On-premises Identity updates & fixes for September 2019

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for September 2019:

 

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4516044 September 10, 2019

The September 10, 2019 update for Windows Server 2016 (KB4516044) updating the OS Build number to 14393.3204 is a security update, including many security updates.

This update addresses CVE-2019-1273. This is an Important Active Directory Federation Services XSS Vulnerability.

A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (AD FS) does not properly sanitize certain error messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected AD FS server. An attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run scripts in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the AD FS farm on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

The security update addresses the vulnerability by helping to ensure that AD FS error handling properly sanitizes error messages.

KB4522010 September 23, 2019

The September 23, 2019 update for Windows Server 2016 (KB4522010) updating the OS Build number to 14393.3206 does not include Identity-related updates. It includes security updates to Internet Explorer, released out-of-band.

KB4516061 September 24, 2019

The September 24, 2019 update for Windows Server 2016 (KB4516061) updating the OS Build number to 14393.3242 includes the following Identity-related updates:

  • It addresses an issue that may cause authentication to fail for certificate-based authentication when the certificate authentication includes a cname as part of the pre-authentication request.
  • It addresses an issue that may cause the Local Security Authority Subsystem Service (LSASS) to stop working with an “0xc0000005” error.
  • It addresses an issue that causes the Security Authority Subsystem Service (LSASS) to stop working, which causes the system to shut down. This occurs when migrating Data Protection API (DPAPI) credentials using dpapimig.exe with the domain option.
  • It addresses an issue with LdapPermissiveModify requests, which fail to make Active Directory (AD) group membership changes if the Lightweight Directory Access Protocol (LDAP) client uses the Security Identifier (SID) syntax. In this scenario, Active Directory returns a “SUCCESS” status even though the change did not occur.

 

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4512578 September 10, 2019

The September 10, 2019 update for Windows Server 2016 (KB4512578) updating the OS Build number to 17763.737 is a security update, including many security updates.

This update addresses CVE-2019-1273. This is an Important Active Directory Federation Services XSS Vulnerability.

A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (AD FS) does not properly sanitize certain error messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected AD FS server. An attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run scripts in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the AD FS farm on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

The security update addresses the vulnerability by helping to ensure that AD FS error handling properly sanitizes error messages.

KB4522015 September 23, 2019

The September 23, 2019 update for Windows Server 2016 (KB4522015) updating the OS Build number to 17763.740 does not include Identity-related updates. It includes security updates to Internet Explorer, released out-of-band.

KB4516077 September 24, 2019

The September 24, 2019 update for Windows Server 2016 (KB4516077) updating the OS Build number to 17763.774 includes the following Identity-related updates:

  • It addresses an issue that may cause the Local Security Authority Subsystem Service (LSASS) to stop working with an “0xc0000005” error.
  • It addresses an issue that causes the lsass.exe service to stop working, which causes the system to shut down. This occurs when migrating Data Protection API (DPAPI) credentials using dpapimig.exe with the -domain option.
  • It addresses an issue that prevents you from running the Active Directory Diagnostics Data Collector Set from the Performance Monitor for Domain Controllers. This causes the Data Collector Set name to appear empty. Running the Active Directory Diagnostics Data Collector Set returns the error, “The system cannot find the file specified.” Event ID 1023 is logged with the source as Perflib and the following messages:
    • Windows cannot load the extensible counter DLL “C:\Windows\system32\ntdsperf.dll.
    • The specified module could not be found.
  • It addresses an issue that may cause authentication to fail for certificate-based authentication when the certificate authentication includes a cname as part of the pre-authentication request.
  • It addresses a Lightweight Directory Access Protocol (LDAP) runtime issue for Domain Controller Locator-style LDAP requests. The error is, “Error retrieving RootDSE attributes, data 8, v4563.”
  • It addresses an issue that causes LDAP queries that contain LDAP_MATCHING_RULE_IN_CHAIN (memberof:1.2.840.113556.1.4.1941) to intermittently fail on Windows Server 2019 domain controllers. However, these queries do not fail on domain controllers running previous versions of Windows Server.
  • It addresses an issue that causes group membership changes in Active Directory groups to fail. This occurs if the Lightweight Directory Access Protocol (LDAP) client uses the Security Identifier (sID) Distinguished Name (DN) syntax after installing previous versions of NTDSAI.DLL. In this scenario, an issue with the LdapPermissiveModify (LDAP_SERVER_PERMISSIVE_MODIFY_OID) control causes Active Directory to incorrectly return a SUCCESS status even though the group membership change did not occur.
  • It addresses an issue in which the Set-AdfsSslCertificate script is successful. However, it throws an exception during resource cleanup because the target server-side endpoint is no longer there.

