On-premises Identity updates & fixes for July 2020

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for July 2020:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4565511 July 14, 2020

The July 14 update for Windows Server 2016 (KB4565511), updating the OS build number to 14393.3808, is a security update that includes some additional fixes.

It includes security updates to Microsoft Edge Legacy, Internet Explorer, the Microsoft Scripting Engine, Windows App Platform and Frameworks, Windows Apps, Microsoft Graphics Component, Windows Input and Composition, Windows Media, Windows Shell, the Microsoft Store, Windows Cloud Infrastructure, Windows Fundamentals, Windows Kernel, Windows MSXML, Windows File Server and Clustering, Windows Remote Desktop, Windows Update Stack, and the Microsoft JET Database Engine.

The most important security update is the one that addresses a critical, wormable Windows DNS Server Remote Code Execution vulnerability (SIGRed, CVE-2020-1350).

On July 15th, we urged you to install update KB4565511 as soon as possible on Domain Controllers acting as DNS Servers and on other Windows Server-based DNS Servers, because of the severity of this vulnerability.

It also addresses an issue that causes lsass.exe to stop working on a Remote Desktop Services (RDS) host when you enable Remote Credential Guard. The exception code is


Additionally, starting in July 2020, all Windows Updates will disable the RemoteFX vGPU feature because of a security vulnerability.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4558998 July 14, 2020

The July 14 update for Windows Server 2019 (KB4558998), updating the OS build number to 17763.1339, is a security update that includes some additional fixes.

It includes security updates to Internet Explorer, the Microsoft Scripting Engine, Windows App Platform and Frameworks, Windows Apps, Microsoft Graphics Component, Windows Input and Composition, Windows Media, Windows Shell, the Microsoft Store, Microsoft Edge Legacy, Windows Cloud Infrastructure, Windows Fundamentals, Windows Management, Windows Kernel, Windows Update Stack, Windows MSXML, Windows File Server and Clustering, Windows Remote Desktop, and the Microsoft JET Database Engine.

The most important security update is the one that addresses a critical, wormable Windows DNS Server Remote Code Execution vulnerability (SIGRed, CVE-2020-1350).

On July 15th, we urged you to install this update (KB4558998) as soon as possible on Domain Controllers acting as DNS Servers and on other Windows Server-based DNS Servers, because of the severity of this vulnerability.

It also addresses an issue that might cause lsass.exe to fail with the error message:

A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000008. The machine must now be restarted.
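Because both July 14 updates carry the SIGRed fix, the quickest way to know where you still stand exposed is to compare the build of every DNS-serving Domain Controller with the builds named above. The following Windows PowerShell is an added example, not code from the original post. It assumes the ActiveDirectory module, PowerShell remoting to the Domain Controllers, and the build-to-KB mapping given above; non-DC DNS servers have to be added to the list by hand.

```powershell
# Added example: report which Domain Controllers run the DNS Server service and whether
# they carry at least the July 14, 2020 builds (14393.3808 for Windows Server 2016,
# 17763.1339 for Windows Server 2019). Requires the ActiveDirectory module and WinRM.

# Minimum UBR (the part after the dot) per build number, taken from the KBs above.
$MinimumUbr = @{
    '14393' = 3808   # Windows Server 2016, KB4565511
    '17763' = 1339   # Windows Server 2019, KB4558998
}

function Get-DnsServerPatchState {
    param([string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Build        = [string]$ver.CurrentBuildNumber
            Ubr          = [int]$ver.UBR
            # The DNS Server role registers the 'DNS' service; absent means no DNS role.
            DnsInstalled = [bool](Get-Service -Name DNS -ErrorAction SilentlyContinue)
        }
    }
}

function Test-PatchLevel {
    param([string]$Build, [int]$Ubr, [hashtable]$Minimum = $MinimumUbr)
    if (-not $Minimum.ContainsKey($Build)) { return 'Unknown build; check manually' }
    if ($Ubr -ge $Minimum[$Build]) { return 'Patched' }
    return 'MISSING July 2020 update'
}

# All DCs, plus any stand-alone Windows DNS servers you know of (placeholder name).
$targets = @((Get-ADDomainController -Filter *).HostName) + @('dns01.corp.example.com')

Get-DnsServerPatchState -ComputerName $targets |
    Where-Object DnsInstalled |
    Select-Object ComputerName, Build, Ubr,
        @{ Name = 'State'; Expression = { Test-PatchLevel -Build $_.Build -Ubr $_.Ubr } } |
    Sort-Object State, ComputerName |
    Format-Table -AutoSize
```

Servers that do not answer over WinRM simply drop out of the list, so compare the output against your inventory rather than treating an empty result as good news.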

KB4559003 July 21, 2020

The July 21 update for Windows Server 2019 (KB4559003), updating the OS build number to 17763.1369 is a non-security update that includes fixes:

  • It addresses an issue that prevents Event Viewer from saving a full set of filtered events when you filter by the date.
  • It addresses an issue that continues to display the previous username hint in the smart card sign in box after a different user has used the machine with domain credentials.
  • It addresses an issue that causes lsass.exe to stop working on a terminal server when you enable Remote Credential Guard. The exception code is


  • It addresses an issue that might prevent applications from running as expected on Active Directory Federation Services 2019 (AD FS 2019) clients. This occurs when applications use an iFrame during non-interactive authentication requests and receive the X-Frame-Options header set to DENY.
  • It addresses an issue that incorrectly reports Lightweight Directory Access Protocol (LDAP) sessions as unsecure sessions in Event ID 2889. This occurs when the LDAP session is authenticated and sealed with a Simple Authentication and Security Layer (SASL) method.
  • It updates the message users receive that tells them to check their phone for notifications from the Microsoft Authenticator application. This message only appears when authentication is done using the AD FS Azure Multi-Factor Authentication (MFA) adapter.
  • It updates dcpromo.exe to remove the "Network access: Restrict clients allowed to make remote calls to SAM" policy on member servers when they are promoted to Active Directory Domain Controllers. This allows clients to make Security Accounts Manager (SAM) connections to these Domain Controllers.
  • It addresses an issue that might cause Windows 10 devices that enable Credential Guard to fail authentication requests when they use the machine certificate.
  • It addresses an issue that occurs when a standalone Remote Desktop Session (RDS) host allows multiple sessions per user. After disconnecting from a session, if you attempt to reconnect to the original session, the server creates a new session instead.
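The Event ID 2889 fix above matters most to organizations preparing to enforce LDAP signing, because 2889 is the event that tells you which clients still bind unsigned or in clear text. The following Windows PowerShell is an added example, not code from the original post: it switches on the NTDS diagnostic level that produces Event ID 2889 and summarises the events per client, identity and bind type. It assumes the ActiveDirectory module and remote event log access to the Domain Controllers.

```powershell
# Added example: collect Event ID 2889 from the Directory Service log of the Domain
# Controllers and summarise unsigned/clear-text LDAP binds. 2889 is only logged when
# the NTDS diagnostic "16 LDAP Interface Events" is set to 2 on the DC.

function Enable-LdapInterfaceEvents {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
            -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    }
}

function Get-UnsignedLdapBinds {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    foreach ($dc in $ComputerName) {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 2889
            StartTime = $Since
        }
        foreach ($e in $events) {
            # Property layout of 2889: [0] client address:port, [1] bound identity,
            # [2] binding type (0 = SASL bind without signing, 1 = simple bind in clear text).
            $client   = [string]$e.Properties[0].Value -replace ':\d+$', ''   # strip the port, IPv6-safe
            $bindType = if ([string]$e.Properties[2].Value -eq '0') { 'SASL (unsigned)' } else { 'Simple (clear text)' }
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $e.TimeCreated
                Client           = $client
                Identity         = [string]$e.Properties[1].Value
                BindType         = $bindType
            }
        }
    }
}

$dcs = (Get-ADDomainController -Filter *).HostName
Enable-LdapInterfaceEvents -ComputerName $dcs

# Who needs fixing before LDAP signing is enforced? Highest offenders first.
Get-UnsignedLdapBinds -ComputerName $dcs |
    Group-Object Client, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Client, Identity, BindType'; Expression = { $_.Name } } |
    Format-Table -AutoSize
```

On Domain Controllers that do not yet have KB4559003, sealed SASL sessions show up in this report as unsigned SASL binds; treat those rows as suspect until the update is installed, and let the collection run for at least a full business cycle before concluding a client is clean.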

What’s New in Azure Active Directory in July 2020

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory and on its blog, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for July 2020:

What’s Planned

Targeting client apps using Conditional Access

Service category: Conditional Access
Product capability: Identity Security & Protection

With the General Availability of the client apps condition in Conditional Access, new policies now apply by default to all client applications, including legacy authentication clients. Existing policies remain unchanged, but the Configure Yes/No toggle is removed from existing policies to make it easier to see which client apps a policy applies to.

When creating a new policy, make sure to exclude users and service accounts that are still using legacy authentication; if you don't, they will be blocked.
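To see which existing policies still leave legacy authentication untouched, and which blocking policies would hit legacy clients without exclusions, the Conditional Access policies can be read through Microsoft Graph. The following Windows PowerShell is an added example, not code from the original post. It assumes $AccessToken holds a Microsoft Graph bearer token with Policy.Read.All; the column names are my own.

```powershell
# Added example: report client app coverage per Conditional Access policy. The two
# legacy clientAppTypes are "other" (basic authentication such as IMAP, POP, SMTP AUTH)
# and "exchangeActiveSync"; "all" is what newly created policies now get by default.

function Get-ConditionalAccessClientAppCoverage {
    param([Parameter(Mandatory)][string]$AccessToken)

    $uri = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
    $policies = (Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" }).value

    foreach ($p in $policies) {
        $types        = @($p.conditions.clientAppTypes)
        $coversLegacy = ($types -contains 'all') -or ($types -contains 'other') -or ($types -contains 'exchangeActiveSync')
        $blocks       = @($p.grantControls.builtInControls) -contains 'block'
        [pscustomobject]@{
            Policy         = $p.displayName
            State          = $p.state      # enabled, disabled, enabledForReportingButNotEnforced
            ClientAppTypes = ($types -join ', ')
            CoversLegacy   = $coversLegacy
            BlocksAccess   = $blocks
            ExcludedUsers  = @($p.conditions.users.excludeUsers).Count   # direct user exclusions only
            ExcludedGroups = @($p.conditions.users.excludeGroups).Count
        }
    }
}

$report = Get-ConditionalAccessClientAppCoverage -AccessToken $AccessToken
$report | Sort-Object CoversLegacy, Policy | Format-Table -AutoSize

# Enforced policies that block and cover legacy clients are the ones that lock out
# service accounts still on basic authentication unless those accounts are excluded.
$report | Where-Object { $_.State -eq 'enabled' -and $_.BlocksAccess -and $_.CoversLegacy } |
    Format-Table Policy, ClientAppTypes, ExcludedUsers, ExcludedGroups -AutoSize
```

A zero in the exclusion columns is not wrong by itself; it just means the policy relies on nothing in scope using legacy authentication, which the sign-in logs (filtered on client app) should confirm before the policy is left enforced.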

Upcoming SCIM compliance fixes

Service category: App Provisioning
Product capability: Identity Lifecycle Management

The Azure AD provisioning service leverages the SCIM standard for integrating with applications. Microsoft’s implementation of the SCIM standard is evolving. Microsoft expects to make changes to the behavior around how PATCH operations are performed as well as setting the property "active" on a resource.

Group owner setting on Azure Admin portal will be changed

Service category: Group Management
Product capability: Collaboration

Owner settings on the Groups general settings page can be configured to restrict owner assignment privileges to a limited group of users in the Azure Admin portal and Access Panel. Microsoft will soon offer the ability to assign group owner privilege not only on these two UX portals but also enforce the policy on the backend to provide consistent behavior across endpoints, such as PowerShell and Microsoft Graph.

Microsoft will start to disable the current setting for organizations who are not using it and will offer an option to scope users for group owner privilege in the next few months.

Azure Active Directory Registration Service is ending support for TLS 1.0 and 1.1

Service category: Device Registration and Management
Product capability: Platform

Servers and clients will soon be required to support Transport Layer Security (TLS) 1.2 to communicate with the Azure Active Directory Device Registration Service. Support for TLS 1.0 and 1.1 for communication with the Azure AD Device Registration service retires:

  • On August 31, 2020, in all sovereign clouds (GCC High, DoD, etc.)
  • On October 30, 2020, in all commercial clouds

What’s New

Admins can now add custom content in the email to reviewers when creating an access review (Public Preview)

Service category: Access Reviews
Product capability: Identity Governance

When a new access review is created, the reviewer receives an email requesting them to complete the access review. Many organizations asked for the ability to add custom content to the email, such as contact information, or other additional supporting content to guide the reviewer.

Now available in public preview, administrators can specify custom content in the email sent to reviewers by adding content in the Advanced section of the Azure AD Access Reviews blade.

Authorization Code Flow for Single-page apps (Generally Available)

Service category: Authentications (Logins)
Product capability: Developer Experience

Because of third-party cookie restrictions in modern browsers, such as Safari's Intelligent Tracking Prevention (ITP), single-page applications (SPAs) have to use the authorization code flow (with PKCE) rather than the implicit flow to maintain single sign-on (SSO). Therefore, MSAL.js 2.x now supports the authorization code flow.

There are corresponding updates to the Azure portal so developers can update their single page app (SPA) to be type spa and use the auth code flow.

Azure AD Application Proxy now supports the Remote Desktop Services Web Client (Generally Available)

Service category: App Proxy
Product capability: Access Control

Azure AD Application Proxy now supports the Remote Desktop Services (RDS) Web Client. The RDS web client allows users to access Remote Desktop infrastructure through any HTML5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, etc.

People can interact with remote apps or desktops like they would with a local device from anywhere. By using Azure AD Application Proxy organizations can increase the security of their Remote Desktop Services (RDS) deployments by enforcing pre-authentication and Conditional Access policies for all types of rich client apps.

Next generation Azure AD B2C user flows (Public Preview)

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Simplified user flow experience offers feature parity with preview features and is the home for all new features. Users will be able to enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. Lastly, the new, user-friendly UX simplifies the selection and creation of user flows. Try it now by creating a user flow.

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2020, Microsoft added the following 55 new applications with federation support to the Azure AD App gallery:

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Admins can now automate creating, updating, and deleting user accounts for the newly integrated app LinkedIn Learning.

What’s Fixed

Windows Hello for Business Sign Ins visible in Azure AD Sign In Logs

Service category: Reporting
Product capability: Monitoring & Reporting

Windows Hello for Business (WHfB) allows people to sign in to Windows machines with a gesture (such as a PIN or biometric). Azure AD admins may want to differentiate Windows Hello for Business sign-ins from other Windows sign-ins as part of an organization's journey to passwordless authentication.

Admins can now see whether a Windows authentication used Windows Hello for Business by checking the Authentication Details tab for a Windows sign-in event in the Azure AD Sign-Ins blade in the Azure Portal. Windows Hello for Business authentications will include WindowsHelloForBusiness in the Authentication Method field.

Fixes to group deletion behavior and performance improvements

Service category: App Provisioning
Product capability: Identity Lifecycle Management

Previously, when a group changed from "in-scope" to "out-of-scope" and an admin clicked restart before the change was completed, the group object was not being deleted. Now the group object will be deleted from the target application when it goes out of scope (disabled, deleted, unassigned, or did not pass scoping filter).

What’s Changed

View role assignments across all scopes and ability to download them to a csv file

Service category: RBAC
Product capability: Access Control

Admins can now view role assignments across all scopes for a role in the Roles and administrators tab in the Azure AD portal. You can also download those role assignments for each role into a CSV file.

What’s Deprecated

Azure Multi-Factor Authentication Software Development Kit (Azure MFA SDK)

Service category: MFA
Product capability: Identity Security & Protection

The Azure Multi-Factor Authentication Software Development Kit (Azure MFA SDK) reached end of life on November 14th, 2018, as first announced in November 2017. Microsoft will shut down the SDK service effective September 30th, 2020. Any calls made to the SDK will fail after that date.


Azure AD Connect version is a bug fix release

Azure AD Connect Splash Screen

Last week, a new version of Azure AD Connect was released: version This version is a bug fix release.

After every fresh major release of Azure AD Connect by Microsoft, several smaller hotfix releases update the functionality to prevent issues where administrators are not able to perform certain configurations or gain access to functionality.


Fixed issues

The following issues are addressed:


No Seamless Single Sign-on when account already exists

Version addresses an issue where an admin can’t enable Seamless Single Sign On if the AZUREADSSOACC computer account is already present in the Active Directory.

This account is the equivalent of the krbtgt account, but only for Kerberos traffic to the Azure AD Kerberos endpoint. If the account already exists, it could have a different password than what is stored in Azure AD. Now, this information is exchanged for proper setup of Seamless Single Sign-On, instead of erroring out.


Version 2 Import Delta Import Conflicts

Version addresses an issue that caused a staging error during delta import actions using the Version 2 (V2) endpoint for a conflicting object that was repaired via the health portal.


Incorrect import of disabled rules

Version addresses an issue in the Import/Export configuration where a disabled custom rule was imported as enabled.

The Import/Export configuration functionality was introduced in Azure AD Connect version


Version information

This is version of Azure AD Connect.
This release is the seventh release in the 1.5 branch for Azure AD Connect. It was made available for download on July 29, 2020.


Download information

You can download Azure AD Connect here.
The download weighs 96.6 MB.


The video of my Netwrix webinar on migrating to the Cloud is now available

Recording a webinar

Yesterday, I presented a 75-minute session on the three approaches to migrating to the cloud, together with Netwrix’ Russel McDermott. Now, a mere working day after the webinar, the Netwrix team has done everyone a huge favor by already placing the video recording online for everyone to watch:



Enjoy!

Simply press the red Watch now buttons and enjoy!
The slides are also available for you to download, although these webinars were mostly demos-only.

This webinar and its video are offered free of charge, thanks to the sponsoring by Netwrix. By accessing the webinars, full-length videos and slides you agree to their privacy policy.


About Netwrix

Netwrix empowers information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers. Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.


TODO: Change apps, scripts, alerts and policies to cover the new role names in the Microsoft Graph API

Microsoft Graph API

Starting today, Microsoft is making changes to resolve the inconsistent naming of built-in role names between the Microsoft 365 admin center, the Azure AD portal and the Microsoft Graph API.

In total, 10 role names will be changed, and this impacts any application, script, alerts and/or policies that may refer to any of these role names.

Microsoft announced this change on June 11th, 2020, on the Microsoft 365 Message center.


What’s being changed?

The table below (an image in the original post, with the changes highlighted in blue) provides an overview of the changes that are being made to the names:

Changes to Built-in Roles


When is this changed?

Azure Active Directory is used by millions of organizations, so implementing these changes takes time. Microsoft starts converting Azure Active Directory tenants on July 30th, 2020, and expects to finish the roll-out on August 14th, 2020.


An approach to change

Here is an approach to deal with the changes Microsoft will be making in Azure AD tenants in the coming two weeks:

  1. Evaluate the state of apps, scripts, alerts and policies in your Azure AD tenant(s).
  2. Avoid the use of role names in apps, scripts, alerts and policies. Instead use the corresponding role IDs, where possible.
  3. Monitor the functionality of scripts, alerts and policies in your Azure AD tenant, to detect failing functionality in a relatively short period of time.
  4. Change apps, scripts, alerts and policies in your Azure AD tenant that continue to rely on role names for their functionality after Microsoft makes the changes to your Azure AD tenant(s). Make changes in test, development and/or acceptance environment before implementing in production.
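Step 2 above is the durable fix: a role's roleTemplateId never changes, while its displayName just did. The following Windows PowerShell is an added example, not code from the original post, of resolving a built-in role and its members through Microsoft Graph by template ID rather than by name. It assumes $AccessToken holds a Microsoft Graph bearer token with RoleManagement.Read.Directory or Directory.Read.All; the Global Administrator template ID is Microsoft's documented, tenant-independent value, the other names here are mine.

```powershell
# Added example: look up an Azure AD directory role by its immutable roleTemplateId,
# so the script keeps working after Microsoft renames the role's displayName.

$Graph   = 'https://graph.microsoft.com/v1.0'
$Headers = @{ Authorization = "Bearer $AccessToken" }

# Template IDs are identical in every tenant. Add further IDs from
# GET https://graph.microsoft.com/v1.0/directoryRoleTemplates as you need them.
$RoleTemplateIds = @{
    GlobalAdministrator = '62e90394-69f5-4237-9190-012177145e10'
}

function Get-DirectoryRoleByTemplateId {
    param([Parameter(Mandatory)][string]$RoleTemplateId)
    # directoryRoles lists activated roles only and supports filtering on roleTemplateId.
    $uri = "$Graph/directoryRoles?`$filter=roleTemplateId eq '$RoleTemplateId'"
    (Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get).value | Select-Object -First 1
}

function Get-RoleMembersByTemplateId {
    param([Parameter(Mandatory)][string]$RoleTemplateId)
    $role = Get-DirectoryRoleByTemplateId -RoleTemplateId $RoleTemplateId
    if (-not $role) { return @() }    # never activated in this tenant, so no members

    $uri = "$Graph/directoryRoles/$($role.id)/members"
    $members = @()
    do {                               # follow paging for large memberships
        $page     = Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get
        $members += $page.value
        $uri      = $page.'@odata.nextLink'
    } while ($uri)

    $members | Select-Object @{ Name = 'Role'; Expression = { $role.displayName } },
                             displayName, userPrincipalName, id, '@odata.type'
}

# Works before, during and after the rename: only the Role column changes its text.
Get-RoleMembersByTemplateId -RoleTemplateId $RoleTemplateIds.GlobalAdministrator |
    Format-Table -AutoSize
```

An alert built on this lookup fires on the same membership change whichever name the role carries that week; one that matches on "Company Administrator" or "Global Administrator" as a string does not.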



While consistency is key in large deployments, fixing inconsistencies after having functioned in production for a long time is hard.

These changes impact previous blog posts here. For instance, the blog post last week on configuring an alert to notify when an additional person is assigned the Azure AD Global Administrator role references one of the changed role names, and will be updated.


Happy Birthday, Windows 10!

Windows 10

On July 29th, 2015, Microsoft made Windows 10 generally available to people worldwide. Today, we celebrate Windows 10’s 5th anniversary!

At its release, Windows 10 offered many new features, including its new release schedule, Cortana, the Action Center and Microsoft Edge.

Its identity, security and management features make a lot of difference for large organizations, when compared to Windows 7 (support ended on January 14th, 2020) and Windows 8.1. So let’s take a look at the history of some of the features that we’ve grown to love in Windows 10:



Windows 10, version 1507

Windows 10 RTM, codenamed Threshold 1, with build number 10240.18638, introduced many features on capable devices by default, like the then new Microsoft Edge, Cortana, UEFI Secure Boot, virtualization-based security (VBS), Always-on and App-triggered VPN connections and new audit subcategories.

In Identity terms, the initial version of Windows 10 introduced Windows Hello, Azure AD Join and automatic BitLocker Drive Encryption for Azure AD-joined InstantGo-capable devices with recovery information stored in Azure AD.

Expanding on the functionality of Windows 8.1, Windows 10 RTM offered extensive mobile device management (MDM) support, including capabilities to manage AppLocker, Microsoft Store and VPN.

Windows 10, version 1511

The RTM version was superseded on November 12th, 2015 by Windows 10 ‘Threshold 2’, version 1511. This was the last version of the ‘Threshold’ codenamed Windows 10 versions. This version of Windows 10 introduced the Microsoft Store for Business and the initial Credential Guard features.



Windows 10, version 1607

Windows 10’s Anniversary update on August 2nd 2016 (version 1607) was the first release of the ‘Redstone’ codenamed Windows 10 versions. This version introduced Windows Hello for Business, including Group Policy settings and Windows Defender Advanced Threat Protection (ATP).

In Identity terms, this third release of Windows 10 introduced the ability to use Remote Desktop Connection to Azure AD-joined devices and the Shared PC mode concept.

Windows 10, version 1703

If your organization wanted to join devices to Azure AD in bulk, then Windows 10, version 1703, released on April 5th, 2017, was the answer to your questions. Organizations that were rolling out Windows Hello for Business gained the ability to reset a forgotten PIN without deleting company managed data or apps on devices managed by Microsoft Intune.

It also offered new features for Windows Defender Advanced Threat Protection (ATP), Windows Defender Antivirus, Device Guard, Credential Guard and mobile device management. Windows 10 version 1703 also introduced mobile application management (MAM) support to Windows 10.

Windows 10, version 1709

The Fall Creators Update (Windows 10 version 1709), introduced Windows AutoPilot. Windows Defender Application Guard and Exploit Guard were introduced, next to improvements for Windows Defender ATP and Device Guard.

In Identity terms, Windows 10 version 1709 introduced multi-factor unlock for Windows Hello for Business, based on location and proximity of paired Bluetooth devices. With these settings enabled, Windows 10 can be configured to automatically lock when the person leaves the device unattended.

Windows 10, version 1803

On April 30th, 2018, Microsoft made Windows 10, version 1803 generally available. This version of Windows 10 introduced ‘S mode’ to lock down devices to the fullest and get the most out of the batteries in Windows 10 devices.

From an identity point of view, Windows 10 version 1803 introduced many Windows Hello for Business improvements, including support for FIDO2 security keys for Azure AD-joined devices.

Windows 10, version 1809

The last member in the Redstone family of releases, version 1809, was released on November 13th 2018 after two initial snags. Windows 10 version 1809 introduced expanded management capabilities, improvements to Windows Defender ATP and Windows Defender Application Guard, and it introduced Kernel DMA Protection.

In Identity terms, Windows 10 version 1809 introduced the Fast Sign-in functionality, Remote Desktop with Biometrics and was the first version that enabled Windows Defender Credential Guard by default on Azure AD-joined Windows 10 S devices.


Latest releases

After five releases, the Redstone family of releases came to an end.

Windows 10 version 1903

Version 1903 (or 19H1) was the first version that didn’t carry the codename. However, it did carry a load of new functionality, including Windows AutoPilot White Glove deployment, and many improvements to Windows Defender ATP, Windows Defender Firewall and Windows Defender System Guard.

In Identity terms, it carried a Windows Hello FIDO2 certification and brought a streamlined Windows Hello PIN reset experience.

Windows 10 version 1909

On November 12, 2019, Microsoft made Windows 10 version 1909 (or 19H2) available. Widely regarded as a small update to Windows 10 version 1903, it did provide new functionality, like an experimental implementation of TLS 1.3 and Windows Sandbox. Its integration with Azure AD, Microsoft Endpoint Manager and Desktop Analytics was unparalleled.

Windows 10 version 2004

The latest version of Windows 10 that was introduced in the past five years is Windows 10 version 2004. It was made generally available on May 27th, 2020.

From an identity point of view, Windows 10 version 2004 introduced FIDO2 for hybrid environments in capable networking environments, Windows Hello for Microsoft Accounts and Windows Hello in safe mode (with PIN).

An important change, however, is that starting with Windows 10, version 1909 (19H2), Microsoft supports *H2 releases for 30 months on Windows 10 Enterprise, Windows 10 Education and Windows 10 Enterprise IoT installations:

Windows 10 Support Cadence

For enterprise and large education organizations, this means they will be focusing on *H2 releases, going forward.



I feel Windows 10 is an awesome Operating System.


HOWTO: Determine your Azure AD tenant’s object limit and count

Azure Active Directory

Azure Active Directory is Microsoft’s Identity as a Service platform. It is a global service, used by millions of organizations worldwide. To keep the service usable for all of these organizations, Microsoft works with limits. In Azure Active Directory, one such limit is the object limit.

All Azure AD’s limits are described on the Azure AD service limits and restrictions page on Microsoft Docs. For Azure AD’s object limit, the following is shared:

A maximum of 50,000 Azure AD resources can be created in a single directory by users of the Free edition of Azure Active Directory by default. If you have at least one verified domain, the default Azure AD service quota for your organization is extended to 300,000 Azure AD resources. This service limit is unrelated to the pricing tier limit of 500,000 resources on the Azure AD pricing page. To go beyond the default quota, you must contact Microsoft Support.


When troubleshooting Azure AD Connect synchronization problems, Azure AD scalability challenges and other vague cloud behavior, it might be beneficial to know your Azure AD tenant’s object limit. This can also be useful when you have a support request to extend the object limit.


How to determine the object limit and count

You can query your organization’s Azure AD object limit through the Microsoft Graph API. You can query the Graph API through PowerShell, but let’s use the Graph Explorer method, instead. Perform these steps:

  • Open a browser.
  • Navigate to the Graph Explorer at aka.ms/ge.
  • In the left navigation pane, click the blue Sign in to Graph Explorer button or click the blue user button at the top of the Graph Explorer interface, depending on your device's resolution and browser window size.
  • Sign in with an account in the Azure AD tenant.

If this is the first time you use the Graph Explorer with this Azure AD tenant, sign in with a user that has privileges to consent to applications. By default, the Global Administrator role, Application Administrator role and Cloud Application Administrator role have these permissions, but when an admin for the organization has allowed people in the organization to consent to User.Read permissions, any user account in the Azure AD tenant can be used.

  • Perform multi-factor authentication, when prompted.
  • On the Permissions requested page, click Accept.
    The button in the Graph Explorer website should now be replaced with your account information.
  • At the top of the main pane, next to GET, change the Graph API version from v1.0 to beta. Then, change the end of the url from me/ to organization/.
  • Click the Run query button.

Graph Explorer - Organization - DirectorySizeQuota

  • In the main pane, you should now see the JSON-formatted response. Scroll down, until you come to directorySizeQuota. Underneath, you will find the used and total values, representing the number of objects in the Azure AD tenant, and the maximum allowed number of objects in the Azure AD tenant.
  • Click the little cog to the right of the account and select Sign out from the context menu.
  • Close the browser.
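The same query can be scripted, which is handier when you want to track the count over time or alert on it. The following Windows PowerShell is an added example, not code from the original post: it reads the beta organization resource and extracts directorySizeQuota, exactly as the Graph Explorer steps above do by hand. It assumes $AccessToken holds a Microsoft Graph bearer token for a member user of the tenant; the 80 % threshold is an arbitrary choice of mine.

```powershell
# Added example: read directorySizeQuota (used/total objects) for the Azure AD tenant
# from the Microsoft Graph beta endpoint and flag a tenant that approaches its quota.

function Get-AzureADDirectorySizeQuota {
    param([Parameter(Mandatory)][string]$AccessToken)

    $response = Invoke-RestMethod -Method Get `
        -Uri 'https://graph.microsoft.com/beta/organization' `
        -Headers @{ Authorization = "Bearer $AccessToken" }

    foreach ($tenant in $response.value) {
        $quota   = $tenant.directorySizeQuota
        $percent = if ($quota.total) { [math]::Round(100 * $quota.used / $quota.total, 2) } else { $null }
        [pscustomobject]@{
            TenantId    = $tenant.id
            DisplayName = $tenant.displayName
            Used        = [int64]$quota.used
            Total       = [int64]$quota.total
            PercentUsed = $percent
        }
    }
}

# Obtain a token any way you normally do; Get-AzAccessToken from Az.Accounts is one option:
# $AccessToken = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
$state = Get-AzureADDirectorySizeQuota -AccessToken $AccessToken
$state | Format-List

foreach ($tenant in $state) {
    if ($tenant.PercentUsed -ge 80) {
        Write-Warning ("Tenant {0} uses {1} of {2} objects ({3} %). Request a quota increase via Microsoft Support before it fills up." -f
            $tenant.DisplayName, $tenant.Used, $tenant.Total, $tenant.PercentUsed)
    }
}
```

Because the field lives in the beta endpoint, pin the check to a scheduled task you can adjust if Microsoft moves or renames it; do not bury it in a production sync pipeline.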



The number of objects in the Azure AD tenant and the object limit might be useful one day. It’s a good thing Microsoft added it to the Microsoft Graph Beta in March 2020.

The above 'used' number is comparable to the use of Distinguished Name Tags (DNTs) and relative identifiers (RIDs) in Active Directory. To expose these numbers, follow the steps in my blogposts New features in AD DS in Windows Server 2012, Part 14: RID improvements and New features in AD DS in Windows Server 2012, Part 18: DNTs Exposed. Similarly, you might want to know those numbers to see if your organization is reaching any limit, and you might want to raise the artificial RID ceiling.


HOWTO: Enable Extended Protection for Authentication on the SQL Servers hosting the AD FS and Azure AD Connect databases

This entry is part 27 of 27 in the series Hardening Hybrid Identity

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In the previous post of this series, we discussed encrypting traffic between AD FS Servers, servers running Azure AD Connect and SQL Servers hosting their databases. Today, let’s dive into enabling Extended Protection for Authentication.


Why enable Extended Protection for Authentication?

Extended Protection for Authentication is a feature of the network components implemented by the Operating System (OS). The feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA). SQL Server is more secure when connections are made using Extended Protection.

Extended Protection offers service binding or channel binding, depending on whether the SQL client encrypts its traffic to the SQL Server(s):

  • Service Binding (when encryption is not used)
    Service binding requires AD FS Servers and Azure AD Connect installations to send a signed service principal name (SPN) of the SQL Server service that the client intends to connect to. As part of the authentication response, the service validates that the SPN received in the packet matches its own SPN.
  • Channel Binding (when encryption is used)
    Channel binding establishes a secure channel between the AD FS Servers, Azure AD Connect installations and the instance of the SQL Server service hosting the databases for these services. The SQL Server service verifies the authenticity of the client by comparing the client's channel binding token (CBT), which is specific to that TLS channel, with its own CBT.

This way, Extended Protection for Authentication addresses two authentication relay attacks, in which an attacker intercepts the Integrated Windows Authentication exchange of an AD FS Server or Azure AD Connect installation and relays it to the Microsoft SQL Server(s) hosting the AD FS and Azure AD Connect databases:

  1. Luring attacks
    In a luring attack, the AD FS Server and/or Azure AD Connect installation is lured into voluntarily connecting to the attacker instead of the SQL Server. Service Binding and Channel Binding both protect against this type of attack.
  2. Spoofing attacks
    In a spoofing attack, the AD FS Server and/or Azure AD Connect installation intends to connect to a valid service, but is unaware that DNS and/or IP routing are poisoned to redirect the connection to the attacker instead. Only Channel Binding protects against this type of attack; Service Binding does not, because the client still presents the SPN of the server it meant to reach.

However, Extended Protection is not in effect by default: SQL Server ships with its Extended Protection setting Off, so it has to be enabled per instance.


Why wouldn’t you enable Extended Protection for Authentication?

There are several reasons why you might not want, or might not be able, to enable Extended Protection for Authentication:

Increase in SQL Server load

Depending on whether encryption is used, enabling Extended Protection for Authentication can have a significant impact on the load of the SQL Server service.

Service Binding incurs a one-time, negligible cost, but it does not address spoofing attacks. Channel Binding, on the other hand, incurs a larger runtime cost, because it requires Transport Layer Security (TLS) encryption of all the session traffic.

When you already encrypt the traffic between AD FS Servers, servers running Azure AD Connect and SQL Servers hosting their databases, the increase in load is negligible; all traffic already uses TLS.

Operating System and SQL Server version requirements

Extended Protection for Authentication requires your SQL Server(s), your AD FS Server(s) and your Azure AD Connect server(s), but also all other services, applications and systems that access databases on the SQL Server(s), to run Windows 7 or a newer version of Windows, or Windows Server 2008 R2 or a newer version of Windows Server.

Additionally, the Microsoft SQL Server installation must run SQL Server 2008 R2, or a newer version of Microsoft SQL Server.


Getting ready

To configure Extended Protection for Authentication, you’ll need an account that has local administrator privileges on the Windows Server and system administrator (sysadmin) privileges within Microsoft SQL Server.

These privileges are required on each SQL Server, but they do not have to be the same credentials for every SQL Server hosting AD FS and Azure AD Connect databases.


Enabling Extended Protection for Authentication

To enable Extended Protection for Authentication for AD FS Servers, servers running Azure AD Connect and SQL Servers hosting the AD FS and Azure AD Connect databases, perform these steps:

Configure Windows Server

To configure Windows Server to offer Extended Protection for Authentication, run the following lines of Windows PowerShell in an elevated Windows PowerShell window:

# LSA settings that control whether Windows offers Extended Protection and which NTLM responses it sends
$RegPath = "HKLM:\System\CurrentControlSet\Control\LSA\"

# 0 = Extended Protection is offered (non-zero values suppress it); -Force overwrites a value that already exists
New-ItemProperty -Path $RegPath -Name SuppressExtendedProtection -Value 0 -PropertyType DWORD -Force

# 3 = send NTLMv2 responses only; Extended Protection applies to NTLMv2 (and Kerberos), not to LM or NTLMv1
New-ItemProperty -Path $RegPath -Name LmCompatibilityLevel -Value 3 -PropertyType DWORD -Force



Configure SQL Server

To configure Microsoft SQL Server to take advantage of Extended Protection for Authentication, perform these steps:

  • Open SQL Server Configuration Manager.
  • In SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for <instance name>, and then select Properties.
  • In the Protocols for <instance name> Properties dialog box, on the Advanced tab, make the following changes:
    • For the Accepted NTLM SPNs field, define all service principal names for the SQL Server. Service Principal Names are typically created for the NetBIOS hostname and the fully qualified domain name. Be sure to include both.
    • For the Extended Protection field, choose Required, instead of Off (default) or Allowed, from the drop-down list.
  • Click Apply, and then click OK to close the dialog box.
  • Restart the SQL Server service.
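After performing the steps above, reading the settings back is the quickest way to confirm that a SQL Server host actually offers and requires Extended Protection. The script below is an added example and is not from the original post or from Microsoft: it checks the two LSA values on the host, then the Extended Protection setting and the Accepted NTLM SPNs list of every installed SQL Server instance, and reports each deviation. It assumes that SQL Server stores these settings under the instance's SuperSocketNetLib key as the ExtendedProtection DWORD (0 = Off, 1 = Allowed, 2 = Required) and the AcceptedSPNs multi-string, that installed instances are listed under Instance Names\SQL, and that the default instance listens on TCP port 1433. Run it in an elevated Windows PowerShell window on the SQL Server.

```powershell
# Added verification script (not from the original post). Assumptions: SQL Server keeps
# ExtendedProtection (0 = Off, 1 = Allowed, 2 = Required) and AcceptedSPNs under
# SuperSocketNetLib, instances are listed under "Instance Names\SQL", and the
# default instance listens on TCP 1433.

$LsaPath = 'HKLM:\System\CurrentControlSet\Control\LSA'
$SqlRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent, which is the Windows default for both LSA values.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-ExpectedSpns {
    param([string]$InstanceName)
    # The SPNs for the SQL Server service normally cover the NetBIOS name and the FQDN;
    # a named instance is addressed by instance name instead of by port.
    $cs     = Get-CimInstance -ClassName Win32_ComputerSystem
    $fqdn   = '{0}.{1}' -f $cs.DNSHostName, $cs.Domain
    $suffix = if ($InstanceName -eq 'MSSQLSERVER') { '1433' } else { $InstanceName }
    @("MSSQLSvc/$($cs.DNSHostName):$suffix", "MSSQLSvc/${fqdn}:$suffix")
}

$findings = @()

# 1. Operating system side: Extended Protection must not be suppressed, NTLMv2 only.
$suppress = Get-RegValue -Path $LsaPath -Name SuppressExtendedProtection
$lmLevel  = Get-RegValue -Path $LsaPath -Name LmCompatibilityLevel
if ($suppress -ne 0) {   # also true when the value is missing entirely
    $findings += 'LSA\SuppressExtendedProtection is not 0; Windows will not offer Extended Protection.'
}
if ($null -eq $lmLevel -or $lmLevel -lt 3) {
    $findings += "LSA\LmCompatibilityLevel is '$lmLevel'; expected 3 or higher (NTLMv2 responses only)."
}

# 2. SQL Server side: each instance must require Extended Protection and accept both SPN forms.
$instanceMap = Get-ItemProperty -Path "$SqlRoot\Instance Names\SQL" -ErrorAction SilentlyContinue
$instances   = @()
if ($instanceMap) {
    # Get-ItemProperty adds PS* bookkeeping properties; everything else maps instance name -> instance id.
    $instances = $instanceMap.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Id = $_.Value } }
}
if (-not $instances) {
    $findings += 'No SQL Server instances were found in the registry on this host.'
}

foreach ($inst in $instances) {
    $netLib = "$SqlRoot\$($inst.Id)\MSSQLServer\SuperSocketNetLib"
    $epa    = Get-RegValue -Path $netLib -Name ExtendedProtection
    $spns   = @(Get-RegValue -Path $netLib -Name AcceptedSPNs)

    if ($epa -ne 2) {
        $state = switch ([int]$epa) { 1 { 'Allowed' } default { 'Off' } }
        $findings += "Instance $($inst.Name): Extended Protection is $state; expected Required."
    }
    foreach ($expected in (Get-ExpectedSpns -InstanceName $inst.Name)) {
        if ($spns -notcontains $expected) {
            $findings += "Instance $($inst.Name): Accepted NTLM SPNs does not list $expected."
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'Extended Protection for Authentication is configured as required on this host.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    Write-Output 'Restart the SQL Server service after correcting the SQL Server settings.'
}
```

A host on which only the LSA values have been set still produces findings for every instance that is left at Off or Allowed, which is the state in which a relayed NTLM authentication would still be accepted by SQL Server. If your service SPNs are registered on a port or instance name other than the ones computed here, adjust Get-ExpectedSpns to match what setspn -L shows for the SQL Server service account.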



Most of the blog posts in this Hardening Hybrid Identity series cover protections that prevent malicious people outside the network from gaining access to it. Like encrypting the traffic, this particular protection addresses insider threats: Extended Protection for Authentication prevents authentication requests from being relayed by a malicious person who is already on the network.

Further reading

Connect to the Database Engine Using Extended Protection
Microsoft Security Advisory 973811 – Extended Protection for Authentication
Extended Protection available in SQL Server 2008 R2
SQL Server's Extended Protection
Packt | Using extended protection to prevent authentication relay attacks


What’s New in Identity from Microsoft Inspire 2020

Microsoft Inspire 2020

Microsoft Inspire is Microsoft’s annual event where it kicks off its fiscal year with its partner community. Inspire is Microsoft’s way to explain what’s coming in the year ahead and work together to find shared solutions for customers.

This year’s Inspire event brought us the following Identity-related news:


New Surface Hub OS featuring Azure AD Join Updates Public Preview

Microsoft is excited to announce that the latest version of the Surface Hub operating system, Windows 10 Team 2020 Update, is now available for preview through the Windows Insider Program.

This update addresses top customer requests, starting with full support for organizations using Azure Active Directory (Azure AD) to manage their Surface Hub devices:

  • Single sign-on (SSO) for Azure AD joined devices
    When users sign in with their Microsoft 365 credentials to “My meetings and files”, their user credentials flow seamlessly from app to app – including Microsoft 365 experiences in the browser.
  • Conditional access (CA) for Azure AD joined devices
    IT admins can deploy device-level security policies to their Azure AD joined Surface Hub to control access to organizational resources in accordance with corporate security and compliance requirements.
  • Support for non-Global admins for Azure AD joined devices
    Organizations can choose a more granular set of admins within their admin hierarchy to manage Surface Hub. For more information, see Admin group management.
  • Modern authentication for cloud device accounts
    Surface Hub supports Exchange Web Services (EWS) and Active Directory Authentication Library (ADAL) based authentication to connect to Exchange, allowing organizations to deprecate the use of Basic authentication. For details, see Modern authentication on Surface Hub.

Learn more.


Microsoft Authentication Library (MSAL) for JavaScript Generally Available

The Microsoft Authentication Library (MSAL) for JavaScript has now been released as version 2.0, which allows organizations to use the authorization code flow in production. MSAL.js 2.0 first makes a request to the /authorize endpoint to receive an authorization code protected by Proof Key for Code Exchange (PKCE). This code is then sent to the Cross-Origin Resource Sharing (CORS) enabled /token endpoint and exchanged for an access token and a 24-hour refresh token, which can be used to silently obtain new access tokens.

To take advantage of the latest recommended authentication flow in browser-based applications, follow the quickstart or tutorial.
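The two requests described above, and the Proof Key for Code Exchange binding between them, as an added example in PowerShell so that the computation can be stepped through locally. This is not code from the post and not MSAL.js code; the tenant, client id and redirect URI are placeholders, nothing is sent to the endpoints, and the check the /token endpoint performs is modelled by a local function (Test-PkceVerifier) so it is visible why an authorization code alone is of no use to anyone who did not generate the verifier.

```powershell
# Added example (not from the post, not MSAL.js). Tenant, client id and redirect URI are
# placeholders; no request is sent. The /token endpoint's check is modelled locally.

function ConvertTo-Base64Url {
    param([byte[]]$Bytes)
    # RFC 7636 base64url encoding: URL-safe alphabet, no padding.
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-PkceVerifier {
    # 32 random bytes encode to a 43-character verifier, within the 43..128 range RFC 7636 requires.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-Base64Url -Bytes $bytes
}

function Get-PkceChallenge {
    param([string]$Verifier)
    # S256 method: code_challenge = base64url(SHA-256(ASCII(code_verifier)))
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($Verifier))
    ConvertTo-Base64Url -Bytes $hash
}

function Test-PkceVerifier {
    param([string]$StoredChallenge, [string]$PresentedVerifier)
    # Model of the /token endpoint: recompute the challenge from the verifier that arrives
    # with the authorization code and compare it (case-sensitively) with the challenge
    # recorded when the code was issued at /authorize.
    (Get-PkceChallenge -Verifier $PresentedVerifier) -ceq $StoredChallenge
}

$tenant      = 'contoso.example'                        # placeholder
$clientId    = '00000000-0000-0000-0000-000000000000'   # placeholder
$redirectUri = 'https://app.example/redirect'           # placeholder

$verifier  = New-PkceVerifier          # stays in the browser's session storage
$challenge = Get-PkceChallenge -Verifier $verifier

# Request 1: the browser is sent to /authorize carrying only the challenge.
$authorizeParams = [ordered]@{
    client_id             = $clientId
    response_type         = 'code'
    redirect_uri          = $redirectUri
    scope                 = 'openid profile'
    code_challenge        = $challenge
    code_challenge_method = 'S256'
}
$query = ($authorizeParams.GetEnumerator() |
    ForEach-Object { '{0}={1}' -f $_.Key, [uri]::EscapeDataString($_.Value) }) -join '&'
$authorizeUrl = 'https://login.microsoftonline.com/{0}/oauth2/v2.0/authorize?{1}' -f $tenant, $query

# Request 2: the code returned on the redirect URI is posted to the CORS-enabled /token
# endpoint together with the verifier (body shown, not sent).
$tokenBody = @{
    client_id     = $clientId
    grant_type    = 'authorization_code'
    code          = '<authorization code from the redirect>'   # placeholder
    redirect_uri  = $redirectUri
    code_verifier = $verifier
}

[pscustomobject]@{
    AuthorizeUrl            = $authorizeUrl
    TokenBody               = $tokenBody
    VerifierAccepted        = (Test-PkceVerifier -StoredChallenge $challenge -PresentedVerifier $verifier)
    ForeignVerifierAccepted = (Test-PkceVerifier -StoredChallenge $challenge -PresentedVerifier (New-PkceVerifier))
}
```

The last two fields show the modelled /token check accepting the verifier that produced the challenge and rejecting a freshly generated one: a party that only observed the authorization code on the redirect cannot redeem it, which is what lets MSAL.js 2.0 use the authorization code flow from a browser without a client secret.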


Windows Admin Center version 2007 offers a new version of the Active Directory tool Generally Available

Windows Admin Center version 2007 has been announced generally available.

This release is pronounced as “twenty oh-seven” in regard to this year and month, and not in reference to the year 2007.

This release includes a new version, version 0.85.0, of the Active Directory tool based on all the feedback Microsoft received from User Voice! Some of the changes from the preview version include:

  • Search with more descriptive queries using PowerShell Expression Language syntax
  • Filter by object type or run range-based queries
  • Search for users with a password count over a certain threshold
  • More connected experience
  • Ability to unlock users

Go to Settings > Extensions to install the new version of the Active Directory tool.



A newly designed Yammer, with a reimagined user experience for both web and mobile built with the Fluent Design System, is now loaded with new features and integrations that power communities, engagement and knowledge across Microsoft 365.

Yammer now supports external guests in communities, powered by Azure AD B2B, so that all communities can host live events and take advantage of Microsoft 365 compliance benefits. Azure AD B2B also brings external communities to organizations using Yammer in the European Union.

Microsoft 365 Global Admins can configure access to the new Yammer through the Yammer admin portal. Admins can enable the toggle in the suite header and choose the default experience for their network: classic Yammer or the new Yammer.

Learn more.



Coming soon to Teams, a new feature in the Shifts scheduling module will make it easier for managers to create team schedules while alerting them to potential schedule conflicts. Task publishing, now in private preview, enables teams to delegate tasks to specific locations — such as a retail store — and track their progress through real-time reports.

For IT administrators, firstline worker and manager policy packages, now generally available, will streamline policy assignment with pre-defined settings tailored for their entire firstline workforce. Shifts audit logs are now generally available, providing IT admins a unified view and ability to search for Shifts activities such as clocking in or out and editing Shifts.

Learn more.



Dynamics 365 Fraud Protection, now available, adds two new capabilities: Account Protection and Loss Prevention.

  • Account Protection helps protect online revenue and reputation by counteracting fraudulent account access, fake account creation and account takeover, and by safeguarding user accounts from abuse and fraud.
  • Loss Prevention helps protect revenue by identifying potential fraud on returns and discounts arising from omni-channel purchases, enabling store managers and investigators to quickly take action to mitigate losses.

Both capabilities were previously available via preview.

Learn more.



Double Key Encryption for Microsoft 365 is new and is available in public preview today, July 21. It allows organizations to protect their most confidential data while maintaining full control of the encryption key.

With Microsoft Information Protection, Microsoft has been helping organizations classify and protect sensitive data in a way that meets most of their data protection needs. However, in highly regulated industries such as financial services and healthcare, organizations have data that needs the highest level of protection and even more control, such as trade secrets, formulae, designs, code and algorithms. This capability provides greater depth for protecting data that might represent a small volume of the overall data but is nevertheless mission critical.

Double Key Encryption for Microsoft 365 protects data by encrypting it with two keys: one key under the control of the organization and the second key stored securely in Microsoft Azure. To view the data, one must have access to both keys. Since Microsoft can access only the key in Azure (with all the BYOK assurances), the data is unavailable to Microsoft, ensuring enhanced data privacy and security.

Learn more.


AKS-managed Azure Active Directory support generally available

Azure Kubernetes Service (AKS)-managed Azure Active Directory (Azure AD) support is now generally available. This simplifies AKS integration with Azure AD. Organizations are no longer required to create client apps or server apps, or to have tenant owners grant elevated permissions. AKS creates the appropriate roles and role bindings with group memberships through delegated permissions to facilitate administration.

Learn more.


Further Reading

Building better identity solutions with our partners at Microsoft Inspire
New Surface Hub OS update released for public preview
MSAL.js 2.0 is now generally available with support for authorization code flow
AKS-managed Azure Active Directory support is now generally available
Windows Admin Center version 2007 is now generally available!


Achieving Active Directory-as-a-Service with VMware vRealize Orchestrator

Virtualizing Domain Controllers

VMware’s vRealize Orchestrator is a product used by many virtualization admins to automate common tasks. Today, we’re looking at using vRealize Orchestrator to enable automation of common Active Directory tasks, so Active Directory admins may benefit from this solution using the publicly available blueprints for Active Directory.


About vRealize Orchestrator

vRealize Orchestrator helps simplify the automation of complex IT tasks. It offers drag-and-drop workflows, and integrates with vRealize Suite and vCloud Suite to further improve service delivery efficiency, operational management and IT agility.

vRealize Orchestrator is included as part of vSphere and/or vRealize Automation entitlements. vRealize Automation-focused functionality within vRealize Orchestrator is only available as part of vRealize Automation entitlement (standalone or vRealize Suite Advanced/Enterprise license keys).

The vRealize Orchestrator functionality can be greatly expanded using ready-built blueprints. These blueprints, among other downloads, are available through the VMware Solutions Exchange.


Active Directory vRealize Orchestrator Blueprints

The following VMware-authored Active Directory-focused blueprints are available from the VMware Solutions Exchange for vRealize Automation:

  1. Change user password in Active Directory
  2. Create user in Active Directory
  3. Create user group in Active Directory
  4. Add user to user group in Active Directory

These blueprints can be added to vRealize Orchestrator workflows:


This way, for instance, you can create a workflow that accommodates new hires. This type of workflow would typically create a new user in Active Directory, populate the necessary group memberships based on the role and provision a new VMware Horizon virtual desktop.



Throughout this series on virtualizing Domain Controllers, we focused on the availability, integrity and confidentiality of running Domain Controllers as virtual machines on top of VMware vSphere. VMware’s vRealize Orchestrator really adds another layer of benefits to Active Directory admins. In VMware’s suite of products, this might be your best shot at achieving Active Directory-as-a-Service.