What’s New in Azure Active Directory for November 2019

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for November 2019:


What’s Planned

Support for the SameSite attribute and Chrome 80

Service category: Authentications (Logins)
Product capability: User Authentication

As part of a secure-by-default model for cookies, the Chrome 80 browser is changing how it treats cookies without the SameSite attribute. Any cookie that doesn’t specify the SameSite attribute will be treated as though it was set to SameSite=Lax, which will result in Chrome blocking certain cross-domain cookie sharing scenarios that apps may depend on. To maintain the older Chrome behavior, apps can use the SameSite=None attribute and add an additional Secure attribute, so cross-site cookies can only be accessed over HTTPS connections. Chrome is scheduled to complete this change by February 4, 2020.

Microsoft recommends all developers to test their apps using this guidance:

  • Set the default value for the Use Secure Cookie setting to Yes.
  • Set the default value for the SameSite attribute to None.
  • Add an additional SameSite attribute of Secure.

What’s New

Google social ID support for Azure AD B2B collaboration General Availability

Service category: B2B
Product capability: User Authentication

New support for using Google social IDs (Gmail accounts) in Azure AD helps to make collaboration simpler for users and partners. There’s no longer a need for Google-based partners to create and manage a new Microsoft-specific account. Additionally, Microsoft Teams now fully supports Google users on all clients and across the common and tenant-related authentication endpoints.

For more information, see Add Google as an identity provider for B2B guest users.

Microsoft Edge Mobile Support for Conditional Access and Single Sign-on General Availability

Service category: Conditional Access
Product capability: Identity Security & Protection

Azure AD for Microsoft Edge on iOS and Android now supports Azure AD Single Sign-On and Conditional Access:

  • Microsoft Edge single sign-on (SSO): Single sign-on is now available across native clients (such as Microsoft Outlook and Microsoft Edge) for all Azure AD-connected apps and services.
  • Microsoft Edge conditional access: Through application-based Conditional Access policies, users must use Microsoft Intune-protected browsers, such as Microsoft Edge.

Azure AD entitlement management General Availability

Service category: Other
Product capability: Entitlement Management

Azure AD entitlement management is a new identity governance feature, which helps organizations manage identity and access lifecycle at scale. This new feature helps by automating access request workflows, access assignments, reviews, and expiration across groups, apps, and SharePoint Online sites.

With Azure AD entitlement management, Azure AD admins can more efficiently manage access both for employees and also for users outside your organization who need access to those resources.

Updates to the My Apps page along with new workspaces
Public Preview

Service category: My Apps
Product capability: 3rd Party Integration

Azure AD admins can now customize the way their organizations’ users view and access the refreshed My Apps experience. This new experience also includes the new workspaces feature, which makes it easier for users to find and organize apps.

For more information about the new My Apps experience and creating workspaces, see Create workspaces on the My Apps portal.

New AD FS app activity report to help migrate apps to Azure AD Public Preview

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Azure AD Admins are welcome to use the new Active Directory Federation Services (AD FS) app activity report in the Azure portal. This way, admins can identify which of their apps are capable of being migrated to Azure AD. The report assesses all AD FS apps for compatibility with Azure AD, checks for any issues, and gives guidance about preparing individual apps for migration.

New workflow for users to request administrator consent Public Preview

Service category: Enterprise Apps
Product capability: Access Control

The new admin consent workflow gives Azure admins a way to grant access to apps that require admin approval. If a user tries to access an app, but is unable to provide consent, they can now send a request for admin approval. The request is sent by email, and placed in a queue that’s accessible from the Azure portal to all the admins who have been designated as reviewers. After a reviewer takes action on a pending request, the requesting users are notified of the action.

New Azure AD App Registrations Token configuration experience for managing optional claims Public Preview

Service category: Other
Product capability: Developer Experience

The new Azure AD App Registrations Token configuration blade on the Azure portal now shows app developers a dynamic list of optional claims for their apps. This new experience helps to streamline Azure AD app migrations and to minimize optional claims misconfigurations.