This update includes so many improvements, that Joseph Ryan Ries, Escalation Engineer at Microsoft Corp., claims that Windows Server 2019 Domain Controllers are now ready for production…

Posted on October 16, 2019 by Sander Berkouwer in Active Directory, Active Directory Federation Services, Security Updates

0  

HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge

This entry is part 11 of 12 in the series Hardening Hybrid Identity

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Intranet Sites list in Internet Explorer.

Note:
This is the first part for adding Microsoft Cloud URLs to Internet Explorer’s zone. In this part we look at the Local Intranet zone. In the next part we look at the Trusted Sites zone.

Note:
Adding URLs to the Local Intranet zone for Internet Explorer, also applies to Microsoft Edge.

 

Why look at the Intranet Sites?

Active Directory Federation Services (AD FS), and certain functionality in Azure Active Directory leverage Windows Integrated Authentication to allow for Single Sign-on. (SSO).

Single Sign-on reduces prompt fatigue in people and thus makes them more aware of the moments when password prompts happen and (and this is the theory…) paying more attention to what they are doing with their passwords.

I’m not a psychologist, but I do know how to make Windows Integrated Authentication work with Internet Explorer.

Intranet Sites vs. Trusted Sites (with Default settings)

Internet Explorer offers built-in zones:

  • Local intranet
  • Trusted sites
  • Internet
  • Restricted sites

Per zone, Internet Explorer is allowed specific functionality. Restricted Sites is the most restricted zone and Internet Explorer deploys the maximum safeguards and fewer secure features (like Windows Integrated Authentication) are enabled.

The Local intranet zone, by default, offers a medium-low level of security, where Trusted sites allows for medium-level security. By default, the Local intranet zone allows for the following functionality beyond the Trusted sites zone:

  • Local intranet does not allow ActiveX Filtering
  • Local intranet allows Scriptlets
  • Local intranet allows accessing data sources across domains (Trusted sites prompt)
  • Local intranet allows scripting of Microsoft web browser control
  • Sites in the Local intranet zone don’t prompt for client certificate selection when only one certificate exists
  • Sites in the Local intranet zone may launch applications and unsafe files
  • Sites in the Local intranet zone may navigate windows and frames across different domains
  • Local intranet sites do not use the Pop-up Blocker feature
  • Local intranet sites do not use the Defender SmartScreen feature
  • Local intranet sites allow programmatic clipboard access
  • Local intranet sites do not use the XSS Filter feature
  • Local intranet sites allow user authentication

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Local intranet zone to the zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code executions.

While this does not represent a clear and immediate danger, it is a situation to avoid.

 

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

  • A member of the Domain Admins group, or;
  • The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
  • Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

 

The URLs to add

You’ll want to add the following URLs to the Local intranet zone, depending on the way you’ve setup your Hybrid Identity implementation:

 

https://<YourADFSFarmName>

When you use federation with Active Directory Federation Services (AD FS), the URL for the AD FS Farm needs to be added to the Local Intranet zone. As AD FS is authenticated against, it need to be added to the Local intranet zone as, by default, this is the only zone for websites to allow for user authentication.

 

https://login.microsoftonline.com

https://secure.aadcdn.microsoftonline-p.com

The https://login.microsoftonline.com and https://secure.aadcdn.microsoftonline-p.com URLs are the main URLs for authenticating to Microsoft cloud services. As these URLs are used to authenticate against, they need to be added to the Local intranet zone as, by default, this is the only zone for websites to allow for user authentication.

 

https://aadg.windows.net.nsatc.net

https://autologon.microsoftazuread-sso.com

If you use the Seamless Single Sign-On (3SO) feature in Azure AD Connect, then you’ll want to add the following URLS to the Local intranet zone:

  1. https://aadg.windows.net.nsatc.net and
  2. https://autologon.microsoftazuread-sso.com

These URLs need to be added to the Local intranet zone on all devices where people in the organization use the 3SO feature, as these are the URLs where they will authenticate against. Trusted sites, by default, do not allow this functionality.

