The FusterCluck that is Power Platform’s Identity and Delegation model

Empower every person and every organization on the planet to achieve more.

Recently, I had some experiences with the Power Platform. As an identity guy, I was appalled at what I found as Microsoft’s identity and delegation model for these services. Let me tell you why.

About the Power Platform

Microsoft’s Power Platform consists of four distinct products and services:

  1. Power BI
    Through dashboards, Power BI can present information in a flexible and automatically updated way, based on data from several sources, including Azure databases and Microsoft 365 resources.
  2. Power Apps
    Based on templates and low code development resources, people in organizations can build their own apps that interact with Microsoft 365 resources. One of the more popular templates was the room booking app. It interacts with room resources in Exchange Online.
  3. Power Automate
    Organizational processes can be automated using flow charts that can be triggered manually or run automatically based on triggers to interact with Microsoft 365 services.
  4. Power Virtual Agents
    Chatbots can be delivered to have automated conversations with employees and customers.

The four products and services have in common that they require no coding experience and that they let you easily interact with Microsoft 365 resources and services.

Identity and Delegation within the Power Platform

All this goodness comes at a price: the products and services in the Power Platform that I have experience with (this excludes Power Virtual Agents) are geared towards increasing personal productivity. Herein lies the problem: they don’t have an underpinning identity model that allows for delegation.

When talking about Power Apps and Power Automate specifically, the Azure AD account that is used to create the apps and flows is configured as the owner of the resource. To interact with Microsoft 365 resources, the account requires the license to do so. Interacting with a calendar, for instance, requires at least the Exchange Online Plan 1 user license. When creating an exclusion in Conditional Access policies and accessing resources in Exchange Online, SharePoint Online and Teams, a Microsoft 365 E3 license soon comes into the picture.

This is ideal for personal productivity, but it poses a problem when the organization publishes the Power App to the entire organization, the owner of the Power App leaves the organization and, understandably, admins remove the license and/or the Azure AD account of the owner. In these cases, functionality breaks.

Microsoft’s advice

Microsoft empowers every person and every organization on the planet to achieve more and advises to create a separate service account for its Power Platform products and services to avoid the above situation. Organizations have incorporated checks to ensure no organization-wide Power Platform functionality breaks when a person (or consultant) leaves the organization.

How it should be

Azure and Azure AD are mature solutions that include an identity and delegation model that works:

When third-party code runs against Azure or Microsoft 365 resources, a service principal is the way to go. It can’t be used interactively and it can be assigned and/or delegated API permissions.

When Microsoft services interact with other Microsoft services, the managed identity is the way to go. It’s tied to the Microsoft service and can be allowed access to only the Azure and Microsoft 365 resources it needs.

It’s not 100%, but it’s getting there.

How it is

The Power Platform breaks with this entire model and doesn’t offer any delegation functionality.

My opinion

I feel Power Platform’s Identity and Delegation model is out of this world. I feel Microsoft should introduce a mature identity and delegation model that aligns with the other products and services Microsoft offers.

A solution to address this situation in Power Automate is to use Logic Apps and functions. To work with these, you need to create a custom connector, or you could create an app registration in Azure AD (with a service principal, an accompanying secret and permissions). This brings the challenge of having to rotate the secrets periodically.

Hat Tip

This blogpost started with a question from Hans van Panwijk. I wrote it with the help of Barbara Forbes and Luise Freese.


I’m speaking at NIC X

For its tenth edition, the annual Nordic Infrastructure Conference (NICConf) has invited Raymond Comvalius and me to deliver a session again. It’s our sixth edition of this fantastic event and we’re looking forward to it!

About the Nordic Infrastructure Conference

The Nordic Infrastructure Conference (NICConf) provides IT and business professionals with unmissable networking and learning experiences from the leading Global IT experts.

NIC is the industry’s foremost collaboration and learning event offering global best in class content and structure, delivered by some of the leading technical IT speakers in the world. The main focus is on Cloud technology, automation & management, security, client & server, collaboration and productivity & analytics.

NICConf will be hosted for the seventh time from May 31st to June 2nd, 2022. Its location will be the Oslo Spektrum in the heart of Oslo, Norway, again.

About our session

Raymond and I deliver a 60-minute session:

Properly securing Azure AD Connect and Azure AD Connect Cloud Sync

Wednesday June 1st, 4PM – 5PM CEST, Room 6

You’ve probably heard of the Active Directory tiering model and the ways to hack Azure AD Connect’s database. But what about running Azure AD Connect and Azure AD Connect Cloud Sync in a highly secure networking environment with proxies and high-availability requirements?

Join Raymond Comvalius and me in this session to learn how to implement Azure AD Connect Sync or Azure AD Connect Cloud Sync in a secure way and how to monitor and audit it for proper security. Even when you’re not a security professional, you’ll find that the demos in this session make perfect sense.

Join us!


Identity-related sessions at Microsoft Build 2022

Microsoft Build 2022

Microsoft organizes Microsoft Build 2022 as a free digital event between Monday May 24th 5 PM CEST and Thursday May 26th 11 AM CEST.

Microsoft Build is Microsoft’s annual conference event, aimed at software engineers and web developers using Windows, Microsoft Azure and other Microsoft technologies. First held in 2011, it serves as a successor for Microsoft's previous developer events, the Professional Developers Conference (PDC) and MIX.

During Build 2022, you can enjoy the following general and Identity-related sessions:

On demand sessions

ODBRK04 Build the SOC of the future with the Azure AD Identity Protection APIs

Speakers: Etan Basseri and Sarah Handler

Your security operations center ingests lots of data, but how can you pinpoint the most important identity-based attacks? Using Azure AD Identity Protection's API collections, you can identify risky users and workload identities, view details on risk detections, and even dismiss risk or confirm compromised accounts. In this session you will learn how easy it is to use our API collections to manage identity risk directly from the tool of your choice.

OD120 More secure, and resilient, apps built on Azure AD Continuous Access Evaluation

Speaker: Kyle Marsh

Continuous Access Evaluation (CAE) allows access to an API or resource protected by Azure AD to be revoked in near real time. Instead of fixed, time-based access, CAE access can be based on security events like the user's password changing, MFA being applied, or even the user changing their location. In this session we will demonstrate building a client app with CAE support. We also discuss the evolution of CAE going forward.

Break-out Sessions

BRK105 Creating secure identities for apps using the Microsoft identity platform

Speakers: Saeed Akhter and Nick Gomez
Date: Wednesday, May 25 6PM – 6:35PM CEST

A key to creating secure apps is managing the identities in those apps. Users must feel confident that the apps they use manage identities for authentication and authorization securely. That’s where the Microsoft identity platform can help: it is designed to make managing identities easier with standards-compliant authentication, open-source libraries, and application management tools. Attend this session to discover how to add authentication to your app, learn about delegated permissions, and understand application permissions.

Product Roundtables

PRT152 Let's make secrets invisible for Developers

Speakers: Varun Karandikar, Jack Lichwa, Eoin Shanley and Rajeev Vijan
Date: Wednesday, May 25 5PM – 6PM CEST

Secrets are like radioactive materials. They must be handled with extreme care. No one should be managing them. In this session, we will discuss how we’re on a mission to make secrets invisible to the developers with technologies like Managed Identities on Azure resources, Azure Key vault and workload identity federation.

PRT153 Improvements to the Azure Active Directory application model and API

Speakers: Suresh Jayabalan and Philippe Signoret
Date: Wednesday, May 25 6PM – 7PM CEST

We are looking to improve the Azure AD application model. If you're an ISV/developer experienced with registering applications or an admin managing application instances (i.e. service principals) in your tenant, and you want to provide feedback on the next generation application model, we'd love to work with you and learn your pain points to shape the v.Next of the application model and API.

An Azure AD application is defined by its application object, which resides in the Azure AD tenant where the application was registered. As a developer, you've used the Azure App registrations portal or the Microsoft Graph application API to register and configure application objects. You may have encountered specific issues such as the inability to group programs or the addition of non-identity configurations. In every tenant where the application is used, a service principal is created. As an administrator, you manage apps in your tenant by configuring service principals in your tenant, such as assigning users to the apps.

If this resonates with you, we would love to talk to you! We are in the very early stage of evolving the application model and we would love to talk to the developer audience at //build to get your thoughts.


The May 2022 Windows Updates may cause Active Directory Authentication Failures

The May 2022 updates for all supported versions of Windows Server may cause Active Directory authentication failures. Microsoft is investigating the issue. A workaround is available for organizations experiencing issues.

The situation

The Windows updates of May 10th, 2022, address several vulnerabilities on Domain Controllers, including several of the ten LDAP Remote Code Execution vulnerabilities (CVSSv3 9.8) and a zero-day LSA Spoofing vulnerability (Important, CVE-2022-26925, CVSSv3 8.1-9.8). Another vulnerability addressed in these updates is CVE-2022-26923 (discovered by security researcher Oliver Lyak and dubbed Certifried).

Microsoft has urged Active Directory admins to update Domain Controllers as soon as possible.

The updates were released for all supported Windows Server versions:

  1. KB5014010 or KB5014006 for Windows Server 2008
  2. KB5014012 or KB5013999 for Windows Server 2008 R2
  3. KB5014017 or KB5014018 for Windows Server 2012
  4. KB5014011 or KB5014001 for Windows Server 2012 R2
  5. KB5013952 for Windows Server 2016
  6. KB5013941 for Windows Server 2019
  7. KB5013944 for Windows Server 2022

However, when the May 2022 Windows updates are installed on Domain Controllers relying on certificate authentication, authentication failures may occur.

The issue

Admins are sharing reports that they are experiencing errors:

Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing account or the password was incorrect.

The cause

The Windows updates of May 10th, 2022, when installed on Domain Controllers, cause these issues, as described by Microsoft in KB5014754:

CVE-2022-26931 and CVE-2022-26923 address elevation of privilege (EoP) vulnerabilities that may occur when the Kerberos Distribution Center (KDC) services a certificate-based authentication request. Before the May 10th, 2022, security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways. Additionally, conflicts between userPrincipalName and sAMAccountName attributes introduced other emulation (spoofing) vulnerabilities that Microsoft also addressed with this security update.

When an administrator installs the May 10, 2022 Windows updates, devices will be in compatibility mode for these measures:

  1. If a certificate can be strongly mapped to a user, based on the X509IssuerSerialNumber, X509SKI or X509SHA1PublicKey mappings for the altSecurityIdentities attribute, authentication will occur as expected.
  2. If a certificate can only be weakly mapped to a user, based on the X509IssuerSubject or X509SubjectOnly mappings for the altSecurityIdentities attribute, authentication will occur as expected. However, a warning will be logged unless the certificate is older than the user. If the certificate is older than the user, authentication will fail, and an error will be logged.

Microsoft updates all devices to full enforcement mode for these measures by May 9, 2023.

The workaround

The May 2022 Windows updates set the StrongCertificateBindingEnforcement registry value in HKLM\SYSTEM\CurrentControlSet\Services\Kdc, which changes the enforcement mode of the Kerberos Distribution Center (KDC) to compatibility mode. While manually setting this registry value to 0 alleviates the encountered errors, it does not address the vulnerability. Also, Microsoft removes the registry value and its functionality on February 14th, 2023.

While Microsoft is working on a solution, Active Directory admins can use a workaround by manually mapping certificates to users in Active Directory using the altSecurityIdentities attribute of the user’s object. For more information, see HowTo: Map a user to a certificate via all the methods available in the altSecurityIdentities attribute on Microsoft Docs.
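As an added example (not code from the original post, nor from Microsoft's KB), the following PowerShell builds the X509IssuerSerialNumber string that KB5014754 lists as a strong mapping and adds it to a user's altSecurityIdentities; the user name jdoe, the certificate path and the ActiveDirectory module being available are assumptions. It also goes one step beyond the post by querying the Event ID 39 that a KDC in compatibility mode logs for certificates it can only map weakly, so you can find the users that still need a strong mapping.

```powershell
# Added example; not from the original post. Assumptions: ActiveDirectory module is
# installed, C:\certs\jdoe.cer holds the user's certificate (DER or Base64), and 'jdoe'
# is the sAMAccountName. Both values are placeholders.
Import-Module ActiveDirectory

function Get-X509IssuerSerialNumberMapping {
    param([Parameter(Mandatory)][string]$CertificatePath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificatePath

    # KB5014754 wants the issuer DN in reverse RDN order: DC=... first, CN=... last.
    # Splitting on ', ' is fine for typical CA names; an RDN containing an escaped
    # comma would need a real DN parser instead.
    $rdns = @($cert.Issuer -split ',\s*')
    [array]::Reverse($rdns)
    $reversedIssuer = $rdns -join ','

    # The serial number must be written byte-reversed relative to the certificate's
    # SerialNumber property, which .NET exposes as big-endian hex.
    $hex = $cert.SerialNumber
    $bytePairs = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($bytePairs)
    $reversedSerial = -join $bytePairs

    # Format from KB5014754, e.g. X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B
    return "X509:<I>$reversedIssuer<SR>$reversedSerial"
}

function Set-UserCertificateMapping {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CertificatePath
    )
    $mapping = Get-X509IssuerSerialNumberMapping -CertificatePath $CertificatePath

    # -Add keeps existing altSecurityIdentities values (a user may hold several certificates).
    # Use -Replace only when you deliberately want to drop old X509IssuerSubject or
    # X509SubjectOnly (weak) mappings at the same time.
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }

    # Read the attribute back so the caller can verify what was written.
    return (Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities).altSecurityIdentities
}

# After the May 2022 update, a KDC in compatibility mode logs Event ID 39 in the System
# log (source Kerberos-Key-Distribution-Center) each time a certificate is valid but can
# only be mapped weakly. Run this against a Domain Controller to list the affected logons.
function Get-WeakCertificateMappingEvents {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'System'; Id = 39 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Kerberos-Key-Distribution-Center*' } |
        Select-Object TimeCreated, Message
}

Set-UserCertificateMapping -SamAccountName 'jdoe' -CertificatePath 'C:\certs\jdoe.cer'
Get-WeakCertificateMappingEvents
```

Run the mapping function once per certificate a user signs in with; after the strong mapping is in place, the Event ID 39 entries for that user should stop appearing.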


I’m speaking at Techorama Belgium 2022

Techorama Belgium 2022

I’m proud to share that I’ll be presenting at Techorama Belgium for the fourth time as an accepted speaker for Techorama Belgium 2022.

About Techorama

Techorama Belgium is a yearly international technology conference that takes place at Kinepolis Metropolis Antwerp. Techorama welcomes 1700 attendees, a healthy mix between developers, IT Professionals, Data Professionals and SharePoint professionals. Techorama’s commitment is to create a unique conference experience with quality content and the best speaker line-up.

Techorama Belgium 2022 is held from May 23, 2022 to May 25, 2022 and includes awesome keynotes and sessions by Richard Campbell, John Craddock, Peter Daalmans, Ronny de Jong, Johan Delimon, Barbara Forbes, Luise Freese, Martina Grom, Rasmus Hald, Robert Hedblom, Pim Jacobs, Tom Janetscheck, Wim Matthyssen, Aleksandar Nikolic, Mustafa Toroman, Kenneth van Surksum, Sam Vanhoutte, Dieter Wijckmans and many others.

About my session

I’m presenting a 60-minute session as part of the Modern Workplace track:

Windows Hello for Business Hybrid Access: How Does It Work Under The Covers?

Wednesday May 25, 2022 1:45PM-2:45PM, Room 1

As weak, stolen and cracked passwords are at the root of 80% of cybersecurity incidents, Passwordless has the potential to change the world.

Under the covers, Windows Hello for Business, Microsoft's Passwordless solution, has already changed the authentication paradigm for Active Directory. Regardless of the device being domain-joined, hybrid Azure AD-joined or Azure AD-joined, you can access organizational resources without specifying credentials.

In this session, I’ll explain how Windows Hello works in all three scenarios and what you need to get it going for your organization.

Join us!

Techorama Belgium 2022 offers tickets for the workshops on May 23rd, the sessions on May 24th and May 25th and combi tickets for both. You can buy tickets here.


The May 2022 Patch Tuesday addresses an LSA Spoofing vulnerability (Important, CVE-2022-26925, CVSSv3 8.1-9.8)

Windows Server

When looking at the May 2022 Patch Tuesday today, I noticed an update that specifically addresses an LSA Spoofing vulnerability. This vulnerability is specific to Domain Controllers (in the default configuration), so this sparked my interest in the update.

About the vulnerability

A spoofing vulnerability exists in the Windows Local Security Authority (LSA). This vulnerability is described in detail in CVE-2022-26925.

To exploit this vulnerability, an unauthenticated attacker could call a method on the LSARPC interface and coerce the Domain Controller to authenticate to the attacker using NTLM. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read or modify network communications. This is commonly referred to as a Meddler-in-the-Middle (MitM) attack.

The Common Vulnerability Scoring System (CVSS) v3 score of this vulnerability is 8.1/7.1, but the combined CVSS score rises to 9.8 when this vulnerability is chained with the NTLM Relay Attacks on Active Directory Certificate Services (AD CS) outlined in KB5005413.

Raphael John with Bertelsmann Printing Group responsibly disclosed this vulnerability to Microsoft.

About the update

The update detects anonymous connection attempts in LSARPC and disallows them. Additionally, Microsoft recommends following the information in ADV210003 Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) to further protect the AD CS environment.

Affected Operating Systems

Most of the above vulnerabilities exist in all supported Windows and Windows Server Operating Systems. Although support for Windows Server 2008 and Windows Server 2008 R2 has ended, Microsoft has made updates available for all Windows Server platforms.

CVE-2022-29130 and CVE-2022-22012 are only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable.

CVE-2022-29131 only applies to Domain Controllers running Windows Server 2019, Windows Server, version 20H2 and Windows Server 2022.

Known Issues

When installing this update on Domain Controllers and running backups from systems running Windows Server 2008 (with Service Pack 2) and Windows Server 2008 R2, the backup software will break.

Microsoft recommends contacting the manufacturer of your backup software for updates and support after installing the updates that address this vulnerability.

Call to Action

I urge you to install the necessary security updates on Domain Controllers, in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to Windows Server installations, running as Domain Controllers, in the production environment.


The May 2022 Patch Tuesday addresses 10 LDAP Remote Code Execution vulnerabilities (Critical, CVSSv3 9.8)

Windows Server

When looking at the May 2022 Patch Tuesday today, I noticed ten updates that specifically address Remote Code Execution (RCE) vulnerabilities in Windows LDAP. These vulnerabilities are specific to Domain Controllers (in the default configuration), so this sparked my interest in these updates.

Ten Windows LDAP RCE vulnerabilities

Ten Windows LDAP remote code execution vulnerabilities were addressed:

  1. CVE-2022-22012 Windows LDAP Vulnerability (CVSSv3 9.8/8.5)
  2. CVE-2022-22013 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
  3. CVE-2022-22014 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
  4. CVE-2022-29128 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
  5. CVE-2022-29129 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
  6. CVE-2022-29130 Windows LDAP Vulnerability (CVSSv3 9.8/8.5)
  7. CVE-2022-29131 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
  8. CVE-2022-29137 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
  9. CVE-2022-29139 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
  10. CVE-2022-29141 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)

These vulnerabilities all allow remote code execution on Domain Controllers over the network. For most of the above vulnerabilities, the attacker or targeted user would need an authenticated normal user account. The attacker would send a specially crafted request to a vulnerable Domain Controller. Successful exploitation could result in the attacker's code running in the context of the SYSTEM account.

As the Common Vulnerability Scoring System (CVSS) v3 score of two of these vulnerabilities is 9.8/8.5, the May 2022 cumulative update can be considered a Critical update for Domain Controllers.

Affected Operating Systems

Most of the above vulnerabilities exist in all supported Windows and Windows Server Operating Systems. Although support for Windows Server 2008 and Windows Server 2008 R2 has ended, Microsoft has made updates available for all Windows Server platforms.

CVE-2022-29130 and CVE-2022-22012 are only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable.

CVE-2022-29131 only applies to Domain Controllers running Windows Server 2019, Windows Server, version 20H2 and Windows Server 2022.
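The MaxReceiveBuffer precondition for CVE-2022-29130 and CVE-2022-22012 (mentioned in both the LSA Spoofing and the LDAP RCE post above) is easy to check before you decide how urgently to roll out the update. The following PowerShell is an added example, not code from the original posts: it reads the LDAP query policy from the configuration partition and reports whether MaxReceiveBuffer was raised above its 10485760 (10 MB) default. It assumes the ActiveDirectory module and that the Default Query Policy applies to your Domain Controllers.

```powershell
# Added example; not from the original posts. Assumes the ActiveDirectory module is
# installed and that you run it with read access to the configuration partition.
Import-Module ActiveDirectory

# Built-in default for MaxReceiveBuffer in the LDAP administrative limits (10 MB).
$DefaultMaxReceiveBuffer = 10485760

function Get-LdapAdminLimit {
    param(
        [Parameter(Mandatory)][string]$LimitName,
        # A custom query policy can be assigned to specific DCs or sites through the
        # queryPolicyObject attribute on their NTDS Settings; pass its name if you use one.
        [string]$PolicyName = 'Default Query Policy'
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $policyDN = "CN=$PolicyName,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

    # lDAPAdminLimits is multi-valued and holds 'Name=Value' strings, e.g. MaxReceiveBuffer=10485760
    $policy = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits
    $entry = @($policy.lDAPAdminLimits) | Where-Object { $_ -like "$LimitName=*" } | Select-Object -First 1
    if (-not $entry) { return $null }          # absent means the built-in default is used
    return [int64](($entry -split '=', 2)[1])
}

function Test-MaxReceiveBufferExposure {
    param([string]$PolicyName = 'Default Query Policy')
    $value = Get-LdapAdminLimit -LimitName 'MaxReceiveBuffer' -PolicyName $PolicyName

    if ($null -eq $value) {
        Write-Output "MaxReceiveBuffer is not set in '$PolicyName'; DCs use the default ($DefaultMaxReceiveBuffer)."
        return $false
    }
    if ($value -gt $DefaultMaxReceiveBuffer) {
        Write-Warning ("MaxReceiveBuffer=$value exceeds the default of $DefaultMaxReceiveBuffer; " +
                       "CVE-2022-29130 and CVE-2022-22012 apply until the May 2022 update is installed.")
        return $true
    }
    Write-Output "MaxReceiveBuffer=$value is at or below the default; these two CVEs do not apply."
    return $false
}

Test-MaxReceiveBufferExposure
```

The same values can be inspected interactively with ntdsutil ("ldap policies", then "show values"), which is useful on a Domain Controller without the ActiveDirectory PowerShell module.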

Call to Action

I urge you to install the necessary security updates on Domain Controllers, in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to Windows Server installations, running as Domain Controllers, in the production environment.


On-premises Identity-related updates and fixes for April 2022

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates.

This is the list of Identity-related updates and fixes we saw for April 2022:

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5012596 April 12, 2022

The April 12, 2022 update for Windows Server 2016 (KB5012596) updating the OS build number to 14393.5066 is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses a heap leak in PacRequestorEnforcement that degrades the performance of a Domain Controller.
  • It addresses an issue that affects the Key Distribution Center (KDC) Proxy. The KDC Proxy cannot properly obtain Kerberos tickets for signing in to Key Trust Windows Hello for Business.
  • It addresses an issue that prevents you from changing a password that has expired when you sign in to a Windows device.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5012647 April 12, 2022

The April 12, 2022 update for Windows Server 2019 (KB5012647) updating the OS build number to 17763.2803 is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses a known issue that causes DNS stub load failures on a Windows Server that is running a DNS Server.
  • It addresses an issue that prevents you from changing a password that has expired when you sign in to a Windows device.
  • It addresses a heap leak in PacRequestorEnforcement that degrades the performance of a domain controller.
  • It addresses an issue that affects the Key Distribution Center (KDC) Proxy. The KDC Proxy cannot properly obtain Kerberos tickets for signing in to Key Trust Windows Hello for Business.
  • It addresses an issue that causes the Move-ADObject command to fail when you move computer accounts across domains. The error message is:

Multiple values were specified for an attribute that can have only one value

  • It addresses an issue that might prevent a DNS Server query resolution policy from working as expected when you specify a fully qualified domain name (FQDN) and subnet conditions.
  • It addresses an issue that might cause domain joining to fail in environments that use disjoint DNS hostnames.
  • It addresses an issue in which modern browsers fail to correctly render HTML that is generated by gpresult/h.
  • It addresses an issue that causes the Group Policy Management Console to stop working after you close it as the GPOAdmin.dll fails. The system logs Application Error Event ID 1000 and error:

0xc0000005 (STATUS_ACCESS_VIOLATION)

  • It addresses an issue that might cause the Group Policy Service to stop processing telemetry information for Group Policy Registry Preferences.
  • It addresses an issue that prevents events with Event ID 4739 from displaying the new values of certain attributes after a policy change.
  • It addresses an issue that prevents you from accessing Server Message Block (SMB) shares using an IP Address when SMB hardening is enabled.
  • It addresses an issue that causes stop error 0x1E in the SMB Server (srv2.sys).
  • It addresses an issue that occurs when the Best Practices Analyzer (BPA) values for SMB have not been updated for more recent platforms.
  • It addresses an issue in Active Directory Federation Services (AD FS) that prevents Android device users from signing in to some Microsoft applications, such as Microsoft Outlook or Microsoft Teams. This issue occurs after rolling over token signing and decrypting certificates, resetting a user's password, or when an administrator has revoked refresh tokens.
  • It addresses an issue that prevents the Back button of the credentials window as part of the AD FS sign-in pages, from being visible in high contrast black mode.

KB5012636 April 21, 2022 Preview

The April 21, 2022 update for Windows Server 2019 (KB5012636) updating the OS build number to 17763.2867 is a preview update that includes the following Identity-related improvements:

  • It addresses an issue that causes the Key Distribution Center (KDC) code to incorrectly return the following error message during domain controller shutdown:

KDC_ERR_TGT_REVOKED

  • It addresses an issue that might fail to copy the security portion of a Group Policy to a machine.
  • It addresses an issue that causes the primary domain controller (PDC) of the root domain to generate warning and error events in the System log. This issue occurs when the PDC incorrectly tries to scan outgoing-only trusts.
  • It addresses an issue that might occur when you use Netdom.exe or the Active Directory Domains and Trusts snap-in to list or modify name suffixes routing. These procedures might fail. This issue occurs after installing the January 2022 security update on the primary domain controller emulator (PDCe). The error message is:

Insufficient system resources exist to complete the requested service.

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5012604 April 12, 2022

The April 12, 2022 update for Windows Server 2022 (KB5012604), updating the OS build number to 20348.643, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that prevents you from changing a password that has expired when you sign in to a Windows device.
  • It addresses a heap leak in PacRequestorEnforcement that degrades the performance of a domain controller.
  • It addresses an issue that returns an error message when you browse for a domain or organizational unit (OU). This issue occurs because of improper zeroing out of memory.
  • It addresses an issue that affects the Key Distribution Center (KDC) Proxy. The KDC Proxy cannot properly obtain Kerberos tickets for signing in to Key Trust Windows Hello for Business.
  • It addresses an issue that causes the Move-ADObject command to fail when you move computer accounts across domains. The error message is:

Multiple values were specified for an attribute that can have only one value

  • It addresses an issue that might prevent a DNS Server query resolution policy from working as expected when you specify a fully qualified domain name (FQDN) and subnet conditions.
  • It addresses an issue that might cause domain joining to fail in environments that use disjoint DNS hostnames.
  • It addresses an issue in which modern browsers fail to correctly render HTML that is generated by gpresult/h.
  • It addresses an issue that might cause the Group Policy Service to stop processing telemetry information for Group Policy Registry Preferences.
  • It addresses an issue that prevents events with Event ID 4739 from displaying the new values of certain attributes after a policy change.
  • It addresses an issue that prevents you from accessing Server Message Block (SMB) shares using an IP Address when SMB hardening is enabled.
  • It addresses an issue that occurs when the Best Practices Analyzer (BPA) values for SMB have not been updated for more recent platforms.
  • It addresses an issue in Active Directory Federation Services (AD FS) that prevents Android device users from signing in to some Microsoft applications, such as Microsoft Outlook or Microsoft Teams. This issue occurs after rolling over token signing and decrypting certificates, resetting a user's password, or when an administrator has revoked refresh tokens.
  • It addresses an issue that prevents the Back button of the credentials window as part of the AD FS sign-in pages, from being visible in high contrast black mode.

KB5012637 April 25, 2022 PREVIEW

The April 25, 2022 update for Windows Server 2022 (KB5012637) updating the OS build number to 20348.681 is a preview update that includes the following Identity-related improvements:

  • It addresses an issue that causes Kerberos authentication to fail when a client machine attempts to use the Remote Desktop Protocol (RDP) to connect to another machine while Remote Credential Guard is enabled. The error is:

0xc0030009 (RPC_NT_NULL_REF_POINTER)

  • It addresses an issue that might fail to copy the security portion of a Group Policy to a machine.
  • It addresses an issue that causes the Key Distribution Center (KDC) code to incorrectly return the following error message during domain controller shutdown:

KDC_ERR_TGT_REVOKED

  • It optimizes the Active Directory Federation Services (AD FS) artifact database by deleting expired artifacts.
  • It addresses an issue that might occur when you use Netdom.exe or the Active Directory Domains and Trusts snap-in to list or modify name suffixes routing. These procedures might fail. This issue occurs after installing the January 2022 security update on the primary domain controller emulator (PDCe). The error message is:

Insufficient system resources exist to complete the requested service.

  • It addresses an issue that causes the primary domain controller (PDC) of the root domain to generate warning and error events in the System log. This issue occurs when the PDC incorrectly tries to scan outgoing-only trusts.

What's New in Azure Active Directory for April 2022

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for April 2022:

What’s New

Microsoft Defender for Endpoint Signal in Identity Protection General Availability

Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection now integrates a signal from Microsoft Defender for Endpoint (MDE) that adds a Primary Refresh Token (PRT) theft detection.

A PRT is a JSON Web Token (JWT) that's specially issued to Microsoft first-party token brokers to enable single sign-on (SSO) across the applications used on those devices. Attackers can attempt to access this resource to move laterally into an organization or perform credential theft. This detection will move users to high risk and will only fire in organizations that have deployed MDE. This detection is low-volume and will be seen infrequently by most organizations. However, when it does occur it's high risk and users should be remediated.

Customer data storage for Japan customers in Japanese datacenters General Availability

Service category: App Provisioning
Product capability: GoLocal
Clouds impacted: Public (Microsoft 365, GCC)

From April 15, 2022, Microsoft began storing Azure AD’s Customer Data for new tenants with a Japan billing address within the Japanese datacenters.

Enabling customization capabilities for SSPR hyperlinks, footer hyperlinks and browser icons in Company Branding Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft updated the Company Branding functionality on the Azure AD and Microsoft 365 sign-in experience to allow customizing Self-service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icon.

Integration of Microsoft 365 App Certification details into Azure AD UX and Consent Experiences Public Preview

Service category: User Access Management
Product capability: Authorization/Access Delegation
Clouds impacted: Public (Microsoft 365, GCC)

Microsoft 365 Certification status for an app is now available in Azure AD consent user experience (UX), and custom app consent policies. The status will later be displayed in several other Identity-owned interfaces such as enterprise apps.

Organizations can replace all references to Microsoft on the Azure AD authentication experience Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft updated the Company Branding functionality on the Azure AD and Microsoft 365 sign-in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icon.

Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels Public Preview

Service category: Access Reviews
Product capability: Identity Governance

Use Azure AD Access Reviews to review access of B2B direct connect users in Teams shared channels.

New MS Graph APIs to configure federated settings when federated with Azure AD Public Preview

Service category: MS Graph
Product capability: Identity Security & Protection
Clouds impacted: Public (Microsoft 365, GCC)

Microsoft announced the public preview of the following MS Graph APIs and PowerShell cmdlets for configuring federated settings when federated with Azure AD:

  1. Get settings for a federated domain: Get-MgDomainFederationConfiguration
  2. Create settings for a federated domain: New-MgDomainFederationConfiguration
  3. Remove settings for such a domain: Remove-MgDomainFederationConfiguration
  4. Update settings for such a domain: Update-MgDomainFederationConfiguration

Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users Public Preview

Service category: Role-based Access Control (RBAC)
Product capability: Authorization /Access Delegation
Clouds impacted: Public (Microsoft 365, GCC)

Microsoft added functionality to session controls allowing admins to reauthenticate a user on every sign-in if a user or particular sign-in event is deemed risky, or when enrolling a device in Intune.

Protect against bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD Public Preview

Service category: MS Graph
Product capability: Identity Security & Protection
Clouds impacted: Public (Microsoft 365, GCC)

Microsoft announced a new security protection that prevents bypassing of cloud Azure AD multi-factor authentication (MFA) when federated with Azure AD. When enabled for a federated domain in an Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD MFA by claiming that MFA has already been performed by the identity provider. The protection can be enabled via the new federatedIdpMfaBehavior security setting.

Microsoft highly recommends enabling this new protection when using Azure AD MFA for federated users.
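As an added example (not code from the page or from Microsoft), the following PowerShell script uses the Get-/Update-MgDomainFederationConfiguration cmdlets listed earlier together with the federatedIdpMfaBehavior setting to audit every federated domain in a tenant and, only when you opt in, switch it to rejectMfaByFederatedIdp. The function names and the $Remediate switch are my own; the enum values acceptIfMfaDoneByFederatedIdp, enforceMfaByFederatedIdp and rejectMfaByFederatedIdp are the documented values of the setting, and the script assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in admin can consent to Domain.ReadWrite.All.

```powershell
# Added audit example, not part of the original post. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Domain.ReadWrite.All" | Out-Null

function Get-FederatedMfaBehaviorReport {
    # Only federated domains carry an internalDomainFederation object, so filter on
    # AuthenticationType before asking for the federation configuration.
    $federated = Get-MgDomain | Where-Object { $_.AuthenticationType -eq 'Federated' }
    foreach ($domain in $federated) {
        foreach ($cfg in Get-MgDomainFederationConfiguration -DomainId $domain.Id) {
            [pscustomobject]@{
                Domain         = $domain.Id
                ConfigId       = $cfg.Id
                MfaBehavior    = $cfg.FederatedIdpMfaBehavior
                # acceptIfMfaDoneByFederatedIdp and enforceMfaByFederatedIdp both accept the
                # IdP's "MFA done" claim; only rejectMfaByFederatedIdp makes Azure AD ignore
                # that claim and perform its own MFA, which is the protection announced above.
                NeedsHardening = ($cfg.FederatedIdpMfaBehavior -ne 'rejectMfaByFederatedIdp')
            }
        }
    }
}

function Set-RejectFederatedIdpMfa {
    param(
        [Parameter(Mandatory)][string]$DomainId,
        [Parameter(Mandatory)][string]$ConfigId
    )
    # Switches a single federated domain to rejectMfaByFederatedIdp.
    Update-MgDomainFederationConfiguration -DomainId $DomainId `
        -InternalDomainFederationId $ConfigId `
        -FederatedIdpMfaBehavior 'rejectMfaByFederatedIdp'
}

# Report first; set $Remediate to $true only after confirming that Azure AD MFA
# (not the federated IdP's MFA) is the intended factor for these users.
$Remediate = $false
$report = Get-FederatedMfaBehaviorReport
$report | Format-Table -AutoSize

if ($Remediate) {
    foreach ($row in ($report | Where-Object NeedsHardening)) {
        Set-RejectFederatedIdpMfa -DomainId $row.Domain -ConfigId $row.ConfigId
        Write-Host "Set rejectMfaByFederatedIdp on $($row.Domain)"
    }
}
```

Domains that deliberately rely on the IdP for MFA (enforceMfaByFederatedIdp) will also show NeedsHardening, so read the report against your own MFA design before flipping the switch.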

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: Third Party Integration

In April 2022, Microsoft added the following new applications in the Azure AD App gallery with Federation support:

  1. X-1FBO
  2. select Armor
  3. Smint.io Portals for SharePoint
  4. Pluto
  5. ADEM
  6. Smart360
  7. MessageWatcher SSO
  8. Beatrust
  9. AeyeScan
  10. ABa Customer
  11. Twilio Sendgrid
  12. Vault Platform
  13. Speexx
  14. Clicksign
  15. Per Angusta
  16. EruditAI
  17. MetaMoJi ClassRoom
  18. Numici
  19. MCB.CLOUD
  20. DepositLink
  21. Last9
  22. ParkHere Corporate
  23. Keepabl
  24. Swit

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: Third Party Integration
Clouds impacted: Public (Microsoft 365, GCC)

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:

What’s Changed

3 stages of approval in Entitlement management General Availability

Service category: Other
Product capability: Entitlement Management
Clouds impacted: Public (Microsoft 365, GCC)

This update extends the Azure AD entitlement management access package policy to allow a third approval stage. This can be configured via the Azure portal or Microsoft Graph.

Improvements to Azure AD Smart Lockout General Availability

Service category: Identity Protection
Product capability: User Management
Clouds impacted: Public (Microsoft 365, GCC), China, US Gov(GCC-H, DOD), US Nat, US Sec

With a recent improvement, Azure AD Smart Lockout now synchronizes the lockout state across Azure AD datacenters, so the total number of failed sign-in attempts allowed before an account is locked out will match the configured lockout threshold.


You’re invited to the IT-University Masterclass – Securing Active Directory using cloud services… Say What!?

Online Masterclass

On May 9th, 2022, I will be presenting a masterclass, together with Raymond Comvalius, for IT-University.nl. Raymond and I will be presenting on establishing device trust in the modern age.

Over 95% of organizations with more than 50 people use Active Directory today. Active Directory is the main target for attackers, and this leads to data leaks all over the world. We see reports every week of hacks where Active Directory was used and/or abused.

From Microsoft’s cloud services, there are a couple of services that you can use to increase the information security of Active Directory and avoid confidentiality, integrity and availability issues. In this masterclass, we show you how to use these services.

Learn how to configure and manage Azure AD Connect from two Microsoft MVPs who know a thing or two about this stuff.

Mark your calendar!

Mark your calendar for May 9th, 2022 between 8 PM and 10 PM CEST for this free webinar. Register here.

The webinar will be delivered in Dutch.

About IT-University

This webinar is sponsored by IT-University.nl.
IT-University is a Dutch educational organization, specialized in IT courses following the new world of learning. IT-University offers an Online Academy, webinars and masterclasses.

By registering for this masterclass, you submit your information to IT-University, who will use it to communicate with you regarding this event and their other services.
