Veeam Backup for Office 365 v4c build 4.0.1.519 offers support for disabled legacy protocols

Veeam Backup for Office 365

Six weeks ago, we looked at how Veeam Backup for Office 365 works in tenants with multi-factor authentication required for admin roles. With Security Defaults being the norm in newly created Azure AD tenants and their respective Office 365 tenants, it’s a good time to look at how Veeam Backup for Office 365 can work without using legacy authentication protocols.

This is a new feature in Veeam Backup for Office 365 version 4c (build 4.0.1.519).

API-only Mode

Veeam Backup for Office 365 version 4c (build 4.0.1.519) is the first version of Veeam Backup for Office 365 that is able to work without a user account. Instead of user credentials it only leverages the application registration in Azure Active Directory to communicate with Microsoft’s Application Programming Interfaces (APIs).

     

Benefits of using API-only mode

The big benefit of using API-only mode is that admins can successfully disable legacy authentication protocols and/or enable the Security Defaults feature in their organization’s Azure AD tenant if Veeam Backup for Office 365 was the last system, service or application that uses it.

     

Drawbacks of using API-only Mode

Veeam has long used an user account to offer full coverage of the backup and restore needs that Office 365 admins have. Meanwhile, Microsoft has been busy improving their APIs to offer more functionality, but it doesn’t offer full coverage, today.

In API-only mode, the following tasks are not supported, when compared to using Veeam Backup for Office 365 with both the application registration and user credentials:

  • Discovery Search and Public Folder mailboxes are not supported.
  • Dynamic Distribution groups are not supported.
  • The type property for shared and resource/equipment mailboxes cannot be resolved. Such mailboxes will be available for backup with a general ‘User’ type.
  • SharePoint Web Parts can only backed up if their ‘exportmode’ property is enabled. Non exportable Web Parts are not supported.
  • OneNote restore is not supported.
  • SharePoint Web Part customized template cannot be preserved upon a restore. All Web Parts will be restored with the default template.
  • The ‘Allow multiple responses’ setting in survey lists within team modern sites is not preserved upon a restore.
  • The ‘Measure-VBOOrganizationFullBackupSize’ cmdlet is not supported.

Additionally, application registration are harder to audit than user accounts, which might lead to a different approach to auditing of the Azure AD tenant.   

   

Concluding

Leaving both legacy authentication (non Multi-factor Authentication-capable authentication) and legacy protocols behind, Veeam Backup for Office 365 is a shining example of an application that adheres to the quickly changing realities of cloud computing.

Further reading

Release notes for Veeam Backup for Microsoft Office 365 4c 
Download Veeam Backup for Office 365 4c

Posted on June 5, 2020 by Sander Berkouwer in Azure Active Directory, Office 365, Veeam, Veeam Vanguard

0  

On-premises Microsoft Identity-related updates and fixes for May 2020

Windows Server

Even though Microsoft's Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for May 2020:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4556813 May 12, 2020

The May 12, 2020 update for Windows Server 2016 (KB4556813) updating the OS build number to 14393.3686 includes both security and quality improvements, but none of these updates are Identity-related.

When running virtualized Domain Controllers on top of Hyper-V, then you might be concerned with CVE-2020-0909. However, as per Microsoft recommended practices, Hyper-V hosts should not be placed on network segments that are accessible to non-administrator endpoints.

The three Print Spooler vulnerabilities are also causes for alarm, but I hope that by now everyone has hardened their Domain Controllers by not allowing printer redirection through remote desktop and stopping the spooler service…

ADV200009 May 19, 2020

Microsoft is aware of a vulnerability involving packet amplification that affects Windows DNS servers. An attacker who successfully exploited this vulnerability could cause the DNS Server service to become nonresponsive.

Admins of edge-facing authoritative DNS Servers should enable Response Rate Limit (RRL), using the Set-DnsServerResponseRateLimiting PowerShell Cmdlet.

There is currently no update available to address the vulnerability.

                          

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4551853 May 12, 2020

The May 12, 2020 update for Windows Server 2019 (KB4551853) updating the OS build number to 17762.1217 includes both security and quality improvements.

This update addresses a cross-site scripting vulnerability in Active Directory Federation Services (AD FS) (CVE-2020-1055). This cross-site-scripting (XSS) vulnerability exists when AD FS does not properly sanitize user inputs. An unauthenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected AD FS server. When successful, the attacker could then perform cross-site scripting attacks on affected systems and run scripts in the security context of the current user. This security update addresses the vulnerability by ensuring that AD FS properly sanitizes user inputs.

When running virtualized Domain Controllers on top of Hyper-V, then you might be concerned with CVE-2020-0909. However, as per Microsoft recommended practices, Hyper-V hosts should not be placed on network segments that are accessible to non-administrator endpoints.

The three Print Spooler vulnerabilities are also causes for alarm, but I hope that by now everyone has hardened their Domain Controllers by not allowing printer redirection through remote desktop and stopping the spooler service…

ADV200009 May 19, 2020

Microsoft is aware of a vulnerability involving packet amplification that affects Windows DNS servers. An attacker who successfully exploited this vulnerability could cause the DNS Server service to become nonresponsive.

Admins of edge-facing authoritative DNS Servers should enable Response Rate Limit (RRL), using the Set-DnsServerResponseRateLimiting PowerShell Cmdlet.

There is currently no update available to address the vulnerability.

Posted on June 4, 2020 by Sander Berkouwer in Active Directory Federation Services, Microsoft Windows Server 2016, Microsoft Windows Server 2019, Security Updates

0  

What’s New in Azure Active Directory in May 2020

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for May 2020, on top of the announcements made at Build 2020:

                   

What’s Planned

New email address for MFA admin notifications

Service category: Multi-factor Authentication (MFA)
Product capability: Identity Security & Protection

Microsoft is planning changes to the multi-factor authentication (MFA) email notifications for both cloud MFA and MFA server. E-mail notifications will be sent from  azure-noreply@microsoft.com.

Additionally, Microsoft is updating the content of fraud alert emails to better indicate the required steps to unblock uses.

                  

New self-service sign up for users in federated domains who can't access Microsoft Teams because they aren't synced to Azure AD

Service category: Authentications (Logins)
Product capability: User Authentication

Currently, users who are in domains federated in Azure AD, but who are not synced into the tenant, can't access Microsoft Teams.

Starting at the end of June, this new capability will enable them to do so by extending the existing email verified sign up feature. This will allow users who can sign in to a federated IdP, but who don't yet have a user object in Azure ID, to have a user object created automatically and be authenticated for Microsoft Teams. Their user object will be marked as "self-service sign up."