If you don’t use the 3SO functionality, don’t add the above URLs.

 

https://account.activedirectory.windowsazure.com

It is still one of Microsoft’s recommendation to add the https://account.activedirectory.windowsazure.com URL to the Local intranet zone. However, an enhanced experience is available that no longer points employees to this URL, but instead to the https://myprofile.microsoft.com URL, that uses the normal authentication URLs.

The new enhanced experience is available in the Azure portal, under User settings, Manage user feature preview settings (in the User feature previews area) named Users can use preview features for registering and managing security info – enhanced.

If you’ve enabled the enhanced preview, don’t add the above URL.

How to add the URLs to the Local Intranet zone

To add the URLs to the Local Intranet zone, perform these steps:

  • Log into a system with the Group Policy Management Console (GPMC) installed.
  • Open the Group Policy Management Console (gpmc.msc)
  • In the left pane, navigate to the Group Policy objects node.
  • Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
  • Right-click the Group Policy object and select Edit… from the menu.
    The Group Policy Management Editor window appears.
  • In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel and then the Security Page node.

The Site To Zone Assignment List Setting for a Group Policy object in the Group Policy Management Console (click for original screenshot)

  • In the main pane, double-click the Sites to Zone Assignment List setting.
  • Enable the Group Policy setting by selecting the Enabled option in the top pane.
  • Click the Show… button in the left pane.
    The Show Contents window appears.

Adding Hybrid Identity Sites to the Local Intranet Zone (click for original screenshot)

  • Add the above URLs to the Local Intranet zone by entering the URL in the Value name column and the number 1 in the Value column for each of the URLs.
  • Click OK when done.
  • Close the Group Policy Editor window.
  • In the left navigation pane of the Group Policy Management Console, navigate to the Organization Unit (OU) where you want to link the Group Policy object.
  • Right-click the OU and select Link an existing GPO… from the menu.
  • In the Select GPO window, select the GPO.
  • Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.

 

Concluding

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones, when you don’t need to functionality. However, do not forget to add the specific URLs when you enable specific functionality like Seamless Single Sign-on and remove specific URLs when you move away from specific functionality.

Further reading

Office 365 URLs and IP address ranges
Group Policy – Internet Explorer Security Zones
Add Site to Local Intranet Zone Group Policy

Posted on October 15, 2019 by Sander Berkouwer in Active Directory, Azure Active Directory, Security

2  

Pictures of the 2019 KNVI IT Infra Day of the Year

The Conference Room at the Carlton President Hotel in Maarssen

After many months of preparations, we ran the KNVI IT Infra Day of the Year last Thursday. Raymond, Erwin, Tom and I organized a day filled with a total of eleven sessions with topics for today’s IT Pros that want more out of life and their careers.

Welcome to the KNVI IT-Infra Special Interest Group Meetup (click for original photo by organization)Variety of Tea at the Carlton President Hotel (click for original photo by Barbara Forbes)

Tom kicked off the day with a warm welcome to the attendees. It marked the start of the ‘What’s New’ block of sessions. Peter Daalmans presented a 30-minute session on Mobile Device Management. My colleague Barbara Forbes presented a 30-minute session on Azure DevOps and Jeff Wouters presented on treating servers like cattle, not cats.

Barbara introducing herself (click for original photo)Barbara talking about Azure DevOps (click for original photo)

After a short break, Tom introduced the ‘Get rid of legacy’ block of sessions. Raymond Comvalius presented a 30-minute session on AutoPilot to get rid of imaging. Erwin Derksen presented a 30-minute session on Azure AD DS to get rid of legacy LDAP stores and Active Directory on-premises.

Erwin talking about Azure Active Directory Domain Services (click for larger photo by organization)Tom introducing Raymond for his AutoPilot talk (click for original photo by organization)

Then, Raymond and I presented a 30-minute session on password-less, as a way to get rid of passwords and to transition into a brave new world with stronger authentication, based on a 4-layer security model. As part of the session, we demoed Azure AD Join using the Authenticator App and the OneDrive Personal Vault.

