Azure AD Connect’s v2 endpoint is now Generally Available (GA)

Azure AD Connect is Microsoft’s free tool to synchronize objects and their attributes from Active Directory Domain Services (AD DS) implementations to Azure Active Directory tenants. Many millions of organizations depend on Azure Active Directory and the APIs that the tool connects to.

Azure AD Connect’s v2 Endpoint

Microsoft has deployed a new endpoint (API) for Azure AD Connect that improves the performance of the synchronization service operations to Azure Active Directory. We reported on the Public Preview availability of this v2 endpoint roughly 8 months ago.

Now, the v2 endpoint has moved from Public Preview to General Availability.

When organizations use the new v2 endpoint, you'll experience noticeable performance gains on export and import to Azure AD. This new endpoint supports the following scenarios:

  • Syncing groups with up to 250,000 members
  • Performance gains on export and import to Azure AD

What this means

For versions of Azure AD Connect ranging from version 1.5.30.0 to 1.5.45.0, the v2 endpoint still needs to be enabled manually, using the following lines of Windows PowerShell:

Set-ADSyncScheduler -SyncCycleEnabled $false

Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1'

Set-ADSyncAADConnectorExportApiVersion 2

Set-ADSyncAADConnectorImportApiVersion 2

Set-ADSyncScheduler -SyncCycleEnabled $true

Additionally, to increase the group memberships limit, you’ll still need to manually change the Out to AAD – Group Join synchronization rule.

Further reading

HOWTO: Use Azure AD Connect’s v2 Endpoint  
HOWTO: Tell if Azure AD Connect is using the v2 Endpoint

Posted on January 14, 2021 by Sander Berkouwer in Azure AD Connect

0  

Configuration Items that are part of Azure AD Connect’s Export and Import functionality

Azure AD Connect

Azure AD Connect is a crucial component in today’s Hybrid Identity strategies. This tool takes care of the synchronization of objects and their attributes from an on-premises Active Directory environment to Azure AD. In some scenarios, it also takes care of authentication when accessing Azure AD-integrated applications.

In version 1.5.42.0, Microsoft introduced Import and Export functionality to Azure AD Connect. In this blog post, I’ll share what configuration items are part of this functionality and how Azure AD Connect handles this information upon import.

Note:
The below information is based on version 1.5.45.0 of Azure AD Connect. Export/Import functionality is a Preview feature in this version of Azure AD Connect.

Items that are part of the Export and Import functionality

Items that are part of the Export and Import functionality include:

Azure AD Connect version

The version that was used to export the configuration on is part of the export. This might allow Microsoft to determine additional configuration actions to include when importing a configuration from an older version of Azure AD Connect to a newer version of Azure AD Connect. Such actions might help in achieving configuration integrity between Azure AD Connect versions.

Currently, Microsoft exports this information as part of the policyMetadata, but there does not appear to be any special logic around this information.


Service account information

The account that runs the Microsoft Azure AD Sync service (ADSync) is exported, along with its account type.

Currently, Microsoft exports this information as part of the deploymentMetadata, but has no use for it during import. As the service account information is configured before providing the location of the exported settings, this information is not used during import.

No passwords are part of the exported settings. Any applicable password needs to be re-entered during import.


Database information

The database information is part of the export. This information indicates whether the built-in SQLExpress database is used or a full-fledged SQL Server hosts Azure AD Connect’s database.

Currently, Microsoft exports this information as part of the deploymentMetadata, but has no use for it during import. No passwords are part of the export information. Any applicable password needs to be re-entered during import.

As the database settings are configured before providing the location of the exported settings, these settings are not used during import.


User sign-in

The sign-in method(s) are part of Azure AD Connect’s Export and Import functionality. This information is typically configured on the User sign-in page of the Azure AD Connect wizard.

This piece of information would indicate the configured authentication method and whether Password Hash Synchronization is optionally enabled on the Optional features page of the Azure AD Connect configuration wizard (if not selected on the User sign-in page of the Azure AD Connect wizard).