                

The OIDC discovery document for the Azure Government cloud is being updated to reference the correct Graph endpoints

Service category: Sovereign Clouds
Product capability: User Authentication

Starting in June, the OIDC discovery document Microsoft identity platform and OpenID Connect protocol on the Azure Government cloud endpoint, will begin to return the correct National cloud graph endpoint (https://graph.microsoft.us or https://dod-graph.microsoft.us), based on the tenant provided. It currently provides the incorrect Graph endpoint msgraph_host field.

This bug fix will be rolled out gradually over approximately 2 months.

        

Azure Government users will no longer be able to sign in on login.microsoftonline.com

Service category: Sovereign Clouds
Product capability: User Authentication

On 1 June 2018, the official Azure Active Directory Authority for Azure Government changed from https://login-us.microsoftonline.com to https://login.microsoftonline.us. If you own an application within an Azure Government tenant, you must update your application to sign users in on the .us endpoint.

Starting May 5th, Azure AD will begin enforcing the endpoint change, blocking Azure Government users from signing into apps hosted in Azure Government tenants using the public endpoint. Impacted apps will begin seeing the following error:

AADSTS900439 USGClientNotSupportedOnPublicEndpoint

There will be a gradual rollout of this change with enforcement expected to be complete across all apps June 2020.

               

What’s New

Report-only mode for Conditional Access generally available

Service category: Conditional Access
Product capability: Identity Security & Protection

Report-only mode lets admins evaluate the result of a Conditional Access policy without enforcing access controls. Admins can test report-only policies across their organization and understand the impact of policies before enabling them, making deployment safer and easier.

Over the past few months, Microsoft has seen strong adoption of report-only mode—over 26M users are already in scope of a report-only policy. With the announcement today, new Azure AD Conditional Access policies will be created in report-only mode, by default. This means admins can monitor the impact of policies from the moment they’re created.

        

Conditional Access Insights and Reporting workbook  generally available

Service category: Conditional Access
Product capability: Identity Security & Protection

The insights and reporting workbook gives admins a summary view of Azure AD Conditional Access in their organization’s tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real-time. The workbook streams data stored in Azure Monitor. To make the dashboard more discoverable, Microsoft has moved it to the new insights and reporting tab within the Azure AD Conditional Access menu.

                    

Policy details blade for Conditional Access public preview

Service category: Conditional Access
Product capability: Identity Security & Protection

The new policy details blade displays the assignments, conditions, and controls satisfied during conditional access policy evaluation. Admins can access the blade by selecting a row in the Conditional Access or Report-only tabs of the Sign-in details.

                   

SAML Token Encryption Generally Available

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

SAML token encryption allows applications to be configured to receive encrypted SAML assertions. The feature is now generally available in all clouds.

                      

Group name claims in application tokens Generally Available

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

The group claims issued in a token can now be limited to just those groups assigned to the application. This is especially important when users are members of large numbers of groups and there was a risk of exceeding token size limits. With this new capability in place, the ability to add group names to tokens is generally available.

             

Self-service sign up for guest users public preview

Service category: Business to Business (B2B)
Product capability: Azure AD B2B/B2C

With External Identities in Azure AD, you can allow people outside the organization to access your organization’s apps and resources while letting them sign in using whatever identity they prefer.

When sharing an application with external users, admins might not always know in advance who will need access to the application. With self-service sign-up, admins can enable guest users to sign up and gain a guest account for line of business (LOB) apps. The sign-up flow can be created and customized to support Azure AD and social identities. Your organization can also collect additional information about the user during sign-up.

                          

The Hybrid Identity Administrator role is now available with Cloud Provisioning

Service category: Azure AD Cloud Provisioning
Product capability: Identity Lifecycle Management

Azure AD admins can start using the new Hybrid Administrator role as the least privileged role for setting up Azure AD Connect Cloud Provisioning. With this new role, admins no longer have to use the Global Admin role to setup and configure Cloud Provisioning.

          

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2020, Microsoft has added the following 36 new applications in the Azure AD App gallery with Federation support:

       

New provisioning connectors in the Azure AD Application Gallery – May 2020

Service category: App Provisioning
Product capability: 3rd Party Integration

Admins can now automate creating, updating, and deleting user accounts for these five newly integrated apps:

               

Workday Writeback now supports setting work phone number attributes

Service category: App Provisioning
Product capability: Identity Lifecycle Management

Microsoft has enhanced the Workday Writeback provisioning app to now support writeback of work phone number and mobile number attributes. In addition to email and username, admins can now configure the Workday Writeback provisioning app to flow phone number values from Azure AD to Workday.

                   

Publisher Verification Public preview

Service category: Other
Product capability: Developer Experience

Publisher verification (preview) helps admins and end-users understand the authenticity of application developers integrating with the Microsoft identity platform.

        

New query capabilities for Directory Objects in Microsoft Graph Public Preview

Service category: Microsoft Graph
Product capability: Developer Experience

New capabilities are being introduced for Microsoft Graph Directory Objects APIs, enabling Count, Search, Filter, and Sort operations. This will give developers the ability to quickly query Microsoft’s Directory Objects without workarounds such as in-memory filtering and sorting.

              

Configure SAML-based single sign-on using Microsoft Graph API Beta

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Support for creating and configuring an application from the Azure AD Gallery using Microsoft Graph APIs in Beta is now available. If an admin or developer needs to set up SAML-based single sign-on for multiple instances of an application, time can be saved by using the Microsoft Graph APIs to automate the configuration of SAML-based single sign-on.

                  

What’s Changed

Authorization Code Flow for Single-page apps

Service category: Authentication
Product capability: Developer Experience

Because of modern browser 3rd party cookie restrictions such as Safari ITP, single-page apps (SPAs) will have to use the authorization code flow rather than the implicit flow to maintain single sign-on (SSO). MSAL.js version 2.x will now support the authorization code flow.

                  

Improved Filtering for Devices Public Preview

Service category: Device Management
Product capability: Device Lifecycle Management

Previously, the only filters admins could use were Enabled and Activity date. In this public preview, admins can filter the list of devices on more properties, including OS type, Join type, Compliance, and more. These additions should simplify locating a particular device.

         

The new App registrations experience for Azure AD B2C generally available

Service category: Consumer Identity Management (B2C)
Product capability: Identity Lifecycle Management

The new App registrations experience for Azure AD B2C is now generally available.

Previously, admins had to manage their B2C consumer-facing applications separately from the rest of their apps using the legacy 'Applications' experience. That meant different app creation experiences across different places in Azure. The new experience shows all B2C app registrations and Azure AD app registrations in one place and provides a consistent way to manage them. Whether admins need to manage a customer-facing app or an app that has access to Microsoft Graph to programmatically manage Azure AD B2C resources, they only need to learn one way to do things.