Introducing Raymond and myself (click for original photo by Barbara Forbes)Explaining how MFA is just a patch, not a solution (click for larger photo by Barbara Forbes)

After lunch, Tom kicked off the block of sessions where we make sure we don’t miss today’s big issues. Ronald Potharst presented on Software-defined Networking (SDN). Harold van de Kamp presented on privacy in Microsoft 365. Guido Steusel presented on what to expect in IT in the near future.

After another short break, Twan Paes presented the TeamPerformance loop. As organizers we took the stage again and rounded up our experiences with the event and we asked the attendees what they picked up during the day.

Wrapping up the KNVI IT Infra Day of the Year (click for original photo by organization)Drinks (photos start to get blurry after this point ;-) )

After that, of course, we had drinks at the restaurant of the Carlton President Hotel.

    

Thank you! Thumbs up

Thank you to all the attendees. Your feedback is invaluable. Thank you to the Carlton President Hotel and MOS Events for helping us organize this meetup. Until next year!

Posted on October 14, 2019 by Sander Berkouwer in Community, Microsoft MVP, Personal

0  

I’m speaking at VMware VMworld Europe 2019

VMworld Europe 2019 - Make your mark

I’m pleased to announce that I will be delivering a 4-hour workshop with Deji Akomolafe, Staff Solutions Architect at VMware, at VMware VMworld Europe 2019 in Barcelona on October 7th, 2019.

About VMware VMworld

VMworld is a global conference for virtualization and cloud computing, hosted by VMware. It is the largest virtualization-specific event. Each year, there is a VMworld US and a VMworld Europe event, addressing VMware’s two main target geographies.

VMworld Europe 2018 is hosted at the Fira Gran Via Convention Center in Barcelona, Spain from Monday November 4, 2019 to Thursday November 7, 2019.

About our session

I’ll make one main appearance during VMware VMworld Europe 2019, besides the obvious parties and gatherings. Winking smile

Architecting and Implementing Microsoft Active Directory on VMware

BCA2161TE, level 300, October 7 10:30AM – 2:30PM

Active Directory Domain Services (AD DS) allows organizations to deploy a scalable and secure directory service for managing users, resources, and applications. Although virtualizing domain controllers has been a simple and supported operation for many years, many organizations have been reluctant to do so.

Organizations struggle to understand how to properly navigate and avoid the pitfalls (such as synchronization, convergence, security, time management, availability, and data integrity) inherent in virtualizing a production, enterprise-level AD DS infrastructure. Even when they have virtualized their domain controllers, admins still worry about the security, safety, and integrity of their ADDS infrastructure.

This session will discuss and demonstrate considerations and practices for optimally and securely virtualizing AD infrastructure.

Join us!

Join me while I take the stage with Deji.
Make your mark and register for VMware VMworld Europe 2019.

Posted on October 9, 2019 by Sander Berkouwer in Community, Personal, VMware vExpert

0  

HOWTO: Change the AD FS token-signing hash algorithm for AD FS relying party trusts to SHA256

This entry is part 12 of 12 in the series Hardening Hybrid Identity

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at properly securing relying party trusts on AD FS servers in terms of the signature hash algorithm.

Note:
This blogpost assumes you’re running AD FS Servers as domain-joined Server Core Windows Server 2016 installations.

 

Why look at the signature hash algorithm for AD FS Relying Party Trusts

Active Directory Federation Services (AD FS) signs its tokens to relying party trusts, like Azure Active Directory to ensure that they cannot be tampered with.

This signature can be based on SHA1 or SHA256. Azure Active Directory supports tokens signed with an SHA256 algorithm since October 2016, and recommends setting the token-signing algorithm to SHA256 for the highest level of security.

Reasons why

Federation servers require token-signing certificates to prevent attackers from altering or counterfeiting security tokens in an attempt to gain unauthorized access to federated resources.

The private/public key pairing that is used with token-signing certificates is the most important validation mechanism of any federated partnership because these keys verify that a security token was issued by a valid partner federation server and that the token was not modified during transit.

It would be a shame if information could be created that would unlock the information encrypted through a collision attack, but that’s exactly what Google announced on February 2017 for SHA1 certificates after two years of research in collaboration with the CWI Institute in Amsterdam.

This collision attack urges to move from SHA1 to safer alternatives, such as SHA256.