This information is exported as the authenticationPolicy and used to configure the Azure AD Connect installation you import the JSON file with exported settings on. The information is used as the default configuration, but can be deviated from.

Write-back features

While talking about the options on the Optional features page, Azure AD Connect’s enabled write-back features are also part of the exported information.

This information is exported as the authenticationPolicy and used to configure the Azure AD Connect installation you import the JSON file with exported settings on.


Active Directory information

Information on the on-premises Active Directory is part of the exported information. This information includes the friendly name (friendlyName), the fully qualified DNS domain name (FQDN) (fullyQualifiedDomainName) and information on the Connector account (onPremisesDirectoryAccount).

For each of the domains, the DN (distinguishedName) as well as the included and excluded containers and Organizational Units (containerInclusions and containerExclusions) are exported. This information is used to configure the Azure AD Connect installation you import settings on.

Metaverse extensions

When using Azure AD Connect’s directory extensions functionality, this information is also part of Azure AD Connect’s exported information.

This information is exported as part of the metaverseExtensionPolicy section.

Source Anchor attribute

The source anchor attribute defines the attribute that is used to couple the object in Active Directory to the object in Azure AD end-to-end. The recommended practice is to use the mS-DS-ConsistencyGUID attribute.

This information is exported as userPrincipalNameAttribute as part of the identityMappingPolicy section and used to configure the Azure AD Connect installation you import the JSON file with exported settings on.

userPrincipalName attribute

The userPrincipalName attribute defines the attribute for Active Directory objects that is used as the sign-in name to Azure AD. The recommended practice is to use the userPrincipalName attribute.

This information is exported as azureSourceAnchorAttribute as part of the identityMappingPolicy section and used to configure the Azure AD Connect installation you import the JSON file with exported settings on.

User matching method

As Azure AD Connect provides multi-forest support, information is gathered on the user matching policy on the Uniquely identifying your users page of the Azure AD Connect installation wizard:

Uniquely identifying your users page of the Azure AD Connect Wizard (click to view original screenshot)

The default setting (Users are represented only once accross all directories) is documented as AlwaysProvision.

This information is exported as userMatchingPolicy as part of the identityMappingPolicy section and used to configure the Azure AD Connect installation you import the JSON file with exported settings on.

Azure AD information

The Azure AD Connect’s Export and Import functionality exports the following information on the sign-in information for the account in the Global administrator or Hybrid Identity administrator role that was used to configure Azure AD Connect:

  1. Administrator account (userPrincipalName)
  2. Azure AD Tenant ID

This information is exported as administrator and tenantid as part of the azureDirectoryPolicy section. The administrator account is pre-typed on the Connect to Azure AD page of the Azure AD Connect configuration wizard when you import the JSON file with exported settings on.

No passwords are part of the exported settings. Any applicable password needs to be re-entered during import. Multi-factor authentication needs to be performed and Privileged Identity Management approval gates passed when configuring Azure AD Connect through importing settings.

Azure AD App and attribute Filtering

Using Azure AD Connect’s Azure AD App and Attribute Filtering functionality, only the objects and attributes that are needed can be filtered for synchronization to Azure AD.

This information is the exportedAttributePolicy as part of the azureDirectoryPolicy section.

Azure AD Connect Export Deletion Threshold

The Azure AD Connect Export Deletion Threshold is part of the Azure AD Connect exported configuration.

This information is exported as exportDeletionLimit as part of the azureDirectoryPolicy section and used to configure the Azure AD Connect installation you import the JSON file with exported settings on.

Synchronization rules

The standard Azure AD Connect synchronization rules are part of the Azure AD Connect exported configuration for all the connectors, including their names, unique identifiers, immutable tags and precedence.

This information is exported as standardSynchronizationRules and customSynchronizationRules as part of the azureDirectoryPolicy section and onPremisesDirectoryPolicy. It is used to configure the Azure AD Connect installation you import the JSON file with exported settings on.

