The video of our Active Directory session at VMware VMworld 2020 is now available

VMware VMworld 2020

VMworld is a global conference for virtualization and cloud computing, hosted by VMware. It is the largest virtualization-specific event. No wonder I was pleased to announce my return to this awesome event.

And now, you can enjoy Deji Akomolafe’s, Matt Liebowitz’s and my efforts in creating a demo-packed, full-featured version of the ‘Virtualize Active Directory the right way!’ evergreen VMworld session.

During the VMware VMworld 2020 online event, the video was available to play on-demand for everyone with a free General pass.


About our session

Active Directory Domain Services (ADDS) allows organizations to deploy a scalable and secure directory service for managing users, resources, and applications. Although virtualizing Domain Controllers has been a simple and supported operation for many years, many organizations have been very reluctant to do so.

Organizations have struggled to understand how to properly navigate and avoid the multiple pitfalls (such as synchronization, convergence, security, time management, availability, and data integrity) inherent in virtualizing a production, enterprise-level Active Directory Domain Services (AD DS) infrastructure. Even when they have virtualized their Domain Controllers, administrators still worry about the security, safety, and integrity of their AD DS infrastructure.

Watch this session to see how to virtualize AD the right way:


Compared to the recordings and slides of this session at previous VMworld events, we’ve updated the slide deck with everything that is new in vSphere 7.0 and vSphere 7.0 Update 1, wherever it (even remotely) touches on identity and virtualizing Domain Controllers. This is the result of over 90 hours of work from the three of us.



Thank you to VMware for organizing VMworld Europe 2020 and inviting me as a speaker. VMware has also made the recording publicly available. Thank you to Deji and Matt for co-recording this session with me.

Enjoy!


Mainstream support for Microsoft Advanced Threat Analytics (ATA) ends in three months

Microsoft ATA

We’ve helped organizations embrace Microsoft’s Advanced Threat Analytics (ATA) solution to protect their Active Directory environments from attacks.

On January 12th, 2021, mainstream support for this product ends. ATA version 1.9.3, released on September 14th, 2020, is the final update as part of mainstream support.

It’s time to move on to Microsoft Defender for Identity.

About Microsoft Advanced Threat Analytics (ATA)

Microsoft Advanced Threat Analytics (ATA) is a solution to detect suspicious activities and identity-related attacks against Active Directory environments. ATA monitors all devices in the network that perform authentication and authorization requests against Active Directory, including non-Windows and mobile devices.

Three weeks after deployment, ATA starts to detect suspicious behavioral activities, because it first needs to learn a baseline. Known malicious attacks and security issues, on the other hand, are detected immediately after deployment.

In addition to analyzing Active Directory traffic using deep packet inspection technology, ATA can also collect relevant events from your Security Information and Event Management (SIEM) implementation and from the event logs if the organization configures Windows Event Log forwarding.

ATA is licensed as part of the Enterprise Mobility + Security (EMS) E5 license, and is available as a part of Microsoft 365 E5 licensing. In grandfathered licensing schemes, ATA was part of the Enterprise Client Access License (CAL) suite.

About Microsoft Defender for Identity

Azure Advanced Threat Protection (ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Previously labeled Azure Advanced Threat Protection (Azure ATP), Microsoft Defender for Identity is a cloud service with lightweight agents on each of the Domain Controllers in the Active Directory environment.

In contrast to Microsoft Advanced Threat Analytics (ATA), Microsoft Defender for Identity leverages cloud-based Machine Learning (ML) to detect threats. This removes the need for organizations to maintain their own analysis infrastructure and to keep detection rules current.

Start migrating today

The end of mainstream support should be your start signal to:

  1. Stop new deployments
    Deployments in extended support may not be able to deliver their benefits within the timeframe allotted to the deployment. This period is typically 4-5 years and is determined by economic motives. It’s unpopular to say that new deployments should not be built on Windows Server 2016, but it is already the best thing to do today.
  2. Migrate off the product to a successor, if such a product or service exists
    Microsoft has introduced its lifecycle policies to help organizations determine their right courses of action ahead of time. Despite this information being available without registration and for free, some organizations still end up using unsupported versions and migrating off products after their end of support date.

Steps to migrate

To migrate from Advanced Threat Analytics (ATA) to Microsoft Defender for Identity, follow these steps:

Get current

Currently, version 1.9.3 is the latest version of Advanced Threat Analytics (ATA). If you run an older version of ATA, upgrade to the latest version. You can upgrade directly from 1.8.x versions. For older versions, an upgrade path scheme is available.

In terms of licenses, Microsoft Defender for Identity is not part of the Enterprise CAL suite. If your organization intends to use Microsoft Defender for Identity, an upgrade to the Enterprise Mobility + Security (EMS) E5 or Microsoft 365 E5 suite is necessary.

Meet the requirements

Microsoft Advanced Threat Analytics (ATA) and Microsoft Defender for Identity are totally different products from an infrastructure point of view. You will need to meet additional requirements:

  1. You need an Azure AD tenant
  2. You need an account with Global administrator privileges to configure Microsoft Defender for Identity
  3. All Domain Controllers and Read-only Domain Controllers need to run Windows Server 2012 or later. Windows Server 2019-based Domain Controllers need to run at least the February 2019 cumulative update (KB4487044).
  4. All Domain Controllers and Read-only Domain Controllers need to run .NET Framework version 4.7, or up.
  5. All Domain Controllers need to be able to send traffic with * on TCP port 443. This traffic can be exchanged through a proxy server. Any (privileged access) workstations that will be used to manage Microsoft Defender for Identity require the same network access.
  6. A new standard user account as the sensor’s service account, or a new group Managed Service Account (gMSA)
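As an added example (not part of the original post), the following PowerShell checks requirements 3, 4 and 5 from the list above on the local Domain Controller and creates the gMSA from requirement 6. The sensor endpoint hostname, proxy, account name and the 17763.316 build mapping for KB4487044 are assumptions supplied by the caller or noted in comments.

```powershell
# Added example, not from the post or from Microsoft: prerequisite checks for the
# Defender for Identity sensor, run in an elevated session on each Domain Controller.
function Test-MdiSensorPrerequisites {
    [CmdletBinding()]
    param(
        # Hostname the sensor must reach on TCP 443 (placeholder; the post elides it)
        [Parameter(Mandatory)] [string] $SensorEndpoint,
        # Optional proxy the DC would use instead of direct outbound access
        [string] $ProxyHost,
        [int] $ProxyPort = 8080
    )

    $results = [ordered]@{}
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Requirement 3: Windows Server 2012 (build 9200) or later, on a Domain Controller (ProductType 2)
    $results['Host is a Domain Controller']            = ($os.ProductType -eq 2)
    $results['OS build >= 9200 (Windows Server 2012)']  = ($build -ge 9200)

    # Requirement 3 for Windows Server 2019 (build 17763): at or past the February 2019 CU.
    # Later cumulative updates supersede KB4487044, so Get-HotFix alone yields false negatives;
    # assumption: KB4487044 corresponds to build 17763.316, so the UBR value is compared instead.
    if ($build -eq 17763) {
        $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
        $results['Windows Server 2019 at or past KB4487044 (UBR >= 316)'] = ([int]$ubr -ge 316)
    }

    # Requirement 4: .NET Framework 4.7 or later. Release DWORD 460798 is the lowest 4.7 value.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $results['.NET Framework >= 4.7 (Release >= 460798)'] = ($null -ne $ndp -and [int]$ndp.Release -ge 460798)

    # Requirement 5: outbound TCP 443 to the sensor endpoint, either directly or through the proxy
    if ($ProxyHost) {
        $tcp = Test-NetConnection -ComputerName $ProxyHost -Port $ProxyPort -WarningAction SilentlyContinue
        $results["TCP $ProxyPort to proxy $ProxyHost"] = $tcp.TcpTestSucceeded
    } else {
        $tcp = Test-NetConnection -ComputerName $SensorEndpoint -Port 443 -WarningAction SilentlyContinue
        $results["TCP 443 to $SensorEndpoint"] = $tcp.TcpTestSucceeded
    }

    foreach ($entry in $results.GetEnumerator()) {
        [pscustomobject]@{ Check = $entry.Key; Passed = $entry.Value }
    }
}

# Requirement 6: a gMSA whose password only Domain Controllers may retrieve, so the sensor
# runs without a shared user password. Needs the ActiveDirectory module and an existing KDS root key.
function New-MdiSensorGmsa {
    param(
        [string] $Name = 'mdiSvc01',                          # placeholder account name
        [string] $DnsHostName = "$Name.$env:USERDNSDOMAIN"    # derived from the logon domain
    )
    Import-Module ActiveDirectory
    New-ADServiceAccount -Name $Name -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword 'Domain Controllers' `
        -KerberosEncryptionType AES256
}

# Usage:
# Test-MdiSensorPrerequisites -SensorEndpoint 'placeholder.sensor.endpoint' | Format-Table -AutoSize
# New-MdiSensorGmsa -Name 'mdiSvc01'
```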

Create the Microsoft Defender for Identity instance

To get started with Microsoft Defender for Identity, create your instance in the Azure Portal. After creation, assign any co-administrators the Administrators, Users and/or Viewers role groups.

Switch out the sensors

Uninstall the ATA Lightweight Gateway on all Active Directory Domain Controllers and install the Azure ATP Sensor on all Active Directory Domain Controllers. Next, configure the sensor with the new service account.

Decommission the ATA Center

Microsoft ATA relied on an ATA Center installation on the network. Its security alerts and reports are not migrated over. To be able to reference this information, keep the ATA Center online for a period of time. After decommissioning the ATA Center, its compute and storage resources can typically be deallocated, especially if the ATA Center is a virtual machine.


Extended support for Advanced Threat Analytics (ATA) continues until January 2026.

Further reading

Support for Microsoft Advanced Threat Analytics (ATA) versions
End of mainstream support for Advanced Threat Analytics January 2021
Advanced Threat Analytics (ATA) to Azure Advanced Threat Protection (Azure ATP)


The videos of Microsoft Ignite Untold are now available for you to view

Microsoft Ignite

During Microsoft Ignite 2020, Raymond Comvalius, Barbara Forbes and I presented ‘Ignite Untold’, the Dutch Community live stream supporting Microsoft Ignite 2020 in Dutch.


About Microsoft Ignite

Ignite is Microsoft’s yearly event for IT Professionals and developers. At Microsoft Ignite they connect with IT leaders from around the world. They hear from industry thought-leaders on the changing landscape of IT, they find new technology partners and they see how others are transforming businesses. Ignite is a one-of-a-kind experience designed to fuel business, connections, and the future forward.

For 2020, Ignite is organized differently to align with the new reality. Microsoft has announced that they will organize virtual events only until July 2021. Instead of an in-person event in New Orleans, LA, a virtual Ignite event is organized from September 22nd to September 24th, 2020.


Our videos


Our first live stream offers a general overview and tips and tricks, just prior to the keynote by Satya Nadella, kicking off Microsoft Ignite. We’ll discuss the session types, sessions that we feel strongly about, and tips and tricks on staying awake (or convincing your boss to spend company time on sessions).

As Satya starts his keynote at 5:15 PM, there is ample time to grab some popcorn and arrange your optimal seating between our live stream and the keynote.



On Wednesday September 23rd, we’ll provide a live stream to wrap up day 1 of Microsoft Ignite to Dutch IT professionals. Just before you go home, or during your commute on the way home, we’ll provide an overview of all the news from Microsoft Ignite.



Wrapping up Microsoft Ignite 2020, we present our third live stream on Thursday September 24th at 5 PM again. We’ll have concluded our Ask the Experts sessions and we’ll share our Top 3s of new features and top feedback items from these sessions.

Our enthusiasm might transfer to you during our live stream (that's our actual disclaimer…), so we will also share the links for you to take the next steps in learning and experiencing the new features and technologies.


Enjoy!


I’m co-presenting a session at Veeam LIVE


Veeam is organizing a global virtual conference on October 20th under the title Veeam LIVE. Registration is free for all attendees, and the agenda will be full of live sessions with Veeam top experts and external hosts, providing attendees with a real-time experience.

The data protection and management scene is shifting constantly. You may be asking:

  • How can I make my solution more efficient?
  • Where are the threats, where are my opportunities?
  • What new technologies do I need to keep pace with?
  • What are my best options to back up my data to the cloud?

Veeam is defining the future of cloud data solutions and helping today’s businesses securely and reliably protect and easily recover their data. At Veeam Live, you will be offered data protection management guidance you can activate today. You’ll learn how to up your data protection game across your enterprise, connect with like-minded professionals, set the strategy right for your organization and be part of the future of Cloud Data Management.

Data protection is changing rapidly: Be on the edge of what’s next. Veeam Live will give you actionable Cloud Data Management guidance and help you propel your business forward. Learn about:

  • Hybrid Cloud
    Digital transformation is exciting, but challenging. Learn about the cloud-native landscape with sessions on Cloud Data Management™, the Modern Data Center and de-risking your operations.
  • Cyber Security
    The risk of data loss is ever-present and evolving, and business continuity is at stake. Prepare your organization with critical insight on ransomware, malware and disaster recovery.
  • Modern Data Protection
    Data drives everything. You need smart solutions to protect your most prized resource. Explore modern data protection from any environment, across any workload, to meet evolving demands.


Veeam Live will give you the tools you need to answer these questions and up your data protection game. Veeam will bring together deployment, key features and management best practices, helping you make better decisions and reach new levels of technical expertise and better business outcomes.

All online, ALL Live, all at your fingertips, and all in a single day on October 20th 2020 from 10AM to 3:30 PM Eastern Time.


About my presentation

Rick Vanover and I will present a 30-minute solution session filled with demos on:

Solution Overview: Application recovery with Veeam Explorers


October 20th, 2020, 2:35PM – 3:05PM EDT

Adapt your application recovery process to keep pace with the rapidly changing data protection landscape. Join Rick Vanover from Veeam and me for advice on application recovery with a Veeam Explorers solution overview.

In this session, you’ll learn how Veeam Explorers work for critical application recoveries. Whether it’s SQL Server, Exchange Server, SharePoint, Oracle or Office 365 data, Veeam has you covered.


Join us!

Join the Cloud Data Management revolution!
Register for free.

For every registered attendee, Veeam donates 1 USD to Girls Who Code, supporting more women entering the engineering and IT world.


Ten things you should know about Azure AD Administrative Units

Azure Active Directory

An Administrative Unit (AU) is an Azure AD resource that can be a container for other Azure AD resources. Administrative units allow an organization to grant admin permissions that are restricted to a department, region, or other segment of the organization. Admins can use Administrative Units to delegate permissions to regional administrators or to set policy at a granular level. For example, a User account admin could update profile information, reset passwords, and assign licenses for users only in their Administrative Unit (AU).

There are, however, a few things that you need to be aware of:


Ten things you need to know

Administrative Units (AUs) are Generally Available

Normally, when we provide a list of things you should know about a certain technology in Azure AD, we notify you of the perils of Public Previews with Microsoft.

For Administrative Units (AUs) in Azure AD, we decided to wait for General Availability (GA) before passing judgement. This means the feature is available in all Azure AD tenants and is fully supported by the Microsoft product team, by Microsoft customer engineers (formerly known as PFEs) and by Microsoft Support.


Not all roles are available for Administrative Units

You can only assign the following administrative roles to Azure AD Administrative Units (AUs):

  • Authentication Administrator
    Has access to view, set, and reset authentication method information for any non-admin user in the assigned Administrative Unit only.
  • Groups Administrator
    Can manage all aspects of groups and groups settings like naming and expiration policies in the assigned Administrative Unit only.
  • Helpdesk Administrator
    Can reset passwords for non-administrators and Helpdesk administrators in the assigned Administrative Unit only.
  • License Administrator
    Can assign, remove, and update license assignments within the Administrative Unit only.
  • Password Administrator
    Can reset passwords for non-administrators and Password Administrators within the assigned Administrative Unit only.
  • User Administrator
    Can manage all aspects of users and groups, including resetting passwords for limited admins within the assigned Administrative Unit only.

Users, role-assignable cloud groups (in Preview) and Service Principal Names (SPNs) can be added to these roles.


Administrative Units (AUs) can only contain users and groups

User objects and group objects can be made members of Administrative Units (AUs). Devices, however, cannot be made members of AUs. Scoping management of devices in Azure AD through AUs is therefore not possible.

When a group is a member of an Administrative Unit, User Administrators scoped to that AU can manage the name and membership of the group itself. This does not grant them permission to manage the users of the group (for example, to reset their passwords). To grant the User Administrator the ability to manage users, the users have to be direct members of the Administrative Unit.

When you add a group to the Administrative Unit, that does not result in all the group's members being added to it. Users must be directly assigned to the Administrative Unit.

Organizations using Microsoft Intune can use tags for devices as scopes for management, but organizations without Intune are left in the dark.


Administrative Units require Azure AD Premium licenses

Using Administrative Units (AUs) requires an Azure Active Directory Premium license for each Administrative Unit admin. It does not require Premium licenses for Administrative Unit members; an Azure Active Directory Free license will suffice in terms of Administrative Units (AUs) for members.


Only Global Admins and Privileged Role Admins can create AUs

Global administrators or Privileged role administrators can use the Azure AD portal to create Administrative Units (AUs), add users as members of AUs, and then assign IT staff to AU-scoped administrator roles. The Administrative Unit-scoped admins can then use the Microsoft 365 admin center for basic management of users in their AU(s).


AUs cannot be managed in the Microsoft 365 Admin Center

While you can create and delete AUs, add and remove AU members and assign AU-scoped admins through the Azure Portal, the Azure AD Portal, through the Azure AD PowerShell and through Microsoft Graph, you can’t use the Microsoft 365 Admin Center to perform these actions.

Additionally, scoped admins cannot perform unit-scoped management of user MFA credentials in the Microsoft 365 Admin Center.


There are no dynamic Administrative Units

Azure AD knows the concept of Dynamic Groups, where members are added to groups based on (combinations of) attributes of the account in Azure AD. Alas, Administrative Units (AUs) do not know the concept of dynamic Administrative Unit memberships (yet).


There is a big difference between the Azure Portal and the Microsoft 365 Admin Center

Administrative units apply scope only to management permissions. They don't prevent members or administrators from using their default user permissions to browse other users, groups, or resources outside of the Administrative Unit. Admins can browse other users in the Azure AD portal, PowerShell, and other Microsoft services.

However, in the Microsoft 365 admin center, users outside of a scoped admin's Administrative Units are filtered out.


Group Assignment to AUs is clunky

You can assign groups only individually to an Administrative Unit (AU). There is no option of assigning groups in bulk to an AU. When using the Portal, PowerShell or Microsoft Graph, you’ll need to perform an add per group. The same goes for removing a group from the scope of an AU in PowerShell and the Microsoft Graph.

However, in the Azure Portal you can remove AU membership for multiple groups at once if need be.
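To make the direct-membership rule (users must be direct AU members), the per-group add, and the AU-scoped role assignment described under "Only Global Admins and Privileged Role Admins can create AUs" concrete, here is an added PowerShell example using the AzureAD module; it is not the post's own code. The AU name, UPNs and group names are placeholders.

```powershell
# Added example (not from the post): scope a Helpdesk Administrator to one AU with the AzureAD module.
Import-Module AzureAD
Connect-AzureAD | Out-Null   # sign in as Global Administrator or Privileged Role Administrator

$auName     = 'Region-EMEA'                                          # placeholder
$adminUpn   = 'helpdesk.emea@contoso.example'                        # placeholder scoped admin
$userUpns   = @('alice@contoso.example', 'bob@contoso.example')      # placeholder direct members
$groupNames = @('EMEA-Sales', 'EMEA-Support')                        # placeholder groups

# 1. Create the AU if it does not exist yet (only Global Admins / Privileged Role Admins may do this)
$au = Get-AzureADMSAdministrativeUnit -Filter "displayName eq '$auName'"
if (-not $au) {
    $au = New-AzureADMSAdministrativeUnit -DisplayName $auName -Description 'EMEA scoped management'
}

# 2. Users must be DIRECT members: adding a group does not pull its members into the AU,
#    and a scoped admin can only manage users that are direct members.
foreach ($upn in $userUpns) {
    $user = Get-AzureADUser -ObjectId $upn
    Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $user.ObjectId
}

# 3. Groups can only be added one at a time, so loop over them (removal via PowerShell works the same way)
foreach ($name in $groupNames) {
    $group = Get-AzureADGroup -Filter "displayName eq '$name'"
    Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $group.ObjectId
}

# 4. Assign an AU-scoped role. Only the roles listed in the post support AU scoping.
#    Get-AzureADDirectoryRole only returns roles already activated in the tenant, so activate if needed.
$role = Get-AzureADDirectoryRole -Filter "displayName eq 'Helpdesk Administrator'"
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq 'Helpdesk Administrator'
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
$admin  = Get-AzureADUser -ObjectId $adminUpn
$member = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
$member.Id = $admin.ObjectId
Add-AzureADMSScopedRoleMembership -Id $au.Id -RoleId $role.ObjectId -RoleMemberInfo $member

# 5. Verify the result: scoped role memberships and the AU's members (users and groups)
Get-AzureADMSScopedRoleMembership -Id $au.Id |
    Select-Object RoleId, @{ n = 'MemberObjectId'; e = { $_.RoleMemberInfo.Id } }
Get-AzureADMSAdministrativeUnitMember -Id $au.Id | Select-Object Id
```

Note that the scoped admin can still browse users outside the AU in the Azure AD portal and PowerShell; only management actions are restricted to the AU's direct members.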


Elevation of Privilege paths may lead to unexpected behavior

Scoped admins pose an information security risk. Therefore, paths that can lead to elevation of privilege for these accounts are blocked.

For example, an AU-scoped administrator can't reset the password of a user who's assigned to a role with an organization-wide scope.



Enjoy Azure AD Administrative Units (AUs)!


What’s New in Azure Active Directory in September 2020

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for September 2020, on top of the announcements from Microsoft Ignite 2020:


What’s New

New provisioning connectors in the Azure AD Application Gallery Generally Available

Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:


Audited BitLocker Recovery in Azure AD Public Preview

Service category: Device Access Management
Product capability: Device Lifecycle Management

When IT admins or end users read BitLocker recovery key(s) they have access to, Azure Active Directory now generates an audit log that captures who accessed the recovery key. The same audit provides details of the device the BitLocker key was associated with.

End users can access their recovery keys via My Account. IT admins can access recovery keys via the BitLocker recovery key API in beta or via the Azure AD Portal.


Teams Devices Administrator built-in role

Service category: RBAC
Product capability: Access Control

Users with the Teams Devices Administrator role can manage Teams-certified devices from the Teams Admin Center.

This role allows the user to view all devices at a single glance, with the ability to search and filter devices. The user can also check the details of each device, including the logged-in account and the make and model of the device. The user can change the settings on the device and update the software versions. This role doesn't grant permissions to check Teams activity and call quality of the device.


Advanced query capabilities for Directory Objects Generally Available

Service category: MS Graph
Product capability: Developer Experience

All the new query capabilities introduced for Directory Objects in Azure AD APIs are now available in the v1.0 endpoint and production-ready. Developers can Count, Search, Filter, and Sort Directory Objects and related links using the standard OData operators.


Continuous access evaluation for tenants who configured Conditional Access policies Public Preview

Service category: Authentications (Logins)
Product capability: Identity Security & Protection

Continuous access evaluation (CAE) is now available in public preview for Azure AD tenants with Conditional Access policies. With CAE, critical security events and policies are evaluated in real time. This includes account disable, password reset, and location change.


Ask users requesting an access package additional questions to improve approval decisions

Service category: User Access Management
Product capability: Entitlement Management

Administrators can now require that users requesting an access package answer additional questions beyond just business justification in Azure AD Entitlement management's My Access portal. The users' answers will then be shown to the approvers to help them make a more accurate access approval decision.


Enhanced user management Public Preview

Service category: User Management
Product capability: User Management

The Azure AD portal has been updated to make it easier to find users in the All users and Deleted users pages. Changes in the preview include:

  • More visible user properties including object ID, directory sync status, creation type, and identity issuer.
  • Search now allows combined search of names, emails, and object IDs.
  • Enhanced filtering by user type (member, guest, and none), directory sync status, creation type, company name, and domain name.
  • New sorting capabilities on properties like name, user principal name and deletion date.
  • A new total users count that updates with any searches or filters.


Notes field for Enterprise applications

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Admins can add free text notes to Enterprise applications. They can add any relevant information that will help them manage applications under Enterprise applications.


Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In September 2020, Microsoft added the following new applications to the Azure AD App gallery with Federation support:

  1. VMware Horizon – Unified Access Gateway
  2. Pulse Secure PCS
  3. Inventory360
  4. Frontitude
  5. BookWidgets
  6. ZVD_Server
  7. HashData for Business
  8. SecureLogin
  9. CyberSolutions MAILBASEΣ/CMSS
  10. CyberSolutions CYBERMAILΣ
  11. LimbleCMMS
  12. Glint Inc
  13. zeroheight
  14. Gender Fitness
  15. Coeo Portal
  16. Grammarly
  17. Fivetran
  18. Kumolus
  19. RSA Archer Suite
  20. TeamzSkill
  21. raumfürraum
  22. Saviynt
  23. BizMerlinHR
  24. Mobile Locker
  25. Zengine
  26. CloudCADI
  27. Simfoni Analytics
  28. Priva Identity & Access Management
  29. Nitro Pro
  30. Eventfinity
  31. Fexa
  32. Secured Signing Enterprise Portal
  33. Secured Signing Enterprise Portal AAD Setup
  34. Wistec Online
  35. Oracle PeopleSoft – Protected by F5 BIG-IP APM


New delegation role in Azure AD entitlement management: Access package assignment manager

Service category: User Access Management
Product capability: Entitlement Management

A new Access Package Assignment Manager role has been added in Azure AD entitlement management to provide granular permissions to manage assignments. Admins can now delegate tasks to a user in this role, who can in turn delegate assignment management of an access package to a business owner. However, an Access Package Assignment Manager can't alter the access package policies or other properties that are set by the administrators.

With this new role, organizations benefit from the least privileges needed to delegate management of assignments and maintain administrative control on all other access package configurations.


What’s Changed

Changes to Privileged Identity Management's onboarding flow

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Previously, onboarding to Azure AD Privileged Identity Management (PIM) required user consent and an onboarding flow in PIM's blade that included enrollment in Azure MFA. With the recent integration of the PIM experience into the Azure AD roles and administrators blade, Microsoft is removing this experience. Any tenant with a valid Azure AD Premium P2 license will be auto-onboarded to PIM.

Onboarding to PIM does not have any direct adverse effect on a tenant. Organizations can expect the following changes:

  1. Additional assignment options such as active vs. eligible with start and end time when admins make an assignment in either PIM or Azure AD roles and administrators blade.
  2. Additional scoping mechanisms, like Administrative Units (AUs) and custom roles, introduced directly into the assignment experience.
  3. If you are a global administrator or privileged role administrator, you may start getting a few additional emails like the PIM weekly digest.
  4. Admins might also see an ms-pim service principal in the audit log related to role assignment. This expected change shouldn't affect your regular workflow.


Azure AD Entitlement Management: The Select pane of access package resources now shows the resources currently in the selected catalog by default

Service category: User Access Management
Product capability: Entitlement Management

In the access package creation flow, under the Resource roles tab, the Select pane behavior is changing. Currently, the default behavior is to show all resources that are owned by the user and resources added to the selected catalog.

This experience will be changed to display only the resources currently added in the catalog by default, so that users can easily pick resources from the catalog. The update will help with discoverability of the resources to add to access packages, and reduce risk of inadvertently adding resources owned by the user that aren't part of the catalog.


On-premises Identity-related updates and fixes for September 2020

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates.

Although much attention was given this month to Secura’s ZeroLogon attack and the advice to update Windows Servers acting as Domain Controllers immediately, the underlying vulnerability was actually fixed as part of the August 2020 cumulative updates.

These are the Identity-related updates and fixes we saw for September 2020:


Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4577015 September 8, 2020

The September 8 update for Windows Server 2016 (KB4577015), updating the OS build number to 14393.3930, is a security update that includes quality improvements.

This update addresses five important vulnerabilities for Domain Controllers running as DNS Servers and contains an important fix that addresses a Spoofing Vulnerability in AD FS.

It includes an Identity-related quality improvement that provides the ability to set a Group Policy that displays only the domain and username when you sign in. This facilitates passwordless authentication using the Microsoft Authenticator App.

Known issue with this update

A known issue with this update is an error when accessing the Security Options data view in the Group Policy Management Editor (gpedit.msc) or Local Security Policy Editor (secpol.msc). It might fail with one of these two error messages:

MMC has detected an error in a snap-in. It is recommended that you shut down and restart MMC

MMC cannot initialize the snap-in

To mitigate this issue, you can install the Remote Server Administrative Tools (RSAT) on a device running Windows 10, version 1709 or later. This will allow you to run Group Policy Management Console and edit GPOs on the affected server.


Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4570333 September 8, 2020

The September 8, 2020 update for Windows Server 2019 (KB4570333), updating the OS build number to 17763.1457, is a security update.

This update addresses five important vulnerabilities for Domain Controllers running as DNS Servers and contains an important fix that addresses a Spoofing Vulnerability in AD FS.

KB4577069 September 16, 2020

The September 16, 2020 update for Windows Server 2019 (KB4577069), updating the OS build number to 17763.1490, is an update that includes quality improvements:

  • This update addresses an issue with using Group Policy Preferences to configure the homepage in Internet Explorer.
  • This update provides the ability to set a Group Policy that displays only the domain and username when you sign in. This facilitates passwordless authentication using the Microsoft Authenticator App.
  • This update addresses an issue that causes an access violation in lsass.exe when a process is started using the runas.exe command in some circumstances.
  • This update addresses an issue that prevents the content under HKLM\Software\Cryptography from being carried over during Windows feature updates.
  • This update addresses an issue that might create duplicate Foreign Security Principal directory objects for Authenticated and Interactive users in the domain partition. As a result, the original directory objects have “CNF” added to their names and are mangled. This issue occurs when you promote a new Active Directory Domain Controller using the CriticalReplicationOnly flag.
  • This update adds new /compress functionality to the robocopy.exe command.
  • This update adds Secure Sockets Layer (SSL) certificate authentication over HTTP/2.
  • This update adds an Azure Active Directory (AAD) device token that is sent to Windows Update (WU) as part of each update scan. Windows Update can use this token to query for membership in groups that contain Azure AD-joined devices.
  • This update addresses an issue that fails to log events 5136 for group membership changes in certain scenarios. This occurs when you use the Permissive Modify control; for example, the Active Directory (AD) PowerShell modules use this control.
  • This update addresses an issue with setting the Restrict delegation of credentials to remote servers Group Policy setting with the Restrict Credential Delegation mode on an RDP client. As a result, the Remote Desktop Session Host tries to use Require Remote Credential Guard mode first and will only use Require Restricted Admin if the server does not support Require Remote Credential Guard.

I have been invited to present at the 2020 Hybrid Identity Protection Conference

Six Horror Stories of Hybrid Identity Mismanagement at the Hybrid Identity Protection Conference

This October, I’m joining many of my technical friends at the Hybrid Identity Protection Conference.

For those who attended The Experts Conference (TEC) and NetPro’s Directory Experts Conference (DEC) events previously, the Hybrid Identity Protection Conference promises to be at least as much fun as these events, where you’ve seen the likes of Gil Kirkpatrick, Sean Deuby, Darren Mar-Elia, Brian Desmond, Joe Kaplan and Jorge de Almeida Pinto.

About the Hybrid Identity Protection Conference

The Hybrid Identity Protection Conference

The Hybrid Identity Protection Conference is Semperis Inc.’s event in the spirit of The Experts Conference (TEC) to bring together the leading experts in the field of Identity and Access Management. The event offers a unique opportunity to spend time with peers whose day-to-day job is to architect, manage, and protect identity management in the hybrid enterprise.

The 2020 Hybrid Identity Protection Conference is a virtual conference, offering four tracks on four days:

  1. The Crisis Management track on October 20th, 2020
  2. The Hybrid Active Directory Security track on October 21st, 2020
  3. The Hacking Identity track on October 27th, 2020
  4. The Future Proofing Identity Security track on October 28th, 2020

About my presentation

I’ll present a 60-minute session in the Crisis Management track:

Six Horror Stories of Hybrid Identity Mismanagement

October 20th, 2020, 7 PM CEST, Virtual

The Microsoft documentation provides clear-cut decisive guidance for integrating Active Directory with Azure AD. This way, Hybrid Identity should emerge. Alas, at some organizations it didn't…

Join this session to gain insights into the critical success factors that drive Hybrid Identity and the things that often get overlooked. I’ll share my views on these situations. Of course, this session covers how to avoid these situations yourself, so we all benefit. A true storyteller’s session on real-world events from a speaker with a twisted sense of humor. Be sure to check in!

Join us!

The virtual Hybrid Identity Protection Conference is a free event.
All you need to do to attend the sessions is to register for the sessions.

The 2020 Hybrid Identity Protection Conference uses BrightTALK as the delivery platform. By registering you confirm you intend to interact with and disclose personal information to Semperis and BrightTALK, and that you have read, understood and agree to BrightTALK’s user agreement, privacy policy and the use of cookies.


I’m speaking at the European SharePoint, Office 365 and Azure Conference (ESPC20)


I’m happy to announce that I am returning as a speaker for the European SharePoint, Office 365 and Azure Conference (ESPC) 2020 on October 14th – 15th, 2020.

About ESPC20

The European SharePoint, Office 365 & Azure Conference (ESPC) is Europe’s leading online community, providing educational resources and encouraging collaboration.

The European SharePoint, Office 365 and Azure Conference is part of QualTech Conferences and is based in Galway, Ireland. QualTech has 18 years of experience in organizing leading European IT conferences.

ESPC20 Online is a virtual conference offering you affordable, world-class Microsoft 365 learning at your fingertips, from wherever you are in the world. Tune in live Oct 14th & 15th or catch up on-demand across 100+ sessions from SharePoint, Office 365 & Azure experts.

ESPC20 was originally scheduled as an in-person event for November 9th – 12th, 2020 in Amsterdam…

About my session

I have a 45-minute session scheduled on:

Hardening Hybrid Identity in the Real World

Thursday October 15th, 2020, 10 AM – 10:45 AM CEST

As organizations rely heavily on Active Directory and embrace Azure Active Directory (Azure AD), proper configuration of their setups becomes more important: as Azure AD is often built upon Active Directory, you need a solid base. As Azure AD offers more functionality, it too should be tuned.

To avoid the tyranny of default settings, we’ll look at properly securing on-premises Active Directory Federation Services (AD FS) environments and Azure AD Connect installations, and at hardening Azure AD tenants to match the level of security required to face today’s threats.

Make sure to get the best tips and tricks in this session from an MVP whose team and peers have seen and done it all in Active Directory and Azure AD.

This session consists of 30 minutes of slides and demos, and 15 minutes of Q & A.

Join us!

Join us at the European SharePoint, Office 365 & Azure Conference. Learn, connect and be inspired at Europe’s largest Independent Conference on Microsoft Technologies.

Register here!


A Recap of Identity-related Announcements from Microsoft Ignite 2020

Microsoft Ignite 2020

Microsoft organized Ignite 2020 as a free digital event between Tuesday September 22nd and Thursday September 24th.

Ignite is Microsoft’s yearly event for IT Professionals and developers. At Microsoft Ignite they connect with IT leaders from around the world. They hear from industry thought-leaders on the changing landscape of IT, they find new technology partners and they see how others are transforming businesses. Ignite is a one-of-a-kind experience designed to fuel business, connections, and the future forward.

During Microsoft Ignite 2020, Microsoft made the following Identity-related announcements:

Header-based authentication in Azure AD Application Proxy Coming Soon

The Azure AD Application Proxy currently provides access to on-premises web applications through SAML-based, Integrated Windows or password-based authentication, or through a link in the Azure AD Access Panel or Office 365 App launcher.

Header-based authentication in Azure AD Application Proxy enables organizations to move header-based authentication apps from legacy on-premises authentication systems, and natively connect them to Azure AD.

This Azure AD App Proxy feature will be available in Public Preview by November 2020.

New Partners for Secure Hybrid Access

Next to Akamai, Citrix, F5 and ZScaler, the following organizations will provide secure hybrid access:

  • Cisco
  • Fortinet
  • Kemp
  • PaloAlto
  • Strata

These integrations enable secure single sign-on for legacy applications that require Integrated Windows Authentication, header-based, LDAP, SSH and non-HTTP authorization.

Single Sign-on for Apple iOS Public Preview

The Microsoft Enterprise SSO plug-in for Apple devices provides single sign-on (SSO) for Azure AD accounts across all applications that support Apple's Enterprise Single Sign-On feature. Microsoft worked closely with Apple to develop this plug-in to increase your application's usability while providing the best protection that Apple and Microsoft can provide.

In this Public Preview release, available since September 15th, 2020, the Enterprise SSO plug-in is available only for iOS devices and is distributed in certain Microsoft applications.

The Microsoft Enterprise SSO plug-in for Apple devices offers the following benefits:

  • Provides SSO for Azure AD accounts across all applications that support Apple's Enterprise Single Sign-On feature.
  • Delivered automatically in the Microsoft Authenticator app and can be enabled by any mobile device management (MDM) solution.


Deep app integrations for user lifecycle

Organizations that adopt popular SaaS applications will get new capabilities to simplify user lifecycle management thanks to the deep integrations between Azure AD and leading SaaS apps. Here are two new integrations:

  • With ServiceNow’s upcoming Paris Release (September 2020 platform update), IT and hiring managers can automatically provision application access for new hires through Azure AD, increasing productivity for new hires and support teams. This integration automates the whole onboarding workflow from case creation in ServiceNow HR Service Delivery, to role assignment by hiring manager, and application provisioning by IT based on the new hire’s role. This integration is Generally Available on September 16th, 2020.
  • Adobe has announced app provisioning integration with Azure AD based on the SCIM standard for its core Adobe Identity Management platform across Adobe Creative Cloud, Adobe Document Cloud and Adobe Experience Cloud. This includes an updated Adobe admin experience based on insights from Microsoft IT. This integration will be in a Private Preview by the end of September 2020 and publicly available for Azure AD and Adobe customers by December 2020.

Organizations can leverage these new features within the app administration consoles.

Conditional Access APIs General Availability

Conditional Access is a policy engine in Azure Active Directory that helps organizations set granular adaptive access controls for the right balance of security and productivity. The new capabilities will protect users more comprehensively and at scale, with new insights, automation, and at lower total cost of ownership.

Quickly enabling remote work while keeping company data safe presents new challenges in identity and access management and amplifies the old challenges. Organizations need to be able to deploy access policies quickly and at scale and be confident in their coverage.

Conditional Access APIs in Microsoft Graph allow administrators to manage all aspects of Conditional Access policies as code, achieving greater scale and automation.

To get going with the Conditional Access APIs, take a look at

Conditional Access Insights General Availability

Conditional Access Insights and recommendations for enforced Conditional Access policy are now available in the Azure AD advisor tool to help administrators understand the gap in policy coverage and troubleshoot issues.
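The two passages above (policies as code through Microsoft Graph, and finding gaps in policy coverage) can be combined into a small offline audit. The following Python is an added example, not Microsoft’s tooling or code from this post: it takes policies in the shape the Graph `identity/conditionalAccess/policies` endpoint returns (a constructed sample is embedded), flags policies that are not enforced, and checks for two common coverage gaps; the helper names are my own.

```python
import json

# Constructed sample in the shape of the "value" array returned by
# GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["00000000-breakglass-sample"]},
                 "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block legacy authentication", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                 "applications": {"includeApplications": ["All"]},
                 "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")

# Graph clientAppTypes values that represent legacy (non-modern) authentication clients.
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}


def targets_all_users_and_apps(policy):
    """True when the policy scopes to every user and every cloud app (exclusions allowed)."""
    c = policy["conditions"]
    return ("All" in c["users"].get("includeUsers", [])
            and "All" in c["applications"].get("includeApplications", []))


def requires(policy, control):
    """True when the grant controls include the given built-in control (e.g. 'mfa', 'block')."""
    grant = policy.get("grantControls") or {}
    return control in grant.get("builtInControls", [])


def client_types(policy):
    return set(policy["conditions"].get("clientAppTypes", []))


def audit(policies):
    """Return a list of findings; an empty list means no gaps were detected."""
    findings, enforced = [], []
    for p in policies:
        if p["state"] == "enabled":
            enforced.append(p)
        else:  # report-only or disabled policies do not protect anything yet
            findings.append(f"{p['displayName']}: state is {p['state']}, not enforced")
    if not any(requires(p, "mfa") and targets_all_users_and_apps(p)
               and "all" in client_types(p) for p in enforced):
        findings.append("GAP: no enforced policy requires MFA for all users on all apps")
    if not any(requires(p, "block") and targets_all_users_and_apps(p)
               and (LEGACY_CLIENTS <= client_types(p) or "all" in client_types(p))
               for p in enforced):
        findings.append("GAP: no enforced policy blocks legacy authentication clients")
    return findings
```

Against a real tenant, feed the script the JSON you exported from Graph instead of the sample; the break-glass exclusion on the MFA policy is intentional and stays out of the gap checks.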

Unified pricing and security features for External Identities Public Preview

As shared by Alex Simons in the September 1st blogpost on ‘Azure Active Directory External Identities goes premium with advanced security for B2C’, you can now use Conditional Access policies for Azure AD B2C and Identity Protection for Azure AD B2C.

Additionally, an update to the pricing was shared that makes all Azure AD External Identities features more predictable and affordable, with support for premium security features like Conditional Access and (dynamic) group memberships.

Whether an organization uses Azure AD B2C, B2B collaboration or the new self-service sign-up features in Azure AD, securing and managing external users is more affordable than ever, with the first 50,000 monthly active users (MAU) free at both the Premium P1 and Premium P2 tiers.

Decentralized Identity and Verifiable Credentials Pilot

Microsoft is partnering with the MilGears program for the U.S. Department of Defense and Trident University on a Decentralized Identity pilot, using verifiable credentials. MilGears helps service members plan for their next career steps by highlighting future possibilities and helping them visualize how to reach those goals.

Verifiable credentials are digital cards that prove information about people, organizations and things, based on a new identity open standard. By using verifiable credentials in this program, we are making it faster and easier for military veterans and retiring service members to enroll in higher education and jump-start their civilian careers.

Service members in this pilot program can now have a verified service record and transcript of completed courses in a digital wallet on their phone. They can share this record directly with a university or employer. Universities can validate personal information from service members in seconds without the burden of storing records or other sensitive data. It helps protect privacy for the individual and saves time and resources for organizations.

These new capabilities seamlessly integrate with the existing identity systems. To enable this new type of credential verification, DoD MilGears creates a digital transcript using verifiable credentials. When service members log into their account, they can scan a QR code with the Microsoft Authenticator app, accept the credential and add it as a card in their app.

The credential is now owned by the individual and can be stored locally on the device and shared with a university (for right now, Trident University) or an employer.