Possible negative impact (What could go wrong?)

If changing the AD FS token-signing hash algorithm for AD FS relying party trusts to SHA256 goes wrong, the functionality of the relying party trust becomes unavailable, in other words; access to the application or all applications connected to the platform on the other side of the relying party trust becomes unavailable.

If the AD FS token-signing hash algorithm for AD FS relying party trusts to SHA256 change goes wrong for the ‘Microsoft Office 365 Identity Platform’ relying party trust, then access to popular functionality like Exchange Online, SharePoint Online, Teams, PowerBI and Dynamics 365 is lost and needs to be rebuild.

 

Getting Ready

To change the AD FS token-signing hash algorithm for AD FS relying party trusts to SHA256, make sure to meet the following requirements:

System requirements

Make sure the AD FS servers are installed with the latest cumulative Windows Updates.

Privilege requirements

Make sure to sign in with an account that has privileges to create and/or change and link Group Policy objects to the Organizational Unit (OU) in which the AD FS servers reside.

Who to communicate to

As the AD FS servers operate as part of a chain, notify all stakeholders in the chain. This means sending a heads-up to the rest of the Active Directory team and the teams that are responsible for Azure AD, Office 365 and cloud applications. It’s also a good idea to talk to the people responsible for backups, restores and disaster recovery.

Important:
It is especially important to communicate to the teams that are responsible for the functionality connected through AD FS, as you must use the same algorithm for the AD FS RPT as the service provider on the other side of the RPT is expecting, SHA-1 or SHA-256, to generate the hash.

One of the challenges you can easily avoid through communications is that multiple persons and/or teams make changes to the configuration. When it breaks, you don’t want to roll-back a bunch of changes, just the one that broke it. Make sure you have the proper freeze/unfreeze moments to achieve that.

 

How to do it

To get an overview of the AD FS RPTs that do not use SHA256 as the AD FS token-signing hash algorithm, run the following line of Windows PowerShell when logged on with an account that has local administrative privileges on the Primary AD FS server:

Get-AdfsRelyingPartyTrust | select Name,SignatureAlgorithm

 

This will provide the names of the RPTs and their SignatureAlgorithm properties.

You can change the AD FS token-signing hash algorithm for an AD FS relying party using the following lines of Windows PowerShell when logged on with an account that has local administrative privileges on the Primary AD FS server:

$RPT = ‘Microsoft Office 365 Identity Platform’

Set-AdfsRelyingPartyTrust -TargetName $RPT SignatureAlgorithm `
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256′

 

Roll-back

To roll back the change, run the following lines of PowerShell when logged on with an account that has local administrative privileges on the Primary AD FS server:

$RPT = ‘Microsoft Office 365 Identity Platform’

Set-AdfsRelyingPartyTrust -TargetName $RPT SignatureAlgorithm `
http://www.w3.org/2000/09/xmldsig#rsa-sha1

 

Concluding

Changing the AD FS token-signing hash algorithm for AD FS relying party trusts to SHA256 from SHA1 provides a much smaller risk of collisions and therefore increases information security.

Make sure the service providers offering functionality through AD FS relying party trusts support SHA256 as the token-signing hash algorithm before changing it to avoid (temporary) loss of functionality.

Further reading

Change signature hash algorithm for Office 365 relying party trust
Token-Signing Certificates
Configuring the AD FS Token Signing and -Decrypting Certs for a longer lifetime

Posted on October 8, 2019 by Sander Berkouwer in Active Directory, Azure Active Directory, Security

0  

Pictures of WAZUG.nl 60

Ordina Headquarters in Nieuwegein

Last Thursday, Raymond and I presented on password-less authentication for the Dutch Microsoft Azure User Group (WAZUG.nl) at Ordina’s Headquartes in Nieuwegein, the Netherlands.

After the splendid dinner, when the entire group gathered for the elevators to get to the 11th floor, we were already there, enjoying the views over Utrecht, set up and even recording a short interview with Iwan Bel from the WAZUG.nl user group.

BadgesInterview with Iwan Bel (Picture by WAZUG.nl organization)

After the meal and a short introduction by Ordina, it was our task to share our knowledge and experiences with passwords, multi-factor authentication and password-less authentication using Azure Active Directory and FIDO 2.0-based security keys.