Items that are not part of the Export and Import functionality

Items that are not part of the Export and Import functionality include:

Passwords

No passwords are part of the exported settings. Any applicable password needs to be re-entered during import. Multi-factor authentication needs to be performed and Privileged Identity Management approval gates passed when configuring Azure AD Connect through importing settings.

Staging Mode

Whether Azure AD Connect runs as a Staging Mode server is not part of the exported information.

Posted on January 13, 2021 by Sander Berkouwer in Azure AD Connect

0  

Azure Active Directory Pod Identity Spoofing Vulnerability (CVE-2021-1677)

Today, for its January 2021 Patch Tuesday, Microsoft released an important security update for Azure Active Directory Pod Identities. This vulnerability is known as CVE-2021-1677 and rated with CVSSv3.0 scores of 5.5/4.8

About the vulnerability

The Azure AD pod identity feature enables users to assign identities to pods in Kubernetes clusters and fetch them from the pods using a regular IMDS (Azure Instance Metadata Service) request. When an identity is assigned to a pod, the pod can access the IMDS endpoint and get a token for that identity.

The Kubenet network plugin is susceptible to ARP spoofing. This makes it possible for pods to impersonate as a pod with access to an identity. Using CAP_NET_RAW capability, a pod that is controlled by an attacker could request a token as a pod it’s impersonating. An attacker who successfully exploited this vulnerability can laterally steal the identities that are associated with different pods.

Addressing the vulnerability

By default, Azure Kubernetes Service (AKS) clusters use Kubenet. This way, a virtual network and subnet are created, nodes get an IP address from a virtual network subnet and Network address translation (NAT) is then configured on the nodes. Pods receive an IP address hidden behind the node IP.

With Azure Container Networking Interface (CNI), every pod gets an IP address from the subnet and can be accessed directly. Each node has a configuration parameter for the maximum number of pods that it supports. The equivalent number of IP addresses per node are then reserved up front for that node.

Organizations with existing Azure Kubernetes Service (AKS) clusters need to re-deploy their cluster(s) and use Azure CNI instead of the default Kubenet.

Call to action

Please re-deploy any previously deployed Azure Kubernetes Service (AKS) clusters using Azure Container Networking Interface (CNI)  instead of Kubenet (default).

Starting from version 1.7, the Azure AD Pod Identity feature is disabled by default on clusters with Kubenet network plugin. The NMI pods will fail to run with the following error:

AAD Pod Identity is not supported for Kubenet

Further reading

CVE-2021-1677 Azure Active Directory Pod Identity Spoofing Vulnerability  
Configure Azure CNI networking in Azure Kubernetes Service (AKS)     
Deploy AAD Pod Identity in a Cluster with Kubenet

Posted on January 12, 2021 by Sander Berkouwer in Azure Active Directory, Enterprise Security, Security Updates

0  

KnowledgeBase: You receive error ‘The directory service was unable to allocate a relative identifier’ when installing Azure AD Connect

Azure AD Connect

Sometimes, the installation of Azure AD Connect can mess up your project deadlines in mere seconds. In this blogpost, I want to share an error that kept the admins of an organization occupied for several days, while it was relatively (har har) easy to fix.

The situation

An organization wants to configure Azure AD Connect. An admin downloads Azure AD Connect, and runs it.

On the Welcome to Azure AD Connect page, the admin selects the I agree to the license terms and privacy notice. option and hits the Continue button. On the Express Settings page, the admin clicks Customize.

The issue

On the Install required components page, the admin clicks Continue. Instead of being taken to the User Sign-in page, the admin is confronted with an error message:

Unable to install the Synchronization Service. The directory service was unable to allocate a relative identifier error in Azure AD Connect (click for original screenshot)

Unable to install the Synchronization Service. The directory service was unable to allocate a relative identifier.

In the Application Log in Event Viewer (eventvwr.exe) several events can be found with Event ID 906 and source AzureActiveDirectorySyncEngine.