                 

What’s Fixed

SAML Single Logout request now sends NameID in the correct format

Service category: Authentications (Logins)
Product capability: User Authentication

When a user clicks on sign-out (e.g., in the MyApps portal), Azure AD sends a SAML Single Logout message to each app that is active in the user session and has a Logout URL configured. These messages contain a NameID in a persistent format.

If the original SAML sign-in token used a different format for NameID (e.g. email/UPN), then the SAML app cannot correlate the NameID in the logout message to an existing session (as the NameIDs used in both messages are different), which caused the logout message to be discarded by the SAML app and the user to stay logged in. This fix makes the sign-out message consistent with the NameID configured for the application.

Posted on June 3, 2020 by Sander Berkouwer in Azure Active Directory, What's New

0  

Protecting virtual Domain Controllers on vSphere with Virtualization-based Security

Virtualizing Domain Controllers

VMware vSphere 6.7 offers the ability to enable virtualization-based security (VBS) for virtual machines. Let’s find out what kind of protection this setting provides, what’s needed to get it going and how to configure a virtual Domain Controller to use it.

 

About Virtualization-based Security

Virtualization-based Security (VBS) uses virtualization features to create and isolate a secure region of memory from the normal Operating System. Windows Server can use this "virtual secure mode" to host a number of security solutions, providing them with greatly increased protection from vulnerabilities in the operating system, and preventing the use of malicious exploits which attempt to defeat protections.

 

Benefits of using Virtualization-based Security

Virtualization-based Security (VBS) uses the Windows hypervisor to create this virtual secure mode, and to enforce restrictions which protect vital system and Operating System resources, or to protect security assets such as authenticated user credentials.

With the increased protections offered by Virtualization-based Security, even if malware gains access to the Operating System’s kernel, the possible exploits can be greatly limited and contained because the hypervisor can prevent the malware from executing code or accessing platform secrets.

For Active Directory Domain Controllers, specifically, Virtualization-based Security offers:

Secure Boot

The Secure Boot feature in Windows Server 2016, and up, is designed to protect the virtual machine from malicious boot loaders. In traditional Basic Input/Output System (BIOS)-based systems, a rootkit may replace the Windows boot loader, remaining invisible and undetectable on the Domain Controller.

With Secure Boot, a virtual machine no longer boots with BIOS, but with Unified Extensible Firmware Interface (UEFI). UEFI checks the signature of the boot loader before launching, detecting any malware impersonating, replacing or tampering with the Windows boot loader.

Direct Memory Access (DMA) Protection

Direct Memory Access (DMA) attacks try to grab the memory of a running Operating System to gain access to BitLocker keys and other information from the memory. In vSphere, you can take advantage of an Input/Output Memory Management Unit (IOMMU) to connect a DMA-capable I/O bus to the main memory.

With IOMMU, memory of Windows Server 2016 installations, and  up, is protected from malicious devices that are attempting DMA attacks and faulty devices that are attempting errant memory transfers because a device cannot read or write to memory that has not been explicitly allocated (mapped or re-mapped) for it.

Hypervisor-enforced Code Integrity (HVCI)

Kernel-mode Code Integrity enforces kernel-mode memory protections by protecting the Code Integrity validation path with Virtualization-based Security. All drivers in the virtual machine must be compatible with virtualization-based protection of code integrity; otherwise, the virtual machine fails.

Code Integrity (CI) Policies

Historically, most malware has been unsigned. Simply by deploying code integrity policies, organizations can get immediately protection against unsigned malware. By using Code Integrity policies, an enterprise can also select exactly which binaries can run in both user mode and kernel mode. When completely enforced, it will only load specific applications or software with specific signatures.

Note:
Code Integrity policies are independent of Hypervisor-enforced Code Integrity (HVCI). However, when using CI policies without HVCI, the enforcement will not be as strong as when using CI Policies with HVCI.

Note:
Windows Server 2019 expands on the CI policies feature in Windows Server 2016 by offering built-in CI policies for robust yet quick deployment of Code Integrity.

 

Other features like Application Guard, Credential Guard and Windows Sandbox, operating in their separate memory spaces are features targeted towards Windows-based devices and are not applicable to Domain Controllers. Well… when you adhere to the rule of thumb not to browse the Internet and install all kinds of software on your Domain Controllers, that is.

Note:
Do not configure Credential Guard on Domain Controllers.

 

Getting Ready

For Virtualization-based Security (VBS) you’ll need to meet the following requirements:

  • At least one ESXi host running VMware vSphere 6.7, or up, managed by vSphere
  • At least one virtual machine running hardware version 14 (Compatible only with ESXi 6.7 and later), or up, configured with Virtualization Based Security. and installed with Windows Server 2016, or a later version of Windows Server in this virtualization state.

Note:
The Virtualization Base Security option enables CPU virtualization extensions, IOMMU, EFI firmware and Secure Boot.

 

Configuring Virtualization-based Security

Configuring Virtualization-based Security consists of three steps:

  1. Configure the right virtual machine settings on vSphere 6.7
  2. Configure the right security settings in the virtual Domain Controller
  3. Install the Hyper-V feature on the virtual Domain Controller

Configure the right virtual machine settings

First, we need to create a virtual Domain Controller that meets the requirements.

ESXi 6.7

When creating a new virtual machine for a Domain Controller, on the 2 Select a name and guest OS page of the New virtual machine wizard, make sure as a Compatibility level you pick ESXi 6.7 virtual machine (or up), resulting in hardware version 14. Pick Microsoft Windows Server 2016 or later (64-bit) as the Gues OS version. Then, make sure you select the option Enable Windows Virtualization Based Security:

Enable Virtualization Based Security on the Select a name and guest OS page when creating a virtual machine in ESXi 6.7 (click for original screenshot)

vSphere 6.7

In the vSphere Web Client, when creating a new virtual machine, take care of the following settings:

  • On the Select compatibility page of the New Virtual Machine wizard, select ESXi 6.7 and later. The accompanying text below this settings will then indicate that This virtual machine uses hardware version 14, which provides the best performance and latest features available in ESXi 6.7.
  • On the Select a guest OS page of the New Virtual Machine wizard, specify Microsoft Windows Server 2016 or later (64-bit) as the Guest OS Version and select the option Enable Windows Virtualization Based Security:

Enable Virtualization Based Security on the Select a guest OS page when creating a virtual machine in vSphere Web Client 6.7 (click for original screenshot)

 

Configure the right security settings in the virtual Domain Controller

After installing Windows Server 2016, or up, on the new virtual Domain Controller and configuring it as a Domain Controller for (one of) your Active Directory domain(s), perform the following actions in the virtual machine or on any other domain-joined machine that has the Group Policy Management Console feature installed:

  • Sign in with an account that has sufficient permissions in Active Directory to create Group Policy objects and link them to the Domain Controllers Organizational Unit (OU). Typically, a member of the Domain Admins group has these permissions.
  • Open the Group Policy Managment console, by either:
    • Picking it from the Tools menu in Server Manager.
    • Selecting it in the Start Menu from the Windows Administrative Tools folder.
    • Clicking the Start button and typing gpmc.msc followed by a press of the Enter button on the keyboard.
    • right-clicking the Start button and typing gpmc.msc followed by a click on the OK button.
  • The Group Policy Management window appears.
  • In the left navigation pane, expand the forest node, then the Domains node, than your domain. Select the Domain Controllers Organizational Unit (OU).
  • Right-click Domain Controllers and select the Create a GPO in this domain, and Link it here… menu option.
    The New GPO pop-up window appears.
  • In the New GPO pop-up window, type a name for the Group Policy object.
  • Click the OK button.
  • In the left navigation pane, expand the Domain Controllers OU and select the newly created Group Policy object.
  • Dismiss the Group Policy Management Console pop-up telling you that You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other locations where this GPO is linked. by clicking the OK button, if it pops up.
  • Right-click the Group Policy object and select Edit… from the context menu.
    The Group Policy Management Editor window appears.
  • In the left navigation pane of the Group Policy Management Editor window, expand the Computer Configuration node, then the Policies node, the Administrative Templates node, the System, and finally the Device Guard node.

The Device Guard settings in Group Policy Management (click for original screenshot)

  • In the main pane, double-click the Turn on Virtualization Based Security group policy setting.
    The Turn on Virtalization Based Security window appears
  • In the top part of the Group Policy setting, select the Enabled option.
  • At the left Options: pane, select the following options:
    • For Virtualization Based Protection of Code Integrity:, select Enabled without lock from the drop-down list. As we are configuring Virtualization-based Security through Group Policy, we’d want Group Policy to be able to remove the settings remotely as well, if need be.
    • Enable the Require UEFI Memory Attributes Table option.
    • For Secure Launch Configuration:, select Enabled from the drop-down list.
  • Click the OK button at the bottom of the Turn on Virtualization Based Security window to save the Group Policy settings and close the Turn on Virtualization Based Security window:

Turn on Virtualization Based Security Group Policy Settings (click for original screenshot)

  • Close the Group Policy Management Editor window.
  • In the left navigation pane of the Group Policy Management window, right-click the Domain Controllers OU. Select Group Policy Update… from the context menu.
    The Force Group Policy update window appears.
  • Click the Yes button to answer the question Are you sure you want to update policy for these computers?
    The Remote Group Policy update results window appears.
  • Click the Close button to close the window.
  • Close the Group Policy Management window.

 

 

Install the Hyper-V feature on the virtual Domain Controller

If you’ve managed the Group Policy settings from another machine than the virtualized Domain Controller running Windows Server 2016, or up, sign into the Domain Controller with an Active Directory account that has administrative privileges on the Domain Controller.

Run the following lines of Windows PowerShell in an elevated PowerShell window on each Domain Controller that you want enabled with Virtualization-based Security:

Install-WindowsFeature Hyper-V

Restart-Computer

  

Concluding

Virtualization-based Security offers benefits for virtualized Domain Controllers running Windows Server 2016, and up. It uses nested virtualization, where Microsoft Hyper-V offers the secure memory regions and vSphere offers the virtualization platform as it would do for any virtual machine.

Further reading

Virtualization-based Security (VBS)
Introducing support for Virtualization Based Security in vSphere 6.7
Overview of Device Guard in Windows Server 2016
Enabling Windows 10 Virtualization Based Security with vSphere 6.7

Posted on June 2, 2020 by Sander Berkouwer in Active Directory, VMware, VMware vExpert

0  

Identity-related Features in Windows 10 version 2004 build 19041

Windows 10

Microsoft has released Windows 10 version 2004 build 19041 (or ‘Windows 10 May 2020 Update’) through Windows Server Update Services (WSUS) and Windows Update for Business. It was previously already available as download from Visual Studio Subscriptions, the Software Download Center (via Update Assistant or the Media Creation Tool), and the Volume Licensing Service Center.

It’s time to look at the new Identity-related features in this version of Windows 10:

FIDO2 for hybrid environments

FIDO2 security key support has been expanded to include hybrid Azure Active Directory-joined devices, enabling even more organizations to take an important step in their journey towards passwordless environments.

Before Windows 10 version 2004, the use of FIDO2 security keys was only available for Azure AD-joined devices. These devices are typically joined to Azure AD from the Out-of-the-Box experience. Hybrid Azure AD Join occurs through a Group Policy assigned to Active Directory domain-joined Windows-based devices.

Next to Windows 10 version 2004, FIDO2 security keys also require:

  • Windows Server 2016-based Domain Controllers and/or Windows Server 2019-based Domain Controllers with the January 23 2020 Feature update.
  • Azure AD Connect version 1.4.32.0, or a newer version of Azure AD Connect with the user objects in scope for synchronization and Hybrid Azure AD Join enabled.
  • FIDO2 security keys enabled on the Authentication Methods blade in the Azure AD Portal.

                     

Windows Hello

Windows Hello for Microsoft accounts

Starting in Windows 10 version 2004 you can enable passwordless sign-ins for Microsoft accounts to strengthen device access by switching all Microsoft accounts on the device to modern multi-factor authentication with Windows Hello Face, Fingerprint, or PIN, and eliminating passwords from Windows.

Windows Hello PIN added to Safe mode

For added security when troubleshooting an issue on a device, Microsoft has enabled the Windows Hello experience for devices started in Safe mode.

Posted on May 27, 2020 by Sander Berkouwer in Microsoft Windows 10, What's New

1  

Five things I wish I knew before ‘Next-Next-Finish’ing my Veeam Backup for Office 365 v4 installation

Veeam Backup for Office 365

Veeam Backup for Office 365 is an awesome product with a lot of possibilities and features. Just like Active Directory, it is a product that you can typically ‘next, next, finish’-install in about 10 minutes.

However, is that the best approach to implementing Veeam Backup for Office 365? Here’s my list of five things I wish I knew before ‘Next-Next-Finish’-ing my first Veeam Backup for Office 365 v4 installation roughly six months ago:

                        

Office 365 Sizer Tool

There is an awesome web-based tool by Veeam’s Senior Solution Architect Hal Yaman. The Microsoft Office 365 Backup Sizing tool, version 2 is a very efficient tool on how to estimate the storage requirements for Veeam Backup for Office 365. It takes all the guess work out of storage. I highly recommend it.

Read how to analyze your Office 365 Backup requirements with ease.

                      

Domain-Join

In recent months, Veeam is recommending to run Veeam Backup and Replication (VBR) on non-domain-joined boxes to make backups more resilient to ransomware attacks. However, you need to install Veeam Backup for Office 365 on a domain-joined box.