Introduction (Picture by WAZUG.nl organization)Raymond

After our presentation and a short break, Xander Gijtenbeek and John Bruin from Ordina’s new Mtech division shared their experiences with Application Insights, coupled with a Google AIY Projects Vision kit.

After that, we enjoyed drinks at the bar.

   

Thank you!

I had a lot of fun. Thumbs up

Posted on October 7, 2019 by Sander Berkouwer in Community, Microsoft MVP, Personal

0  

What’s New in Azure Active Directory for September 2019

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for September 2019:

                          

What’s Planned

My Profile is re-naming and integrating with the Microsoft Office account page

Service category: My Profile/Account
Product capability: Collaboration

Starting in October, the My Profile experience will become My Account. As part of that change, everywhere that currently reads My Profile changes to My Account.

On top of the naming change and some design improvements, the updated experience will offer additional integration with the Microsoft Office account page. Specifically, you’ll be able to access Office installations and subscriptions from the Overview Account page, along with Office-related contact preferences from the Privacy page.

                                   

What’s New

Bulk manage groups and members using CSV files in the Azure AD portal Public Preview

Service category: Group Management
Product capability: Collaboration

Microsoft is pleased to announce public preview availability of the bulk group management experiences in the Azure AD portal. Admins can now use a CSV file and the Azure AD portal to manage groups and member lists, including:

  • Adding or removing members from a group.
  • Downloading the list of groups from the directory.
  • Downloading the list of group members for a specific group.

                 

Dynamic consent is now supported through a new admin consent endpoint

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft has created a new admin consent endpoint to support dynamic consent, which is helpful for apps that want to use the dynamic consent model on the Microsoft Identity platform.

                 

New Azure AD Global Reader role

Service category: RBAC
Product capability: Access Control

The Global Reader role is the read-only counterpart to Global Administrator. Users in this role can read settings and administrative information across Microsoft 365 services, but can’t take management actions.

Microsoft has created the Global Reader role to help reduce the number of Global Administrators in organizations. Because Global Administrator accounts are powerful and vulnerable to attack, Microsoft recommends:

  • that organizations have fewer than five Global Administrators.
  • using the Global Reader role for planning, audits, or investigations.
  • using the Global Reader role in combination with other limited administrator roles, like Exchange Administrator, to help get work done without requiring the Global Administrator role.

The Global Reader role works with the new Microsoft 365 Admin Center, Exchange Admin Center, Teams Admin Center, Security Center, Compliance Center, Azure AD Admin Center, and the Device Management Admin Center.

           

Access an on-premises Report Server from your Power BI Mobile app using Azure Active Directory Application Proxy

Service category: App Proxy
Product capability: Access Control

New integration between the Power BI mobile app and Azure AD Application Proxy allows you to securely sign in to the Power BI mobile app and view any of your organization’s reports hosted on the on-premises Power BI Report Server.

For information about the Power BI Mobile app, including where to download the app, see the Power BI site.

              

What’s Changed

New version of the AzureADPreview PowerShell module is available

Service category: Other
Product capability: Directory

New cmdlets were added to the AzureADPreview module, to help define and assign custom roles in Azure AD, including:

  • Add-AzureADMSFeatureRolloutPolicyDirectoryObject
  • Get-AzureADMSFeatureRolloutPolicy
  • New-AzureADMSFeatureRolloutPolicy
  • Remove-AzureADMSFeatureRolloutPolicy
  • Remove-AzureADMSFeatureRolloutPolicyDirectoryObject
  • Set-AzureADMSFeatureRolloutPolicy

Posted on October 4, 2019 by Sander Berkouwer in Azure Active Directory, What's New

0  

I’m speaking at AppManagEvent 2019

SuperNova at the MediaPlaza

After meeting the people behind Professional Development Systems at several events in my region, we started talking about presenting a session at their flagship event: AppManagEvent. This year, it’s time to get going with it!

                

About AppManagEvent

AppManagEvent is the annual industry event around application management. The event provides its visitors a status update and a future update on the leading technology, tools, strategies, insights and trends around Application Management.

AppManagEvent 2019

The 14th edition takes place on Friday October 11, 2019, with themes like Deployment, Security, Application Virtualization, MSIX, Win10 migration, Identity Management, IT Infra and much more.  It’s one day with great speakers, tech content, solution vendors in a professional atmosphere and at the Media Plaza at Jaarbeurs Utrecht in the “Supernova” area.