New two-stage approval workflow in Azure AD entitlement management Public Preview

Service category: Other
Product capability: Entitlement Management

Microsoft has introduced a new two-stage approval workflow that allows Azure AD admins to require two approvers to approve a user’s request to an access package. For example, they can set it so the requesting user’s manager must first approve, and then they can also require a resource owner to approve. If one of the approvers doesn’t approve, access isn’t granted.

Automated user account provisioning for additional SaaS apps

Service category: Enterprise Apps
Product capability: 3rd Party Integration

Azure AD admins can now automate creating, updating, and deleting user accounts for these eight newly integrated apps:

New Federated Apps available in Azure AD App gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2019, Microsoft has added these 21 new apps with Federation support to the app gallery:

What’s Changed

New and improved Azure AD application gallery

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Microsoft has updated the Azure AD application gallery to make it easier for admins to find pre-integrated apps that support provisioning, OpenID Connect, and SAML on Azure Active Directory tenants.

Increased app role definition length limit from 120 to 240 characters

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Based on feedback from customers that the length limit for the app role definition value in some apps and services is too short at 120 characters. Microsoft has increased the maximum length of the role value definition to 240 characters.


New hotfix for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2)

Service category: Microsoft Identity Manager
Product capability: Identity Lifecycle Management

A hotfix rollup package (build is available for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2). This rollup package resolves issues and adds improvements that are described in the “Issues fixed and improvements added in this update” section of 4512924 Microsoft Identity Manager 2016 Service Pack 2 (build Update Rollup is available.


Pictures of the 2019 European SharePoint Conference


Last week, I delivered two sessions at the European SharePoint Conference in Prague.

View from the train station at Nieuw Vennep (click for larger photo)Lots of space in the plane (click for large photo)

After a day of consulting on Tuesday December 3rd at one of my long-term customers, I traveled to Schiphol airport. My choice to not park at the airport anymore, led me to the parking lot near the train station in Nieuw Vennep. A short train ride brought me to Amsterdam Schiphol Airport in time for my flights to Prague.

The Prague Corinthia Hotel (click for larger photo)Welcome to ESPC19 (click for large photo)

I arrived late and went to bed. In the morning, I got up early to get to the venue, register and watch Alex Simons’ keynote. The short walk from the Corinthia hotel to the Prague Congress Center allowed for sufficient time to soak up the atmosphere and sun. I must admit we had the best weather you can wish for in Prague in December with an abundance of sun.

Alex Simons delivering the Identity Keynote at ESPC 19 (click for larger photo)Alex Simons explaining Microsoft's zero trust solution (click for larger photo by Samir Daoudi)

I prepared for my first session in the speaker room, where I met with a lot of familiar community faces, including Morgan Simonsen, Thomas Vochten, Fabian Williams and Luise Freese.

At 11:45 AM it was time to present on GDPR. The room featured 100 seats, and the room was packed with people interested in my experiences with GDPR in the past 17 months.

Presenting on GDPR (Click for larger photo by Marleen Madsoleh-van der Meulen)

I thought my abstract made it clear that my session on GDPR was anything but boring, but getting the below feedback from an attendee was still wonderful:

This was nowhere as boring as I expected it to be, based on the topic.

After the session, I scoured the expo for people I know and organizations offering technology I might need.

Having fun with Julia Ivanova at the Netwrix booth (click for larger photo)

I ran into Nikola Pejková at the Veeam booth and ran into Julia Ivanova at the Netwrix booth. It was fun to meet the person behind many of the webinars I did in recent years with Netwrix.

Presenting your Identity Roadmap to 2022 (click for larger photo by Julia Ivanova)

At 4:45PM, I started my second presentation. This is the helping hand to organization that want to get the most out of their Microsoft-oriented Identity and Access Management (IAM) investments.

After the session, I went to the hotel to drop my stuff and get ready for the party. We had a great time at Club SaSaZu, but I had to get back to the hotel early for my 5AM ride to the airport.

On Thursday December 5th, I was scheduled to arrive at 11:45 AM at Amsterdam Schiphol Airport, after two short flights with a layover in Paris. However, due to the French strike, full flights, a reroute via Frankfurt and a sick copilot, I eventually arrived at 11:45 PM at Amsterdam…


Thank you Thumbs up

Thank you to the European SharePoint Conference Program Team for inviting me as a speaker. Thank you to all the attendees, especially the people in my sessions.