                                  

Modern Authentication is the way to go

The Security Defaults are in full swing for Azure AD tenants created after March 16th, 2020. Many other organizations using Azure AD without Azure AD Premium functionality are adopting the Security Defaults. Security Defaults are good from an information security point of view, as they require multi-factor authentication for privileged roles.

The Veeam Backup for Office 365 service account holds two highly-coveted privileged roles -Exchange Administrator and SharePoint Administrator- that both require multi-factor authentication.

Veeam Backup for Microsoft Office 365 offers a complete multi-factor authentication-proof installation. Here’s how to configure Veeam Backup for Microsoft Office 365 with Modern Authentication.

                                          

Default repository

Admins with some experience with setting up Veeam products know the first-run experiences. They offer great value if you need default settings.

When you first start Veeam Backup for Office 365, it offers a default schedule and a default repository with a default retention period. If one year of retention on a local disk is your preferred way to go, then you’d be done.

But are these the right settings for your repository? If not, than the consequence is that you’ll need to create a new repository, increasing the amount of storage needed for Office 365 backups on-premises to meet your goals in terms of retention and restore.

                                  

Offload to Object Storage is only available for new repositories

Many of the organizations I help have onboarded to Veeam Backup for Office 365 when it was version 1.5. We’ve been in-place upgrading these installations for years and have been able to take advantage of new and expanded features without a hitch.

However, the new option to offload Veeam Backup for Office 365’s backup repository to object storage, like Amazon S3 and Azure Storage, is not so easy to onboard; existing backup repositories can’t be transformed into offloaded repositories. The only right thing to do is to make a second (offloaded) repository and backup into that repository until the retention policy is reached for the objects in the original repository.

                                  

Concluding

I believe in a growth mindset. I believe that I should be ashamed of how I was doing things two years ago. This is how I learn. How I grow. How I heal. The other side of my approach is that I revisit old designs and approaches and thinking to myself: “I wish I knew then, what I know now…”. That’s perfect for sharing in blogposts like this one. Winking smile

Posted on May 26, 2020 by Sander Berkouwer in Veeam, Veeam Vanguard

0  

HOWTO: Use Azure AD Connect’s v2 Endpoint

Azure AD Connect

Azure AD Connect is Microsoft’s free tool to synchronize objects and their attributes from Active Directory Domain Services (AD DS) implementations to Azure Active Directory tenants. Many millions of organizations depend on Azure Active Directory and the APIs that the tool connects to. Now, there is a new endpoint Public Preview, so it’s time to take a closer look!

Why use the Azure AD Connect v2 Endpoint?

For years, Azure AD Connect has used an endpoint. The endpoint has served Azure AD Connect well. However, there are a couple of known limits to the endpoint:

Group membership limitations

With Azure AD Connect’s v1 endpoint, group memberships are limited to 50,000 members. Without a verified DNS domain name, a limit of 15,000 members is applied, though. With the v2 Endpoint, group memberships can now be set at 250,000 objects.

When the group memberships limit is increased, the new limit also applies to writing back Office 365 groups from Azure AD to Active Directory (if the Group WriteBack feature is enabled).

Performance limitations

Due to the way the v1 endpoint handles attribute changes, the v2 brings significant performance gains on exports and (delta) imports to Azure AD. Again, these changes benefit groups most as their members attribute may change often.

   

Known issues with the v2 Endpoint

There are three known issue for Azure AD Connect’s v2 Endpoint:

Additional errors shown

After enabling the new endpoint, you may see additional export errors on the AAD connector with name dn-attributes-failure. There will be a corresponding event log entry for each error with id 6949. The errors are informational and do not indicate a problem with your installation, but rather that the sync process could not add certain members to a group in Azure AD because the member object itself was not synced to Azure AD.

The new V2 endpoint code handles some types of export errors slightly different from how the V1 code did. You may see more of the informational error messages when you use the V2 endpoint.

In-place Upgrades

When upgrading Azure AD Connect, ensure that the steps below are rerun, as the changes are not preserved through the upgrade process.

Public Preview

Microsoft supports organization using the v2 Endpoint in production. If you need support when using this feature you should open a support case.

However, please know that Public Preview capabilities may be withdrawn and possibly redesigned before reaching further milestones. 

     

Getting ready

To take advantage of the v2 endpoints, you’ll need to meet the following requirements:

  1. One or more Azure AD Connect installations running version 1.5.30.0, or above.
  2. An Azure AD tenant in the global cloud. The Public Preview does not extend to sovereign clouds, like the US Government and VIANet’s China Azure, yet.

   

Enabling the use of the v2 Endpoint

Sign in on the Windows Server running Azure AD Connect.

Run the following lines of Windows PowerShell in an elevated Windows PowerShell window on the Windows Server with Azure AD Connect, that you’d want to use with the v2 Endpoint:

Set-ADSyncScheduler -SyncCycleEnabled $false

Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1'

Set-ADSyncAADConnectorExportApiVersion 2

Set-ADSyncAADConnectorImportApiVersion 2

Set-ADSyncScheduler -SyncCycleEnabled $true

After these changes, the synchronization performance increases apply, but the group memberships limit of 50,000 members still applies.

    

Increasing the group memberships limit

To increase the group memberships limit, we’ll need to change the synchronization rule. Follow these steps to do so:

  1. Run the following line of Windows PowerShell in an elevated Windows PowerShell window on the Windows Server with Azure AD Connect, that you’d want to use with the v2 Endpoint:
                                                                                                 

    2. Set-ADSyncScheduler -SyncCycleEnabled $false
                                                 

  2. Open Synchronization Rules Editor from the Azure AD Connect folder in the Start Menu.
    The Synchronization Rules Editor screen appears.
  3. From the list of synchronization rules, select the Out to AAD – Group Join sync rule.
  4. Click the Edit button at the bottom of the Synchronization Rules Editor screen.
    The Edit Reserved Rule Confirmation pop-up appears.
  5. Click on the Yes button to acknowledge that to edit an out-of-the-box synchronization rule, you’d need to disable the rule and edit a copy of the original rule. As you click Yes, the original rule is disabled, an editable copy is created and you’ll start editing the copy.
    The Edit outbound synchronization rule screen appears.
  6. On the Description page of the Edit outbound synchronization rule wizard, change the value for Precedence to an available value between 1 and 99.
  7. Click the Next > button three times.
  8. On the Transformation page of the Edit outbound synchronization rule wizard, change the Source for the Expression for member. The source contains the default 50000 limit. You can change this value to anywhere between 50000 and 250000.
  9. Click the Save button.
  10. Close the Synchronization Rules Editor window.
  11. Switch to the PowerShell window.
  12. Run the following line of Windows PowerShell:
                                                                                                     
    Set-ADSyncScheduler -SyncCycleEnabled $true

Posted on May 25, 2020 by Sander Berkouwer in Azure AD Connect, What's New

1  

A Recap of Identity-related Announcements from Microsoft Build 2020

Microsoft Build 2020

Microsoft organized Microsoft Build 2020 as a free digital event between Tuesday May 19th 8AM Pacific Time and Thursday May 21st 8 AM Pacific Time.