              

About my session

I will present a 45-minute session:

Identity, the solid base for your organization’s future

10:15 – 11AM

Recent IT disasters have proven that there’s no such thing as a safe network. Firewalls continue to lose their value. Munchhausen by proxy has got a whole new meaning. However, a new perimeter has arisen, focusing on the individuals in your organization and their behavior, but with extensive auditing and near-real time mitigating measures: Identity.

Frowned upon as mere ‘accounts’ in the old days, identity, and most importantly, hybrid identity with both Active Directory and Azure AD, offers all the richness needed to meet today’s needs head-on; One solution for cloud and on-premises? Off course. Multi-factor authentication? Built-in. Access based on device health and location? No problem. Attribute-based access control? Solved. Automated and delegated access reviews? Done. Self-service problem solving? Yes, shift left with confidence.

               

Join us!

There is still time to register for AppManagEvent 2019. Ticket sales stops on October 10 noon CEST. Tickets are available for € 125 per ticket.

Register here.

Posted on October 3, 2019 by Sander Berkouwer in Community, Microsoft MVP, Personal

0  

The videos of my Netwrix webinars are now available

Recording a webinar

Last week, on September 24, 25 and 26, I hosted three 60-minute webinars with Netwrix on my three favorite chapters in my Active Directory Administration Cookbook.

Over 1800 people have registered for these webinars. Now, a mere two working days after the last webinars, the Netwrix team has done everyone a huge favor by already placing the three video recordings online for everyone to watch:

https://www.netwrix.com/ad_admin_cookbook_nemea

 

Enjoy! Thumbs up

Simply press the red Watch now buttons and enjoy!
The slides are also available for you to download, although these webinars were mostly demos-only.

Note:
These webinars and their videos are offered free of charge, thanks to the sponsoring by Netwrix. By accessing the webinars, full-length videos and slides you agree to their privacy policy.

 

About Netwrix

Netwrix empowers information seNetwrix logocurity and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers. Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.

 

Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.

Posted on September 30, 2019 by Sander Berkouwer in Active Directory, Azure Active Directory, Books, Community, Microsoft MVP, Microsoft Windows Server 2019, Personal

0  

I’m speaking at SharePoint Saturday Brussels 2019

SharePoint Saturday Belgium

I’m presenting at SharePoint Saturday Belgium.

                   

About SharePoint Saturday Events

SPS Events is an all-volunteer organization that provides the tools and knowledge needed for groups and event leaders to organize and host SharePoint Saturday Events. SharePoint Saturday Events (SPS Events) are free one-day events held in different cities around the world, featuring sessions from influential and respected SharePoint professionals.

The SharePoint Saturday concept took shape in 2008, with the first SharePoint Saturday event held in early 2009. It grew from speakers who were speaking at Code Camps and SQL Saturdays on SharePoint topics who felt there was enough need in the SharePoint community to warrant their own dedicated events.

          

About SharePoint Saturday Belgium

On Saturday October 19, 2019, SPS Events hosts its second SharePoint Saturday Belgium event, filled with lots of  great sessions, interesting sponsors and of course, a famous SharePint at the end of the day.

What’s new with Microsoft SharePoint, Office 365, and Azure? Interested visitors will learn all about this on Saturday, October 19, at BluePoint Brussels.

SharePoint Saturday Belgium is organized by BIWUG.

        

About my session

I’ll present a 50-minute session:

Seven ways Identity enriches your Office 365 and Azure experience

Saturday October 19, 2019, 11:40AM – 12:30PM, Room 4

Azure and Office 365 rely on Azure Active Directory as their identity store.

As tenfold MVP, I know a lot about identity. My experience with numerous organizations, ranging from enterprises to small business, have taught me that good identity is important to embracing cloud services.

I’ll show you seven ways identity enriches the experience you, your colleagues and your customers have when using Azure and Office 365, in my typical humorous but straight to the point style.

   

Join us!

Join some of the very best independent experts from around the world, and Microsoft, as they come together at SharePoint Saturday Belgium this October.

Register here.

Posted on September 25, 2019 by Sander Berkouwer in Community, Microsoft MVP, Personal

0