Azure AD Connect version offers some bug fixes

Azure AD Connect

It’s time for a new version of Azure AD Connect to incorporate Microsoft’s lessons learned and distribute the fixes Microsoft made to the larger public. Last Friday, Microsoft released the fourth version in the 1.4 branch of Azure AD Connect: v1.4.38.0.

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.


What’s New

Microsoft made the following improvements:

Password Hash Sync

Microsoft updated Password Hash Sync (PHS) for Azure Active Directory Domain Services to properly account for padding in Kerberos hashes. This provides a performance improvement during password synchronization from Azure Active Directory to Azure Active Directory Domain Services.

Pass-through Authentication

Microsoft added support for reliable sessions between the authentication agent and the Azure service bus when Pass-through Authentication (PTA) is used as the authentication method.

This release of Azure AD Connect enforces TLS 1.2 for communications between the authentication agent and Azure AD when Pass-through Authentication (PTA) is used as the authentication method.

Microsoft added a DNS cache for websocket connections between the authentication agent and Azure AD when Pass-through Authentication (PTA) is used as the authentication method.

Microsoft added the ability to target a specific agent from cloud to test for agent connectivity.

Seamless Single Sign-on

Release introduced a bug where the PowerShell cmdlet for Seamless Single Sign-on (also known as Desktop SSO) was using the login windows credentials instead of the admin credentials provided. As a result, it was not possible to enable Seamless Single Sign-on in multiple forests through the Azure AD Connect Configuration Wizard.

A fix was made to enable Seamless Single Sign-on (also known as Desktop SSO)simultaneously in all forests through the Azure AD Connect Configuration Wizard.


Version information

This is version of Azure AD Connect.
This release in the 1.4 branch for Azure AD Connect was made available for download on December 6, 2019.


Download information

You can download Azure AD Connect here.
The download weighs 91.0 MB.


On-premises Identity updates & fixes for November 2019

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for November 2019:


Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4525236 November 12, 2019

The November 12 update for Windows Server 2016 (KB4525236), updating the OS build number to 17763.864 is an update that combines security and quality improvements.

While this updates contains updates for several vulnerabilities, even some rated critical, none of them are identity-related.


Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4523205 November 12, 2019

The November 12 update for Windows Server 2019 (KB4523205), updating the OS build number to 17763.864 is an update that combines security and quality improvements.

While this updates contains updates for several vulnerabilities, even some rated critical, none of them are identity-related.


Video of my Azure AD Connect session at Dutch Windows Management User Group 2019-5 Meet-up is now available

On November 13, 2019, I presented a 30-minute session at 5th meeting of the Dutch Windows Management User Group for 2019 at the company I called ‘home’ for over 15 years: OGD in Delft. The video of my 30-minute talk on Azure AD Connect is now available for you to watch.

20 million organizations worldwide use Azure AD. The majority of them use Azure AD Connect to synchronize the on-premises Active Directory environment with Azure AD. An organization can realize this in four clicks, but what exactly do you get? And is that sufficient?

In this session I show the possibilities of Azure AD Connect. Opportunities that until recently were not possible, but are certainly worthwhile for many organizations. In addition, I share the experiences of my team, so that you can take the tips, tricks, do’s and especially the don’s with you to your own (or future) implementations of Azure AD Connect.

Watch this session to learn everything I shared:

This video is in Dutch, but English subtitles are available on-demand.


THANK YOU Thumbs up

Thank you to the Dutch Windows Management User Group for organizing this meetup at my former employer and inviting me as a speaker. Thank you to OGD for recording the session and making the video available to all the attendees. Thank you the people behind the technology panel that night.


Knowledgebase: When you enable DNS debug logging to removable media, the DNS Service no longer starts


Sometimes, Microsoft products have a way of their own. The Domain Naming System (DNS) service since Windows Server 2003, too, has a nice little quirk that I ran into the other day, that I’d like to share with you.