Microsoft Build is Microsoft’s annual conference event, aimed at software engineers and web developers using Windows, Microsoft Azure and other Microsoft technologies. First held in 2011, it serves as a successor for Microsoft's previous developer events, the Professional Developers Conference (PDC) and MIX.

During Build 2020, Microsoft made the following Identity-related announcements:

   

Azure Active Directory External Identities

Azure Active Directory External Identities help organizations scale, manage directories and maintain continuity. They offer organizations the ability to scale IT resources and costs with just one solution that secures and manages all their identities.

Azure AD External Identities Public Preview empowers developers to build flexible, user-centric experiences for external users, including business partners and customers, and continuously customize without duplicating coding effort. External Identities also streamlines how IT admins manage their directories and identities — employee and external — through the Azure AD tool. 

IT leaders can optimize for business continuity by securely connecting with any user using the identity provider of their choice. This makes it easier for employees to remotely collaborate with their supply-chain partners in Microsoft Teams, SharePoint and custom line-of-business (LOB) apps, and for consumers to stay engaged through seamless digital experiences.

In Eha Goel’s demo, she showed the functionality with a user flow containing the B2X monitoring. Perhaps, this is the direction Microsoft is heading, leaving Azure AD B2B and Azure AD B2C behind.

                     

Application Consent Controls

IT administrators can create policies that decide the types of applications end users can consent to using Application Consent Controls Public Preview

Previously, IT administrators could either allow all end users or no end users to consent to applications. Using Application Consent Controls, admins can create policies in the Azure portal that determine which users can consent to which applications. For example, admins can allow end users to consent to applications that have been publisher verified, see below.

                  

Azure AD Consent Publisher Verification

Publisher Verification Public Preview allows developers with a verified Microsoft Partner Network (MPN) account to mark their applications as “Publisher Verified.”

Developers can distinguish their apps to end users by receiving a blue checkmark that indicates they are a verified publisher. Developers can differentiate their apps with a “verified” badge that will appear on:

  • The Azure Active Directory consent prompt
  • The Enterprise Apps page, and
  • Additional User Experience (UX) surfaces used by end users and admins.

IT administrators also will have increased transparency on whether verified or unverified apps are in use within their organization and can configure consent policies based on publisher verification.

                 

Microsoft Authentication Library Support

Microsoft Authentication Library (MSAL) now supports additional platforms, including Angular Generally Available and Microsoft.Identity.Web for ASP.NET Core Public Preview

Microsoft Authentication Library streamlines how developers implement the right authentication patterns, security features, and integration points that support any Microsoft identity:

  • MSA accounts
  • Azure Active Directory (AD) accounts and
  • Social accounts powered by Azure AD B2C.

Microsoft Authentication Library (MSAL) offers developers identity innovations such as passwordless authentication, multi-factor authentication and Conditional Access options that don’t require developers to implement that functionality themselves. Additionally, Microsoft Authentication Library (MSAL) for Android and iOS allow developers to build first-line worker apps that support shared device sign-in and sign-out.

               

Azure AD Authentication to Azure Database for PostgreSQL and Azure Database for MySQL

Microsoft’s Azure cloud service includes a portfolio of secure, enterprise-grade, fully managed database services that support open-source database engines.  Microsoft is announcing new product capabilities for these two database offerings:

  • Azure Database for PostgreSQL, and
  • Azure Database for MySQL

One of the new capabilities launched on both Azure Database for PostgreSQL and Azure Database for MySQL is Azure Active Directory Authentication Generally Available.

These new product capabilities will help developers across various types and sizes of workloads to productively leverage enterprise-grade security for their mission-critical work and effectively manage the costs of running their databases on PostgreSQL and MySQL.

Posted on May 22, 2020 by Sander Berkouwer in Azure Active Directory

1  

HOWTO: Secure VMware Horizon with Azure MFA through its NPS Extension

How To...

This week, one of my customers is switching to Azure multi-factor authentication as their only multi-factor authentication solution for their employees. As the organization leverages VMware Horizon, this implementation needs to be switched to Azure MFA as well.

Here’s how we secured their VMware Horizon implementation with Azure MFA through the Azure MFA NPS Extension:

 

Why use multi-factor authentication for Horizon?

Organizations face multiple challenges, including (but not limited to):

  • tackling current consumer cloud adoption problems
  • adhering to privacy regulations
  • achieving productivity

 

User cloud adoption problems

Today’s cloud applications and services allow sign-ins with email addresses, as it’s currently the only truly global identifier for people. However, as cloud applications and services are breached, credential sets fall in the hands of malicious people. Though credential stuffing attacks, they will use these leaked credentials and try them on your organization’s public facing applications and services.

Privacy regulations

To adhere to privacy regulations, organizations deploy virtual desktop solutions to provide secure means to achieve productivity with the organization’s sensitive data. There are many virtual desktop solutions in the market today, but VMware’s Horizon product is the popular choice for organizations.

1 + 1 = ?

However, when a malicious person gains access to the ‘secure’ productivity platform of an organization through stuffed credentials. the organization has a big problem.

Multiple MFA methods

With Microsoft cloud services on the rise, another problem might also arise: disparate multi-factor authentication methods for users. It’s counter-intuitive for people to have to use one multi-factor authentication method for one system or platform the organization uses, and another method for another. The hassle of keeping more than one method up to date for people who change phone numbers and/or phones yearly grows exponentially with each multi-factor authentication method added.

Note:
In my opinion, administrators should get used to multiple multi-factor authentication methods and solutions to avoid getting locked out by single multi-factor authentication solution acting up.

