HOWTO: Uninstall and Remove Azure MFA Server versions 7.x and 8.x Implementations

Azure MFA

Last week, Microsoft announced that Azure MFA Server will no longer be available for new deployments per July 1, 2019.

Information: New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated Azure MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.

I’m expecting organizations to make the move from Azure MFA Server to the Azure MFA service, leveraging one or more of the following options:

  1. Integrating applications, systems and services with Azure AD and leveraging Conditional Access to trigger Azure MFA
  2. Using the built-in AD FS Adapter in Hybrid Identity implementations, which is available in Active Directory Federation Services since the Windows Server 2016 Farm Behavioral Level (FBL)
  3. Using the Azure MFA NPS Extension to secure RADIUS-based access solutions, and/or switching Citrix NetScaler-based configurations over to the claims-based access model.

After organizations have successfully migrated over from Azure MFA Server to the Azure MFA service, their next task is to decommission the Azure MFA Server infrastructure.

Information: In this blogpost, I’ll cover how to remove an Azure MFA Server Complete Deployment, as mentioned in the supported Azure MFA Server Deployment Scenarios and their pros and cons. Some steps may not be applicable to every Azure MFA Server deployment scenario.

Uninstalling and removing Azure MFA Server consists of these high-level steps:

  • Disable and remove Azure MFA Server as MFA provider in AD FS
  • Uninstall the Azure MFA Server Mobile Web Service
  • Uninstall the Azure MFA Server User Portal
  • Uninstall the Azure MFA Server Web Service SDK
  • Remove Server reference from Azure AD
  • Uninstall the central Azure MFA Server component
  • Remove IIS
  • Remove TLS Certificate
  • Remove service accounts and groups from Active Directory
  • Remove DNS records from DNS
  • Remove the server from the domain
  • Remove the server from the network

Let’s walk through these steps:


Disable and remove Azure MFA Server as MFA provider in AD FS

The Azure MFA Server adapter in AD FS might be configured to allow multi-factor authentication in relying party trusts (RPTs). The first thing we need to do is remove Azure MFA Server’s MFA Adapter as an MFA method.

Execute the following three lines of Windows PowerShell in an elevated Windows PowerShell window on the primary AD FS Server to deselect Azure MFA Server’s AD FS Adapter in AD FS’ global multi-factor authentication policy:

Information: AD FS farms that use the Windows Internal Database (WID) have one AD FS server that operates as the primary AD FS server. It is the only server with read/write access to the AD FS configuration database. In an AD FS farm that uses SQL Server, all AD FS servers have read/write access to the database, and the lines of Windows PowerShell below can be executed on any of the AD FS servers in the AD FS farm.

# Read the list of additional (multi-factor) authentication providers enabled in the global policy
$C = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
# Remove the Azure MFA Server adapter from that list (the provider name is a string and needs quotes)
$C.Remove("AzureMfaServerAuthentication")
# Write the shortened list back to the global authentication policy
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $C

Next, run the following lines of Windows PowerShell on all AD FS Servers in an elevated Windows PowerShell window, to remove Azure MFA Server’s AD FS adapter from these systems, followed by a restart of the AD FS service:

# Unregister the Azure MFA Server adapter on this AD FS server
Unregister-AdfsAuthenticationProvider -Name AzureMfaServerAuthentication
# Restart the AD FS service so the change takes effect
Restart-Service -Name adfssrv


AD FS no longer knows about the Azure MFA Server Adapter and the Azure MFA Server. Now we can uninstall the components from the environment.

Use the following sequence (outside in):

  • Uninstall the Mobile Web Service
  • Uninstall the User Portal
  • Uninstall the Web Service SDK
  • Uninstall Azure MFA Server

Uninstall Azure MFA Server’s Mobile Web Service

Azure MFA Server 7.x’s Mobile Web Service allows people in the organization to register the Microsoft Authenticator app with the Azure MFA Server implementation.

Information: Typically, you wouldn’t find Azure MFA Server’s Mobile Web Service in Azure MFA Server 8.x deployments, as the Mobile Web Service reference in Azure MFA Server’s User Portal was replaced with an iFrame that redirects to an Azure-based page. In this latter case, skip this paragraph.

To uninstall Azure MFA Server’s Mobile Web Service, perform these steps:

  1. Sign in to the web server that hosts the Mobile Web Service.
  2. Open the Internet Information Services (IIS) Manager (InetMgr.exe).
  3. In the left navigation pane, navigate to Sites. Expand it.
  4. Select the website or subfolder that corresponds to Azure MFA Server’s Mobile Web Service.
  5. When Azure MFA Server’s Mobile Web Service is installed as a separate site, right-click the site, click on Manage Website and then select Stop.
  6. In the action pane, click Basic Settings….
  7. Note the information in the Physical Path: field.
  8. Click OK to close the Edit Site pop-up.
  9. When Azure MFA Server’s Mobile Web Service is installed as a separate site, in the main window of Internet Information Services (IIS) Manager, double-click Logging. Note the information in the Directory: field.
  10. When Azure MFA Server’s Mobile Web Service is installed as a separate site, in the left navigation menu, right-click the site again and select Remove from the context menu. Else, right-click the folder, and select Remove. Click Yes to confirm.
    (Screenshot: Confirm Remove Site)
  11. In the Confirm Remove pop-up window, click Yes.
  12. In the left navigation menu, navigate to Application Pools. Expand it.
  13. Right-click the application pool corresponding to Azure MFA Server’s Mobile Web Service and select Stop from the menu.
  14. Right-click it again, and select Remove from the menu.
  15. Click Yes to confirm.
  16. Close Internet Information Services (IIS) Manager.
  17. Open File Explorer (explorer.exe).
  18. Navigate to the folder that resembles the folder that was mentioned in the Physical Path: field of Azure MFA Server’s Mobile Web Service.
  19. Remove the folder.
  20. When Azure MFA Server’s Mobile Web Service ran as a separate website, navigate to the folder that resembles the folder that was mentioned in the Directory: field of Azure MFA Server’s Mobile Web Service’s logging properties and remove this folder, too.
  21. Close File Explorer.

Uninstall Azure MFA Server’s Mobile Web Service from any Windows Server that offers it.


Uninstall Azure MFA Server’s User Portal

Use the following steps to uninstall Azure MFA Server’s User Portal in the same way as you have uninstalled Azure MFA Server’s Mobile Web Service from any Windows Server that offers it:

  1. Sign in to the web server that hosts the User Portal.
  2. Open the Internet Information Services (IIS) Manager (InetMgr.exe).
  3. In the left navigation pane, navigate to Sites. Expand it.
  4. Select the website or subfolder that corresponds to Azure MFA Server’s User Portal.
  5. When Azure MFA Server’s User Portal is installed as a separate site, right-click the site, click on Manage Website and then select Stop.
  6. In the action pane, click Basic Settings….
  7. Note the information in the Physical Path: field.
  8. Click OK to close the Edit Site pop-up.
  9. When Azure MFA Server’s User Portal is installed as a separate site, in the main window of Internet Information Services (IIS) Manager, double-click Logging. Note the information in the Directory: field.
  10. When Azure MFA Server’s User Portal is installed as a separate site, in the left navigation menu, right-click the site again and select Remove from the context menu.
  11. Else, right-click the folder, and select Remove. Click Yes to confirm.
  12. In the Confirm Remove pop-up window, click Yes.
  13. In the left navigation menu, navigate to Application Pools. Expand it.
  14. Right-click the application pool corresponding to Azure MFA Server’s User Portal and select Stop from the menu.
    (Screenshot: Remove Azure MFA Server's User Portal Application Pool)
  15. Right-click it again, and select Remove from the menu.
  16. Click Yes to confirm.
  17. Close Internet Information Services (IIS) Manager.
  18. Open File Explorer (explorer.exe).
  19. Navigate to the folder that was mentioned in the Physical Path: field of Azure MFA Server’s User Portal.
  20. Remove the folder.
  21. When Azure MFA Server’s User Portal ran as a separate website, navigate to the folder that was mentioned in the Directory: field of Azure MFA Server’s User Portal’s logging properties and remove this folder, too.
  22. Close File Explorer.


Uninstall Azure MFA Server’s Web Service SDK

Azure MFA Server’s Mobile Web Service and Azure MFA Server’s User Portal communicate with the central Azure MFA Server component through its Web Service SDK.

Information: Azure MFA Server deployment scenarios where the Mobile Web Service and User Portal are not used, or are deployed on the same server that runs Azure MFA Server’s central component, do not use the Web Service SDK. In these scenarios, this paragraph can be skipped.

To uninstall the Web Service SDK, perform these steps:

  1. Press Win+X or right-click the Start button, and select Programs and Features from the top of the menu, or search for Programs and Features.
    (Screenshot: MFA Server in Programs and Features)
  2. Select Multi-Factor Authentication Web Service SDK from the list of installed programs.
  3. In the action bar on top of the list of installed programs, click Uninstall.
  4. Click Yes to answer the pop-up question Are you sure you want to uninstall Multi-Factor Authentication Web Service SDK?
  5. After several short progress bars have filled, Azure MFA Server’s Web Service SDK will be removed.
  6. Close Programs and Features.
  7. Open the Internet Information Services (IIS) Manager (InetMgr.exe).
  8. In the left navigation pane, navigate to Sites. Expand it.
  9. Select the website or subfolder that corresponds to Azure MFA Server’s Web Service SDK.
  10. When Azure MFA Server’s Web Service SDK is installed as a separate site, right-click the site, click on Manage Website and then select Stop.
  11. In the action pane, click Basic Settings….
  12. Note the information in the Physical Path: field.
  13. Click OK to close the Edit Site pop-up.
  14. When Azure MFA Server’s Web Service SDK is installed as a separate site, in the main window of Internet Information Services (IIS) Manager, double-click Logging. Note the information in the Directory: field.
  15. When Azure MFA Server’s Web Service SDK is installed as a separate site, in the left navigation menu, right-click the site again and select Remove from the context menu. Else, right-click the folder, and select Remove. Click Yes to confirm.
  16. In the Confirm Remove pop-up window, click Yes.
  17. In the left navigation menu, navigate to Application Pools. Expand it.
  18. Right-click the application pool corresponding to Azure MFA Server’s Web Service SDK and select Stop from the menu.
  19. Right-click it again, and select Remove from the menu.
  20. Click Yes to confirm.
  21. Close Internet Information Services (IIS) Manager.
  22. Open File Explorer (explorer.exe).
  23. Navigate to the folder that was mentioned in the Physical Path: field of Azure MFA Server’s Web Service SDK.
  24. Remove the folder.
  25. When Azure MFA Server’s Web Service SDK ran as a separate website, navigate to the folder that was mentioned in the Directory: field of Azure MFA Server’s Web Service SDK’s logging properties and remove this folder, too.
  26. Close File Explorer.
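The IIS steps for the Mobile Web Service, the User Portal and the Web Service SDK above are the same sequence with a different site, application and application pool name. The following Windows PowerShell script is an added example, not part of the original post or of the Azure MFA Server product, that performs that sequence for one component; the site, application and application pool names are assumptions you read from IIS Manager and pass as parameters, and the script supports -WhatIf so you can review what it would remove before committing.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original post): removes one Azure MFA Server web component
  (Mobile Web Service, User Portal or Web Service SDK) from IIS, following the manual
  steps above. Site, application and application pool names are assumptions; read them
  from IIS Manager first and run with -WhatIf before committing.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # IIS site that hosts the component, or the parent site when it runs as an application
    [Parameter(Mandatory = $true)] [string] $SiteName,
    # Application name below the site (for example 'MultiFactorAuthWebServiceSdk'); omit for a separate site
    [string] $ApplicationName,
    # Application pool that served the component
    [Parameter(Mandatory = $true)] [string] $AppPoolName
)

Import-Module WebAdministration -ErrorAction Stop

$site = Get-Website -Name $SiteName
if (-not $site) { throw "IIS site '$SiteName' was not found." }

# Steps 6-9: record the physical path (and, for a separate site, the log directory) before removing anything
$logDirectory = $null
if ($ApplicationName) {
    $app = Get-WebApplication -Site $SiteName -Name $ApplicationName
    if (-not $app) { throw "Application '$ApplicationName' was not found under site '$SiteName'." }
    $physicalPath = [Environment]::ExpandEnvironmentVariables($app.PhysicalPath)
} else {
    $physicalPath = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    $logRoot      = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
    $logDirectory = Join-Path $logRoot "W3SVC$($site.id)"   # IIS names per-site log folders after the site id
}
Write-Verbose "Content folder: $physicalPath"

# Safety check: never delete the default IIS content root, which other sites may share
$wwwroot = Join-Path $env:SystemDrive 'inetpub\wwwroot'
if ($physicalPath.TrimEnd('\') -ieq $wwwroot) {
    throw "Refusing to delete '$physicalPath': it is the shared IIS content root."
}

if ($ApplicationName) {
    # Step 10 (application under an existing site): remove only the application; the parent site keeps running
    if ($PSCmdlet.ShouldProcess("$SiteName/$ApplicationName", 'Remove IIS application')) {
        Remove-WebApplication -Site $SiteName -Name $ApplicationName
    }
} else {
    # Steps 5 and 10 (separate site): stop it, then remove it
    if ($site.state -eq 'Started' -and $PSCmdlet.ShouldProcess($SiteName, 'Stop IIS site')) {
        Stop-Website -Name $SiteName
    }
    if ($PSCmdlet.ShouldProcess($SiteName, 'Remove IIS site')) {
        Remove-Website -Name $SiteName
    }
}

# Steps 13-15: stop and remove the application pool, unless another site or application still uses it
$poolInUse = (@(Get-Website | Where-Object { $_.applicationPool -eq $AppPoolName }).Count -gt 0) -or
             (@(Get-WebApplication | Where-Object { $_.applicationPool -eq $AppPoolName }).Count -gt 0)
if ($poolInUse) {
    Write-Warning "Application pool '$AppPoolName' is still used by another site or application; leaving it in place."
} else {
    if ((Get-WebAppPoolState -Name $AppPoolName).Value -eq 'Started' -and
        $PSCmdlet.ShouldProcess($AppPoolName, 'Stop application pool')) {
        Stop-WebAppPool -Name $AppPoolName
    }
    if ($PSCmdlet.ShouldProcess($AppPoolName, 'Remove application pool')) {
        Remove-WebAppPool -Name $AppPoolName
    }
}

# Steps 18-20: remove the content folder and, for a separate site, its log folder
foreach ($folder in (@($physicalPath, $logDirectory) | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
    if ($PSCmdlet.ShouldProcess($folder, 'Remove folder')) {
        Remove-Item -LiteralPath $folder -Recurse -Force
    }
}
```

Run it once per component, for example `.\Remove-MfaWebComponent.ps1 -SiteName 'MFA User Portal' -AppPoolName 'MFAUserPortal' -WhatIf` (constructed names), and drop -WhatIf once the output lists only what you expect.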


Remove Server references from Azure AD

To clean up the Azure AD tenant, delete the MFA Provider from Azure AD, since it’s no longer needed, even when you use Azure MFA with the NPS Extension for Azure MFA or Azure MFA with AD FS in Windows Server 2016 or Windows Server 2019. The steps in this paragraph also show how to determine the primary (Master) server when there are multiple MFA Servers in the MFA Server group.

The steps in this paragraph depend on the way the Azure MFA Server implementation is licensed.

Perform these steps:

  1. Open a web browser and navigate to the Azure Portal.
  2. Sign in with an account that has the Global administrator role assigned.
    Perform Azure-based multi-factor authentication, when prompted.
  3. In the left navigation menu, click Azure Active Directory.
  4. In the Azure AD navigation menu, scroll down to the Security section.
  5. Click MFA.


MFA Provider scenario

When the implementation uses an MFA Provider, perform these steps:

  1. In the Multi-Factor Authentication navigation menu, click Providers.
  2. Select a provider in the list of MFA providers to open its settings.
  3. In the navigation menu for the MFA Provider, click Server Status.
  4. In the list of Azure MFA Servers, take note of the Azure MFA Server installation that has the value Yes in the Master column.
  5. Click the ellipsis (…) to the left of each of the Azure MFA Servers, and select Delete from the menu.
  6. In the Delete Entry pop-up, click OK to acknowledge that the selected entry will be removed from the report.
    Repeat steps 5 and 6 for each Azure MFA Server in the list.
  7. Delete the MFA Provider.


Hybrid Identity Scenario

When the implementation is licensed through an Azure AD Premium license, or another license that includes it, perform these steps:

  1. In the Multi-Factor Authentication navigation menu, click Server Status.
  2. In the list of Azure MFA Servers, take note of the MFA Server installation that has the value Yes in the Master column.
  3. Click the ellipsis (…) to the left of each of the Azure MFA Servers, and select Delete from the menu.
  4. In the Delete Entry pop-up, click OK to acknowledge that the selected entry will be removed from the report.

Repeat steps 3 and 4 for each Azure MFA Server in the list.


Uninstall the central Azure MFA Server component

The central Azure MFA Server component offers the Management User Interface, Directory Synchronization and other Azure MFA Server services that may be in use.

Information: When multiple Azure MFA Servers are part of the implementation, uninstall the central Azure MFA Server component on the Master server last. This is the only Azure MFA Server that has read/write access to the phonefactor.pfdata file.

To uninstall the central Azure MFA Server component, perform these steps:

  1. Press Win+X or right-click the Start button, and select Programs and Features from the top of the menu, or search for Programs and Features.
  2. Select Multi-Factor Authentication Server from the list of installed programs.
  3. In the action bar on top of the list of installed programs, click Uninstall.
  4. Click Yes to answer the pop-up question Are you sure you want to uninstall Multi-Factor Authentication Server?
  5. After several short progress bars have filled, Azure MFA Server will be removed.
  6. Close Programs and Features.
  7. Open File Explorer (explorer.exe).
  8. Navigate to the C:\Program Files\Multi-Factor Authentication Server folder (or the installation location for Azure MFA Server, if you’ve changed it from the default during installation).
  9. Delete the folder, including the Data and Logs subfolders and the files therein.
  10. Close File Explorer.
  11. Restart the server.


Remove IIS

Warning: Skip this paragraph on Windows Servers that remain functioning as web servers, as the steps below remove the Internet Information Services (IIS) role that hosts other IIS-based applications.

With all Azure MFA Server components removed, the servers in scope of the Azure MFA Server deployment no longer require Internet Information Services (IIS). Remove IIS from the server using the Remove roles and services wizard from Server Manager, or use the following line of Windows PowerShell in an elevated PowerShell window:

Uninstall-WindowsFeature -Name Web-Server,Web-Common-Http,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Health,Web-Http-Logging,Web-Performance,Web-Stat-Compression,Web-Security,Web-Filtering,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Tools,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase

Afterward, restart the server. For instance, using the following line of Windows PowerShell:

Restart-Computer

If there are any load-balancer rules directing traffic to Azure MFA Server’s former Mobile Web Service, User Portal or Web Service SDK, remove these, too.


Remove TLS Certificates

The local computer still has a TLS certificate stored in its certificate store. Remove the certificate for the Windows Servers in scope for the Azure MFA Server implementation from their local computer certificate stores.

Warning: Skip this paragraph if any of the Windows Servers in scope of the Azure MFA Server implementation remains a web server, hosting websites over HTTPS using the same TLS certificate. However, when the time comes to renew the certificate, remove any Azure MFA Server-specific DNS names from the certificate request.

Perform these steps:

  1. Open the Certificates MMC Snap-in for the local computer (certlm.msc)
  2. In the left navigation pane, expand Personal, then Certificates.
  3. In the main pane, select the TLS certificate that was used for Azure MFA Server’s Mobile Web Service, Azure MFA Server’s User Portal and/or Azure MFA Server’s Web Service SDK.
  4. Right-click the certificate and select Delete from the menu.
    (Screenshot: MFAServerRemoveCert)
  5. Click Yes.
  6. Close the Certificates MMC Snap-in.

If you have connected Azure MFA Server’s Mobile Web Service and User Portal to Azure MFA Server’s Web Service SDK using certificate authentication, remove these certificates, too.
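As an added example (not from the original post), the following Windows PowerShell script finds the certificates in the local computer’s Personal store that were issued for the Azure MFA Server DNS names and deletes them only when no SSL binding registered with http.sys on the server still uses them, which is the check the warning above asks for. The DNS names are assumptions passed as a parameter.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original post): removes TLS certificates issued for the
  Azure MFA Server DNS names from the local computer's Personal store, but keeps any
  certificate that is still bound to an HTTPS endpoint on this server. The DNS names
  are assumptions; pass the names the Mobile Web Service, User Portal and Web Service
  SDK were published under.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # DNS names the MFA web components answered on, e.g. 'mfa.example.com', 'mfasdk.example.com' (constructed)
    [Parameter(Mandatory = $true)] [string[]] $MfaDnsNames
)

# Certificates still bound to an HTTPS endpoint in http.sys (used by IIS, AD FS, WinRM over HTTPS and others).
# The 40-hex-digit tokens in the netsh output are certificate thumbprints, so this parse does not depend on
# localized labels; it does not cover endpoints that bypass http.sys.
$netshOutput      = (& netsh.exe http show sslcert) -join "`n"
$boundThumbprints = @([regex]::Matches($netshOutput, '\b[0-9a-fA-F]{40}\b') |
                      ForEach-Object { $_.Value.ToUpperInvariant() })

function Get-MfaServerCertificate {
    # Returns certificates whose subject alternative names cover one of the given DNS names,
    # either exactly or through a wildcard name such as *.example.com
    param([string[]] $DnsNames)
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $certNames = @($_.DnsNameList | ForEach-Object { $_.Unicode })
        foreach ($wanted in $DnsNames) {
            foreach ($have in $certNames) {
                if ($wanted -like $have) { return $true }
            }
        }
        return $false
    }
}

foreach ($cert in Get-MfaServerCertificate -DnsNames $MfaDnsNames) {
    $label = "$($cert.Thumbprint) ($($cert.Subject), expires $($cert.NotAfter.ToString('yyyy-MM-dd')))"
    if ($boundThumbprints -contains $cert.Thumbprint.ToUpperInvariant()) {
        # The warning above: a web server that still uses this certificate keeps it
        Write-Warning "Keeping $label because an HTTPS binding on this server still uses it."
        continue
    }
    if ($PSCmdlet.ShouldProcess($label, 'Delete certificate from Cert:\LocalMachine\My')) {
        Remove-Item -LiteralPath $cert.PSPath
    }
}
```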


Remove service accounts and groups from Active Directory

For typical Azure MFA Server deployments, there are two service accounts and one group in Active Directory Domain Services:

  • The PhoneFactor Admins group in the Users container
  • The service account for the Azure MFA Server itself
  • The service account for the portals to connect to the Web Service SDK

Remove them all.


Remove the servers from the domain

Warning: Skip this paragraph for any Windows Server in scope of the Azure MFA Server implementation that remains on the network to service end-users.

Configure the Azure MFA Server as a member of the WORKGROUP workgroup, instead of the domain it’s a member of.

Afterwards, restart the server.

After a successful restart, remove the computer object from Active Directory Domain Services.


Remove DNS records from DNS

Warning: Skip this paragraph for any Windows Server in scope of the Azure MFA Server implementation that remains on the network to service end-users.

Many Azure MFA Servers are known on the internal network and on the Internet by names other than their hostnames.

Remove the A, AAAA and CNAME records, pointing to the host in the DNS zone for the internal network. Remove the A, AAAA and CNAME records, pointing to the host in the public DNS zone for the Internet.
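The three paragraphs above (service accounts and group, the computer object, and the internal DNS records) can be handled from one script on a management workstation with RSAT installed. The following Windows PowerShell script is an added example, not from the original post; the service account names, group name, zone name and DNS server name are assumptions supplied as parameters, and it supports -WhatIf. The public DNS zone is not covered, since that lives with the external DNS provider.

```powershell
<#
  Added example (not from the original post): removes the Active Directory objects and the
  internal DNS records left behind by a decommissioned Azure MFA Server. All names are
  assumptions passed as parameters; run with -WhatIf first. Requires the ActiveDirectory
  and DnsServer RSAT modules and rights on the domain and on the DNS server.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $ComputerName,   # hostname of the decommissioned MFA Server
    [Parameter(Mandatory = $true)] [string] $ZoneName,       # internal DNS zone, e.g. 'corp.example.com' (constructed)
    [Parameter(Mandatory = $true)] [string] $DnsServer,      # DNS server hosting that zone
    [string[]] $ServiceAccounts = @('svc_mfaserver', 'svc_mfaportal'),  # assumed sAMAccountNames
    [string]   $AdminGroup      = 'PhoneFactor Admins',
    [string[]] $Aliases         = @()                        # other A/AAAA names the server was known by
)

Import-Module ActiveDirectory, DnsServer -ErrorAction Stop

# Service accounts (MFA Server itself, and the portals' account for the Web Service SDK)
foreach ($sam in $ServiceAccounts) {
    $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'"
    if (-not $user) { Write-Warning "Service account '$sam' not found; skipping."; continue }
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Remove AD user')) {
        Remove-ADUser -Identity $user -Confirm:$false
    }
}

# The PhoneFactor Admins group
$group = Get-ADGroup -Filter "name -eq '$AdminGroup'"
if ($group -and $PSCmdlet.ShouldProcess($group.DistinguishedName, 'Remove AD group')) {
    Remove-ADGroup -Identity $group -Confirm:$false
}

# Computer object; only valid after the server has been moved to a workgroup and restarted
$computer = Get-ADComputer -Filter "name -eq '$ComputerName'"
if ($computer -and $PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Remove AD computer')) {
    Remove-ADComputer -Identity $computer -Confirm:$false
}

# DNS: A and AAAA records for the host and its aliases
foreach ($name in (@($ComputerName) + $Aliases)) {
    foreach ($type in 'A', 'AAAA') {
        Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType $type -Name $name -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess("$($_.HostName) $type", 'Remove DNS record')) {
                    Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -InputObject $_ -Force
                }
            }
    }
}

# DNS: CNAME records that pointed at the host (RecordData.HostNameAlias carries a trailing dot)
$fqdn = "$ComputerName.$ZoneName."
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType CName |
    Where-Object { $_.RecordData.HostNameAlias -ieq $fqdn } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.HostName) CNAME -> $fqdn", 'Remove DNS record')) {
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -InputObject $_ -Force
        }
    }
```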


Remove the servers from the network

Warning: Skip this paragraph for any Windows Server in scope of the Azure MFA Server implementation that remains on the network to service end-users.

Shut down the server. Remove the server from the virtualization platform, or disconnect the physical server and remove it from the server room.

This is also the perfect moment to remove any custom firewall rules you might have had in place to allow communications between the Mobile Web Service and/or User Portal and the Web Service SDK, and replication between MFA Servers.

Make sure the hosts from the Azure MFA Server implementation are correctly removed from monitoring, backup and other information security services, as well as the service catalog.


Concluding

The above paragraphs provide steps to clean Azure MFA Server implementations off a network. Following these steps, no remnants remain of this legacy product.

Related blogposts

Supported Azure MFA Server Deployment Scenarios and their pros and cons
HOWTO: Install Azure Multi-Factor Authentication (MFA) Server 8.0.1.1
Things to know about Billing for Azure MFA and Azure MFA Server
Ten Things you need to know about Azure Multi-Factor Authentication Server

Further reading

Configure Azure MFA as authentication provider with AD FS
Integrate your existing NPS infrastructure with Azure Multi-Factor Authentication
Azure: How to unregister and register MFA Server 6.x ADFS Authentication Provider


Pictures of Experts Live Netherlands 2019

Last week, I delivered a 60-minute session, together with Raymond Comvalius at Experts Live Netherlands at Congress Center 1931 in Den Bosch, the Netherlands.

I left home early to arrive at 7:15 at the venue. This left me with ample time to find a (charging) parking spot, get to the speaker room and change to the Experts Live Polo shirt, and still catch the 7:45 pre-keynote session; I attended Orin Thomas’s session on Securing Azure Networks. Then, onward to the keynote.

Photos: ExpertsLive Panel Keynote (by the Organization); Keynote Panel

After the keynote, it was time for Raymond and me to start working on the slides. I sat down in the speaker area, where my book drew quite some attention.

Photos: The Active Directory Administration Cookbook at ExpertsLive; CookBook Chapter 14 (by Michael van Hybrid); Erwin Derksen going through the Active Directory Administration CookBook

At 11:30AM, it was showtime for Raymond and me: We were allowed to talk for 60 minutes to a room full of attendees on Active Directory, AD FS, Certification Authorities and Windows to express how Windows Hello for Business could be used on-premises to start the password-less journeys.

Photos: With Ray On Stage (by Didier van Hoye); On Stage before the session (by Barbara Forbes); A picture with our audience (by Barbara Forbes); Presenting as a Duo with Raymond (by the ExpertsLive Organization); On Stage at Experts Live NL (by the ExpertsLive Organization)

After the session we spoke with a couple of attendees and then headed off to lunch.

Photos: A nice chat with Jeff and Marc (by the ExpertsLive Organization); The ExpertsLive NL Expo

I attended some more sessions that caught my interest and stood in the crowd during the epic raffle with my colleagues Barbara Forbes and Michiel Dekker. Toni Petrina took a picture of us, before we headed off for a nice dinner just outside of Den Bosch.

Photo: The Community meets here (taken by Toni on Barbara's phone)

Thank you!

Thank you to the ExpertsLive organization for organizing yet another successful event and inviting me as a speaker once again, and to all the people attending, sitting in on our session and, of course, the people with whom I had interesting discussions.


What’s New in Azure Active Directory for May 2019

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for May 2019:


What’s Planned

Future support for only TLS 1.2 protocols on the Azure AD Application Proxy service

Service category: App Proxy
Product capability: Access Control

To help provide best-in-class encryption for our customers, Microsoft is limiting access to only TLS 1.2 protocols on the Azure AD Application Proxy service. This change is gradually being rolled out, first to customers who are already only using TLS 1.2 protocols.

Deprecation of TLS 1.0 and TLS 1.1 happens on August 31, 2019. Microsoft will provide additional advanced notice, so you’ll have time to prepare for this change. To prepare for this change make sure your client-server and browser-server combinations, including any clients your users use to access apps published through Application Proxy, are updated to use the TLS 1.2 protocol to maintain the connection to the Application Proxy service.


What’s New

Identity secure score is now available in Azure AD
General availability

Product capability: Identity Security & Protection

You can now monitor and improve your identity security posture by using the identity secure score feature in Azure AD. The identity secure score feature uses a single dashboard to help you:

  • Objectively measure your identity security posture
  • Plan for your identity security improvements
  • Review the success of your security improvements


New App registrations experience is now available
General availability

Service category: Authentications (Logins)
Product capability: Developer Experience

The new App registrations experience is now in general availability. This new experience includes all the key features admins are familiar with from the Azure portal and the Application Registration portal and improves upon them through:

  • Better app management. Instead of seeing their apps across different portals, admins can now see all their apps in one location.
  • Simplified app registration. From the improved navigation experience to the revamped permission selection experience, it’s now easier for admins to register and manage apps.
  • More detailed information. Admins can find more details about their app, including quickstart guides and more.


Conditional access for the combined registration process
Public preview

Service category: Conditional Access
Product capability: Identity Security & Protection

Admins can now create Conditional Access policies for use by the combined SSPR/MFA registration page. This includes applying policies to allow registration if:

  • Users are on a trusted network.
  • Users are a low sign-in risk.
  • Users are on a managed device.
  • Users agree to the organization’s terms of use (TOU).


Use the usage and insights report to view your app-related sign-in data

Service category: Enterprise Apps
Product capability: Monitoring and Reporting

Admins can now use the usage and insights report, located in the Enterprise applications area of the Azure portal, to get an application-centric view of the sign-in data, including info about:

  • Top used apps for your organization
  • Apps with the most failed sign-ins
  • Top sign-in errors for each app


Automate your user provisioning to cloud apps using Azure AD

Service category: Enterprise Apps
Product capability: Monitoring and Reporting

Follow these new tutorials to use the Azure AD Provisioning Service to automate the creation, deletion, and updating of user accounts for the following cloud-based apps:

You can also follow this new Dropbox tutorial, which provides info about how to provision group objects.


New capabilities available in the Risky Users API for Identity Protection

Service category: Identity Protection
Product capability: Identity Security & Protection

Microsoft is pleased to announce that admins can now use the Risky Users API to retrieve users’ risk history, dismiss risky users, and to confirm users as compromised. This change helps admins to more efficiently update the risk status of their users and understand their risk history.


New Federated Apps available in Azure AD app gallery – May 2019

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2019, Microsoft has added these 21 new apps with Federation support to the app gallery:

  1. Freedcamp
  2. Real Links
  3. Kianda
  4. Simple Sign
  5. Braze
  6. Displayr
  7. Templafy
  8. Marketo Sales Engage
  9. ACLP
  10. OutSystems
  11. Meta4 Global HR
  12. Quantum Workplace
  13. Cobalt
  14. webMethods API Cloud
  15. RedFlag
  16. Whatfix
  17. Control
  18. JOBHUB
  19. NEOGOV
  20. Foodee
  21. MyVR


Improved groups creation and management experiences in the Azure AD portal

Service category: Group Management
Product capability: Collaboration

Microsoft has made improvements to the groups-related experiences in the Azure AD portal. These improvements allow admins to better manage groups lists, members lists, and to provide additional creation options. Improvements include:

  • Basic filtering by membership type and group type.
  • Addition of new columns, such as Source and Email address.
  • Ability to multi-select groups, members, and owner lists for easy deletion.
  • Ability to choose an email address and add owners during group creation.


What’s Changed

Configure a naming policy for Office 365 groups in Azure AD portal
General availability

Service category: Group Management
Product capability: Collaboration

Admins can now configure a naming policy for Office 365 groups, using the Azure AD portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization.


Microsoft Graph API endpoints are now available for Azure AD activity logs
General availability

Service category: Reporting
Product capability: Monitoring & Reporting

Microsoft is happy to announce general availability of Microsoft Graph API endpoints support for Azure AD activity logs. With this release, admins can now use Version 1.0 of both the Azure AD audit logs, as well as the sign-in logs APIs.


Experiences with Being Published, Part 3: Deadlines

Deadlines

As a published technical writer, I’ve had my share of experiences working with a publisher and its editors for a period of seven months. For my own sanity, I’ll post some of my experiences in this series of blogposts on Experiences with Being Published. I feel these stories can be quite entertaining, and I might even get a smile on my face when I look back at these stories in a couple of years’ time…


On deadlines and the typical process

When a publisher targets you as a new writer, you are typically asked to create an outline for the book they want you to write. A publishing board then decides if the right topics are present in the book, before providing a ‘Go!’ for the book.

When you write a book, a schedule is determined based on the outline, so all people know what is expected of them. Typically for every writer, their schedule features deadlines; points in time when content (usually defined per chapter for a technical book) is due.

There’s a perfectly valid reason for these deadlines: After first delivery, the content is then reviewed by an independent technical reviewer, then edited for readability, spelling and grammar by a team of content editors from your publisher and then reviewed by a technical person at the publisher to make sure everything checks out. Throughout the process, time is allocated for the writer to address the comments and changes made by everyone.


Stakes and tools

Just like every other situation in life, in the process, people have different stakes. The publishing board has a clear vision of the book in terms of the maximum total amount of pages, the topics and the search engine research that governs their choices.

The content editing team has clear expectations as well. For cookbooks at Packt, the chapters must not exceed 50 pages and should have twelve recipes per chapter. These are not ‘pages’ like you write them in Microsoft Word. No, Packt has its own portal in which you are required to meet your deadlines. This platform features a button labeled ‘View in PDF’, that will tell you how many pages a chapter would have (including its ToC, but you can deduct these)…


Changes to the schedule

I was happily writing a chapter every two weeks. Imagine my surprise when after having met ten of my deadlines, I got a call from my publisher, asking me to speed up content delivery…

Uhm, no. We have an agreement on a schedule.

Their proposal was to deliver a chapter every four days, for the last couple of chapters, resulting in a deadline for April 12th instead of May 18th, without additional compensation or a clear reason why. Also, the five days per chapter for reviews was condensed into a mere five days in total, adding to the amount of work that needed to be delivered.

I proposed an April 22nd deadline, allowing for one weekend per chapter. Given the Easter weekend with a couple of additional days off from work, April 29th would be my deadline for everything.


That was quick…

This proposal was quickly accepted. Too quickly, perhaps…

After this decision, the entire process started to come tumbling down. Instead of working on a chapter each weekend, I now also was pushed into resolving comments from the reviewers, the editors and everyone involved with the book during weekdays. Now, I was dealing with four persons at a time with different roles and different stakes.

I learned a great deal about my creative process when creating the Active Directory Administration Cookbook. Looking back, I realize that the schedule change robbed me of the one luxury I had to improve on the quality of the book: the ability to write something and then take another look at it afresh a week later.

Even when self-publishing, the above pitfall exists. The Project management triangle applies to books, too.

Picture by Georgie Pauwels, used under CC BY 2.0 license. Adjusted in size.



Active Directory Administration Cookbook: Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.


HOWTO: Disable account enumeration in Azure Active Directory

PowerShell

To celebrate the availability of the Active Directory Administration Cookbook, I decided to write a blogpost in the typical structure of a recipe in this book:


Disabling account enumeration

Use this recipe to disable account enumeration for an Azure Active Directory tenant. After completing this recipe, people with user accounts in the tenant will no longer be able to list the other accounts.


Getting ready

To complete this recipe, you’ll need to sign into the Azure AD tenant with an account that has the Global administrator role assigned to it.

Note: This recipe does not require any additional licenses. The functionality described in this recipe is included in all Azure AD tenants, including those configured as Azure AD Free.

This recipe requires the MSOnline Windows PowerShell Module. Use the following line of Windows PowerShell in an elevated Windows PowerShell window on a Windows or Windows Server system that runs Windows PowerShell 5.0 or higher and has Internet connectivity:

Install-Module MSOnline

Press Yes twice.

When the MSOnline Windows PowerShell Module is already installed, run the above line of Windows PowerShell to update it before continuing with the recipe.


How to do it

Perform these steps:

  1. Open a Windows PowerShell window on the device or server where you have installed the MSOnline PowerShell module.
  2. Execute the following line of PowerShell to import the MSOnline Windows PowerShell Module:

    Import-Module MSOnline

  3. Execute the following line of PowerShell to sign into the Azure AD tenant:

    Connect-MsolService

  4. The Sign in to Azure AD Connect Health Agent window appears:

    Sign in to your account

  5. Sign in with an account in Azure Active Directory that has the Global administrator role assigned.
  6. Perform multi-factor authentication, when prompted.
  7. Execute the following line of PowerShell to configure the Azure AD tenant:

    Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false 

  8. Close Windows PowerShell.
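As an added example that is not part of the original recipe, the following PowerShell reads the tenant setting back before and after the change, so the outcome is verified rather than assumed. The function names are mine; it assumes the MSOnline module and the Global administrator role from the Getting ready section.

```powershell
# Added example, not part of the original recipe: audit the current
# account-enumeration setting, disable it, and verify the change took effect.
# Assumes the MSOnline module is installed and the signed-in account holds
# the Global administrator role. Function names are hypothetical (mine).
Import-Module MSOnline

function Get-AccountEnumerationState {
    # Get-MsolCompanyInformation exposes the same tenant-wide setting that
    # Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled writes.
    $company = Get-MsolCompanyInformation
    return [bool]$company.UsersPermissionToReadOtherUsersEnabled
}

function Disable-AccountEnumeration {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $before = Get-AccountEnumerationState
    if (-not $before) {
        Write-Host "Account enumeration is already disabled; nothing to do."
        return
    }

    if ($PSCmdlet.ShouldProcess("Azure AD tenant", "Disable users' permission to read other users")) {
        Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

        # Read the setting back instead of trusting the cmdlet's silent return.
        $after = Get-AccountEnumerationState
        if ($after) {
            throw "Setting did not change; UsersPermissionToReadOtherUsersEnabled is still true."
        }
        Write-Host "Account enumeration disabled (was: $before, now: $after)."
    }
}

# Sign in interactively (multi-factor authentication and PIM prompts appear here),
# preview the change with -WhatIf, then apply it.
Connect-MsolService
Disable-AccountEnumeration -WhatIf
Disable-AccountEnumeration
```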


How it works

This recipe uses the MSOnline Windows PowerShell module.

Note: Microsoft recommends using the newer AzureAD Windows PowerShell Module. However, in the current version of that module the functionality to perform the steps in this recipe is not (yet) available.

By importing the Windows PowerShell module before issuing cmdlets from the module, tab completion is available under all circumstances.

The Connect-MsolService cmdlet instructs PowerShell to connect to the Azure AD tenant. As no credentials are supplied in the above example, a prompt appears to ask for credentials. When multi-factor authentication, Azure AD Privileged Identity Management (PIM) or other information security measures are enabled, perform the required steps to successfully authenticate.

When successfully authenticated, the Set-MsolCompanySettings cmdlet configures the Azure AD tenant with the required settings.


There’s more!

To find the differences between the MSOnline and AzureAD Windows PowerShell modules and their history, look at the state of Azure AD PowerShell today.


There’s even more!

Account enumeration is labeled Account Discovery in the MITRE ATT&CK knowledgebase and tagged with ID T1087. Find out more about this adversary technique and its impact by visiting the MITRE ATT&CK knowledgebase.


Two keynotes and Top 7 sessions of VeeamON are now available online

Veeam

I missed out on VeeamON this year in Miami, FL…

I had other engagements with customers, with NT Konferenca in Slovenia and, as a repeat speaker, Techorama in Belgium in the week of May 20th. I had lots of fun, but I would have really liked to have visited the event and would have loved to have seen Rick Vanover dump the laptop in water, in real life.

The next best thing is now available though: Two keynotes and Top 7 sessions of VeeamON are now available online, for free!


Available videos

The following sessions are now available to view online, for free:

  • The Vision keynote with Ratmir Timashev, Veeam Co-Founder and Executive Vice President Sales and Marketing
  • The Technology keynote with Danny Allan, Veeam Vice President Product Strategy
  • Top 7 Worst Practices when using Veeam Backup & Replication with Edwin Weijdema, Veeam Solution Architect North East EMEA
  • Veeam Agents: Tips, Tricks and What Not To Do with Tom Sightler, Veeam Vice President Product Management
  • Ransomware Resiliency Tips for Veeam and the Veeam Vanguards with Rick Vanover, Veeam Senior Director Product Strategy
  • Architecture, Installation and Design for Veeam Backup for Microsoft Office 365 with Niels Engelen, Veeam Global Technologist and Timothy Dewin, Veeam Enterprise Systems Engineer
  • From the Architect’s Desk: Sizing with Tim Smith, Veeam Solutions Architect
  • Cumulonimbus Cloud Tier Deep Dive and Best Practices with Dustin Albertson, Veeam Senior Cloud Architect Global Cloud Group and Anthony Spiteri, Veeam Senior Global Technologist Product Strategy
  • Let’s Manage Agents with Dmitry Popov, Veeam Product Management


About VeeamON

VeeamON is the premier conference for Cloud Data Management. It allows attendees to gain valuable insights, training and connections with industry experts, learn how to capitalize on their existing virtualization, networking, storage and Veeam investments and discover the latest cloud technologies and how you can leverage your existing assets as part of a comprehensive availability strategy.


VeeamON 2019

VeeamON 2019 took place at the Fontainebleau Miami Beach Conference Center. Veeam announced Veeam Availability Orchestrator (VAO) version 2, its new With Veeam partner program and its achievement of $1 billion in annual bookings.


Hungry for more?

Save the date for VeeamON 2020. Mark your calendar for VeeamON 2020 in Las Vegas, Aria Hotel, May 4-6, 2020.


Join the Active Directory Administration Cookbook Launch Party at SCCT

Active Directory Administration Cookbook Launch Party at SCCT

Last month, my Active Directory Administration Cookbook was released by Packt. To celebrate, my employer is hosting a Launch Party at our office in Leidschendam, near The Hague in the Netherlands.

The Launch Party offers the opportunity to Dutch people to get their copy of the Active Directory Administration Cookbook and have it signed.


About SCCT

SCCT is a cloud-first Microsoft-oriented systems integrator from the Netherlands. Our aim is to help organizations embrace Microsoft cloud solutions. SCCT was founded in 2014 by Harro Borghardt and Carlo Schaeffer. In 2017, Sander Berkouwer was named CTO at SCCT, completing the management team.


Join us!

We have created a Microsoft Excel Online Form, where you can provide information. Its purpose is to collect the necessary information for SCCT to successfully organize the Launch Party. It tells us how many people will attend the event and how many books we’ll need.

Please fill out the form if you would like to attend the Active Directory Administration Cookbook Launch Party.


Creating the ‘Microsoft Office 365 Identity Platform’ Relying Party Trust manually

Cloud

There are several methods to create the Relying Party Trust (RPT) between Active Directory Federation Services (AD FS) and Azure Active Directory automatically:

  • Using Azure AD Connect with the Use an existing AD FS farm option or the Configure a new AD FS farm option, when configuring Federation with AD FS as the authentication method.
  • Using the Convert-MsolDomainToFederated Windows PowerShell cmdlet from the MSOnline PowerShell Module.

However, sometimes you can’t use the above methods. In this case, the only logical conclusion is to create the Relying Party Trust manually. But how do you create the exact same functionality as when you use the above methods… or, in the case of the Convert-MsolDomainToFederated cmdlet method, the full functionality?

I wrote this blogpost after I had successfully switched the custom DNS domain name in Azure Active Directory to AD FS on a remote workstation, but wasn’t privileged to install the MSOnline PowerShell Module on an AD FS server, create Relying Party Trusts or domain-join the Azure AD Connect installations… I had to hand the changes I needed to a more privileged person. When I ran Convert-MsolDomainToFederated before having the RPT created manually, it failed. After I had the RPT created manually, it succeeded. I have full confidence you can come up with your own reasons and situations beyond this use case…

This blogpost details the steps, relying solely on cmdlets from the ADFS PowerShell module. It’s a four-step procedure:

  1. Creating the Relying Party Trust
  2. Configuring the Relying Party Trust beyond defaults
  3. Setting the claims issuance authorization rule
  4. Setting the claims issuance transformation rules


Important!
The settings for the Relying Party Trust that is created with the below steps are an identical copy of the Relying Party Trust created with Azure AD Connect version 1.3.21.0. These settings may change over time. While all effort was aimed at providing the best information, it may no longer be accurate.


Creating the Relying Party Trust

Perform these steps to create the Relying Party Trust (RPT):

  1. Sign in to an AD FS Server with local administrator privileges. When the AD FS farm leverages the Windows Internal Database (WID) replication method, sign in to the primary AD FS server, as it is the only AD FS server that has read/write access to the ADFSConfiguration database.
  2. Open an elevated Windows PowerShell screen.
  3. Enter the following lines of PowerShell:

Import-Module ADFS

Add-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform" -MetadataUrl "https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml"


Configuring the Relying Party Trust beyond defaults

With the above steps, many of the settings are configured perfectly for the Relying Party Trust. However, we need to set three more settings to make it perfect.

The first setting defines the additional WS-Fed Endpoints for the RPT. The other two settings enable monitoring of the RPT and automatic updating.

Enter the following lines of PowerShell, below the earlier ones to configure the settings:

$AdditionalWSFedEndpoint = @(
  "https://ccs.login.microsoftonline.com/ccs/login.srf",
  "https://ccs-sdf.login.microsoftonline.com/ccs/login.srf",
  "https://stamp2.login.microsoftonline.com/login.srf"
)

Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -AdditionalWSFedEndpoint $AdditionalWSFedEndpoint -AutoUpdateEnabled $true -MonitoringEnabled $true


Setting the claims issuance authorization rule

One of the other features of the Microsoft Office 365 Identity Platform RPT, is the default claims issuance authorization rule.

Let’s add it to the RPT by entering the following lines of PowerShell, below the earlier ones:

Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'


Setting the claims issuance transformation rules

Now, all that’s left is to configure the claims issuance transformation rules. As this is the core of the magic of the Relying Party Trust, changes most often of all the RPT characteristics and requires custom rules in multi-domain scenarios, I’m opting to create these rules using the Claims Generator on adfshelp.microsoft.com.

Perform these steps on any Internet-connected system:

  1. Open a browser.
  2. Navigate to adfshelp.microsoft.com.
  3. On the main page, click Online Tools.
  4. On the Online Tools Overview page, click the Azure AD RPT Claim Rules tile.
  5. Follow the steps to generate the claims issuance transformation rules applicable to your organization.
  6. After you’ve completed all the steps, the claims issuance transformation rules are presented as a PowerShell script, and as raw text.
  7. Copy the contents of the PowerShell script into a file.
  8. Transfer the file to the AD FS server.

Run the PowerShell script on the AD FS server, next.
When it runs, it creates a backup file of the previously configured claims issuance transformation rules. This file will be empty, as no claims issuance transformation rules were configured before. Close Windows PowerShell and log off, when done.
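As an added check that is not part of the original post, the following PowerShell compares an existing Relying Party Trust against the settings configured in the four steps above and reports any deviation. The function name and the $Expected table are mine; the values in the table are the ones used in the steps.

```powershell
# Added example, not part of the original post: verify that the manually created
# 'Microsoft Office 365 Identity Platform' RPT carries the settings configured above.
# Run on the primary AD FS server (for WID farms) in an elevated PowerShell window.
Import-Module ADFS

# Expected values, taken from the steps in this post.
$Expected = @{
    Name                    = "Microsoft Office 365 Identity Platform"
    MetadataUrl             = "https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml"
    AdditionalWSFedEndpoint = @(
        "https://ccs.login.microsoftonline.com/ccs/login.srf",
        "https://ccs-sdf.login.microsoftonline.com/ccs/login.srf",
        "https://stamp2.login.microsoftonline.com/login.srf"
    )
    PermitClaimType         = "http://schemas.microsoft.com/authorization/claims/permit"
}

function Test-Office365Rpt {
    param([hashtable]$Expect = $Expected)

    $rpt = Get-AdfsRelyingPartyTrust -Name $Expect.Name
    if (-not $rpt) { throw "Relying Party Trust '$($Expect.Name)' not found." }

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Metadata source: the RPT must be fed from the Azure AD federation metadata URL.
    if ([string]$rpt.MetadataUrl -ne $Expect.MetadataUrl) {
        $findings.Add("MetadataUrl is '$($rpt.MetadataUrl)'")
    }

    # 2. Additional WS-Fed endpoints: order does not matter, the set must match exactly.
    $actual = @($rpt.AdditionalWSFedEndpoint | ForEach-Object { [string]$_ })
    if ($actual.Count -eq 0) {
        $findings.Add("AdditionalWSFedEndpoint is empty")
    } else {
        $diff = Compare-Object -ReferenceObject $Expect.AdditionalWSFedEndpoint -DifferenceObject $actual
        if ($diff) {
            $detail = ($diff | ForEach-Object { "$($_.SideIndicator) $($_.InputObject)" }) -join "; "
            $findings.Add("AdditionalWSFedEndpoint differs: $detail")
        }
    }

    # 3. Monitoring and automatic updates keep the trust in sync with the published metadata.
    if (-not $rpt.MonitoringEnabled) { $findings.Add("MonitoringEnabled is false") }
    if (-not $rpt.AutoUpdateEnabled) { $findings.Add("AutoUpdateEnabled is false") }

    # 4. Authorization rule: the default is a single 'permit' rule. Anything else is either a
    #    deliberate restriction or a misconfiguration; either way it deserves a look.
    if ($rpt.IssuanceAuthorizationRules -notmatch [regex]::Escape($Expect.PermitClaimType)) {
        $findings.Add("IssuanceAuthorizationRules does not contain the permit claim type")
    }

    # 5. Transform rules come from the adfshelp.microsoft.com generator; an empty set means
    #    no claims are issued to Azure AD and federated sign-ins will fail.
    if ([string]::IsNullOrWhiteSpace($rpt.IssuanceTransformRules)) {
        $findings.Add("IssuanceTransformRules is empty; step 4 of the procedure was not applied")
    }

    if (-not $rpt.Enabled) { $findings.Add("Relying Party Trust is disabled") }

    [pscustomobject]@{
        Name        = $rpt.Name
        Identifiers = @($rpt.Identifier)   # populated from the metadata, not set by hand
        Pass        = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

Test-Office365Rpt | Format-List
```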


Concluding

It’s surprising how default the Microsoft Office 365 Identity Platform Relying Party Trust is, when you think about it…

Also, the documentation on the Add-AdfsRelyingPartyTrust PowerShell cmdlet is wrong at stating that the –Identifier parameter is required; when using either the –MetadataFile or –MetadataUrl parameter, it certainly isn’t.


Hat Tip

My colleague Barbara Forbes helped me with the Windows PowerShell antics for this blog post. I asked her help, because she uttered the immortal words ‘Surely some-one has figured this out already…’


Pictures of NT Konferenca 2019

NT Konferenca 2019

Two weeks ago, I travelled to Portorož in Slovenia to deliver two 60-minute sessions at NT Konferenca.

I started early at one of my regular customers at 06:45 on Monday morning. After eight hours of work, I decided to drive to Schiphol airport. As I already saw notices of delays, I decided to take it easy and check in to KLM’s Crown Lounge for dinner.

With 90 minutes delay, we arrived at Paris Charles de Gaulle airport, where I promptly missed my connecting flight to Ljubljana. No worries, because Air France had no trouble booking me into a flight to Venice instead. After arriving there and a 2-hour cab ride, I arrived at the Grand Hotel in Portorož at 01:30. With nothing to see, I decided to go to bed.

The next morning I decided to go for a walk around the premises. Although the sun wasn’t out, Portorož showed its beautiful potential and history.

Photo: A lonely olive tree at Hotel Vile Park in Portorož
Photo: An overview of the St Bernardin Resort with Croatia on the horizon
Photo: The 15th-century St. Bernardin Church
Photo: Portorož (by the NTK organization)

After my walk, I checked out the entrance and decided to register.

Photo: Grand Hotel St Bernardin entrance (by the NTK organization)
Photo: NTK 19 Speaker Badge

At 11:30, it was time for me to present my first presentation. In room Adria 2, we discussed the way organizations may transition from on-premises identity to cloud-only identity and how some choices are not the brightest choices to make. That was fun.

Introduction Slide for 'Your Identity Roadmap to 2022'

After the presentation, I met up with the other speakers for lunch and for some coffee on the patio of the Grand Hotel.

Photo: Coffee moment with the community

At 16:30, I presented my second session on the eight common mistakes organizations make with Hybrid Identity, Active Directory Federation Services (AD FS) and Azure AD Connect. Good fun!

After the session, everyone gathered in front of the Grand Hotel to enjoy beer and network with other attendees, for NTK’s Beer 2 Beer event.

Photo: Taking it easy at the NTK Party with water. Vladimir approves.

In the evening, we went for the ‘Hot and Heavy by St. Louis Band’ down the road in Portorož. We enjoyed food and drinks. I decided to take it easy, drink water and go to bed early.

At 03:00 my alarm went off to alert me of the cab ride that was scheduled for me at 03:30 to Ljubljana airport and back to the Netherlands…


Thank you!

Thank you to the NT Konferenca organization for organizing yet another successful event and inviting me as a speaker, to all my Balkan community friends and, of course, to all the people attending, sitting in on my sessions and, of course, the people with whom I had interesting discussions.


I’m speaking at Experts Live Netherlands 2019

Advertised as the biggest Microsoft IT Pro event in the Netherlands, Experts Live Netherlands will take place Tuesday June 6th, 2018 at Conference Center 1931 in Den Bosch. It’s a privilege to share the stage again with my buddy Raymond.


About Experts Live

Experts Live

Experts Live is an independent platform for IT Professionals on Microsoft solutions. A platform for and by the community. Almost every year, Experts Live organizes its knowledge event in the Netherlands. Started as an idea from a small group of Dutch Microsoft MVPs, Experts Live has become the largest Microsoft community event in the Netherlands, with over a thousand visitors.

Both national and international speakers update the visitors in one day on the latest Microsoft technologies. Subsequently, through the years, many famous and notorious speakers delivered sessions on the Experts Live events.

This year, for the first time Experts Live is hosted at Conference Center 1931 in Den Bosch, and scheduled for Thursday June 6th, 2019. The event offers over 40 break-out sessions, an opening panel discussion and drinks afterward.


About my session

I’ll deliver a 60-minute session in the Microsoft 365 track, together with Raymond Comvalius:

Going password-less on-premises, how hard can it be?

11:30AM – 12:30PM, Room Limousin 2, level 400

Password-less… Microsoft’s marketing machine makes a bold case for it. When you’re with your head in the clouds. What’s the real story for hybrid scenarios? What’s the deal for pure on-premises environments?

Find out in this session how far you can take your password-less journey!
Microsoft has spun up its latest Identity-related marketing vehicle: password-less. With Azure AD, we’re seeing high adoption of features like Windows Hello for Business, Single Sign-On and even some FIDO2 adoption.

However, when Hybrid Azure AD Join rears its ugly head, things get a bit more complicated… and don’t even get us started on going password-less on-premises!
Let’s take a closer look at Windows Hello for Business, authentication assurance, trust types and all the on-premises requirements to fulfil to get to this promise of a world with fewer passwords.

Join us!

Experts Live Netherlands hasn’t sold out yet, but there’s only a handful of tickets left. Snag yours before it’s too late and join us!