About DNS debug logging

When you suspect problems with the Domain Naming System (DNS) Service, the records it keeps and scavenges, or the errors it encounters, but doesn’t let you know about in the event logs, you can enable DNS debug logging.

The DNS debug log provides extremely detailed data about all DNS information that is sent and received by the DNS server, similar to the data that can be gathered using packet capture tools such as network monitor. Debug logging can affect overall server performance and also consumes disk space, therefore it is recommended to enable debug logging only temporarily when detailed DNS transaction information is needed.


How to enable DNS debug logging

You can enable DNS Debug logging in three separate ways:

Through the Graphical user interface

To enable DNS debug logging through the Graphical User Interface (GUI), follow these steps:

  • Log in to the DNS Server with an account that has local administrator privileges. When the DNS Server is also a Domain Controller, log on with an account that is a member of the Domain Admin group.
  • Open the Domain Name System Microsoft Management Console (dnsmgmt.msc).
  • In the left pane, right-click the server name and select Properties from the context menu.
    The Properties window appears.
  • Navigate to the Debug Logging tab.


  • Select the Log packets for debugging option at the top op the tab.
  • Select the rest of the options, as need be.
  • Specify a location to store the logged information.
  • Click the OK button.

Windows Server 2003 introduced the ability to provide a location for storing the logged information. On Windows 2000 Server, by default, information from DNS debug logging was stored in C:\windows\system32\dns\dns.log

When you’re done, disable DNS debug logging again by following the same steps, but unselecting the Log packets for debugging option.

When you’ve used removable media to store the logged information, you can safely remove it.

On the Command-line

To enable DNS debug logging on the command-line, use the following line on an elevated command prompt, while logged on with an account that has local administrator privileges:

dnscmd.exe localhost /Config /LogLevel 0x6101 /logfilepath E:\DNS.log


To disable DNS Debug Logging when you’re done, use the /LogLevel switch with the 0x0 value.


The issue

After you’ve used DNS debug logging on a removable media, removed the media and then restarted the Windows Server installation acting as DNS Server, the DNS Service no longer starts.

This is indicated by Event ID 7031 with source Service Control Manager in the System log.


The solution

Remove the location for DNS debug logging in the registry.

The location used is stored in the LogFilePath value in the following path:

Simply remove it, and the DNS service is ready for you to start without problems again.



Clearly, there is code that checks the previously configured debug logging location for existence. This code prevents the DNS service from starting when it can’t locate this location.

Further reading

Select and enable debug logging options on the DNS server
Gathering detailed DNS debug logs from AD DNS
Enabling DNS Server Debug Logging
Enable DNS Request Logging for Windows 2003 and above


What’s New in Veeam Backup for Microsoft Office 365 version 4

Veeam Backup for Microsoft Office 365

Since August 2016, this blog features news on Veeam Backup for Microsoft Office 365. We’ve been implementing this awesome Veeam product at customers ever since version 1.5 and validated the Office 365 contingency plan vision with Veeam repeatedly.

This week marks the release of version 4 of Veeam Backup for Microsoft Office 365, so let’s look at what’s new and improved!


What’s New

Veeam lists the following improvements in Veeam Backup for Microsoft Office 365 version 4:


Object storage support

Veeam Backup for Microsoft Office 365 v4 delivers a cloud-optimized deployment option, targeted at cloud-first companies. Using object storage, these organizations can deploy Veeam Backup for Microsoft Office 365 in a cloud-native way, by leveraging cost-efficient cloud-based object storage to store their Microsoft Office 365 data.

Popular object storage providers, including Amazon’s AWS S3, Microsoft’s Azure Blob storage and IBM Cloud, but also S3-compatible providers are supported in this release.

When organizations choose to use object storage to store backups of Microsoft Office 365 data, they can:

  • Reduce costs of storage, because they only pay for what they consume
  • Benefit from unlimited scalability with unlimited storage capacity
  • Simplify their deployments using public cloud providers with no complex planning.

The new Cloud Credential Manager feature can be used to maintain the list of object storage accounts. This allows for easy changes of credentials without having to change the configuration of the object storage manually.


