What’s New in Azure Active Directory for November 2017

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for November 2017:


What’s Planned

Retiring ACS

Service Category: ACS
Product Capability: Access Control Service

Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) will be retired in late 2018. Further information, including a detailed schedule and high-level migration guidance, will be provided in the next few weeks. In the meantime, leave comments on this page with any questions regarding ACS, and a member of our team will help to answer.


Restrict browser access to the Intune managed browser

Service Category: Conditional Access
Product Capability: Identity Security & Protection

With this behavior, you will be able to restrict browser access to Office 365 and other Azure AD-connected cloud apps using the Intune Managed Browser as an approved app. Today, access is blocked when using this condition. When the preview of this behavior is available, all access will require the use of the managed browser application.


New approved client apps for Azure AD app-based conditional access

Service Category: Conditional Access
Product Capability: Identity Security & Protection

The following apps are planned to be added to the list of approved client apps:


What’s New

Terms of Use support for multiple languages

Service Category: Terms of Use (ToU)
Product Capability: Governance/Compliance

Administrators can now create new terms of use (ToU) that contain multiple Portable Document Format (PDF) documents. You can tag these documents with a corresponding language. Users that fall in scope are shown the PDF with the matching language based on their preferences. If there is no match, the default language is shown.


Real-time password write-back client status

Service Category: Self-service Password Reset (SSPR)
Product Capability: User Authentication

You can now review the status of your on-premises password write-back client. This option is available in the On-premises integration section of the Password reset blade in the Azure Portal.


Azure AD app-based conditional access

Service Category: Azure AD
Product Capability: Identity Security & Protection

You can now restrict access to Office 365 and other Azure AD-connected cloud apps to approved client apps that support Intune App Protection policies using Azure AD app-based conditional access. Intune app protection policies are used to configure and protect company data on these client applications.

By combining app-based with device-based conditional access policies, you have the flexibility to protect data for personal and company devices.


Managing Azure AD devices in the Azure portal

Service Category: Device Registration and Management
Product Capability: Identity Security & Protection

You can now find all your devices connected to Azure AD and the device-related activities in one place. There is a new administration experience to manage all your device identities and settings in the Azure portal.


Support for macOS as device platform for Azure AD conditional access

Service Category: Conditional Access
Product Capability: Identity Security & Protection

You can now include (or exclude) macOS as a device platform condition in your Azure AD conditional access policy. With the addition of macOS to the supported device platforms, you can:

  • Enroll and manage macOS devices using Intune
  • Ensure macOS devices adhere to your organization’s compliance policies defined in Intune
  • Restrict access to applications in Azure AD to only compliant macOS devices


NPS Extension for Azure MFA

Service Category: MFA
Product Capability: User Authentication

The Network Policy Server (NPS) extension for Azure MFA adds cloud-based MFA capabilities to your authentication infrastructure using your existing servers. With the NPS extension, you can add phone call, text message, or phone app verification to your existing authentication flow without having to install, configure, and maintain new servers.


Restore or permanently remove deleted users

Service Category: User Management
Product Capability: Directory

In the Azure AD admin center, you can now:

  • Restore a deleted user
  • Permanently delete a user

You are no longer required to use PowerShell for this purpose.
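For reference, the PowerShell route that this update makes optional, as an added example that is not part of the release notes: it assumes the MSOnline module with an existing Connect-MsolService session, and the UPN at the bottom is a constructed sample value.

```powershell
# Added example (not from the release notes): restore or permanently remove a
# soft-deleted user with the MSOnline module. Assumes Connect-MsolService has
# already been run with an account that may manage users. Soft-deleted users
# stay in the recycle bin for 30 days; a permanent delete cannot be undone.

function Get-DeletedAadUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # -ReturnDeletedUsers limits the query to the recycle bin.
    Get-MsolUser -ReturnDeletedUsers -All |
        Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
}

function Restore-DeletedAadUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $deleted = Get-DeletedAadUser -UserPrincipalName $UserPrincipalName
    if (-not $deleted) {
        throw "No soft-deleted user with UPN '$UserPrincipalName' was found."
    }

    # Edge case: if the UPN was reused for a new account in the meantime, a plain
    # restore fails. Restore under a temporary UPN and let Azure AD drop the
    # conflicting proxy addresses, then hand the new UPN back to the caller.
    $active = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if ($active) {
        $domain  = $UserPrincipalName.Split('@')[1]
        $tempUpn = "restored-$($deleted.ObjectId)@$domain"
        Write-Warning "UPN '$UserPrincipalName' is in use; restoring as '$tempUpn'."
        Restore-MsolUser -UserPrincipalName $UserPrincipalName `
            -NewUserPrincipalName $tempUpn -AutoReconcileProxyConflicts
        return $tempUpn
    }

    Restore-MsolUser -UserPrincipalName $UserPrincipalName
    return $UserPrincipalName
}

function Remove-DeletedAadUserPermanently {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $deleted = Get-DeletedAadUser -UserPrincipalName $UserPrincipalName
    if (-not $deleted) {
        throw "No soft-deleted user with UPN '$UserPrincipalName' was found."
    }
    # Irreversible: purges the object from the recycle bin.
    Remove-MsolUser -UserPrincipalName $UserPrincipalName -RemoveFromRecycleBin -Force
}

# Constructed sample value; replace with a UPN from your own tenant.
Restore-DeletedAadUser -UserPrincipalName 'jane.doe@contoso.example'
```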


What’s Changed

New approved client apps for Azure AD app-based conditional access

Service Category: Conditional Access
Product Capability: Identity Security & Protection

The following apps have been added to the list of approved client apps:

  • Microsoft Planner
  • Microsoft Azure Information Protection


Ability to ‘OR’ between controls in a conditional access policy

Service Category: Conditional Access
Product Capability: Identity Security & Protection

The ability to ‘OR’ (Require one of the selected controls) conditional access controls has been released. This feature enables you to create policies with an OR between access controls. For example, you can use this feature to create a policy that requires a user to sign in using multi-factor authentication OR to be on a compliant device.


Aggregation of real-time risk events

Service Category: Identity Protection
Product Capability: Identity Security & Protection

To improve your administration experience, in Azure AD Identity Protection, all real-time risk events that originated from the same IP address on a given day are now aggregated for each risk event type. This change limits the volume of risk events shown without any change to user security.

The underlying real-time detection still runs each time the user signs in. If you have a sign-in risk security policy set up to require MFA or to block access, it is still triggered during each risky sign-in.


I’m co-presenting a webinar on tracking changes in Hybrid Identity environments

Next week, on Wednesday November 29, 2017 I’m co-presenting a webinar on tracking changes in Hybrid Identity environments, based on Active Directory Domain Services (AD DS) and Azure AD. The session is sponsored by Netwrix, who I think have a stellar solution for tackling this challenge.

This expert webinar is scheduled for a convenient time for my American friends, at 2PM. A webinar for Europe and Africa is slated for early next year.


About Netwrix

Netwrix is a private IT security software company, which offers IT auditing solutions for systems and applications across your IT infrastructure. Netwrix specializes in change, configuration and access auditing software with its Netwrix Auditor solution. Netwrix is a partner of Microsoft, VMware, EMC, NetApp and HP ArcSight.

If you’ve worked in highly-secure highly-regulated IT environments, you’re probably familiar with the Netwrix brand, because their Active Directory auditing solution is one of the best out there.


About the webinar

For many organizations, Active Directory is the cornerstone of their network infrastructure. However, as cloud adoption among businesses increases, IT teams are posed with more and more security challenges by these hybrid environments. It’s a daunting struggle to manage both Active Directory and Azure AD, let alone ensure the security of such deployments. How can you monitor critical changes? Or comply with the certifications your organization needs?

In this webinar, you’ll learn how you can monitor privileged account activity, stay on top of critical changes and a slew of security threats in hybrid environments with Netwrix Auditor. You will get an abundance of ready-to-go recommended practices, so you’ll be able to start with Netwrix Auditor 9.5 the right way, immediately.

I’m co-presenting the webinar with Jeff Melnick, systems engineer at Netwrix. This way, you get the best practices from the field and expert analysis tips, directly from the guys who build the Netwrix Auditor product.


Join me! Smile

The webinar is offered free of charge.
You only need to register in advance to become part of the fun!

Of course, if you can’t make November 29, 2PM EDT, you can also register for viewing the webinar on-demand, after we’ve finished up.


Pictures of the Hybrid Identity Protection Conference 2017 in New York

Last week, I spent a long weekend in New York, NY for the inaugural Hybrid Identity Protection Conference.

Welcome to Paris

I flew in on Saturday November 4 via Paris, where I boarded an Air France Boeing 777 that had its seats filled to, at best, 30%. There was ample space and I enjoyed working on a couple of designs and other documents during the 8-hour flight in. Unfortunately, I landed late and, therefore, had some trouble getting from JFK to Manhattan. By the time I arrived at the Holiday Inn, it was around midnight (6AM European time).

The next day, Roelf Zomerman and I went on a tour of the Statue of Liberty and Ellis Island. We went for a quick breakfast and then off to Battery Park, where we met our guide.

The Statue of Liberty
Ellis Island, where between 1890 and 1924, 5,000 people per day passed through to become US citizens
Manhattan
With Roelf on the Statue tour
The Oculus, old buildings and skyscrapers. Just another day in New York

Afterwards, we met up with Tomasz Onyszko, strolled through the city to Greenwich Village and had pizza at John’s of Bleecker Street.

One World Trade Center
With Tomasz and Roelf at John’s of Bleecker

On Monday, the inaugural Hybrid Identity Protection Conference kicked off at 7 World Trade Center.

Breakfast at the WTC
A Bit of Kerberos (photo by Roelf Zomerman)

On Monday night, we all had drinks at the Roaring Twenties-inspired Wooley at the Woolworth Building, where we snapped a picture of all the speakers, much to the amusement of the attendees present.

Speakers at the Wooley (photo from social media)

Tuesday marked Day 2 and Roelf and I had a lot of fun explaining Azure AD Connect and its many facets during the 135 minutes we ended up with by combining our two sessions into a back-to-back, two-fold exposé of our favourite tool.

Roelf pointing out the rules
Roelf being recorded

After our sessions, I had to go check out and leave New York, to get back to the Netherlands in time to deliver yet another presentation, but not before I said goodbye to all my good DSMVP friends.

I owe a big bag of gratitude to Mickey, Guy, Sean, Darren, Gil, Brian, Christoffer, Henrik, John, Tomasz, Michael, Joe and especially Roelf and the Hybrid Identity Protection Conference attendees for making this my favourite conference next to the MVP Summit.

Let’s do this again sometime soon! Smile


I’m co-presenting at the KNVI Congress

The Dutch Professional Association of Information and IT Professionals (KNVI) organizes its yearly congress next week. I’m honored to be invited to co-present two sessions, together with my buddy Raymond Comvalius.


About KNVI

The Dutch Professional Association of Information and IT Professionals (KNVI) is an independent platform for sharing professional knowledge and expanding the personal networks of ICT Pros, information professionals, students and employers who want to keep their employees up to date.

KNVI organizes multiple meetings per month, publishes AG Connect both online and in print, and offers discounts to its members.

KNVI is a merged organization of several professional associations, including the Dutch Networking User Group (Ngi-NGN) and the Dutch Association for Documentary Information and Organization Administration (SOD).

About KNVI Congress

The KNVI Congress is KNVI’s largest event, organized yearly. The 2017 KNVI Congress is organized on November 9th, 2017 at the NBC Congrescentrum in Nieuwegein, Netherlands. This year’s theme is Information is Power.

This year’s event features keynotes by René ten Bos, the appointed Dutch Thinker, Professor Rik Maes and Marietje Schaake, member of the European Parliament.


Our sessions

Raymond and I will present two 40-minute sessions:

Automatic D, T and A environments and Continuous Integration with Veeam and Microsoft

11:30AM – 12:10PM, Track 5: The New Datacenter, will it empower us?

Microsoft Azure changes daily. We can expect a new version of Windows Server every six months. Although Microsoft offers a wide bandwidth of supported versions, organizations expect their admins to keep up and stay within the bandwidth.

The only way we see admins keep up is by testing changes and formally accepting these changes in representative test and acceptance environments. Raymond and I show the attendees how to achieve this cost-effectively and safely. We’ll also share our best practices, based on our experiences with Veeam and Microsoft technologies and products. We’ll enable their organizations to take a couple of steps forward.

How to Migrate off your on-premises environments

2:15PM – 2:55PM, Track 8: The Power of Cloud

The continuing waves in the sea of IT push us towards the cloud, today. Yesterday’s wave of virtualization and last decade’s waves of VDI and centralization might have left you wary of any new projects. But today’s news is really something and we’d like you to pay attention, because it’s easily digestible with last decade’s experience under your belt.

Raymond and I show you how to embrace the new possibilities of the cloud and potentially get rid of the square footage, cooling needs, firewalls and even your Domain Controllers. Dive into the full stack of Microsoft cloud possibilities and impossibilities with us.


Join KNVI!

It’s not too late to join KNVI Dutch.
This is a prerequisite to being able to attend the KNVI Congress.

Subscriptions to KNVI for students are free. Subscriptions for individuals start at EUR 97,50 per year for members aged 27 and below and EUR 99,99 for retirees. Other individual subscriptions set you back EUR 165 per year. Organizational subscriptions are available upon request.


What’s New in Azure Active Directory for October 2017

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for October 2017:


What’s Planned

Deprecating Azure AD reports

Service Category: Reporting
Product Capability: Identity Lifecycle Management

The Azure portal provides you with:

  • A new Azure Active Directory administration console
  • New APIs for activity and security reports

Due to these new capabilities, the report APIs under the /reports endpoint will be retired on December 10, 2017.


What’s New

New Multi-Factor Authentication features

Service Category: Multi-Factor Authentication (MFA)
Product Capability: Identity Security & Protection

Multi-Factor authentication (MFA) is an essential part of protecting your organization. To make credentials more adaptive and the experience more seamless, the following features have been added:

  • Integration of multi-factor challenge results directly into the Azure AD sign-in report, including programmatic access to MFA results
  • Deeper integration of the MFA configuration into the Azure AD configuration experience in the Azure portal

With this public preview, MFA management and reporting are an integrated part of the core Azure AD configuration experience. Aggregating both features enables you to manage the MFA management portal functionality within the Azure AD experience.

Terms of use

Type: New feature
Service Category: Terms of Use (ToU)
Product Capability: Governance

Azure AD terms of use provide you with a simple method to present information to end users. This ensures that users see relevant disclaimers for legal or compliance requirements.

You can use Azure AD terms of use in the following scenarios:

  • General terms of use for all users in your organization.
  • Specific terms of use based on a user’s attributes (e.g. doctors vs. nurses or domestic vs. international employees, done by dynamic groups).
  • Specific terms of use for accessing high business impact apps, like Salesforce.


Enhancements to privileged identity management

Service Category: PIM
Product Capability: Privileged Identity Management

With Azure Active Directory Privileged Identity Management (PIM), you can now manage, control, and monitor access to Azure Resources (Preview) within your organization to:

  • Subscriptions
  • Resource groups
  • Virtual machines

All resources within the Azure portal that leverage the Azure Role Based Access Control (RBAC) functionality can take advantage of all the security and lifecycle management capabilities Azure AD PIM has to offer.

Access reviews

Type: New feature
Service Category: Access Reviews
Product Capability: Governance

Access reviews (preview) enable organizations to efficiently manage group memberships and access to enterprise applications:

  • You can recertify guest user access using access reviews of their access to applications and memberships of groups. The insights provided by the access reviews enable reviewers to efficiently decide whether guests should have continued access.
  • You can recertify employees’ access to applications and group memberships with access reviews.

You can collect the access review controls into programs relevant for your organization to track reviews for compliance or risk-sensitive applications.

Hiding third-party applications from My Apps and the Office 365 launcher

Service Category: My Apps
Product Capability: Single Sign-On

You can now better manage apps that show up on your user portals through a new hide app property. Hiding apps helps with cases where app tiles are showing up for backend services or duplicate tiles end up cluttering users’ app launchers. The toggle is located on the properties section of the third-party app and is labeled Visible to user? You can also hide an app programmatically through PowerShell.
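The programmatic route, as an added example that is not part of the release notes: it assumes the AzureAD module with an existing Connect-AzureAD session, uses the HideApp service principal tag that Microsoft documents for this toggle, and the app display name at the bottom is a constructed sample value.

```powershell
# Added example (not from the release notes): hide or unhide an enterprise app
# from My Apps and the Office 365 launcher by setting the HideApp tag on its
# service principal, the same switch the portal labels "Visible to user?".
# Assumes Connect-AzureAD has already been run. Note that hiding only removes
# the tile; it does not revoke assignments or block sign-in to the app.

$HideTag = 'HideApp'

function Set-AppVisibility {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][bool]$Visible
    )
    # OData filter: a single quote in the name must be doubled to be escaped.
    $escaped = $DisplayName.Replace("'", "''")
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$escaped'"
    if (-not $sp -or $sp.Count -gt 1) {
        throw "Expected exactly one service principal named '$DisplayName'."
    }

    # Tags is a list; keep every other tag (for example the gallery/integration
    # tags) intact and only add or remove HideApp.
    $tags = [System.Collections.Generic.List[string]]::new()
    foreach ($tag in $sp.Tags) {
        if ($tag -ne $HideTag) { $tags.Add($tag) }
    }
    if (-not $Visible) { $tags.Add($HideTag) }

    Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -Tags $tags
}

function Get-HiddenApps {
    # Audit view: every service principal currently hidden from users.
    Get-AzureADServicePrincipal -All $true |
        Where-Object { $_.Tags -contains $HideTag } |
        Select-Object DisplayName, ObjectId
}

# Constructed sample value: hide the tile of a backend service, then list what is hidden.
Set-AppVisibility -DisplayName 'Contoso Billing API (backend)' -Visible $false
Get-HiddenApps
```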

What’s Changed

Automatic sign-in field detection

Service Category: My Apps
Product Capability: Single Sign-On (SSO)

Azure Active Directory supports automatic sign-in field detection for applications that render an HTML username and password field. These steps are documented in How to automatically capture sign-in fields for an application. You can find this capability by adding a Non-Gallery application on the Enterprise Applications page in the Azure portal. Additionally, you can configure the Single Sign-on mode on this new application to Password-based Single Sign-on, entering a web URL, and then saving the page.

Due to a service issue, this functionality was temporarily disabled for a period of time. The issue has been resolved and the automatic sign-in field detection is available again.


I’m speaking at the Hybrid Identity Protection Conference in New York

Next week, I’m joining many of my technical friends at the Hybrid Identity Protection Conference in New York, NY.

For those who attended The Experts Conference (TEC) and NetPro’s Directory Experts Conference (DEC) events previously, the Hybrid Identity Protection Conference promises to be at least as much fun as these events, where you’ve seen the likes of Gil Kirkpatrick, Sean Deuby, Darren Mar-Elia, Brian Desmond, Joe Kaplan and Jorge de Almeida Pinto.



About the Hybrid Identity Protection Conference

The Hybrid Identity Protection Conference is Semperis Inc.’s event in the spirit of The Expert Conference (TEC) to bring together the leading experts in the field of Identity and Access Management. The event offers a unique opportunity to spend two days on-site in New York with peers, whose day-to-day job is to architect, manage, and protect identity management in the hybrid enterprise.

Attendees are able to meet face-to-face with the leading experts of their field, acquire in-depth technical knowledge, and be exposed to the latest innovation.

The 2017 Hybrid Identity Protection Conference takes place on November 6th and November 7th at the famous 7 World Trade Center in New York City’s Tribeca neighborhood. Just minutes’ walk from famous landmarks, attractions, museums, and famous restaurants in Manhattan, and with astounding views of the New York skyline.


About my presentations

I’m delivering three presentations at the inaugural Hybrid Identity Protection Conference. With pride, I’m co-presenting two of my presentations with Roelf Zomerman, the only Dutch Active Directory Microsoft Certified Master (MCM):

Virtualizing Domain Controllers in Hyper-V and Azure

Monday November 6th 2017 3:40PM – 4:40PM

Active Directory Domain Controllers hold the keys to your kingdom. So how do you virtualize these castles of identity, without compromising on the requirements of your organization?

In this session I share my best practices, from the field, for hardening, backing up, restoring and managing virtualized Domain Controllers on Hyper-V, Azure Stack and in Azure Infrastructure-as-a-Service VMs. The information is based on the latest version of Azure and Windows Server 2016, like Shielded VMs, but will also show how the functionality of Windows Server 2012 and Windows Server 2012 R2 already allows for risk mitigation and availability, too, so you don’t have to upgrade everything immediately, if you can’t.

Azure AD Connect, The Dutch Connection

Tuesday November 7th 10AM – 11AM

With businesses adopting more cloud, how do you cope with the new identity challenges? How do you properly design and implement Hybrid Identity in real-world scenarios?

In this first of two demo-packed sessions, two Dutchmen, Sander Berkouwer (Microsoft MVP) and Roelf Zomerman (Microsoft Cloud Solution Architect), explain the ins and outs of Azure AD Connect, Microsoft’s free Hybrid Identity “bridge” product.

Learn about the history of Azure AD Connect and why and what it does. See authentication scenarios supported by Azure AD Connect and how Azure AD Connect brings your colleagues and their devices to the cloud. You’ll receive useful tips and tricks to apply in your organization.

Azure AD Connect, The World is not Enough

Tuesday November 7th 11:30AM – 12:45PM

Join Roelf Zomerman (Microsoft Cloud Solution Architect) and Sander Berkouwer (Microsoft MVP) for the second session in their Azure AD Connect series, where they open the door to the world behind complex Hybrid Identity architectures. (And to people who didn’t attend the first session, of course.)

Like the Dutch explored the world, they explore the world of complex identity scenarios in multi-forest environments and alternate ImmutableID situations. Find out where errors come from and how to resolve them while we sail through the inner workings of the Azure AD Connect tool.

We’ll share the things you didn’t think were possible with Azure AD Connect, and dive deep into the tools. Are you looking to handle multi-forest scenarios, change the immutable ID or juggle with Azure AD Connect’s synchronization rules to cope with increasing business requirements, without losing your Microsoft support? This is your go-to session!


Join us!

There is still time to register.

For me, with the Global MVP Summit moved from the November timeframe to March, this is the opportunity to hang out with these guys and I’m looking forward to it!


Pictures of IT/DEV Connections 2017

I just came back from San Francisco where I enjoyed the 2017 edition of Penton’s IT/DEV Connections conference.

On Saturday October 22nd, I flew out from Amsterdam Schiphol Airport to Paris Charles de Gaulle Airport, to catch a nice Air France-operated flight to San Francisco in one of their flagship Airbus A380s. My first flight in one of these planes.

The formidable Airbus A380 at Paris CDG Airport
Boarding the A380 is not a small feat.

All throughout my stay in San Francisco, the weather was really nice. The only clouds I saw during the week were icons in people’s presentations. I was out and about in the city with my Serbian friend Aleksandar Nikolic for two afternoons before IT/DEV Connections started and enjoyed it very much.

Downtown San Francisco at dusk
The hills of San Francisco (photo by Aleksandar Nikolic)
View of the Golden Gate Bridge
Hyde Street Pier with its historic ships
On top of Lombard Street
Lombard Street, said to be the crookedest street
Pier 39... intrigued by the people, mostly. (photo by Aleksandar Nikolic)
A sunny day at San Francisco's Embarcadero (photo by Aleksandar Nikolic)

On Monday, IT/DEV Connections started.

My IT/DEV Connections 2017 Speaker Badge
The IT/DEV Connections 2017 Speaker Lounge (photo by Rod Trent)
Welcome to IT/DEV Connections 2017
The roster for room Continental 8

On Tuesday, I participated in the Cloud & Datacenter Ask the Experts panel. It’s fun to be seated between true experts such as Cameron Fuller, Bert Wolters, Dieter Wijckmans, Martyn Coupland, David O’Brien, Darren Mar-Elia and John Savill. We engaged the audience with open minds and had some interesting discussions on DevOps, Azure Active Directory and Azure Site Recovery.

The Cloud and Datacenter Ask the Experts Panel

On Wednesday, I presented a 75-minute session on Azure Active Directory, Azure Infrastructure-as-a-Service, Azure File Sync, Azure Cloud Print, Windows Autopilot and Office 365. In my opinion, this constellation of Microsoft products enables the vast majority of organizations today to move from on-premises infrastructure to cloud with everything except end-user devices, printers and basic networking. On the other side, some organizations may already be part of the cloud, even though they’d claim to be 100% on-premises organizations…

My guesstimate for market share of Azure Stack (photo by Aleksandar Nikolic)
As you can clearly see ... (photo by Aleksandar Nikolic)
The way I feel ... (photo by Aleksandar Nikolic)

I enjoyed the session. Luckily, the attendees allowed for an interactive, introspective and interesting session. I’m sure we addressed all of their dreams and nightmares.

After my session I prepared to go home. A couple of us had dinner at Punjab, which is an extremely nice Indian restaurant. My journey back home started on Thursday, but only after a visit to the pool at the Hilton…

Having dinner at Punjab's (photo by Pete Zerger)
The pool on the 16th floor of the San Francisco Hilton
Saying goodbye to San Francisco


Thank you!

A big ‘Thank You!’ to all the IT/DEV Connections attendees, sponsors, speakers and staff for making the past week such an enjoyable experience!

I hope to see you all next year for IT/DEV Connections 2018 in Dallas, TX.


Pictures of Lowlands Unite! Belgium Edition

Thursday, last week, I presented a 60-minute session on achieving productivity without an on-premises infrastructure at Lowlands Unite! Belgium Edition.

I was en route pretty early, to avoid traffic jams around Rotterdam and Antwerpen. During the drive, I encountered only a little traffic, so that was good.

Entering Belgium
The Lamot Brewery
Entrance at the Lamot Brewery

As the venue, Lowlands Unite! picked the Lamot brewery. This is a big venue and we occupied two of the many available rooms. The industrial edge of the building makes for an interesting atmosphere and lots of open spaces. Perfect for events, and there were some other events going on during that Thursday.

Totally digging the food for lunch! (photo by Adnan Hendricks)

After an incredible lunch with soup and sandwiches, I presented for 60 minutes in the Cloud and Datacenter Management (CDM) track.

I wonder... (photo by Adnan Hendricks)
Screw That! (photo by Adnan Hendricks)

After my session I stayed around to chat with some of the speakers and organizers, but I soon found my way home, to enjoy a nice quiet evening with my family and prepare for some other sessions these next few weeks.

Thank you! Smile


Azure Multi-Factor Authentication is now in the new Azure Portal (in Public Preview)

For months, admins wanting to create and manage their on-premises Azure Multi-factor Authentication Server settings had to resort to the old Azure Portal, based on the Azure Service Management (ASM) model, and the PhoneFactor Web (PFWeb) portal, while the rest of Azure Active Directory moved and improved in the new Azure Portal, based on Azure Resource Manager (ARM).

Today, this divide ends.

What you needed the old portal for

Previously, you’d use the old Azure Portal, if you’d wanted to:

  • Create an Azure Multi-Factor Authentication Provider, specifying a name, usage model (per enabled user or per authentication), subscription and (optionally) a directory link. These providers let you enable additional security for directory users and applications that use the Multi-Factor Authentication libraries.
  • Delete an Azure Multi-Factor Authentication Provider

Ironically, these actions were all performed on the MULTI-FACTOR AUTH PROVIDERS tab of the ACTIVE DIRECTORY category.

Manage service settings

Additionally, when you’d select the Azure Active Directory in the old Azure Portal, and then go to the CONFIGURE tab and under multi-factor authentication followed the Manage service settings link, you had the opportunity to:

  • Allow users to create app passwords to sign in to non-browser apps
  • Make specific authentication methods (Call to phone, Text message to phone, Notification through mobile app and Verification code from mobile app) available or unavailable to end-users.
  • Allow users to remember multi-factor authentication on devices they trust, and specify the Days before a device must re-authenticate, between 1 and 60 days.

When performing any of the above actions in the old Azure portal, a message would appear on the bottom of the screen warning you that Azure Active Directory management is only possible from the new portal starting November 30, 2017…

To add insult to injury, the old Azure Portal was not readily accessible for CSP and DreamSpark customers. They were confronted with the dreaded No subscriptions found. message, which forced them to sign up for an Azure AD-only subscription.


What you needed PFWeb for

In the old Azure Portal, when you’d click the MANAGE button in the bottom pane, you would be directed to the PhoneFactor Web (PFWeb) portal and be automatically signed into the correct MFA Provider. Here you can:

  • View reports, on usage, blocked user history, bypassed user history, fraud alerts and queued requests. However, these reports are not accessible using an API.
  • View server status
  • Configure general settings, like the number of attempts to try for an MFA call, the time-out for two-way text messages and the Caller ID used
  • Configure authentication caching settings
  • Configure custom voice messages to override the default messages played during an MFA call
  • Configure notifications for fraud alerts, account lockouts and one-time bypasses
  • View the release notes for the latest on-premises Multi-Factor Authentication Server
  • Download the latest version of the on-premises Multi-Factor Authentication Server
  • Generate activation credentials to connect on-premises Multi-factor Authentication Server installations to the MFA Provider.
  • Download Multi-Factor Authentication Software Development Kits (SDKs) for Perl, Ruby, PHP, Java and several versions of ASP.NET (1.1 C#, 1.1 VB, 2.0 C# and 2.0 VB)

On the left side, a pane allowed you to choose between Azure (Default) settings and MFA Server (Default) settings, dividing the two types of authentication.


Now in the new Azure Portal (in Public Preview)

All of the above functionality is now available in the new Azure Portal.

Multi-Factor Authentication in Preview in the new Azure Portal (click for original screenshot)

The preview Multi-Factor Authentication settings are located per Azure Active Directory. To get there, sign in to the Azure portal as an administrator, select Azure Active Directory from the left navigation pane and then select MFA Server in the Security section.

However, there are some things that you need to be aware of:

  1. When you create a new MFA Provider, the tenant drop-down list displays tenant IDs, not the tenant name labels.
  2. MFA Providers created in the new Azure Portal show up in the old Azure Portal, and MFA Providers created in the old Azure Portal show up in the new Azure Portal (as Providers under MFA Server in Azure Active Directory).
  3. The new Azure Portal points to the Microsoft Download Center to get the on-premises MFA Server bits. It specifically points to aka.ms/mfadownload.
  4. Just like in the old portal, when you click on an MFA Provider, you can manage its settings, download the bits and generate activation credentials. However, the following functionality is currently missing:
    1. Viewing the release notes for the latest on-premises Multi-Factor Authentication Server.
    2. Separate notification addresses: there is currently one field to enter e-mail addresses for notifications, whereas in PFWeb notifications could be sent to different e-mail addresses for fraud alerts, account lockouts and one-time bypasses used.
    3. Downloading the MFA Server SDKs; these are not available through the new portal.
  5. A couple of new settings have been introduced:
    1. For users who enter a PIN to authenticate, admins can now set lockout settings (Minutes until account lockout counter is reset and Minutes until account is automatically unblocked) besides the Number of MFA denials to trigger account lockout.
    2. Authentication caching is now governed through cache levels (User, Application or IP address) and authentication type.
    3. Fraud Alerts are now configurable through an additional setting: Automatically block users who report fraud. This setting is turned on by default. The Allow users to submit fraud alerts setting is turned off by default (just like in PFWeb), though. Additionally, the code to report fraud during the initial greeting can be customized.
  6. The MFA Service settings have been, and still are, available through various links in the portals, all pointing to the account.activedirectory.windowsazure.com website. The easiest way to get there, I found, is by signing in to the Azure portal as an administrator, selecting Azure Active Directory from the left navigation pane and then selecting Conditional Access in the Security section. Select Named locations in the navigation blade and click Configure MFA Trusted IPs, which takes you there. There you'll be able to:
    1. Assign MFA status to individual user accounts.
    2. Allow users to create app passwords to sign in to non-browser apps.
    3. Enable Skip multi-factor authentication for requests from federated users on my intranet and specify Skip multi-factor authentication for requests from following range of IP address subnets.
    4. Make specific authentication methods (Call to phone, Text message to phone, Notification through mobile app and Verification code from mobile app) available or unavailable to end-users.
    5. Allow users to remember multi-factor authentication on devices they trust, and specify the Days before a device must re-authenticate, between 1 and 60 days.

Unfortunately, the link at the end of this page to manage advanced settings and view reports, still points to PFWeb…
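The first item on that page, assigning MFA status to individual user accounts, is also scriptable, which matters when you want to audit hundreds of accounts rather than click through them. The following is an added example, not code from the original post or from Microsoft, using the MSOnline module of that time. It assumes Connect-MsolService is run as a Global Administrator; the Enabled/Enforced semantics are the documented per-user MFA states, and the role name is the MSOnline name for Global Administrator.

```powershell
# Added example (not from the original post or from Microsoft): audit and set the
# per-user MFA state that the "Assign MFA status to individual user accounts"
# page manages. Assumes Connect-MsolService succeeds as a Global Administrator.
Import-Module MSOnline
Connect-MsolService

# One row per user: Disabled (no requirement set), Enabled or Enforced, plus the
# registered methods, so you can spot privileged users that never registered.
function Get-PerUserMfaState {
    Get-MsolUser -All | ForEach-Object {
        $req = $_.StrongAuthenticationRequirements
        [PSCustomObject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = if ($req.Count -gt 0) { $req[0].State } else { 'Disabled' }
            Methods           = ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
        }
    }
}

# Enabled asks the user to register at the next interactive sign-in; Enforced also
# breaks legacy (non-browser) clients unless the user has an app password, so
# only enforce for users who have already registered at least one method.
function Set-PerUserMfaState {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [ValidateSet('Disabled','Enabled','Enforced')] [string] $State
    )
    if ($State -eq 'Disabled') {
        # An empty array clears the requirement.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State        = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Usage: Global Administrators without any MFA requirement get Enabled when they
# have no registered method yet, and Enforced when they already registered one.
$adminRole = Get-MsolRole -RoleName 'Company Administrator'
$admins    = (Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId).EmailAddress
Get-PerUserMfaState | Where-Object { $_.UserPrincipalName -in $admins } | ForEach-Object {
    if ($_.MfaState -eq 'Disabled') {
        $target = if ($_.Methods) { 'Enforced' } else { 'Enabled' }
        Set-PerUserMfaState -UserPrincipalName $_.UserPrincipalName -State $target
    }
}
```

The script deliberately never jumps an unregistered account straight to Enforced: an enforced account without a registered method and without app passwords loses access from every legacy client at once, which is the kind of lockout the fraud-alert and account-lockout notifications above exist to catch.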



It’s good to see the public preview of Azure Multi-Factor Authentication in the new Azure Portal. Unfortunately, some settings are still missing, as we would love to use the new and improved settings as soon as possible and leave the old Azure Portal behind.

Another good thing is that MFA Providers you may have created earlier are migrated to the new Azure Portal and are available for management there. This avoids having to migrate previously deployed on-premises MFA Servers from an ASM-based (classic) MFA Provider to a new ARM-based one.

Related blogposts

Ten Things you need to know about Azure Multi-Factor Authentication Server 
Azure Multi-Factor Authentication Server with lots of improvements 
Azure Multi-Factor Authentication features per license and implementation 
Azure Multi-Factor Authentication Methods per Supported Protocol 
Choosing the right Azure MFA authentication methods 
Creating an MFA Provider when you have CSP or DreamSpark 
Things to know about Billing for Azure MFA and Azure MFA Server


Azure AD Connect v1.1.647.0 fixes Common Issues with Sign-In Methods

Last Thursday, Microsoft released version 1.1.647.0 of Azure AD Connect, its free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments to Azure Active Directory.

At Microsoft Ignite, Microsoft declared Seamless Single Sign-On and Pass-through Authentication features as Generally Available, so the team doubled down on fixing some common issues with these user sign-in methods. Other fixes were also included.



The Synchronization Service has a WMI interface that lets you develop your own custom scheduler. This interface is now deprecated and will be removed from versions of Azure AD Connect shipped after June 30, 2018. Customers who want to customize the synchronization schedule should use the built-in scheduler instead.


What’s New

Azure AD Connect

The team added logic to simplify the steps required to set up Azure AD Connect with Microsoft Germany Cloud. Previously, you were required to update specific registry keys on the Azure AD Connect server for it to work correctly with Microsoft Germany Cloud, as described in this article. Now, Azure AD Connect automatically detects whether your tenant is in Microsoft Germany Cloud, based on the global administrator credentials provided during setup.

Azure AD Connect Sync

When troubleshooting Password Synchronization using the Azure AD Connect wizard, the troubleshooting page now returns domain-specific status.

Previously, if you tried to enable Password Hash Synchronization, Azure AD Connect did not verify whether the AD Connector account had the required permissions to synchronize password hashes from on-premises Active Directory. Now, Azure AD Connect wizard will verify and warn you if the account does not have sufficient permissions.
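Password hashes are read from on-premises Active Directory through the directory replication interface, so the permissions the wizard now verifies are the "Replicating Directory Changes" and "Replicating Directory Changes All" extended rights on the domain naming context. The check below is an added example, not code from the original post or from Microsoft, so you can run it yourself before enabling Password Hash Synchronization or on a deployment that predates this version. It assumes the ActiveDirectory module; the connector account name is a placeholder and the two GUIDs are the rightsGuid values of the corresponding controlAccessRight objects in the AD schema.

```powershell
# Added example (not from the original post or from Microsoft): verify that the
# AD DS Connector account holds the replication rights Password Hash
# Synchronization needs. Assumes the ActiveDirectory module; the connector
# account name used at the bottom is a placeholder.
Import-Module ActiveDirectory

function Test-PhsReplicationRights {
    param(
        [Parameter(Mandatory)] [string] $ConnectorAccount,      # 'DOMAIN\MSOL_...' as shown in the Synchronization Service
        [string] $Domain = (Get-ADDomain).DNSRoot
    )
    # rightsGuid values of the two controlAccessRight objects in the AD schema.
    $getChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
    $getChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All

    $ad  = Get-ADDomain -Identity $Domain
    $acl = Get-Acl -Path "AD:\$($ad.DistinguishedName)"

    # The account and its direct group memberships as DOMAIN\name, so rights
    # granted through a group (for example Domain Admins) are recognised.
    # Nested group membership is not expanded here.
    $sam  = $ConnectorAccount.Split('\')[-1]
    $user = Get-ADUser -Identity $sam -Server $Domain
    $principals = @($ConnectorAccount) + @(
        Get-ADPrincipalGroupMembership -Identity $user -Server $Domain |
            ForEach-Object { "$($ad.NetBIOSName)\$($_.SamAccountName)" })

    $hasChanges = $false; $hasChangesAll = $false
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notin $principals) { continue }
        $rights = $ace.ActiveDirectoryRights
        if ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) {
            $hasChanges = $true; $hasChangesAll = $true; continue
        }
        if (-not ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        if ($ace.ObjectType -eq [Guid]::Empty) { $hasChanges = $true; $hasChangesAll = $true }  # all extended rights
        if ($ace.ObjectType -eq $getChanges)    { $hasChanges = $true }
        if ($ace.ObjectType -eq $getChangesAll) { $hasChangesAll = $true }
    }
    [PSCustomObject]@{
        Domain                   = $Domain
        ConnectorAccount         = $ConnectorAccount
        ReplicatingChanges       = $hasChanges
        ReplicatingChangesAll    = $hasChangesAll
        ReadyForPasswordHashSync = ($hasChanges -and $hasChangesAll)
    }
}

Test-PhsReplicationRights -ConnectorAccount 'CONTOSO\MSOL_0123456789ab'
```

Run it against each domain in a multi-domain forest, because the rights are granted per domain naming context. The same two rights are what a DCSync attack needs, so any account that passes this check deserves the same protection as a domain controller's credentials.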



What’s Fixed

Azure AD Connect

The team fixed an issue in the Change user sign-in task in the Azure AD Connect wizard. The issue occurred when you had an existing Azure AD Connect deployment with Password Synchronization enabled, tried to set the user sign-in method to Pass-through Authentication, and at the same time disabled or enabled Seamless Single Sign-on.

The team also fixed another issue in the Change user sign-in task in the Azure AD Connect wizard. The issue occurred when you had an existing Azure AD Connect deployment with Password Synchronization disabled and tried to set the user sign-in method to Pass-through Authentication. When the change was applied, the wizard enabled both Pass-through Authentication and Password Synchronization. With this fix, the wizard no longer enables Password Synchronization, because, since Azure AD Connect version 1.1.557.0, Password Synchronization is no longer a prerequisite for enabling Pass-through Authentication.

The team fixed an issue that caused Azure AD Connect upgrades to fail with the error “Unable to upgrade the Synchronization Service”. Afterwards, the Synchronization Service could no longer start, logging the event error “The service was unable to start because the version of the database is newer than the version of the binaries installed”. The issue occurred when the administrator performing the upgrade did not have the sysadmin privilege on the SQL Server instance used by Azure AD Connect. With this fix, Azure AD Connect only requires the administrator to have the db_owner privilege on the ADSync database during upgrade.
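The reduced requirement is easy to verify before you start an in-place upgrade, and doing so avoids the half-upgraded state described above. The check below is an added example, not code from the original post or from Microsoft. It assumes the SqlServer module (for Invoke-Sqlcmd) and reads the SQL instance and database name from the ADSync service's Parameters registry key; the value names Server, SQLInstance and DBName, and the LocalDB instance name used as a fallback, are assumptions based on existing installations.

```powershell
# Added example (not from the original post or from Microsoft): check, under the
# account that will run the upgrade, whether it has db_owner on the ADSync
# database (sufficient since 1.1.647.0) and whether it has sysadmin (what older
# versions needed). Registry value names are assumptions.
Import-Module SqlServer   # provides Invoke-Sqlcmd; on older systems the module is SQLPS

function Test-AdSyncDbUpgradeRights {
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\ADSync\Parameters'
    if ([string]::IsNullOrEmpty($p.Server)) {
        $instance = '(localdb)\.\ADSync'                       # assumed LocalDB default
    } elseif ([string]::IsNullOrEmpty($p.SQLInstance)) {
        $instance = $p.Server
    } else {
        $instance = "$($p.Server)\$($p.SQLInstance)"
    }
    $database = if ([string]::IsNullOrEmpty($p.DBName)) { 'ADSync' } else { $p.DBName }

    # IS_ROLEMEMBER is evaluated in the context of the database we connect to.
    $query = @"
SELECT SUSER_SNAME()                AS LoginName,
       IS_SRVROLEMEMBER('sysadmin') AS IsSysadmin,
       IS_ROLEMEMBER('db_owner')    AS IsDbOwner;
"@
    $r = Invoke-Sqlcmd -ServerInstance $instance -Database $database -Query $query

    [PSCustomObject]@{
        Instance   = $instance
        Database   = $database
        Login      = $r.LoginName
        IsSysadmin = ($r.IsSysadmin -eq 1)
        IsDbOwner  = ($r.IsDbOwner -eq 1)
        CanUpgrade = ($r.IsDbOwner -eq 1)   # db_owner on ADSync is enough from 1.1.647.0 on
    }
}

Test-AdSyncDbUpgradeRights
```

Run this in the same elevated session, under the same account, that you will use for the upgrade; the point of the check is the identity SQL Server sees, not the one you think you are using.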

The team fixed an Azure AD Connect Upgrade issue that affected customers who have enabled Seamless Single Sign-On. After Azure AD Connect is upgraded, Seamless Single Sign-On incorrectly appears as disabled in Azure AD Connect wizard, even though the feature remains enabled and fully functional. With this fix, the feature now appears correctly as enabled in the wizard.

The team fixed an issue that caused Azure AD Connect wizard to always show the Configure Source Anchor prompt on the Ready to Configure page, even if no changes related to Source Anchor were made.

When performing manual in-place upgrade of Azure AD Connect, the customer is required to provide the Global Administrator credentials of the corresponding Azure AD tenant. Previously, upgrade could proceed even though the Global Administrator credentials provided belonged to a different Azure AD tenant. While upgrade appears to complete successfully, certain configurations were not correctly persisted with the upgrade. With this change, the wizard will not allow a manual upgrade to proceed if the credentials provided do not match the Azure AD tenant.

Azure AD Connect health

The team removed redundant logic that unnecessarily restarted Azure AD Connect Health service at the beginning of a manual upgrade.

Azure AD Connect Sync

When the Azure AD Connect wizard created the AD Connector account required to synchronize changes from on-premises Active Directory, it did not correctly assign the account the permission required to read PublicFolder objects. This issue affected both Express installation and Custom installation. This change fixes the issue.

The team fixed an issue that caused the Azure AD Connect Wizard troubleshooting page to not render correctly for administrators running Azure AD Connect on Windows Server 2016.

AD FS Management

The team fixed an issue related to the use of the msDS-ConsistencyGuid as Source Anchor feature. This issue affects customers who have configured Federation with AD FS as the user sign-in method. When you execute the Configure Source Anchor task in the wizard, Azure AD Connect switches to using msDS-ConsistencyGuid as the source attribute for immutableId. As part of this change, Azure AD Connect attempts to update the claim rules in AD FS. However, this step failed because Azure AD Connect did not have the administrator credentials required to configure AD FS. With this fix, Azure AD Connect now prompts you to enter the administrator credentials for AD FS when you execute the Configure Source Anchor task.


Version information

This is version 1.1.647.0 of Azure AD Connect.
It was signed off on October 19, 2017.


Download information

You can download Azure AD Connect here.
The download weighs 78,6 MB.


This release marks the General Availability of two user sign-in options that were previously in public preview. It includes many fixes and code cleanup. Upgrading to it should be at the top of your to-do list (if Azure AD Connect wasn’t upgraded automatically already) when you use these user sign-in methods.

Also, if you’ve built your own scheduler for Azure AD Connect, based on the WMI calls, you should start planning on using the built-in scheduler.
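For the WMI scheduler deprecation mentioned earlier and this closing advice, here is what moving to the built-in scheduler looks like. It is an added example, not code from the original post or from Microsoft, using the ADSync PowerShell module that ships with Azure AD Connect; the 45-minute interval is an assumed value, and the only hard rule is that the effective interval can never be shorter than the tenant's AllowedSyncCycleInterval.

```powershell
# Added example (not from the original post or from Microsoft): replace a custom
# WMI-driven scheduler with the built-in one. Uses the ADSync module installed
# with Azure AD Connect; the interval is an assumed value.
Import-Module ADSync

function Set-BuiltInSyncSchedule {
    param([timespan] $Interval = (New-TimeSpan -Minutes 45))
    $s = Get-ADSyncScheduler
    # Never reconfigure while a cycle is in flight; a custom scheduler may still
    # have kicked one off.
    if ($s.SyncCycleInProgress) { throw 'A sync cycle is running; retry later.' }
    if ($Interval -lt $s.AllowedSyncCycleInterval) {
        throw "Interval $Interval is below the allowed minimum $($s.AllowedSyncCycleInterval)."
    }
    # Custom schedulers usually ran with the built-in one disabled; turn it back on.
    Set-ADSyncScheduler -SyncCycleEnabled $true -CustomizedSyncCycleInterval $Interval
    Get-ADSyncScheduler | Select-Object SyncCycleEnabled, AllowedSyncCycleInterval,
        CustomizedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval,
        NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC
}

# The supported replacement for firing a cycle from your own code: ask the
# built-in scheduler to run one now instead of poking the WMI interface.
function Start-SyncNow {
    param([ValidateSet('Delta','Initial')] [string] $PolicyType = 'Delta')
    if ((Get-ADSyncScheduler).SyncCycleInProgress) { throw 'A sync cycle is already running.' }
    Start-ADSyncSyncCycle -PolicyType $PolicyType
}

Set-BuiltInSyncSchedule
Start-SyncNow -PolicyType Delta
```

Once this is in place, disable whatever Scheduled Task or service drove the old WMI calls, so the two schedulers do not race each other for the same connector runs.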