 

Getting ready

Before following the below steps, make sure you meet the following prerequisites:

  • Implement one or more additional Windows Server-based virtual machines to act as the Network Protection Services (NPS) Server(s) for Horizon. Make sure they run Windows Server 2016, or up. Implement the server on the same network as the Active Directory Domain Controllers.
  • Provide network connectivity between the new NPS Server(s) and the Horizon implementation. Take care of any routes and firewall configurations. Horizon View’s Connection Server(s) need access to the NPS Server(s) using UDP1812 and UPD1813.
  • Provide network connectivity between the new NPS Server(s) and Azure Active Directory. The NPS Server(s) need TCP80 and TCP443 access to these addresses:
      • https://adnotifications.windowsazure.com
      • https://login.microsoftonline.com
      • https://credentials.azure.com
      • https://provisioningapi.microsoftonline.com
      • https://aadcdn.msauth.net
      • https://*.nuget.org
      • https://nuget.cdn.azure.cn
  • You need the credentials for an account in Active Directory to join the NPS Server(s) to Active Directory.
  • You need the credentials to sign in to the NPS Server with an account that has local administrator privileges.
  • You need the credentials to sign in to the Horizon implementation with an account that has administrator privileges and access to Horizon Console.
  • You need the credentials for an account in Azure Active Directory that has the Global Administrator role.
  • Make sure all user accounts in Active Directory who will use Azure MFA with Horizon are synchronized to Azure Active Directory.
  • Make sure all persons who will use Horizon with Azure MFA have completed their one-time registration for Azure Multi-factor Authentication and are assigned the Azure AD Premium P1 stand-alone subscription license or a license bundle that includes Azure AD Premium P1.
  • Download the latest version of the NPS Extension for Azure MFA and place it on the disk of the NPS Server(s), so it’s available for installation.
  • Download the Visual C++ Redistributable Packages for Visual Studio 2013 (X64) and place it on the disk of the NPS Server(s), so it’s available for installation.

 

How to get the Azure AD Tenant ID

The installation of the Azure MFA Adapter needs the Azure AD tenant ID as input. To get this ID, follow these steps:

  • Open a web browser.
  • Navigate to the Azure AD Portal.
  • Sign in with an Azure AD account that has privileges to access the Azure AD data.
    As one of the prerequisites is the credentials of an Azure AD account with Global Administrator privileges, you can use that account, but you may opt to use a lesser privileged Azure AD account.
  • Perform multi-factor authentication, when prompted.
  • In the left navigation pane, click on Azure Active Directory.
  • In Azure Active Directory’s navigation pane, click on Properties.
  • Copy the value from the Directory ID field.
  • Close the web browser.

 

How to install the NPS Server

Follow these steps to install the NPS Server with the required components:

  • Sign in to the NPS Server wit local administrator privileges.
  • Start an elevated Windows PowerShell session and issue the following line of Windows PowerShell to join the Windows Server installation to Active Directory:
  • Add-Computer-DomainName"nlan.local"
  • Restart-Computer
  • After the Windows Server installation reboots, sign in with an Active Directory account that provides local administrator privileges to the NPS Server.
  • Start an elevated Windows PowerShell session.
  • Run the following line of Windows PowerShell to install the Network Protection and Authentication Server (NPAS) role:
  • Install-WindowsFeatureNPAS-IncludeManagementTools
  • Run the following line of
    Windows PowerShell to install the AzureAD PowerShell
    Module. Follow the on-screen instructions.
  • Install-module AzureAD
  • Run the Visual C++ Redistributable Package for Visual Studio 2013 to install it. Follow the on-screen instructions.
  • Run setup.exe from the NPS Extension for Azure MFA to install it. Follow the on-screen instructions.
  • Run the following lines of Windows PowerShell to configure the Azure MFA NPS Extension:
  • cd ”c:\ProgramFiles\Microsoft\AzureMfa\Config"
  • .\AzureMfaNpsExtnConfigSetup.ps1
  • When prompted, sign in with the Azure AD account with Global Administrator privileges.
  • Paste the Azure AD tenant ID.
  • Close the PowerShell window.

Repeat the above steps on the second NPS Server.

 

How to configure the NPS Server

Follow these steps to configure the NPS Server settings:

  • Now, Open the Network Policy Server management console from either Server Manager’s Tools menu, or the Administrative Tools folder in the Start Menu.
  • Right-click the NPS (Local) node in the top left corner of the navigation screen and click on the Register server in Active Directory menu item.
  • Next, right-click on the Radius Clients node in the navigation screen. Click New.
    The New RADIUS Client window appears.
  • Make these changes:
    • Select the Enable this RADIUS client option.
    • Specify a meaningful value in the Friendly name: field.
    • Define the IP address or fully qualified domain name for  the Horizon View Connection Server you’d want to configure with Azure MFA in the Adress (IP or DNS): field.
    • Specify a shared secret in the Shared secret: and the Confirm shared secret: fields, that will be used to obfuscate the traffic between the Horizon Connection Server and the NPS Server.
    • Click OK.
  • Create RADIUS clients for each Horizon Connection Server you’d want to configure.
  • Next, right-click on the Network Policies node in the navigation screen.
  • Duplicate the default Connections to other access servers network policy.
  • Assign priority 1.
  • Make two changes in the duplicated network policy:
    1. Check the Policy enabled option in the Policy State area.
    2. Check the Grant access. Grant access if the connection request matches this policy option in the Access Permission area.

AzureMFA NPS Settings (click for original screenshot)

  • Save the network policy by clicking OK.
  • Close the Network Policy Server management console.
  • Sign out.

 

How to configure VMware Horizon

On the Horizon View Management Server(s), configure the following settings:

  • Open Horizon Administrator.
  • Navigate to View Configuration, then to Servers.
  • On the Connection Servers tab, select a server instance to (re)configure.
  • Click Edit.
  • Click on the Authentication tab.
  • In the Advanced Authentication section, select RADIUS from the drop-down list for the 2-factor authentication value.
  • Enable the option Enforce 2-factor and Windows user name matching.
  • Enable the option Use the same user name and password for RADIUS and Windows authentication.
  • Click the Manage Authenticators… button
    The Manage Authenticators screen appears.
  • Click the Add or Edit button in the Manage Authenticators screen.
    The Edit RADIUS Authenticator modal screen appears.
  • On the Primary Authentication Server tab, specify the following settings:
    • Specify the hostname or IP-address for the NPS Server
    • For the Authentication type:, specify MSCHAP2.
    • Paste the RADIUS shared secret as the Shared Secret: value.
    • For the Server timeout: value, specify 10 seconds.
    • For the Max attempts: value, specify 1.

Azure MFA Horizon Settings (click for original screenshot)

  • To specify a second NPS Server with the Azure MFA NPS Extension installed, repeat the steps on the Secondary Authentication Server tab.
  • Click OK.
  • Close Horizon Console.

 

Concluding

The Azure MFA NPS Extension proves to be a splendid way to provide multi-factor authentication to VMware Horizon implementations. Now, credential stuffing attacks by malicious persons aren’t something to worry about anymore for the sensitive data handled in Horizon implementations.

Further reading

Download the NPS Extension for Azure MFA
Configure Firewalls for RADIUS Traffic
Integrate your existing NPS infrastructure with Azure Multi-Factor Authentication  Enable Two-Factor Authentication in Horizon Administrator

Posted on May 20, 2020 by Sander Berkouwer in Azure Active Directory, Multi-Factor Authentication, VMware

4  

Identity-related sessions at Microsoft Build 2020

Microsoft Build 2020

Microsoft organizes Microsoft Build 2020 as a free digital event between Tuesday May 19th 8AM Pacific Time and Thursday May 21st 8 AM Pacific Time.