Increased Information security

Veaam Backup for Microsoft Office 365 version 4 provides added security to backups with at-rest encryption for Office 365 data in object storage. Organizations can be sure their data is secure and protected, as data in object storage is protected with AES 256-bit encryption, when this option is enabled.

The new Password Manager feature can be used to maintain passwords used for this encryption.


Faster backup performance

With Veeam Backup for Microsoft Office 365 version 4, organizations can achieve faster backup performance for SharePoint Online and OneDrive for Business data. This significantly shortens the backup windows for Microsoft Office 365 data and helps deliver more easily on RTOs and RPOs.

Microsoft throttling mechanisms become a challenge when it comes to backup of SharePoint Online and OneDrive for Business data. Microsoft throttles backups once you hit a certain number of requests from a single service account in a certain period, regardless of the number of backup proxies.

Veeam Backup for Microsoft Office 365 version 4 leverages multiple auxiliary backup accounts to distribute the load on Microsoft Office 365 servers and significantly reduce the risk of backups throttling.

The Limit network bandwidth option in version 3 in the backup proxy properties dialogue has been updated to Throttle network traffic to in version 4 to correctly reflect this feature.


Exclude retention for contacts and calendars

This feature allows admins to protect all contacts and calendar items for as long as an associated mailbox is protected and skip these items from the retention cleanup.


Group-based targeting

Backup jobs for Veeam Backup for Microsoft Office 365 can be configured with non-mail enabled Office 365 security groups  as a source for backup jobs. This applies to both synchronized groups, security groups created in Azure Active Directory and groups created in Office 365.


Enhanced reporting

The enhanced Mailbox Protection report now includes protection statistics for Office 365 Group, Public, Shared and Resource (Equipment/Room) mailboxes.


Version information

This release of Veeam Backup for Microsoft Office 365 is version and marks the first General Available version of the version 4 branch. It was signed off on on November 26th, 2019.



Download version of Veeam Backup for Microsoft Office 365 here. The download weighs 29,5 MB. To protect less than 10 mailboxes and 1 TB of SharePoint data, alternatively, the free Veeam Backup for Microsoft Office 365 Community Edition can be downloaded and utilized.



Veeam Backup for Microsoft Office 365 version 4 is a major update to the product. Recently it became clear to me that the product is of significant importance to Veeam and that it exhibits the strategy and UI for Veeam products to come.


Further reading

Veeam Backup for Microsoft Office 365 v4
Object storage in NEW Veeam Backup for Microsoft Office 365 v4
Release Notes for Veeam Backup for Microsoft Office 365 v4
Download Veeam Backup for Microsoft Office 365 v4


Related blogposts

Your Exchange Online Contingency Plan is here with Veeam Backup for Office 365
Veeam Backup for Office 365 version 2 expands on earlier Cloud Protections
Veeam Backup for Office 365 now offers support for the Baseline Policy ‘Require MFA for Admins’


HOWTO: Enable Extended Protection for Authentication on the AD FS Farm

This entry is part 19 of 19 in the series Hardening Hybrid Identity

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the extended protection for authentication feature with AD FS.

This blogpost assumes you’re running AD FS Servers as domain-joined Windows Server 2016 Server Core installations. The same information applies to AD FS Servers running Windows Server 2016 with Desktop Experience (Full).


Why look at Extended Protection for Authentication

To help secure your Hybrid Identity deployments, you can set and use the extended protection for authentication feature with AD FS. This setting specifies the level of extended protection for authentication supported by the AD FS servers in the farm.

Reasons why

Extended protection for authentication helps protect against Man-in-the-Middle (MitM) attacks. In this type of attack, a malicious person intercepts client credentials and forwards them to a server. Protection against such attacks is made possible through a Channel Binding Token (CBT) which can be either required, allowed, or not required by the server when it establishes communications with clients.

Extended Protection for Authentication aims to prevent this type of credential relay. It does this by implementing a protocol based on RFC5056 “On the Use of Channel Bindings to Secure Channels”.

Possible negative impact (What could go wrong?)

