Why Everyone’s talking about Hybrid Cloud Trust

Windows Hello for Business

In a world with both Active Directory and Azure AD, organizations have to make choices. It seems they can either stick with their proven Active Directory, or jump ahead to Azure AD. Luckily, there’s a third option. Using Azure AD Connect, organizations can have the best of the Active Directory and Azure AD worlds.

The best or the worst of both worlds?

When Azure AD benefits like Azure Multi-factor Authentication, Dynamic Groups and Access Reviews are coupled with the robustness and data sovereignty of Active Directory, further benefits like single sign-on, cloud AI, and high availability emerge. This is typically referred to as ‘Hybrid Identity’.

When done wrong, an attacker who successfully pwns Active Directory also pwns the organization’s Microsoft 365 data. This is typically referred to in biblical terms.

The right choices need to be made.

Where Passwordless comes in

In a Hybrid Identity setup, single sign-on can be based on federation, on (hybrid) Azure AD Join, or on Azure AD Connect’s Seamless Single Sign-On option.

However, Microsoft’s Passwordless authentication methods, like Windows Hello for Business, Microsoft Authenticator’s Phone Sign-in and FIDO2, are all engineered with their basis firmly in Azure AD. Active Directory is still stuck in the 90s with passwords and certificates, enhanced by occasional Kerberos improvements ever since Windows NT 5 Beta 5.

Windows Hello for Business is a prime specimen of Microsoft Passwordless technologies. It allows interactive sign-ins to devices that run Windows 10 or Windows 11 and are either Azure AD-joined or hybrid Azure AD-joined.

Several members of the Identity Division have been quoted to say something along the lines of:

When you Hybrid Azure AD join instead of Azure AD join, an angel loses its wings.

With organizations going the pure Azure AD Join route for devices with default settings, an interesting situation occurs: people have seamless access to on-premises resources when the device is on-premises (or connected to a VPN) and they signed in with a username and password, but they are prompted for a username and password when they signed in using Windows Hello for Business…

Trust

Luckily, you can make this work without password prompts. There are three ways to have Active Directory trust Azure AD sign-ins:

  1. Key Trust
    With key trust, when a person successfully configures Windows Hello for Business, a key credential is generated. Azure AD Connect writes a link to this RSA 2048-bit asymmetric key to the msDS-KeyCredentialLink attribute of the user object in Active Directory. When accessing on-premises resources, the user provides the necessary information regarding the value of that attribute and the Domain Controller is able to verify the user’s identity with that information (if it runs Windows Server 2016, or up).
  2. Certificate Trust
    With certificate trust, when a person successfully configures Windows Hello for Business, the Azure AD-joined device requests a user certificate for the user and the private key is stored on the device, protected by the TPM chip. The Certificate Connector for Microsoft Intune provides the bridge to the internal CA. When accessing on-premises resources, the user signs in with certificate-based authentication, just like he or she would with a (virtual) smart card.
  3. Cloud Trust
    With cloud trust, Azure AD acts as a read-only domain controller. Regardless of the sign-in method, the device receives (or updates) both a Primary Refresh Token (PRT) from Azure AD and a partial Kerberos Ticket Granting Ticket (TGT) from Active Directory. When accessing on-premises resources, the partial TGT is automatically exchanged for a TGT from a domain controller that provides access to on-premises resources.

The first two trust types are based on a key credential or a full-blown user certificate that the user presents to Active Directory. As Active Directory understands certificates, this works as well as you might expect.

Cloud Trust

The last trust type uses plain old Kerberos, but it has some tricks up its sleeve to make it all work seamlessly. That makes the hybrid cloud trust model the preferred model, as long as you have devices that run Windows 10 version 22H2 (or up), Domain Controllers that run Windows Server 2016 (or up) and as long as you use Azure AD Connect.

Let’s dive in!

Hybrid Cloud Trust, How do I set it up?

Setting up hybrid cloud trust requires only four lines of PowerShell on a Windows Server that runs Azure AD Connect v2.x. Perform these four lines in an elevated PowerShell window:

# Load the AzureADKerberos module that ships with Azure AD Connect v2.x
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"
# The DNS name of the Active Directory domain this server is a member of
$domain = $env:USERDNSDOMAIN
$cloudCred = Get-Credential -Message 'Specify the userPrincipalName for an account with Global Administrator privileges in Azure AD.'
$domainCred = Get-Credential -Message 'Specify an Active Directory user who is a member of the Domain Admins group.'
# Create the AzureADKerberos read-only domain controller object in Active Directory and in Azure AD
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

Then, with the Get-AzureADKerberosServer cmdlet from the same PowerShell module, you can get the information on the read-only domain controller object and the last time the shared secret for cloud trust was updated on either end.

Azure AD as an RODC, How does that work?

After you set up cloud trust, a new read-only domain controller named AzureADKerberos appears in the Domain Controllers Organizational Unit (OU) of the Active Directory domain that is configured for cloud trust.

This computer object does not represent an actual Windows Server installation, but is a representation of a read-only domain controller. The secret for the server object is synchronized to Azure AD.

When cloud trust is configured, Azure AD provides every Windows sign-in to Azure AD-joined devices with a partial Kerberos ticket-granting ticket (TGT) that is encrypted and signed with the password of the krbtgt_AzureAD account, associated with the AzureADKerberos read-only domain controller.

After sign-in, this ticket can be seen in the device’s Kerberos ticket cache using the following command-line:

klist.exe

When the device is used to access domain-joined resources and has a line of sight to one or more Windows Server 2016-based domain controllers (or up), the partial TGT is then exchanged for a TGT that is encrypted and signed by the domain controller. This TGT contains all the group memberships, where the partial TGT did not. Based on the full TGT, a Kerberos service ticket (ST) is then requested to access the domain-joined resource.

Important
Because the AzureADKerberos read-only domain controller is not a real domain controller, do not reset its password as you would for other domain controllers. The password for the accompanying krbtgt_AzureAD account needs to be synchronized to Azure AD, so there are other steps involved.

How does an Azure AD-joined device know where to find on-premises domain controllers?

Azure AD Connect provides information on Active Directory to all Azure AD-joined devices. The domain controllers the device knows can be viewed using the following command-line:

nltest.exe /dclist:domain.tld

Replace domain.tld with the DNS domain name of the Active Directory domain.
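The checks below, added here as an example and not code from the original post, turn the verification steps above (Get-AzureADKerberosServer, the AzureADKerberos and krbtgt_AzureAD objects, klist.exe and nltest.exe) into two reusable functions plus a rotation helper. The function names, the 180-day threshold, the klist realm KERBEROS.MICROSOFTONLINE.COM and the klist/nltest parsing patterns are this example’s own assumptions; the -RotateServerKey switch is the module’s documented way to rotate the shared secret, which is the reason the Important note above tells you not to reset the password with Active Directory tools.

```powershell
# Added example, not from the original post: health checks for a Hybrid Cloud Trust deployment.
# Part 1 runs in an elevated PowerShell window on the Azure AD Connect server and needs the
# RSAT ActiveDirectory module. Part 2 runs on an Azure AD-joined Windows 10 22H2 (or up) device.
# Function names, the threshold and the parsing patterns are this example's own assumptions.

# --- Part 1: server side ---------------------------------------------------------------

function Test-CloudTrustServer {
    param(
        [Parameter(Mandatory)] [string]       $Domain,
        [Parameter(Mandatory)] [pscredential] $CloudCredential,
        [Parameter(Mandatory)] [pscredential] $DomainCredential,
        # Assumed policy value: flag a shared secret older than this many days.
        [int] $MaxKeyAgeDays = 180
    )
    Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"
    Import-Module ActiveDirectory

    # The module's own view of the AzureADKerberos object on both ends. Property names
    # (KeyVersion, CloudKeyVersion, KeyUpdatedOn) follow Microsoft's documented output;
    # verify them against the module version you run.
    $server = Get-AzureADKerberosServer -Domain $Domain -CloudCredential $CloudCredential -DomainCredential $DomainCredential

    # The RODC computer object should live in the Domain Controllers OU of the trusted domain.
    $rodc   = Get-ADComputer -Identity 'AzureADKerberos' -Properties DistinguishedName
    $inDcOu = $rodc.DistinguishedName -like '*,OU=Domain Controllers,DC=*'

    # The krbtgt_AzureAD password signs every partial TGT, so its age is the key-rotation clock.
    $krbtgt = Get-ADUser -Identity 'krbtgt_AzureAD' -Properties PasswordLastSet
    $keyAge = (Get-Date) - $krbtgt.PasswordLastSet

    [pscustomobject]@{
        RodcInDomainControllersOu = $inDcOu
        KrbtgtPasswordLastSet     = $krbtgt.PasswordLastSet
        KeyAgeDays                = [int]$keyAge.TotalDays
        RotationDue               = $keyAge.TotalDays -gt $MaxKeyAgeDays
        KeyVersionsMatch          = ($server.KeyVersion -eq $server.CloudKeyVersion)
        KeyUpdatedOn              = $server.KeyUpdatedOn
    }
}

function Invoke-CloudTrustKeyRotation {
    param(
        [Parameter(Mandatory)] [string]       $Domain,
        [Parameter(Mandatory)] [pscredential] $CloudCredential,
        [Parameter(Mandatory)] [pscredential] $DomainCredential
    )
    Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"
    # Rotate through the module so both Active Directory and Azure AD receive the new secret.
    # Resetting the AzureADKerberos or krbtgt_AzureAD password with Active Directory tools would
    # leave Azure AD signing partial TGTs with a key the domain no longer accepts.
    Set-AzureADKerberosServer -Domain $Domain -CloudCredential $CloudCredential -DomainCredential $DomainCredential -RotateServerKey
}

# --- Part 2: device side ---------------------------------------------------------------

function Get-CloudTrustTicketState {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        # Assumption: the partial TGT from Azure AD is listed by klist under this realm.
        [string] $CloudRealm = 'KERBEROS.MICROSOFTONLINE.COM'
    )

    # klist prints one "Server: krbtgt/<realm> @ <REALM>" line per TGT in the cache.
    $realms = foreach ($line in (klist.exe 2>$null)) {
        if ($line -match 'Server:\s+krbtgt/\S+\s+@\s+(?<realm>\S+)') { $Matches['realm'] }
    }

    # nltest lists the domain controllers the device learned through Azure AD Connect;
    # assumed line shape: leading spaces, host name, then flags in square brackets.
    $dcs = foreach ($line in (nltest.exe /dclist:$Domain 2>$null)) {
        if ($line -match '^\s+(?<dc>[^\s\[]+)\s+\[') { $Matches['dc'] }
    }

    # Kerberos line of sight means TCP 88 is reachable on at least one domain controller.
    $reachable = @($dcs | Where-Object { Test-NetConnection -ComputerName $_ -Port 88 -InformationLevel Quiet })

    [pscustomobject]@{
        PartialCloudTgtPresent = ($realms -contains $CloudRealm)
        FullDomainTgtPresent   = ($realms -contains $Domain.ToUpperInvariant())
        KnownDomainControllers = @($dcs)
        ReachableOnPort88      = $reachable
    }
}

# Usage (Azure AD Connect server):
#   Test-CloudTrustServer -Domain $env:USERDNSDOMAIN -CloudCredential (Get-Credential) -DomainCredential (Get-Credential)
# Usage (Azure AD-joined device, replace domain.tld with your Active Directory DNS domain name):
#   Get-CloudTrustTicketState -Domain 'domain.tld'
```

On a healthy device off the corporate network you expect PartialCloudTgtPresent to be true and FullDomainTgtPresent to be false; once a domain controller is reachable on port 88 and a domain resource has been accessed, both become true. On the server side, a KeyVersionsMatch of false or a large KeyAgeDays is the signal to run Invoke-CloudTrustKeyRotation rather than touching the accounts directly.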

Concluding

Cloud trust allows people with synchronized accounts to access Kerberos-based on-premises resources when they sign in using Windows Hello for Business.

Cloud trust is not limited to Windows Hello for Business, though: Microsoft’s recent public preview for single sign-on to Azure Virtual Desktop (AVD)-based devices without Active Directory Federation Services (AD FS) also uses cloud trust. Expect more (single) sign-in experiences to emerge based on cloud trust!


I’m co-presenting a session at Experts Live Netherlands 2022

1931 Congrescentrum Den Bosch

Advertised as the biggest Microsoft IT Pro event in the Netherlands, Experts Live Netherlands will take place Friday September 30th, 2022 at Conference Center 1931 in Den Bosch. It’s a privilege to share the stage again with my buddy Raymond.


About Experts Live

Experts Live is an independent platform for IT Professionals on Microsoft solutions. A platform for and by the community. Almost every year, Experts Live organizes its knowledge event in the Netherlands. Started as an idea from a small group of Dutch Microsoft MVPs, Experts Live has become the largest Microsoft community event in the Netherlands, with over a thousand visitors.

Both national and international speakers update the visitors in one day on the latest Microsoft technologies. Subsequently, through the years, many famous and notorious speakers delivered sessions on the Experts Live events.

This year, Experts Live is hosted at Conference Center 1931 in Den Bosch again, and scheduled for Friday September 30th, 2022. The event offers over 40 break-out sessions, an opening panel discussion and drinks afterward.


About our session

I’ll deliver a 50-minute session in the Security track, together with Raymond Comvalius, right after the keynote by Mikko Hyppönen:

Properly securing Azure AD Connect and Azure AD Connect Cloud Sync

10AM – 10:50AM, level 300

There are ways to hack Azure AD Connect’s database and compromise the entire Active Directory forest. Designing and running Azure AD Connect and Azure AD Connect Cloud Sync in a highly-secure networking environment with proxies and high-availability requirements is no easy task.

Join Raymond Comvalius and me in this session to learn how to implement Azure AD Connect Sync or Azure AD Connect Cloud Sync in a secure way and how to monitor and audit it for proper security.

Even if you’re not a security professional, you’ll find that the demos and guidance in this session enable you to confidently make better security choices on Monday!


Join us!

Experts Live Netherlands hasn’t sold out yet, but there’s only a handful of tickets left. Snag yours before it’s too late (registration page in Dutch) and join us!


I’m presenting at NT Konferenca 2022

NTK2022

I’m proud to announce that I’ll be presenting three sessions at this year’s NT Konferenca in Slovenia later this month.


About NT Konferenca

NT Konferenca is the biggest Slovenian technological conference. NT Konferenca is not just about IT trends and solutions. It is also about the ways to include them in everyday business processes and how to effectively use them in business challenges in order to reach objectives in a more rapid, time-efficient and affordable way.

The 27th NT Konferenca event takes place from September 26th to September 28th, 2022 in Grand Hotel Bernardin in Portorož, along Slovenia’s coastline. With fantastic speakers, many I call friends, like Ljubo Brodaric, Slavko Kukrika, Tomislav Lulic, Paula Januszkiewicz, and Aleksandar Nikolic, the 2022 edition of NTK shapes up to be another fantastic event.


About my sessions

I’ll present three 60-minute sessions:


Increasing the security of on-premises Active Directory with Entra and Defender technologies

Tuesday September 27th, 12:45 PM – 1:45 PM, Room Mediteranea, Level 300

Would you believe a networking infrastructure can become more secure by adding a cloud to it? This session gives real-world examples and thorough guidance on how Entra and Defender technologies make on-premises environments more secure.

Air-gapping and the accompanying immense challenges for updating, activating, and monitoring for admins are truly referred back to the 80s in this session. Many old-fashioned CISOs truly believe air-gapping their environment and requiring multi-multi-multi-factor authentication for access off-premises is the way to go. It is not.

In this session, Sander Berkouwer shows how organizations can:

  1. Require multi-factor authentication only when needed because of the risk
  2. Get notified and can automatically remediate leaked credentials
  3. Ban bad passwords
  4. Manage fragile Domain Controllers better

This session features a couple of exciting demos to showcase the strengths of Azure AD, Azure AD Connect Health, and Microsoft Sentinel. This is a session no Active Directory admin should miss!


Just apply the basics in your Azure AD tenant!

Tuesday September 27th, 3:15 PM – 4:15 PM, Room Europa B+D, Level 300

With Microsoft's focus on Defender for * and Azure AD Premium P2 features, you might start to believe that you can't be successful in your identity and zero trust journeys when you don't have these products and licenses. The opposite is true: without doing the basics in your Azure AD tenant, all these advanced products don't perform as well as you'd think…

After numerous Azure AD security assessments, Sander Berkouwer has identified the basics that most organizations seem to have forgotten. Without these basic measures, their Microsoft 365 services are at risk regarding security, privacy, and productivity. For most organizations applying these basics is trivial and relatively easy to start with. Come to this session to learn the basics and their caveats, and then confidently apply the basics to your Azure AD tenant!


Windows Hello for Business Hybrid Access: How Does It Work Under The Covers?

Wednesday September 28th, 9 AM – 10 AM, Room Emerald 1, Level 300

As weak, stolen, and cracked passwords are at the root of 80% of cybersecurity incidents, Passwordless has the potential to change the world. Under the covers, Windows Hello for Business, Microsoft's Passwordless solution, has already changed the authentication paradigm for Active Directory.

Regardless of the device being domain-joined, hybrid Azure AD-joined, or Azure AD-joined, you can access organizational resources without specifying credentials.

In this session, Sander Berkouwer, 13-time Microsoft MVP, explains how Windows Hello works in all three scenarios and what you need to get it going for your organization.


Join us!

Tickets are limited, but still available for NT Konferenca.
Register here and join me for these sessions.


Pictures of VeeamON Tour Netherlands 2022

VeeamON Tour Netherlands BBQ

Last week, Veeam Benelux organized VeeamON Tour on the Island of Maurik in the Netherlands. Maurice Kevenaar, Jeroen Leijsten and I attended as the leaders of the Dutch Veeam User Group.

Audience gathering at Pavilion A (click for larger picture by Veeam Benelux)

The day started early and bright. While attendees flocked to the venue from 9:30 onward, we were there to set up the Veeam User Group Netherlands booth, spread some promotional material for the User Group (flyers and pens) and socialize with Veeam employees.

VeeamUGNL
Veeam User Group Netherlands Swag
VeeamON Tour Netherlands 2022 Badge

After a Haka workshop, at 10:45, the keynote commenced, followed by the first round of 45-minute inspirational sessions:

View from the Opening Session (click for larger photo, by Veeam Benelux)
Inspiration session on preventing ransomware (click for larger photo, by Veeam Benelux)
Inspiration session on cyber insurance (click for larger photo, by Veeam Benelux)

After the first round of sessions, lunch was served from two food trucks offering burgers and Asian food. A salad bar completed the lunch setup.

Lunch from foodtrucks (click for larger photo, by Veeam Benelux)

The second round of inspiration sessions (the same as the previous sessions, but with pavilions A and B switched) then provided a perfect ramp-up for several activities, including archery and riding along in a Dakar Rally truck.

At 16:30, people could order drinks after they wrestled themselves through the booths of the sponsors and our little Veeam User Group. At 16:00 the BBQ was fired up and the remaining people enjoyed a dinner before leaving home.

BBQ (click for larger photo)

We had a lot of good conversations with attendees, Veeam employees and sponsors. We feel inspired to continue the work of the Veeam User Group Netherlands and will soon communicate where we’ll be next!


Pictures of the KNVI Knowledge BBQ

Enjoying The View

Last week, Raymond and I presented at the KNVI Knowledge BBQ in Rotterdam.

As the event was practically in my backyard, I drove to the location and set up the equipment, together with Tom Dalderup. Slightly after 14:00 we started with the six ways that Azure AD makes sense to Active Directory admins.

Erwin Derksen about Endpoint Manager (click for larger photo by Chris Raghoebarsing)

After that, Erwin Derksen showed the attendees a seventh way when he shared his experiences with Endpoint Manager.

Raymond presenting in his shorts (click for larger photo)
Raymond presenting (click for larger photo by Chris Raghoebarsing)
Sander presenting (photo by Chris Raghoebarsing)

After a short break, Raymond and I presented our second session. We shared our process on the Passwordless journey and explained the benefits of using Windows Hello for Business (WHfB). We also highlighted Temporary Access Passes (TAPs) as a way for people to be born with strong credentials within the organization during onboarding. Obviously, this represented the 8th way people can benefit from a little Azure AD.

After the three sessions, it was time to enjoy the views from the sixth floor and go for some drinks and food.

View of Rotterdam from the 6th floor at ZPiNNERZ (click for larger photo by Chris Raghoebarsing)
Enjoying the BBQ (click for larger photo by Chris Raghoebarsing)

Raymond and I received some great feedback on our session and went home with great energy.

Thank you!

A big ‘Thank You!’ to all the KNVI attendees, Erwin Derksen, Chris Raghoebarsing and Tom Dalderup for making this event another enjoyable experience!


What's New in Microsoft Defender for Identity in August 2022

Microsoft Defender for Identity

Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).

What’s New

In August 2022, three new versions of Microsoft Defender for Identity were released:

  1. Version 2.186, released on August 10, 2022
  2. Version 2.187, released on August 18, 2022
  3. Version 2.188, released on August 28, 2022

These releases introduced the following functionality:

Health Alerts with FQDNs instead of NetBIOS names

Since version 2.187, health alerts will now show the Microsoft Defender for Identity sensor's fully qualified domain name (FQDN) instead of the NetBIOS name.

New Health Alerts

Since version 2.187, new health alerts are available for capturing component type and configuration. A full overview of all Microsoft Defender for Identity sensor health alerts is available here.

Logic Behind Suspected DCSync Attack detections

Since version 2.187, Microsoft changed some of the logic behind how the Suspected DCSync attack (replication of directory services) (external ID 2006) alert is triggered. This detector now covers cases where the source IP address seen by the sensor appears to be a NAT device.

Improvements and Bug Fixes

All August 2022 Defender for Identity releases include improvements and bug fixes for the internal sensor infrastructure.


I'm co-presenting a session on Windows Hello for Business at the Cloud Identity Summit

CloudIdentitySummit22

On September 20, 2022, Raymond Comvalius and I will present a 50-minute session on Windows Hello for Business at the third Cloud Identity Summit, organized by the Azure Bonn user group.

About the Cloud Identity Summit

The Cloud Identity Summit aims to bring together people from different areas of Identity and Access Management (IAM) and provide an open community platform for collaboration and exchange of ideas.

The Cloud Identity Summit focuses on cloud identity management and its various aspects, such as identity protection, managing external accounts, passwordless and much more. The Cloud Identity Summit is a free event that focuses on the exchange between the participants. The group of participants is international and comes from different areas and industries.

The third Cloud Identity Summit will take place on September 22, 2022. After two great (virtual) conferences Thomas Naunheim, Rene dé la Motte, Gregor Reimling and Melanie Eibl are looking ahead and plan the 3rd edition as a hybrid event and of course still free of charge. They had to look for a new location at short notice and are happy to be able to hold the conference at adesso SE.

The conference will consist of two parts: The morning workshops will only be held on-site in Bonn. The afternoon sessions and the subsequent roundtable with all experts will be available both on-site in Bonn and online.

The Cloud Identity Summit features two tracks:

  1. Identity Management (09:30-16:30)
    In the Identity Management track, the morning is filled with an interactive workshop on Microsoft Entra Verified Identities by Stefan van der Wiele. After lunch, Jan Vidar Elven, David Frappart and Christopher Brumm present on topics related to managing identity in the Microsoft ecosystem.
  2. Identity Security (09:30 – 17:30)
    Nestori Syynimaa kicks off the Identity Security track with a workshop on AADInternals. After lunch, Eric Berg, Sergey Chubarov, David O’Brien, Raymond Comvalius and I present sessions on securing identity in the Microsoft ecosystem.

After the sessions, a roundtable and a raffle conclude the day.

About our session

Raymond and I will present a 50-minute session on:

Windows Hello for Business Hybrid Access: How Does It Work Under The Covers?

4:30 PM – 5:20 PM, Identity Security Track

As weak, stolen and cracked passwords are at the root of 80% of cybersecurity incidents, Passwordless has the potential to change the world. Under the covers, Windows Hello for Business, Microsoft's Passwordless solution, has already changed the authentication paradigm for Active Directory.

Regardless of the device being domain-joined, hybrid Azure AD-joined or Azure AD-joined, you can access organizational resources without specifying credentials.

In this session, Raymond and I explain how Windows Hello works in all three scenarios and what you need to get it going for your organization.

Join us!

The Cloud Identity Summit is a free in-person event. Registration is open via the Azure Bonn Meetup site (in German).


I’m co-presenting a webinar with Veeam and ENow to bust common Microsoft 365 myths

While working together with Veeam and ENow, I found some common interests. While discussing these interests, we found that most organizations give us the same common answers to our questions. When I proposed to share these answers, the idea was born to provide a free webinar to discuss them and the dangers that they hold.


About the webinar

On Tuesday September 13th, 2022, starting at 6 PM CEST, I will be co-presenting a 60-minute webinar with Jay Gundotra from ENow and Karinne Bessette from Veeam on:

Busting Common Microsoft 365 Myths

In the past years, IT has changed dramatically. The pandemic accelerated Microsoft Teams and overall Microsoft 365 adoption, Office co-authoring surged, and organizational data found its way to all sorts of cloud apps.

In this webinar, Jay Gundotra, Karinne Bessette and Sander Berkouwer discuss how things have changed from their perspective. Working with organizations has offered us many insights in the way people think. While discussing our experiences, we found three common myths:

We have a 99,99% SLA. Monitoring Microsoft 365 is unnecessary.

Procurement is in charge of managing Microsoft 365 licenses. They’re in control.

Microsoft takes care of backups as part of Microsoft 365. We don’t have to do anything in that area to ensure business continuity.

Most organizations believe these myths to be true, but they are not. In fact, it’s dangerous to assume these myths are true in this cloud age, as they may result in downtime and data loss at a higher price.

As each of us has a different view on IT today, this webinar provides many insights on how to ‘do cloud right’. Join us for 60 minutes of discussion and demos. Of course, afterward we take the time to answer any questions you may still have on these three myths.


Register today!

Join Jay, Karinne and me on September 13, 2022, for 60 minutes of busting Microsoft 365 myths. Register for free here.

Note:
This webinar is offered free of charge, thanks to the sponsoring by ENow. By signing up for these webinars you agree to their privacy policy.


About ENow

ENow Software

ENow’s digital experience monitoring and reporting for Active Directory, Microsoft Exchange, and Office 365 transforms the way IT supports these complex services, which enables organizations to improve service delivery, increase workplace productivity, and lower total cost of ownership. Unlike Microsoft native tools, ENow’s OneLook dashboard provides comprehensive and unbiased data out-of-the-box so you can get a meaningful picture.


What's New in Azure Active Directory for August 2022

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for August 2022:


What’s New

Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users (General Availability)

Service category: Conditional Access
Product capability: Identity Security & Protection

Organizations can now require a fresh authentication each time a person performs a certain action. Forced reauthentication supports requiring a person to reauthenticate during Intune device enrollment, password change for risky users, and risky sign-ins.


Workload Identity Federation with App Registrations (General Availability)

Service category: Other
Product capability: Developer Experience

Entra Workload Identity Federation allows developers to exchange tokens issued by another identity provider (IdP) for Azure AD tokens, without needing secrets. It eliminates the need to store and manage credentials inside the code or in secret stores to access Azure AD-protected resources such as Azure and Microsoft Graph.

By removing the secrets required to access Azure AD protected resources, workload identity federation can improve the security posture of the organization. This feature also reduces the burden of secret management and minimizes the risk of service downtime due to expired credentials.


External user leave settings (Public Preview)

Service category: Enterprise Apps
Product capability: Business to Business (B2B)/ Business to Consumer (B2C)

Currently, users can self-service leave an organization without the visibility of their IT administrators. Some organizations may want more control over this self-service process.

With this feature, IT administrators can now allow or restrict external identities from leaving an organization through the Microsoft-provided self-service controls, configured via Azure Active Directory in the Microsoft Entra portal. In order to restrict users from leaving an organization, customers need to include a Global privacy contact and a Privacy statement URL under Properties.


Restrict self-service BitLocker for devices (Public Preview)

Service category: Device Registration and Management
Product capability: Access Control

In some situations, admins may want to restrict end users’ self-service access to BitLocker Drive Encryption (BDE) recovery keys. With this new functionality, admins can now turn off self-service access to BDE recovery keys, so that only specific individuals with the right privileges can use a BitLocker recovery key.


Identity Protection Alerts in Microsoft 365 Defender (Public Preview)

Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection risk detections (alerts) are now also available in the Microsoft 365 Defender portal to provide a unified investigation experience for security professionals.


New Federated Apps available in the Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In August 2022, Microsoft added the following new applications to the Azure AD App gallery with Federation support:

  1. Albourne Castle
  2. Adra by Trintech
  3. workhub
  4. 4DX
  5. Ecospend IAM V1
  6. TigerGraph
  7. Sketch
  8. Lattice
  9. snapADDY Single Sign On
  10. RELAYTO Content Experience Platform
  11. oVice
  12. Arena
  13. QReserve
  14. Curator
  15. NetMotion Mobility
  16. HackNotice
  17. ERA_EHS_CORE
  18. AnyClip Teams Connector
  19. Wiz SSO
  20. Tango Reserve by AgilQuest (EU Instance)
  21. valid8Me
  22. Ahrtemis
  23. KPMG Leasing Tool
  24. Mist Cloud Admin SSO
  25. Work-Happy
  26. Ediwin SaaS EDI
  27. LUSID
  28. Next Gen Math
  29. Total ID
  30. Cheetah For Benelux
  31. Live Center Australia
  32. Shop Floor Insight
  33. Warehouse Insight
  34. myAOS
  35. Hero
  36. FigBytes
  37. VerosoftDesign
  38. ViewpointOne – UK
  39. EyeRate Reviews
  40. Lytx DriveCam


New provisioning connectors in the Azure AD Application Gallery (Public Preview)

Service category: App Provisioning
Product capability: 3rd Party Integration

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:

  1. Ideagen Cloud
  2. Lucid (All Products)
  3. Palo Alto Networks Cloud Identity Engine – Cloud Authentication Service
  4. SuccessFactors Writeback
  5. Tableau Cloud


What’s Changed

Multi-Stage Access Reviews (General Availability)

Service category: Access Reviews
Product capability: Identity Governance

Organizations can now meet their complex audit and recertification requirements through multiple stages of reviews.


Entitlement management automatic assignment policies (Public Preview)

Service category: Entitlement Management
Product capability: Identity Governance

In Azure AD entitlement management, a new form of access package assignment policy is being added. The automatic assignment policy includes a filter rule, similar to a dynamic group, that specifies the users in the tenant who should have assignments.

When user accounts start to match the filter rule criteria, an assignment is automatically created, and when they no longer match, the assignment is removed.


On-premises Identity-related updates and fixes for August 2022

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates.

This is the list of Identity-related updates and fixes we saw for August 2022:

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5016622 August 9, 2022

The August 9, 2022 update for Windows Server 2016 (KB5016622), which updates the OS build number to 14393.5291, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that prevents the Key Distribution Center (KDC) Proxy from properly receiving Kerberos tickets for Windows Hello for Business authentications in Hybrid Key Trust implementations.
  • It addresses an issue that causes the KDC code on Domain Controllers to incorrectly return the following error message during shutdown:

KDC_ERR_TGT_REVOKED

  • It addresses an issue that might cause the Local Security Authority Subsystem Service (lsass.exe) to leak tokens. This issue affects devices that have installed Windows updates dated June 14, 2022 and later. This issue occurs when the device performs a specific form of service for user (S4U) in a non-Trusted Computing Base (TCB) Windows service that runs as Network Service.
  • It enforces a hardening change that requires printers and scanners that use smart cards for authentication to have firmware that complies with section 3.2.1 of RFC 4556. If they do not comply, domain controllers will not authenticate them.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5016623 August 9, 2022

The August 9, 2022 update for Windows Server 2019 (KB5016623), updating the OS build number to 17763.3287, is a monthly cumulative update that includes the following Identity-related improvements:

  • It provides the option to configure an alternate login ID for the Azure Multi-Factor Authentication (MFA) Active Directory Federation Services (AD FS) adapter for on-premises scenarios. By default, the adapter configuration does not ignore the alternate login ID (IgnoreAlternateLoginId = $false) unless it is explicitly set to $true.
  • It addresses an issue that might cause the Local Security Authority Subsystem Service (lsass.exe) to leak tokens. This issue affects devices that have installed Windows updates dated June 14, 2022 and later. This issue occurs when the device performs a specific form of service for user (S4U) in a non-Trusted Computing Base (TCB) Windows service that runs as Network Service.
  • It enforces a hardening change that requires printers and scanners that use smart cards for authentication to have firmware that complies with section 3.2.1 of RFC 4556. If they do not comply, domain controllers will not authenticate them.

KB5016690 August 23, 2022 Preview

The August 23, 2022 update for Windows Server 2019 (KB5016690), updating the OS build number to 17763.3346, is a preview update that includes the following Identity-related improvements:

  • It addresses an issue that causes the Resultant Set of Policy tool (rsop.msc) to stop working when it processes 1,000 or more File System security settings.
  • It addresses an issue that causes the Settings app to stop working on Domain Controllers when accessing the Privacy > Activity history page.
  • It addresses a race condition that causes the Local Security Authority Subsystem Service (lsass.exe) to stop working on Domain Controllers. This issue occurs when LSASS processes simultaneous Lightweight Directory Access Protocol (LDAP) over Transport Layer Security (TLS) requests that fail to decrypt. The exception code is:

0xc0000409 (STATUS_STACK_BUFFER_OVERRUN)

  • It addresses an issue that affects a lookup for a non-existent security ID (sID) from the local Active Directory domain using a read-only Domain Controller. The lookup unexpectedly returns the STATUS_TRUSTED_DOMAIN_FAILURE error instead of STATUS_NONE_MAPPED or STATUS_SOME_MAPPED.
  • It addresses an issue that causes a read-only Domain Controller to unexpectedly restart. In the event log, you’ll find the following:
    • Event 1074 with the message: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073740286. The system will now shut down and restart.
    • Event 1015 with the message: A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000602. The machine must now be restarted.
    • Event 1000 with the message: Faulting application name: lsass.exe, Faulting module name: ESENT.dll, Exception code: 0xc0000602.
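The two LSASS failure signatures described for KB5016690 (the LDAP over TLS race that ends in 0xc0000409, and the read-only Domain Controller restart that leaves events 1074, 1015 and 1000 with status 0xc0000602) are easy to hunt for before and after patching. The PowerShell below is an added example, not part of the original article; it assumes the ActiveDirectory module is available, that WinRM is open to the Domain Controllers, and that the account running it can read their Application and System logs.

```powershell
# Added example (not from the original article): hunt the Domain Controllers for the
# lsass.exe failure signatures quoted above, over the last 30 days.
# Assumptions: ActiveDirectory module, WinRM to every DC, log read permissions.

$since = (Get-Date).AddDays(-30)
$dcs   = (Get-ADDomainController -Filter *).HostName

$hits = Invoke-Command -ComputerName $dcs -ArgumentList $since -ScriptBlock {
    param($since)

    # Application log, Application Error (1000): the crash record itself.
    $appCrash = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Faulting application name: lsass\.exe' }

    # System log, 1074 / 1015: the forced restart that follows an LSASS failure.
    $sysRestart = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074, 1015; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'lsass\.exe' }

    foreach ($e in @($appCrash) + @($sysRestart)) {
        # Classify by the status code quoted in the article. Event 1074 prints the
        # code as a signed decimal, so both spellings are matched:
        #   0xc0000409 = -1073740791  STATUS_STACK_BUFFER_OVERRUN (LDAP over TLS race)
        #   0xc0000602 = -1073740286  ESENT failure on a read-only DC
        $signature = switch -Regex ($e.Message) {
            'c0000409|-1073740791' { 'STATUS_STACK_BUFFER_OVERRUN (LDAPS race)'; break }
            'c0000602|-1073740286' { 'ESENT 0xc0000602 (RODC restart)'; break }
            default                { 'other lsass.exe failure' }
        }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Time      = $e.TimeCreated
            Log       = $e.LogName
            EventId   = $e.Id
            Signature = $signature
        }
    }
}

# One row per matching event; an empty table means none of the signatures were seen.
$hits | Sort-Object Computer, Time | Format-Table -AutoSize
```

Run it once before rolling out the preview update to get a baseline, and again afterwards: the 0xc0000409 rows should stop appearing on patched Domain Controllers, while a read-only Domain Controller that keeps logging 0xc0000602 after the update is worth a support case rather than another reboot.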

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5016627 August 9, 2022

The August 9, 2022 update for Windows Server 2022 (KB5016627), updating the OS build number to 20348.887, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that might cause Windows to stop working when you enable Windows Defender Application Control with the Intelligent Security Graph feature turned on.
  • It addresses an issue that causes the Windows profile service to fail sporadically. The failure might occur when signing in. The error message is:

gpsvc service failed to sign in. Access denied

  • It provides the option to configure an alternate login ID for the Azure Multi-Factor Authentication (MFA) Active Directory Federation Services (AD FS) adapter for on-premises scenarios. By default, the adapter configuration does not ignore the alternate login ID (IgnoreAlternateLoginId = $false) unless it is explicitly set to $true.
  • It addresses an issue that might cause the Local Security Authority Subsystem Service (lsass.exe) to leak tokens. This issue affects devices that have installed Windows updates dated June 14, 2022 and later. This issue occurs when the device performs a specific form of service for user (S4U) in a non-Trusted Computing Base (TCB) Windows service that runs as Network Service.
  • It enforces a hardening change that requires printers and scanners that use smart cards for authentication to have firmware that complies with section 3.2.1 of RFC 4556. If they do not comply, domain controllers will not authenticate them.

KB5016693 August 16, 2022 PREVIEW

The August 16, 2022 update for Windows Server 2022 (KB5016693), updating the OS build number to 20348.946, is a preview update that includes the following Identity-related improvements:

  • It addresses an issue that causes Kerberos authentication to fail when a client uses the Remote Desktop Protocol (RDP) to connect to a device that has Remote Credential Guard enabled. The error is:

0xc000009a (STATUS_INSUFFICIENT_RESOURCES “Insufficient system resources exist to complete the API”)

  • It addresses an issue that might cause the deployment of the Windows Hello for Business certificate to fail in certain circumstances after you reset a device.
  • It addresses an issue that causes the Resultant Set of Policy tool (rsop.msc) to stop working when it processes 1,000 or more File System security settings.
  • It addresses an issue that causes the Settings app to stop working on Domain Controllers when accessing the Privacy > Activity history page.
  • It addresses a race condition that causes the Local Security Authority Subsystem Service (lsass.exe) to stop working on Domain Controllers. This issue occurs when LSASS processes simultaneous Lightweight Directory Access Protocol (LDAP) over Transport Layer Security (TLS) requests that fail to decrypt. The exception code is:

0xc0000409 (STATUS_STACK_BUFFER_OVERRUN)

  • It addresses an issue that affects a lookup for a non-existent security ID (sID) from the local Active Directory domain using a read-only Domain Controller. The lookup unexpectedly returns the STATUS_TRUSTED_DOMAIN_FAILURE error instead of STATUS_NONE_MAPPED or STATUS_SOME_MAPPED.
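With five KBs across three Windows Server versions, the practical question is which Domain Controllers actually carry the fixes. The PowerShell below is an added example, not from the original article; it takes the KB numbers and OS build numbers listed above, asks every Domain Controller for its build and hotfix list, and reports both checks side by side. It assumes the ActiveDirectory module and WinRM access to the Domain Controllers; the mapping from build family to KB is taken from the sections above.

```powershell
# Added example (not from the original article): verify the August 2022 updates
# listed above on every Domain Controller. Assumptions: ActiveDirectory module,
# WinRM to every DC, and an account allowed to read the registry and hotfix list.

# KB and build numbers as listed in the article, keyed by the major build number
# that identifies the Windows Server version (14393 = 2016, 17763 = 2019, 20348 = 2022).
$expected = @{
    '14393' = @(
        @{ KB = 'KB5016622'; Build = '14393.5291'; Kind = 'cumulative, Aug 9' }
    )
    '17763' = @(
        @{ KB = 'KB5016623'; Build = '17763.3287'; Kind = 'cumulative, Aug 9' },
        @{ KB = 'KB5016690'; Build = '17763.3346'; Kind = 'preview, Aug 23' }
    )
    '20348' = @(
        @{ KB = 'KB5016627'; Build = '20348.887';  Kind = 'cumulative, Aug 9' },
        @{ KB = 'KB5016693'; Build = '20348.946';  Kind = 'preview, Aug 16' }
    )
}

$dcs = (Get-ADDomainController -Filter *).HostName

# Collect build number (CurrentBuildNumber.UBR) and installed hotfix IDs from each DC.
$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Major     = [string]$cv.CurrentBuildNumber
        Build     = "$($cv.CurrentBuildNumber).$($cv.UBR)"
        HotFixIDs = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    }
}

$results = foreach ($dc in $report) {
    $family = $expected[$dc.Major]
    if (-not $family) {
        Write-Warning "$($dc.Computer): build $($dc.Build) is not one of the versions covered here"
        continue
    }
    foreach ($u in $family) {
        [pscustomobject]@{
            Computer       = $dc.Computer
            Update         = "$($u.KB) ($($u.Kind))"
            # Get-HotFix only lists the most recent cumulative update once a newer one
            # supersedes it, so a missing KB here is not by itself a finding.
            ListedByHotFix = ($dc.HotFixIDs -contains $u.KB)
            # The UBR only ever increases, so a build at or above the one the KB
            # delivers means the fix is present even if the KB itself is not listed.
            BuildAtOrAbove = ([version]$dc.Build -ge [version]$u.Build)
            ReportedBuild  = $dc.Build
            ExpectedBuild  = $u.Build
        }
    }
}

$results | Sort-Object Computer, Update | Format-Table -AutoSize
```

Treat BuildAtOrAbove as the authoritative column: a Domain Controller that reports 17763.3346 has KB5016690 and, by supersedence, KB5016623 as well, whether or not Get-HotFix still shows the earlier KB. A preview update that shows up on only some Domain Controllers is the usual sign of a pilot ring that was never widened, which matters here because the LSASS race fix ships only in the previews for this month.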