of its support into the Azure Active Directory Authentication Libraries (ADAL), offering downloadable libraries, source code, samples and references to developers looking to adopt Azure Active Directory.


Goodbye ACS

Now, it’s time to say ‘Goodbye’ to Azure’s Access Control Service (ACS). On November 7, 2018, ACS will be retired and shut down, causing all requests to the service to fail.

This retirement affects any organization that has created one or more ACS namespaces in their Azure subscriptions.

Are you affected?

There’s an easy way to find out. However, since ACS was not migrated to the ‘new’ Azure Portal, you will need to use the Azure ACS PowerShell Module.

First, install the PowerShell Module from the PowerShell Gallery using the following one-liner:

Install-Module -Name Acs.Namespaces

With the PowerShell Module installed, connect to the Access Control Service management endpoint, using the following one-liner:


Now, use the following one-liner to list any ACS Namespaces:


If your Azure subscription features ACS Namespaces, follow the ACS migration guidance to migrate the functionality to Azure AD, Azure AD B2C, Active Directory Federation Services (AD FS) or even 3rd party functionality from Auth0 and Ping Identity.

If your apps and services do not use ACS, then you have no action to take.
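The check described above, written out as a script you can run as-is. This is an added example, not the original post’s own one-liners; it assumes the Acs.Namespaces module from the PowerShell Gallery and its Connect-AcsAccount and Get-AcsNamespace cmdlets, and that the account you sign in with can read the subscription(s) you want to audit.

```powershell
# Added example: find out whether any ACS namespaces remain in your subscription(s),
# so you know whether migration work is needed before the November 7, 2018 shutdown.
# Assumption: the Acs.Namespaces module exposes Connect-AcsAccount and Get-AcsNamespace.

if (-not (Get-Module -ListAvailable -Name Acs.Namespaces)) {
    Install-Module -Name Acs.Namespaces -Scope CurrentUser -Force
}
Import-Module Acs.Namespaces

# Interactive sign-in; use an account that can read every subscription you want to audit
Connect-AcsAccount

# Wrap in @() so a single namespace still yields a countable array
$namespaces = @(Get-AcsNamespace)

if ($namespaces.Count -eq 0) {
    Write-Output 'No ACS namespaces found: no migration work is needed for this account''s subscription(s).'
    return
}

Write-Warning ('{0} ACS namespace(s) found. Each one needs a migration target (Azure AD, Azure AD B2C, AD FS or a 3rd-party IdP) before November 7, 2018.' -f $namespaces.Count)

# Keep the raw output as a record of what existed before migration
$namespaces | Format-List *
```

Run this once per account that holds Azure subscriptions; ACS namespaces live per subscription, so an audit under one account does not cover subscriptions that account cannot see.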



Three months might prove to be just the right amount of time for organizations to migrate off Azure’s Access Control Service (ACS).

Further reading

ACS Overview
The future of Azure ACS is Azure Active Directory
Upcoming changes to the Microsoft Access Control Service
4 month retirement notice: Access Control Service


Veeam Backup for Office 365 version 2 expands on earlier Cloud Protections

Veeam in the datacenter

Back in May 2017, we wrote about Veeam Backup for Office 365 as your organization’s contingency plan for Exchange Online. Last month, Veeam released version 2 of its Backup for Office 365 product, with new features and a broader scope for Office 365 contingency planning.

Version 2 expands on the functionality of previous versions of Veeam Backup for Office 365. Rightly so, because Veeam Backup for Office 365 is hugely popular: over 35,000 organizations already use Veeam to back up more than 41,000 Office 365 mailboxes.


What’s New in Version 2

Data Protection for SharePoint

While Exchange Online might be the first service many organizations onboard as they enter Office 365, there are a couple of definite use cases for organizations to use SharePoint Online. Note that Microsoft Teams uses SharePoint Online by default for file storage.

Veeam Backup for Office 365 version 2 now supports backing up and restoring SharePoint Online, next to SharePoint Server on-premises. Just like in version 1, admins can use the respective Veeam Explorer to granularly restore individual items (documents, calendars, libraries and lists) to their original location, to SharePoint Online or to SharePoint on-premises. This allows for full SharePoint hybrid connectivity.

Data Protection for OneDrive for Business

In the cloud model, file shares and folder redirection don’t make that much sense. Sure, Microsoft offers Work Folders as a solution for organizations that need to rely on file server-based information security measures for individuals’ files, by synchronizing the contents of a folder over HTTPS instead of SMB, but many organizations adopt a combination of Microsoft’s Azure AD Join, Enterprise State Roaming and OneDrive for Business when they introduce Windows 10.

Besides the logic inside Veeam Backup for Office 365 version 2 to properly discover and backup data inside OneDrive for Business, a new Veeam Explorer is introduced with Veeam Backup for Office 365 version 2: the Veeam Explorer for Microsoft OneDrive for Business.

Admins can perform in-place restores, including restoring to another OneDrive user or another folder in OneDrive and export files as an original or zip file.

New themes

Veeam Backup for Office 365 version 2 now offers themes. While Veeam Green is, obviously, the default theme, Veeam Backup for Office 365 version 2 offers a choice between Sea Green, Marine Blue and Ocean Graphite as color palettes too. This gets Veeam Backup for Office 365 version 2 in line with the Veeam Backup & Replication 9.5 user experience, that offers the same functionality for admins that might want to distinguish production servers from test or acceptance servers that way.

Update Notifications

Veeam Backup for Office 365 version 2 provides admins with a new mechanism that checks for a newer version of the application every 24 hours by sending requests to the Veeam auto-update server.


Things to Note

While Veeam Backup for Office 365 version 2 offers many new features, there are a couple of things I feel you need to be aware of:

Azure AD data

Veeam Backup for Office 365 focuses on data. While Veeam Backup for Office 365 version 2 will back up and allow you to restore data in Office 365, it does not offer a solution for backing up and restoring information on user accounts, groups, etc. There is no Veeam Explorer for Microsoft Azure Active Directory. While these objects and many of their attributes are likely synchronized from an on-premises Active Directory Domain Services environment, some are not. Noteworthy information you might lose, despite leveraging Veeam Backup for Office 365 version 2, includes B2B user information, licensing information, multi-factor authentication registrations and group memberships. While data can be reattached to recreated accounts using Veeam Backup for Office 365 version 2, admins might need to recreate, readjust or restore accounts, groups and/or group memberships first.

Microsoft Teams

You can protect Microsoft Teams when the underlying storage of the Teams data is within SharePoint Online, Exchange Online or OneDrive for Business. While data can be protected and restored, the Teams tabs and channels cannot. After restoring the item, it can however be reattached manually.

Full Backups

Due to a change in indexing by Microsoft, some organizations using Veeam Backup for Office 365 version 2 might experience daily full backups instead of incremental backups. Microsoft’s new indexing system, deployed to several Office 365 tenants but not all, makes backups take a long time and consume more disk space. The immediate workaround is to open a case with Microsoft Support and ask to be moved back to the legacy indexing system.

Multi-factor Authentication

The use of a dedicated service account for Veeam Backup for Office 365 is recommended. At minimum, this service account needs to be assigned the SharePoint Administrator role for SharePoint and OneDrive for Business backups and restores. For Exchange Online backups and restores, the service account needs the ApplicationImpersonation, Organization Configuration, View-Only Configuration and View-Only Recipients roles, plus either the Mailbox Search or the Mail Recipients role.

You are strongly advised against simply assigning the service account the Global Administrator role: the product signs in with a username and password, so the service account cannot be protected with multi-factor authentication, and a credential that cannot be protected with MFA should hold no more privilege than the roles listed above.
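One way to grant exactly the Exchange Online roles listed above and nothing more: put them in a dedicated role group and make the service account its only member. This is an added example, not Veeam’s documentation or code; it assumes the ExchangeOnlineManagement module and uses placeholder names (svc-veeam@contoso.com, admin@contoso.com).

```powershell
# Added example: least-privilege Exchange Online roles for the backup service account,
# instead of Global Administrator. Placeholder values: svc-veeam@contoso.com, admin@contoso.com.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$serviceAccount = 'svc-veeam@contoso.com'
$roleGroupName  = 'Veeam Backup for Office 365'

# Roles the product needs for Exchange Online backup and restore.
# Mailbox Search and Mail Recipients are alternatives; only one of them is required.
$roles = @(
    'ApplicationImpersonation',
    'Organization Configuration',
    'View-Only Configuration',
    'View-Only Recipients',
    'Mailbox Search'
)

# Create the role group once; re-running the script does not duplicate it
if (-not (Get-RoleGroup -Identity $roleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $roleGroupName -Roles $roles -Members $serviceAccount `
        -Description 'Least-privilege roles for the Veeam Backup for Office 365 service account' |
        Out-Null
}

# Verify: the role group should carry exactly the roles above
Get-ManagementRoleAssignment -RoleAssignee $roleGroupName |
    Select-Object Role, RoleAssigneeName |
    Sort-Object Role -Unique

# Verify: the service account must not also sit in Organization Management (Exchange admin)
Get-RoleGroupMember -Identity 'Organization Management' |
    Where-Object { "$($_.PrimarySmtpAddress)" -eq $serviceAccount } |
    ForEach-Object { Write-Warning "$serviceAccount is still a member of Organization Management" }

Disconnect-ExchangeOnline -Confirm:$false
```

The SharePoint Administrator role for the SharePoint Online and OneDrive for Business part is an Azure AD directory role and is assigned separately, in the Azure AD portal or with the Azure AD PowerShell module.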



Veeam Backup for Microsoft Office 365 is licensed per Office 365 user in all tenants. 

New installations of Veeam Backup for Office 365 run as Community Edition by default. This mode allows you to process up to 10 user accounts across all organizations, including 1 TB of Microsoft SharePoint data. The Community license is not limited in time and does not limit program functionality. To install your paid, fully-functional product license, enter the license file information.

Installations of Veeam Backup for Office 365 version 1 and Veeam Backup for Office 365 version 1.5 can be upgraded to Veeam Backup for Office 365 version 2. After upgrading Veeam Backup for Office 365 itself, all backup repositories, backup proxies and backup jobs need to be upgraded manually, because they will be marked as out of date.

When organizations have licenses for version 1, then version 2 can be downloaded and installed.


Version information

This is version of Veeam Backup for Office 365.
It was released on July 24, 2018

Further reading

Veeam Backup for Microsoft Office 365 v2: SharePoint and OneDrive support is here! 
Veeam Backup for Microsoft Office 365 v2 Release Notes [PDF]


Azure Multi-Factor Authentication Server was released

Microsoft Azure Multi-Factor Authentication

Roughly four months ago, we saw the release of a new major version of Microsoft’s Azure Multi-Factor Authentication (MFA) Server, version Last week, Microsoft released a minor version, dubbed version that addresses a couple of issues you might experience with version


What’s New

Incompatibility with Japanese Windows installations

The team fixed an issue that admins might experience when launching the Azure Multi-Factor Authentication (MFA) Server Admin Console on Japanese versions of Windows.

Language selection for the User Portal

Azure Multi-Factor Authentication (MFA) Server’s User Portal is an additional component that allows end-users to make changes to their on-premises MFA registrations in a web-based environment. The User Portal is available in several languages and offers end-users a selection of languages for text messages, phone calls and other authentication-related settings.

The team fixed an issue with retaining the selected language in the User Portal.

Other minor bug fixes

While the above fixes could be classified as minor fixes, the team reports that they’ve fixed other minor issues in Azure Multi-Factor Authentication (MFA) Server as well.


Upgrade considerations

You must upgrade MFA Server and Web Service SDK before upgrading the User Portal, Mobile Portal or AD FS adapter. Read the guidance in the How to Upgrade section in this blogpost for more information.



You can download Azure Multi-Factor Authentication Server here.
The download weighs 128.2 MB.


Version information

This is version of Azure Multi-Factor Authentication (MFA) Server.
It was signed off on July 26, 2018.


What’s New in Azure Active Directory for July 2018

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new and changed functionality for Azure Active Directory for July 2018:


What’s New

Azure AD Activity Logs are now available through Azure Monitor

Service category: Reporting
Product capability: Monitoring & Reporting

The Azure AD Activity Logs are now available in public preview in Azure Monitor (Azure’s platform-wide monitoring service). Through Azure Monitor, the logs offer organizations these improvements:

  • Long-term retention by routing your log files to your own Azure storage account.
  • Seamless integration with Security Information and Event Management (SIEM) solutions, without having to write or maintain custom scripts.
  • Seamless integration with own custom solutions, analytics tools, and/or incident management solutions.


Conditional access information added to the Azure AD sign-ins report

Service category: Reporting
Product capability: Identity Security & Protection

This update to the Azure AD Sign-ins Report lets admins see which policies are evaluated when a user signs in along with the policy outcome. In addition, the report now includes the type of client app used by the user, so admins can identify legacy protocol traffic. Report entries can also now be searched for a correlation ID, which can be found in the user-facing error message and can be used to identify and troubleshoot the matching sign-in request.


View legacy authentications through Sign-ins activity logs

Service category: Reporting
Product capability: Monitoring & Reporting

With the introduction of the Client App field in the Sign-in activity logs, organizations can now see which users are using legacy authentication. Admins can access this information using the Sign-ins MS Graph API or through the Sign-in activity logs in the Azure AD portal, where admins can now use the Client App control to filter on legacy authentication.
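Once the sign-in logs are routed to a storage account through Azure Monitor (the first item above), the Client App and Conditional Access fields (the previous two items) can be processed offline. The following is an added example, not part of the original post or Microsoft’s documentation: it classifies exported sign-in records into legacy and modern authentication and lists the Conditional Access policies evaluated for each. The three records are constructed for the example; the field names follow the Microsoft Graph signIn resource as Azure Monitor exports it under `properties`, which is an assumption to check against your own export.

```powershell
# Added example: flag legacy authentication in exported Azure AD sign-in records and show
# the Conditional Access policies evaluated per sign-in. Sample data is constructed; field
# names assume the Microsoft Graph signIn schema under "properties" in the Azure Monitor export.

$sampleExport = @'
[
  {"time":"2018-07-20T08:01:12Z","properties":{"userPrincipalName":"alice@contoso.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Browser","correlationId":"0f2c5f1e-0001-4c8a-9b1d-aaaaaaaaaaaa","conditionalAccessStatus":"success","status":{"errorCode":0},"appliedConditionalAccessPolicies":[{"displayName":"Require MFA for all users","result":"success"}]}},
  {"time":"2018-07-20T08:03:45Z","properties":{"userPrincipalName":"bob@contoso.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"IMAP","correlationId":"0f2c5f1e-0002-4c8a-9b1d-bbbbbbbbbbbb","conditionalAccessStatus":"notApplied","status":{"errorCode":0},"appliedConditionalAccessPolicies":[]}},
  {"time":"2018-07-20T08:05:09Z","properties":{"userPrincipalName":"carol@contoso.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Exchange ActiveSync","correlationId":"0f2c5f1e-0003-4c8a-9b1d-cccccccccccc","conditionalAccessStatus":"failure","status":{"errorCode":53003},"appliedConditionalAccessPolicies":[{"displayName":"Block legacy authentication","result":"failure"}]}}
]
'@

# Client App values that use modern authentication. Every other value in this field
# (IMAP, POP, SMTP, Exchange ActiveSync, Other clients, ...) is legacy authentication,
# which Conditional Access cannot challenge for MFA: it can only allow or block it.
$modernClientApps = @('Browser', 'Mobile Apps and Desktop clients')

$signIns = $sampleExport | ConvertFrom-Json

$report = foreach ($entry in $signIns) {
    $p = $entry.properties
    [pscustomobject]@{
        Time          = $entry.time
        User          = $p.userPrincipalName
        ClientApp     = $p.clientAppUsed
        LegacyAuth    = $p.clientAppUsed -notin $modernClientApps
        CAStatus      = $p.conditionalAccessStatus
        # "Policy=result" pairs, so a blocked sign-in shows which policy blocked it
        CAPolicies    = ($p.appliedConditionalAccessPolicies |
                            ForEach-Object { '{0}={1}' -f $_.displayName, $_.result }) -join '; '
        # The correlation ID is what a user sees in the error message; keep it for troubleshooting
        CorrelationId = $p.correlationId
    }
}

# The sign-ins to chase down: legacy authentication that Conditional Access did not block
$report | Where-Object { $_.LegacyAuth -and $_.CAStatus -ne 'failure' } | Format-Table -AutoSize

# Full picture, one line per sign-in
$report | Format-Table -AutoSize
```

With the constructed data, only bob@contoso.com’s IMAP sign-in ends up in the first table: it used legacy authentication and no policy applied to it, whereas carol@contoso.com’s Exchange ActiveSync sign-in was blocked by the “Block legacy authentication” policy. Point `$sampleExport` at the contents of your exported JSON instead of the here-string to run it against real data.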


New Federated Apps available in Azure AD app gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2018, The Azure AD team has added these 16 new apps with Federation support to the app gallery:


New user provisioning SaaS app integrations

Service category: App Provisioning
Product capability: 3rd Party Integration

Azure AD allows organizations to automate the creation, maintenance, and removal of user identities in SaaS applications such as Dropbox, Salesforce, ServiceNow, and more. For July 2018, Microsoft has added user provisioning support for the following applications in the Azure AD app gallery:


Converged security info management for self-service password reset and Multi-Factor Authentication

Service category: Self-Service Password Reset
Product capability: User Authentication

This new feature lets users manage their security info (for example, phone number, email address, mobile app, and so on) for self-service password reset (SSPR) and Multi-Factor Authentication (MFA) in a single experience. Users will no longer have to register the same security info for SSPR and MFA in two different experiences. This new experience also applies to users who have either SSPR or MFA.

This is an opt-in public preview. Admins can turn on the new experience (if desired) for a selected group of users or all users in a tenant.


What’s Changed

Improvements to Azure AD email notifications

Service category: Other
Product capability: Identity lifecycle management

Azure Active Directory (Azure AD) emails now feature an updated design, as well as changes to the sender email address and sender display name, when sent from the following services:

  • Azure AD Access Reviews
  • Azure AD Connect Health
  • Azure AD Identity Protection
  • Azure AD Privileged Identity Management
  • Enterprise App Expiring Certificate Notifications
  • Enterprise App Provisioning Service Notifications

The email notifications will be sent from Be sure to check the Junk Email folder of your (admin) mailbox, and to update any mail flow rules you might have.


Visual updates to the Azure AD and MSA sign-in experience

Service category: Azure AD
Product capability: User Authentication

Microsoft has updated the user interface for Microsoft’s online services sign-in experience, such as for Office 365 and Azure. This change makes the screens less cluttered and more straightforward. For more information about this change, see the Upcoming improvements to the Azure AD sign-in experience blogpost, dated April 4th, 2018.


Updates to the Terms of Use (ToU) end-user interface

Service category: Terms of Use
Product capability: Governance

Microsoft has updated the acceptance string in the TOU end-user interface.

Current: In order to access [tenant] resources, you must accept the terms of use.
New: In order to access [tenant] resource, you must read the terms of use.

Current: Choosing to accept means that you agree to all of the above terms of use.
New: Please click Accept to confirm that you have read and understood the terms of use.


Pass-through Authentication supports legacy protocols and applications

Service category: Authentications (Logins)
Product capability: User Authentication

Pass-through Authentication (PTA) now supports legacy protocols and apps. These previously unsupported scenarios now work:

  • User sign-ins to legacy Office client applications, Office 2010 and Office 2013, without requiring modern authentication.
  • Access to calendar sharing and free/busy information in Exchange hybrid environments on Office 2010 only.
  • User sign-ins to Skype for Business client applications without requiring modern authentication.
  • User sign-ins to PowerShell version 1.0.
  • The Apple Device Enrollment Program (Apple DEP), using the iOS Setup Assistant.


Use the Microsoft Authenticator app to verify your identity when you reset your password

Service category: Self-Service Password Reset
Product capability: User Authentication

This feature lets non-admins verify their identity while resetting a password using a notification or code from Microsoft Authenticator (or any other authenticator app). After admins turn this self-service password reset method on, colleagues who have registered a mobile app through or can use their mobile app as a verification method while resetting their password.

Mobile app notification can only be turned on as part of a policy that requires two methods to reset your password.


Azure AD Connect version 1.1.880.0 is now available

Azure AD Connect

Last Friday, Microsoft released Azure AD Connect version 1.1.880.0, a new release of Microsoft’s free Hybrid Identity bridge product that synchronizes objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.


What’s Fixed

SQL Deadlock Issue

The Azure AD Connect team fixed a bug that would intermittently produce an error message for an auto-resolved SQL deadlock issue.

Accessibility Issues

The Azure AD Connect team fixed several accessibility issues for the Sync Rules Editor and the Sync Service Manager.

Registry access issue

The Azure AD Connect team fixed a bug where Azure AD Connect could not read registry setting information.

Forward/Back Issue

The Azure AD Connect team fixed a bug that created issues when the user goes forward/back in the Azure AD Connect configuration wizard.

Multi-thread handling issue

The Azure AD Connect team fixed a bug to prevent an error caused by incorrect multi-thread handling in the Azure AD Connect configuration wizard.

LDAP error resolving issue

When an admin encounters an LDAP error while resolving security groups on the Group Sync Filtering page, Azure AD Connect now returns the exception with full fidelity. The root cause of the referral exception is still unknown and will be addressed as a separate bug.

Windows Hello for Business Certificate Issue

The Azure AD Connect team fixed a bug where permissions for Next Generation Cryptography (NGC) and non-NGC keys were not correctly set on the msDS-KeyCredentialLink attribute on user and/or device objects for Windows Hello for Business.

Set-ADSyncRestrictedPermissions issue

The Azure AD Connect team fixed a bug where Azure AD Connect did not call the Set-ADSyncRestrictedPermissions Windows PowerShell Cmdlet correctly.

Support for permission granting on Group Write-back

The Azure AD Connect team added support for permission granting on the Group Writeback feature in Azure AD Connect’s installation wizard.

Sign-in method switching issue (PHS to AD FS)

Previously, when changing the sign-in method from Password Hash Synchronization (PHS) to Active Directory Federation Services (AD FS), Password Hash Sync was not disabled. Starting in Azure AD Connect version 1.1.880.0, switching the sign-in method disables PHS.

IPv6 Verification in AD FS configuration

When Azure AD Connect is used to manage Active Directory Federation Services (AD FS), it verifies DNS resolution of the AD FS service name. Previously, only IPv4 addresses were verified against IPv4-based DNS servers. The Azure AD Connect team added verification of IPv6 addresses in the AD FS configuration, so organizations that only use IPv6 are now able to use this functionality, too.

Updated error messages

The Azure AD Connect team updated the notification message that indicates a configuration already exists in Azure AD Connect.

In multi-domain and multi-forest environments, one Organizational Unit (OU) needs to be picked by an admin in one of the domains for device write-back. When device write-back fails to detect the container in an untrusted forest, a better error message and a link to the appropriate documentation are shown.

Deselecting an OU and then synchronizing or writing back objects that correspond to that OU used to give a generic sync error. This has been changed to a more understandable error message.


What’s New

PingFederate Integration is GA

The PingFederate integration in Azure AD Connect is now Generally Available (GA). Learn more about how to federate Azure AD with PingFederate.

More resilient AD FS RPT Change logic

Azure AD Connect now creates a backup of the “Office 365 Identity Platform” relying party trust (RPT) in Active Directory Federation Services (AD FS) every time an update is made, and stores it in a separate file for easy restore if required. Learn more about the new functionality and Azure AD trust management in Azure AD Connect.

New troubleshooting tooling

New troubleshooting tooling has been introduced to help troubleshoot changing primary email addresses and accounts hidden from the global address list (GAL).

SQL Server Native Client update

Azure AD Connect was updated to include the latest SQL Server 2012 Native Client.

Seamless Single Sign-On by Default

When an admin switches the  user sign-in method to Password Hash Synchronization (PHS) or Pass-through Authentication (PTA) in the “Change user sign-in” task, the Seamless Single Sign-On (S3O) checkbox is enabled by default.

Added support for Windows Server Essentials 2019

Azure AD Connect can now be installed on Windows Server Essentials 2019, the edition of Windows Server 2019 aimed at home offices and small businesses. Currently, there is no further information available on this specific edition of Windows Server 2019. Windows Server 2019 itself is currently in preview.

Azure AD Connect Health Agent

The Azure AD Connect Health agent that is installed by default with every Azure AD Connect installation is updated to version This version corrects the race condition in the Azure AD Connect Health Sync Monitor service that caused 100% CPU on Azure AD Connect installations with the latest Windows updates installed.

Version Azure AD Connect Health Agent for AD FS and AD DS are also available as separate downloads to resolve identical issues on Web Application Proxies (WAPs), AD FS Servers and Domain Controllers that are monitored using Azure AD Connect Health.

More resilient modified Sync Rule overwrite logic

During an upgrade, if the Azure AD Connect installer detects changes to the default sync rules, the admin is prompted with a warning before overwriting the modified rules. This will allow the user to take corrective actions and resume later.

Previously, if there was any modified out-of-box rule, a manual upgrade overwrote those rules without giving any warning to the admin, and the sync scheduler was disabled without informing the user. Now, the admin is prompted with a warning before the modified out-of-box sync rules are overwritten. The admin has the choice to stop the upgrade process and resume later, after taking corrective action(s).
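What to run around that warning, as an added example (not Microsoft’s or Azure AD Connect’s own code): before the upgrade it keeps a copy of every sync rule and lists the custom rules and the out-of-box rules that have been disabled or re-ordered, so the prompt can be acted on; after the upgrade it checks that the sync scheduler was not left disabled. It assumes the ADSync module that Azure AD Connect installs, that rule objects expose the IsStandardRule, Precedence and Disabled properties, that custom rules use precedence 0–99 while out-of-box rules start at 100, and a backup folder; confirm the property names with Get-ADSyncRule | Get-Member.

```powershell
# Added example (not Azure AD Connect's own code): inventory sync rules before an upgrade and
# verify the scheduler afterwards. Assumptions: the ADSync module is present, rule objects
# carry IsStandardRule / Precedence / Disabled (confirm with Get-ADSyncRule | Get-Member),
# custom rules use precedence 0-99 and out-of-box rules 100 and up, and the folder below is
# writable. Run on the Azure AD Connect server as a member of the local ADSyncAdmins group.

Import-Module ADSync

$backupDir = 'C:\AADConnectBackup'   # assumed folder
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }

$rules = Get-ADSyncRule

# 1. Keep a full copy of every rule, standard and custom, so a rule that the upgrade
#    overwrites can be compared with, or rebuilt from, its pre-upgrade state.
$rules | Export-Clixml -Path (Join-Path $backupDir "$stamp-SyncRules.xml")

# 2. Custom rules survive an upgrade, but list them anyway: they usually exist because a
#    standard rule was cloned and the original disabled, and step 3 should match them up.
Write-Host "Custom sync rules:"
$rules | Where-Object { -not $_.IsStandardRule } |
    Select-Object Name, Direction, Precedence, Disabled | Format-Table -AutoSize

# 3. Out-of-box rules that were disabled or moved into the custom precedence range are the
#    ones the new upgrade warning is about: decide, per rule, whether the change must survive
#    (recreate it as a custom rule) before letting the installer continue. Edits to the
#    attribute flows of a standard rule are not visible this way, which is exactly why the
#    installer's own warning matters.
$touchedStandard = $rules | Where-Object {
    $_.IsStandardRule -and ($_.Disabled -or $_.Precedence -lt 100)
}
if ($touchedStandard) {
    Write-Warning "Out-of-box rules that have been disabled or re-ordered:"
    $touchedStandard | Select-Object Name, Direction, Precedence, Disabled | Format-Table -AutoSize
} else {
    Write-Host "No disabled or re-ordered out-of-box rules found."
}

# 4. After the upgrade: the scheduler must be enabled again, otherwise nothing synchronizes
#    and the first symptom is usually a password change or a deletion that never arrives.
$scheduler = Get-ADSyncScheduler
if (-not $scheduler.SyncCycleEnabled) {
    Write-Warning 'The sync cycle is disabled. Re-enable it with: Set-ADSyncScheduler -SyncCycleEnabled $true'
} else {
    Write-Host "Sync cycle enabled; next sync at $($scheduler.NextSyncCycleStartTimeInUTC) UTC"
}
```

Step 4 is worth running after every upgrade, not only the ones that prompted: a silently disabled scheduler looks identical to a healthy installation in the Synchronization Service Manager until someone notices that an account disabled on-premises is still signing in to Azure AD.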

Error for MD5 Hash Generation in FIPS-compliant environments

Azure AD Connect now handles a FIPS compliance issue better: it provides an error message for MD5 hash generation in FIPS-compliant environments, together with a link to documentation that provides a workaround for this issue.

Grouped Federation Tasks

All federation additional tasks are now grouped under a single sub-menu for ease of use.

ADSyncConfig PowerShell Module revamped

A new, revamped ADSyncConfig Windows PowerShell module (AdSyncConfig.psm1) is introduced in Azure AD Connect version 1.1.880.0. It now includes the AD permissions functions, which were moved from the old ADSyncPrep.psm1 Windows PowerShell module; that older module may be deprecated shortly.
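A first look at the revamped module, as an added example and not code from the module itself: it loads AdSyncConfig.psm1 from the Azure AD Connect installation folder, lists what the module exports, and uses one of the AD permissions functions to grant the AD DS Connector account basic read permissions. The installation path, the account and domain names, and the function and parameter names used in the call are assumptions; confirm them with Get-Command -Module AdSyncConfig and Get-Help before running anything against a production domain.

```powershell
# Added example (not the ADSyncConfig module's own code): load the module, list its functions
# and grant the AD DS Connector account basic read permissions. Assumptions: the default
# install path below, placeholder account and domain names, and the function and parameter
# names as documented at the time (verify with Get-Command -Module AdSyncConfig and
# Get-Help Set-ADSyncBasicReadPermissions -Full). Run as a Domain Admin on a domain-joined
# machine with the Azure AD Connect binaries installed.

$modulePath = 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'
if (-not (Test-Path $modulePath)) { throw "AdSyncConfig.psm1 not found at $modulePath" }
Import-Module $modulePath -ErrorAction Stop

# What the module offers: every permission function it exports, which is the quickest way to
# see the permission scopes (basic read, password hash sync, write-back, ...) it can set, and
# to confirm the functions that used to live in ADSyncPrep.psm1 are now here.
Get-Command -Module AdSyncConfig | Select-Object Name | Format-Table -AutoSize

# Placeholder identities for the AD DS Connector (service) account Azure AD Connect uses.
$connectorAccount = 'MSOL_example'      # placeholder; use the real connector account name
$connectorDomain  = 'corp.example.com'  # placeholder domain

# Least privilege: grant only the basic read permissions first, on the domain root, and add
# scope-specific permissions (password hash sync, write-back) only for features actually
# enabled in the sync configuration. Each such feature has its own Set-ADSync*Permissions
# function in the listing above.
Set-ADSyncBasicReadPermissions -ADConnectorAccountName $connectorAccount `
                               -ADConnectorAccountDomain $connectorDomain
```

Treat the permission functions as you would any change to the domain root ACL: read the function’s help, note which access control entries it adds, and review the resulting ACL afterwards, because the connector account is a standing credential with domain-wide read rights and, with the optional scopes, write rights too.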


Version information

This is version 1.1.880.0 of Azure AD Connect.
It was signed off on July 20, 2018.


When will you get it?

This release is currently distributed to Azure AD Connect tenants that have enabled auto-upgrade. When sufficient auto-upgrade tenants have upgraded to eliminate the possibility of a bad Azure AD Connect version, Microsoft will release Azure AD Connect version 1.1.880.0 for general download here.



Azure AD Connect version 1.1.880.0 offers numerous fixes that make your life as a Hybrid Identity admin more enjoyable, including one for the 100% CPU issue with the Azure AD Connect Health Sync Monitor service. On a high note, PingFederate support is now GA with this version.


I’m doing a webcast with Redmond Magazine on typical Disaster Recovery gaps in Hybrid Active Directory environments



A while back, I was invited by Redmond Magazine to work with them on a webcast. As I feel Redmond Magazine is still one of the leading publications for Microsoft-oriented IT Pros, I agreed wholeheartedly.

August 1st 2018 marks the calendar for our first mutual experience!


About Redmond Magazine

Redmond Magazine is the authoritative, independent voice of the Microsoft IT community, and provides real-world technical, product, news, and industry information for experienced IT professionals working within a Windows platform computing environment.

RedmondMag’s readers are the decision drivers of the industry and include IT managers, network managers, network administrators and system administrators. Providing them with the information, strategies, and behind-the-scenes insight into Microsoft and the Windows computing platform enables them to make better-informed decisions regarding their organizations’ IT infrastructures.


About the webinar

The webinar is hosted by Redmond Magazine on August 1st, 2018 at 11 AM Pacific Time:

Disaster Recovery Gaps in Hybrid AD Environments

Sander Berkouwer, Microsoft MVP
Keri Farrell, Quest Software

Many organizations have embraced hybrid identity strategies, where they extend their on-premises Active Directory Domain Services environment to Azure AD.

Let’s look at how admins have typically performed this task, and why their real-world setups differ from Microsoft’s marketing materials. Learn how Azure AD is not (and cannot be) seen as a 100% slave to Active Directory and how this impacts your backup and restore strategy both in terms of changes and deletions.

Backing up AD, but not Azure AD? You might be in trouble…


Join us!

Register today to join us!
This webinar is offered free of charge.

The webcast is sponsored by Quest.


I’m speaking at TechMentor Redmond 2018

TechMentor Redmond 2018: Geek Of Thrones

Presenting at the Microsoft Campus in Redmond has been an item on my bucket list, for a while. In three weeks time, I’m getting the opportunity to do just that, at TechMentor Redmond 2018!


About TechMentor Events

TechMentor offers quality education and exposure to what’s now, new and next in the IT world. Since 1998, TechMentor has delivered immediately usable training to IT professionals.

Leveraging highly respected and professional presenters, TechMentor delivers how-to technical information on deploying, managing and supporting Microsoft products and technologies.


About TechMentor Redmond 2018: ‘Geek of Thrones’

On August 6 through August 10, 2018, TechMentor returns to Microsoft Headquarters in Redmond, WA for TechMentor Redmond 2018: ‘Geek of Thrones’. In today’s IT world, more things change than stay the same. For its 20th birthday, TechMentor is more committed than ever to providing immediately usable IT education, with the tools you need today, while preparing you for tomorrow – keep up, stay ahead and avoid Winter, ahem, Change.


About my presentations

I will be delivering two presentations:

TH13 – Security Implications of Virtualizing Active Directory Domain Controllers

Thursday August 9 2:15PM – 3:30 PM, St. Helens

Active Directory Domain Controllers hold the keys to your kingdom. So how do you virtualize these castles of identity, without compromising on the requirements of your organization?

This session shares best practices and process recommendations from the field for hardening, backing up, restoring and managing virtualized Domain Controllers on Hyper-V, on Azure Stack and in Azure Infrastructure-as-a-Service VMs.


TH19 – Azure AD Connect Inside and Out

Thursday August 9 3:45PM – 5 PM, Cascade

New hybrid cloud scenarios introduce new identity challenges. But how do you overcome these? How do you properly design and implement Hybrid Identity in real world scenarios?

In this demo-packed session, I’ll turn Microsoft’s free Hybrid Identity ‘bridge’ product, Azure AD Connect, inside out, showing all the good stuff, but also the gory details!
This session is one no Active Directory admin should miss!


Join us!

You owe it to yourself, your company and your career to be at TechMentor Redmond 2018! This is your chance to experience 5 full days of sessions and in-depth workshops taught by 3rd party instructors, leading independent IT analysts and Microsoft team members. Register for TechMentor Redmond 2018: ‘Geek of Thrones’ now.


Veeam Availability Suite adds support for the latest technology

Veeam Availability Suite 9.5 Update 3a

This week, we’ve seen the availability of Veeam Availability Suite Update 3a. This update addresses several minor issues. However, it also adds support for the latest and greatest that Veeam Vanguards and Veeam admins work with.


Veeam Backup and Replication 9.5 Update 3a

Veeam B&R is the cornerstone of Veeam’s Availability Suite.

This Monday, the Release Notes for Veeam Backup & Replication 9.5 Update 3a were published.

‘Update 3a’ seems like only a little update to the ‘Update 3’ release, but remember that I feel Update 3 was, in fact, a big release offering a lot of new and improved functionality, including the ability to centrally manage Veeam agents.

Update 3a brings support for:

  • VMware vSphere 6.5 Update 2 Preliminary
  • VMware vSphere 6.7
  • VMware vCloud Director 9.1
  • VMware Cloud on AWS version 1.3
  • Microsoft Windows Server Semi-Annual Channel (SAC) releases:
    • Windows Server, version 1803 Standard Edition
    • Windows Server, version 1803 Datacenter Edition
  • Microsoft System Center Virtual Machine Manager 1801

Windows Server version 1709 was supported with Veeam B&R Update 3, already.

To get the most out of their life cycles, more and more organizations upgrade earlier to the latest vSphere, vCloud Director, Windows 10 and Windows Server releases. Ensuring that these platforms are supported for backup is an important check on their checklists.


Veeam Agent for Microsoft Windows

When Veeam introduced its Agent for Microsoft Windows, it broke free of the virtualization space and entered the mainstream world of backup and restore solutions that support virtualized, multi-cloud and non-virtualized resources, while still offering industry-best support for virtualized workloads.

With its integration in Veeam Availability Suite 9.5 Update 3 for centralized management, the Veeam Agent for Microsoft Windows became a key part of Veeam’s Availability Suite.

Veeam Agent for Windows 2.2 now offers support for:

  • Windows Server Semi-Annual Channel (SAC) releases: Windows Server version 1803
  • Windows 10 1803 (RS4, April 2018 update)

Windows Server version 1709 and Windows 10 1709 (RS3, Fall Creators Update) were supported with Veeam B&R Update 3, already.


Veeam Agent for Linux

Version 2 of Veeam’s Agent for Linux was the first version of the product to be manageable through Veeam Availability Suite. This allows you to streamline the discovery, deployment and centralized management of these agents.

Veeam Agent for Linux version 2.0.1 works with Veeam Availability Suite 9.5 Update 3a.

This recently released version supports any Linux kernel from version 2.6.32 and above as long as you use the default kernel of your distribution. Notable newly supported Linux distribution versions by Veeam Agent for Linux 2.0.1 include:

  • Oracle Linux (UEK) R4 U6, R4 U7
  • Oracle Linux (RHCK) 7.5
  • CentOS 7.5
  • RedHat Enterprise Linux 7.5
  • Ubuntu 18.04
  • Fedora 27, 28
  • openSUSE Leap 15
  • SUSE Linux Enterprise for SAP Applications 11 SP4
  • SUSE Linux Enterprise for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3


Veeam ONE

Veeam ONE provides complete visibility and delivers proactive monitoring and alerting. Veeam ONE did not need an update to support the above products. The version that was part of the generally available version 9.5 Update 3 was confirmed to be fully compatible with these technologies already.



Veeam Availability Suite 9.5 Update 3a is mostly a platform support release, although the Release Notes also mention 20 minor updates, including support for ExpressRoute for Direct Restore to Azure.

Further reading

Veeam 9.5 Update 3a – What’s in it for Service Providers
Veeam Availability Suite 9.5 Update 3a is now available!
NEW Veeam Agent for Microsoft Windows 2.2
NEW Veeam Agent for Linux 2.0.1