When the client doesn’t support the Channel Binding Token (CBT), the authentication will fail. As Windows Authentication is the first negotiated authentication methods for the intranet, clients will use this authentication method by default. When this type of authentication fails, the client may resort to other authentication methods, like Forms authentication, Certificate authentication, Device authentication or Microsoft Passport authentication, if enabled.

By default, Forms authentication, Windows Authentication and Microsoft Passport authentication are enabled as authentication methods for the intranet on Windows Server 2016-based AD FS farms.

Windows 7 and up, and Windows Server 2008 R2 and up support the feature and have the feature enabled, by default. However, older Windows clients, that have not received KB968389, do not support the feature.

Chrome browser versions below version 51 .0.2784 (released on January 24th, 2017) and Firefox don’t support the Extended Protection for Authentication feature.


Getting ready

To enable the Extended Protection for Authentication feature, make sure to meet the following requirements:

Information requirements

If you expect clients to fail integrated Windows authentication when you enable the Extended Protection for Authentication feature, it is wise to assess the impact clearly. You can do so with a test Windows Server that runs Internet Information Services (IIS) version 7.5 or up, and configure it with Extended Protection for Authentication using the steps described here.

The information gathered this way clearly defines the scope and impact. Then, an informed choice can be made to enable and it, or not.

System requirements

Make sure the AD FS servers are installed with the latest cumulative Windows Updates.

Privilege requirements

Make sure to sign in with an account that has privileges to manage the AD FS farm. In case of Windows Internal Database (WID) as the storage method for the AD FS Configuration database, sign in with an account that has local administrator privilege on the primary AD FS server.

Who to communicate to

As the AD FS servers operate as part of a chain, notify all stakeholders in the chain. This means sending a heads-up to the load balancer guys and gals, the networking guys and gals, the rest of the Active Directory team and the teams that are responsible for Azure AD, Office 365 and cloud applications. It’s also a good idea to talk to the people responsible for backups, restores and disaster recovery.

As the Extended Protection for Authentication feature is an AD FS feature that mainly impacts client systems, go and have a chat with the people responsible for managing workstations in the organization. Do they see the same things in terms of scope and impact?


Enabling Extended Protection for Authentication

When all stakeholders are informed and the organization is in agreement that the Extended Protection for Authentication feature adds value, perform these steps:


Check the Extended Protection feature

Check the Extended Protection for Authentication feature status by running the following line of Windows PowerShell:

Get-ADFSProperties | Select ExtendedProtectionTokenCheck


On an AD FS farm running Windows Server 2016 and/or Windows Server 2019 AD FS servers with default settings, the above line of Windows PowerShell would return Allow.

This means the AD FS server in the farm are partially hardened, because the Extended Protection for Authentication is enforced only when clients have been patched to support it.


Configure Extended Protection for Authentication to Require

To fully harden the AD FS Farm, set the Extended Protection for Authentication feature to Require, use the following line of PowerShell on an elevated Windows PowerShell prompt:

Set-ADFSProperties –ExtendedProtectionTokenCheck Require


Testing Extended Protection for Authentication

After enabling the Extended Protection for Authentication feature,  it’s time to test. Everyone involved should sign off (not literally, unless that’s procedure) on the correct working of the AD FS servers. Does authentication to cloud applications still work? Is the user experience on down-level clients and non-Microsoft browsers still adequate?


Rolling back Extended Protection to default settings

In the case of the Extended Protection for Authentication feature, this security feature can stand in the way of user satisfaction. If so, you might need to roll it back.

To roll-back the AD FS Farm in terms of the Extended Protection for Authentication feature, use the following line of PowerShell on an elevated Windows PowerShell prompt:

Set-ADFSProperties –ExtendedProtectionTokenCheck Allow



Windows Server 2016, by default, comes with the Extended Protection for Authentication feature enabled, but not fully hardened. Configure Extended Protection for Authentication to Require to get the most out of it.

Further reading

MSRC – Extended Protection for Authentication
Windows Extended Protection <extendedProtection>
Is disabling the ADFS ExtendedProtectionTokenCheck setting required for allowing Firefox and Chrome users to authenticate?