Microsoft Build is Microsoft’s annual conference event, aimed at software engineers and web developers using Windows, Microsoft Azure and other Microsoft technologies. First held in 2011, it serves as a successor for Microsoft's previous developer events, the Professional Developers Conference (PDC) and MIX.

During Build 2020, you can enjoy the following general and Identity-related sessions:

 

Build Live Sessions

BDL211 – The importance of an Identity Platform

Speakers: Sonia Cuff, Jess Dodson, Jesse Suna
Date: Wednesday May 20
Duration: 60 minutes

Join Sonia, Jess and Jesse to discuss why Identity is a crucial technology component for both IT Pros and Developers.

 

Digital Break-out Sessions

INT105 – Building zero friction apps on Teams with SSO and Graph

Speaker: Nick Kramer
Level: 200
Date: Wednesday May 20, Thursday May 21
Duration: 30 minutes

Remove roadblocks on the way of your app adoption with SSO, Microsoft Graph, and resource-specific consent.

 

INT107 – Microsoft Graph Live

Speaker: Darrel Miller
Level: 100
Date: Tuesday May 19, Wednesday May 20, Thursday May 21
Duration: 30 minutes

Microsoft Graph is the API that describes the patterns of identity, productivity and security in organization around the world. Join us for a lively session and learn how to get started connecting you applications to the Microsoft Graph.

 

INT108 – Creating Trustworthy applications with Microsoft Identity

Speaker: Jeff Sakowicz / Philiipe Signoret
Level: 200
Date: Wednesday May 20, Thursday May 21
Duration: 30 minutes

Join this session and learn best practices to create secure and trustworthy applications with the Microsoft identity platform. Learn how to develop apps that can be securely adopted by organizations and how to use verification and certification programs to build trust.

 

INT109 – Reach millions of users building apps with the Microsoft Identity Platform

Speaker: Jean-Marc Prieur
Level: 200
Date: Wednesday May 20, Thursday May 21
Duration: 30 minutes

The Microsoft identity platform offers the building blocks for authentication, single sign-on and resource access. Join this session and learn how you can build apps that reach any user, from employees to customers to partners and more.

 

Community Connection Experiences

Com04 – Ask the Team: Azure Active Directory B2C

Speakers: Abhishek Agrawal, Steve Ball, Jenny Ferries, Neha Goel, and others
Level: 200
Date: Wednesday May 20
Duration: 60 minutes

Ask questions about customizing the way your customers sign up, sign in, and manage profiles when using iOS, Android, .NET, and single-page (SPA). Connect with Microsoft’s identity team!

 

COM09 – Ask the Team: Identity and Access for Azure

Speakers: Saeed Akhter, Sudheer Bysani, Ramiro Calderon, Jenny Ferries, and others
Level: 200
Date: Wednesday May 20
Duration: 60 minutes

Meet the Identity team and ask questions about best practices for securing Azure resources. Discuss RBAC and authenticating to Azure resources and your own microservices.

 

COM30 – Expert Q&A: Authentication Libraries

Speakers: Jenny Ferries, Bogdan Gavril, Jean-Marc Prieur
Level: 200
Date: Wednesday May 20
Duration: 30 minutes

Get questions about authentication libraries like MSAL.NET, middleware, and Microsoft.Identity.Web answered. Bring your questions about building secure by default ASP.NET Core web apps and web APIs.

 

COM45 – Expert Q&A: M365 Application Validation

Speaker: Michael Aldridge
Level: 200
Date: Wednesday May 20
Duration: 30 minutes

Creating and getting your application into the store is critical so customers can find it. Learn pro-tips on how to submit your application and avoid mistakes to get to market as soon as possible.

 

COM49 – Expert Q&A: Remote Work with Microsoft 365

Speaker: Stephen Rose
Level: 200
Date: Wednesday May 20
Duration: 30 minutes

Join Stephen Rose with your questions, comments, and feedback on our new portal to enable their employees to work remotely with Microsoft 365.

 

COM94/COM95 – Focus Group: Microsoft Graph Features and Feedback

Speakers: Yina Arenas, Vincent Biret, Arpitha Dhanapath, Ryan Gregg, and others
Level: 200
Date: Wednesday May 20, Thursday May 21
Duration: 60 minutes

Focus Groups are a chance for us to hear from you. To ensure all participants can share their thoughts, these sessions have limited capacity. Microsoft Graph is constantly evolving to keep pace with what our developers want. Come share your feedback with us around new features/services that are upcoming in Microsoft Graph Services.

 

COM96/COM97 – Focus Group: Microsoft Identity Platform Permissions & Consent

Speakers: Ipshita Nag, Jeff Sakowicz, Philippe Signoret, and others
Level: 200
Date: Thursday May 21
Duration: 60 minutes

Focus Groups are a chance for us to hear from you. To ensure all participants can share their thoughts, these sessions have limited capacity. Provide feedback on Microsoft Identity Platform's permissions & consent framework. Discuss challenges, consent policies set by customers, and the new publisher verification experience.

 

COM106 – Focus Group: Securing Applications and Services

Speakers: Susan Mings, Ipshita Nag, Kevin Yam
Level: 200
Date: Tuesday May 19
Duration: 60 minutes

Focus Groups are a chance for us to hear from you. To ensure all participants can share their thoughts, these sessions have limited capacity. Join the Microsoft Identity team to discuss your experience as a Developer or DevOps professional integrating apps with our authentication platforms so we can build better tools for you.

COM136 – Focus Group: Application Experience for Azure AD

Speakers: Allison Amaral, Luis Carlos Leon Plata, Sam Mak, Ipshita Nag, Ben Vincent
Level: 200
Date: Tuesday May 19
Duration: 60 minutes

Focus Groups are a chance for us to hear from you. To ensure all participants can share their thoughts, these sessions have limited capacity. See scenarios regarding the new unified app experience that combines the enterprise app and app registration experiences. Create, edit, and manage custom applications, app proxy, or gallery apps.

 

COM229 – Introduction to Digital Identity, the foundation of digital trust

Speaker: Kristina Yasuda
Level: 200
Date: Thursday May 21
Duration: 30 minutes

Single-sign on, multifactor authentication, usage of biometrics, etc. Have you ever noticed that how we authenticate and verify ourselves is at the foundation of digital trust? Welcome to the world of Digital identity! We will do a quick tour over the concepts, standards and use-cases.

Posted on May 18, 2020 by Sander Berkouwer in Azure, Azure Active Directory

0