Video of my Active Directory session at VMworld Europe is now available

VMware VMworld Europe 2019

On November 7, 2019, I presented a 60-minute session with Deji Akomolafe. The session was titled ‘Virtualize Active Directory the right way’. We presented the session in the context of VMware’s VMworld Europe 2019 event in Barcelona.

Active Directory Domain Services (ADDS) allows organizations to deploy a scalable and secure directory service for managing users, resources, and applications. Although virtualizing Domain Controllers has been a simple and supported operation for many years, many organizations have been very reluctant to do so.

Organizations have struggled to understand how to properly navigate and avoid the multiple pitfalls (such as synchronization, convergence, security, time management, availability, and data integrity) inherent in virtualizing a production, enterprise-level Active Directory Domain Services (AD DS) infrastructure. Even when they have virtualized their Domain Controllers, administrators still worry about the security, safety, and integrity of their AD DS infrastructure.

Watch this session to see how to virtualize AD the right way:


Thank you Thumbs up

Thank you to VMware for organizing VMworld Europe 2019 and inviting me as a speaker. VMware have also made the recording publicly available. Thank you to Deji for co-presenting this session with me.


Asked questions at VeeamON Virtual 2019

VeeamOn Virtual 2019

Last week, I had the pleasure of being one of the experts in the VeeamON Virtual Expert Lounge for both the APAC and Americas events. I also attended the Europe event.

In this blogpost, I’m sharing some of the questions we received and answered, so we can all benefit.


The following questions were asked regarding to Veeam licensing:

How does licensing work for workstation backup? We currently use the free version for workstations, and the enterprise edition for our VMWare virtual machines.

Workstations are protected with Veeam Universal licenses, which are sold in bundles of 10. 1 license will protect 3 workstations, 1 Server, 1 VM, 1 Enterprise app, or 250GB of NAS. Take a look at the editions comparison to determine which edition will work best for you.

We are running per socket perpetual licensing now. We need 10 additional socket licenses. Can we still buy these licenses or are these converted in Universal Licenses?

Perpetual licensing with Veeam is still possible. You can still license sockets. No licenses are automatically converted to the Veeam Universal Licensing (VUL) scheme. License administrator can convert licenses at will in the customer portal.


Tiers and protection

The following questions were asked regarding to scale-out backup repositories, the cloud tier and Cloud Connect:

Is there a Veeam CSP target option for capacity/cloud tier?

If you are running a public S3 Compatible platform that can be a target for the Object Storage Repo. Otherwise you would be looking at offering Cloud Connect Backup as an offsite Cloud Repository.

Can the Cloud Connect Repo act as object storage for the cloud tier?

Cloud Connect is a separate technology outside of the Scale Out Backup Repository (SOBR) functionality.

Regarding avoiding Ransomware issues, what is the recommended way to setup my environment? Should the backup server be added to the domain or not? What other things do you recommend?

Anton Gostev’s blogpost here sheds some more light and provides links to the smart choices you can make. Remember that these choices may also negatively impact the backup, management and restore processes.

Does Veeam plan to integrate the Kaspersky solution with Secure Backup?

As far as Kaspersky is manageable with a CLI you can use it with Secure Restore, right now.

It was being talked about that you could now restore a backed up physical server straight to a VM on vSphere. Is that same ability available for Hyper-V?

Yes, when you create agent-based backups you can restore wherever you need.


The following questions were asked regarding backing up and restoring cloud services, like Office 365 and Azure Stack:

Are we able to backup the office 365 to on premises disk storage?

Veeam Backup for Microsoft Office 365 (VBO) is Veeam’s standalone product to create backups of data in Office 365 to on-premises storage. It creates backups of data in Exchange Online, SharePoint Online, OneDrive for Business and Teams. Here’s more information.

Are there any performance increases with VBO v4?

Yes, there are significant performance improvements for both SharePoint and OneDrive. It uses multiple accounts to overcome per account throttling.

Will Veeam Backup For Office 365 v4 be able to restore Teams better than Veeam Backup For Office 365 v3

There is no change in the way VBO v4 restores Teams data compared to VBO v3.
Veeam is aware of certain limitations, like restoring a file attachment in a teams chat (restoring the chat including attachments). This functionality is currently missing in the Office 365 APIs.

How about Azure AD backup, are we able to backup to on-premises storage and restore it in the on premises host?

Not at the moment. Take care of different attributes that reside only in Azure AD.

Is Veeam B&R able to communicate with the old Azure Stack or the new Azure Stack HCI?

Yes. Azure Stack HCI leverages Storage Spaces Direct (S2D). This is supported with VBR and not a problem at all – just like any other Hyper-V cluster deployment. The product formerly known as Azure Stack is now called Azure Stack Hub and requires agent-based backups in Veeam. There are now three products from Microsoft with the Azure Stack moniker:

  1. Azure Stack Edge, a cloud-managed appliance with use cases like Machine Learning on-premises, IoT solutions and network data transfer
  2. Azure Stack HCI, a Hyper-converged Infrastructure (HCI) solution to run virtual machines and use Windows Admin Center to connect to Azure for cloud services
  3. Azure Stack Hub, a cloud-native integrative system for disconnected scenarios, data sovereignty and application modernization, leveraging consistent Azure services and APIs.

When will immutable backup repositories be available for Azure like it will be for AWS?

Microsoft recently announced write-once, read-many (WORM) Azure storage. However, the feature in Azure offers container-level lock functionality, whereas the AWS feature offers object level locks. Azure’s current functionality would not be very cost-effective for incremental backups.



The following miscellaneous questions were asked and answered:

For a backup repository, what is the maximum size?

There isn’t a max disk size for a backup repository as such. It’s dictated by your storage and the filesystem type. If you are having disk and storage constraints you can extend Object Storage via Veeam’s Cloud Tier built into the Scale Out Backup Repository (SOBR) functionality.

How do we know that Veeam Backup is backing up valid data, not corrupted data?

Veeam Backup and Replication (VBR) creates backups. In the backup process there is no true check if the right data and sufficient data is backed up. However, VBR offers the SureBackup functionality, that allows you to restore a backup for a test scenario. You can run automated tests to this restore and test if the VM is indeed restorable (sufficient data) and restores as intended (the right data).

Can we backup VMs configured for Near Sync via the Nutanix API?

No. It seems to be a limitation in Nutanix, not Veeam, so it might be better to ask if Nutanix will support it soon. Nutanix version 5.10 still shows as lightweight snapshots which do not support change block tracking which is what Veeam and other backup solutions use to tell what needs to be backed up and what has already been.

I recently added a SAN to the Veeam Server in the Infrastructure Settings. As soon as it was connected and Veeam had finished doing the Inventory it looks like all our existing backup jobs started using the SAN for creating the snapshots. I did not change any of the backup job settings. Is there a way in the backup job to turn off the ability to use the SAN for snapshots and force it to use the usual way and have Veeam create the snapshot in vCenter?

The backup job now uses the Backup from storage snapshot option. If Veeam Backup & Replication (VBR) detects a supported storage array, it turns on the integration automatically. To return to the previous backup method, disable the option.

I’m looking at offsite Veeam Copy\Replication with 2 EMC Dedupe boxes. Is it better to use native replication or Veeam Copy?

We always recommend to use Veeam Backup Copy Jobs. In this case Veeam Backup & Replication is aware that every single block made it offsite successfully. There’s no such ‘insurance’ if you use native deduplicated replication.



It is clear that Veeam succeeded to get the possibilities of cloud in the heads of the attendees at VeeamON Virtual this year.

In cloud scenarios things change faster and Veeam is depending on the API possibilities from the cloud vendors.

That latter has always been the case, even when they started out with VMware vSphere. The difference today seems that vendors of hyperscale cloud platforms catch the eyeballs of people faster, entice them faster, but lack in API support. The number of organizations on the platform and demanding improvements dictates the development of secondary goals like API management.

Large cloud vendors get away with it, today. With their reputation of being a cutting-edge and agile data protection vendor, Veeam now sometimes take the hit, while from a secure development point of view, they’re walking the right path, the API path.