The cause

This issue is caused by an absence of available relative identifiers (rIDs) in Active Directory. Azure AD Connect needs a relative identifier to create the connector account in Active Directory. All objects in Active Directory have a security identifier (sID), that is comprised of the relative identifier (rID) and the sID namespace for the domain:

This issue in Azure AD Connect may be caused by:

  1. RID Exhaustion; a total absence of available rIDs in Active Directory,
  2. A Domain Controller who has exhausted its rID pool and is unable to obtain a new rID Pool from the Domain Controller acting as the RID Pool Master, or,
  3. Mangled RID Pool Master information in Active Directory.

The solution

To solve this issue, we need to know if we’ve exhausted all the rIDs in Active Directory. This is the issue from the above list that would be most troublesome.

To get this information, we need to run the following line of commands on the Command Prompt (cmd.exe):

dcdiag /test:ridmanager /v | find /i "Available RID Pool"

The output will show you the used relative identifier compared to the maximum amount of available RIDs in the environment. If you still have available rIDs in Active Directory, then you can continue with the next step. If you’ve exhausted all rIDs, you can double the RID Pool if all your Domain Controllers run Windows Server 2008 R2 with KB2642658 installed, or newer versions of Windows Server.

If you still have available rIDs in Active Directory, you can seize the RID Pool master on a Domain Controller that is known healthy, using Windows PowerShell.

Open an elevated Windows PowerShell window on a known-good Domain Controller and run the following line of Windows PowerShell, replacing the Target-DC with the name of the Domain Controller:

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole RIDMaster -Force

Type a Y to answer the question Do you want to move the role ‘RIDMaster’ to server ‘Target-DC.domain.tld’? Then, press the Enter button.

Close the Windows PowerShell window.

Now you can install Azure AD Connect without problems.

Posted on January 11, 2021 by Sander Berkouwer in Active Directory, Azure AD Connect

0  

The video of my presentation at IT Pro|Dev Connections is now available

IT Pro | Dev Connections

IT Pro|Dev Connections is a conference organized by the largest Greek communities for everyone in the Computer and Information Technology industry. The content focuses on products, technologies and services that are "hot" or up and coming and provide valuable knowledge to the participants.

On December 13th, 2020, I presented the following 50-minute session at the 2020 IT Pro | Dev Connections Greece conference:

 

Increasing the security of on premises Active Directory with Azure AD

Would you believe a networking infrastructure can become more secure by adding cloud to it? In this session, I share my real-world experiences with how Azure AD-based technologies make the on-premises environments of my customers more secure. Air-gapping and the accompanying immense challenges for updating, activating and monitoring for admins are truly referred back to the 80s in this session. I've met a lot of old-fashioned CISOs the last couple of years that truly believed air-gapping their environments and requiring multi-multi-multi-factor authentication for access off-premises was the way to go. In this session, I show how organizations can:

  •  Require multi-factor authentication only when needed because of risk
  • Get notified of leaked credentials
  • Ban bad passwords
  • Manage fragile Domain Controllers better
  • Get back on top of the millions of events that currently burden down their current SIEM solution

I've built a couple of exciting demos to showcase the strengths of Azure AD, Azure AD Connect Health and Azure Sentinel to really show the strength of Azure AD, even when your organization isn't looking for the typical benefits Azure AD brings.

 

THANK YOU

Thank you to the Greek IT professional community autoexec.gr, the Greek developers community, dotNETZone.gr and their many sponsors for organizing the 2020 IT Pro | Dev Connections Greece conference and inviting me as a speaker.

Enjoy! Thumbs up

Posted on January 8, 2021 by Sander Berkouwer in Uncategorized

0  

On-premises Identity-related updates and fixes for December 2020

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates.

These are the Identity-related updates and fixes we saw for December 2020:

 

Windows Server 2016

We observed the following update for Windows Server 2016:

KB4593226 December 8, 2020

The December 8 update for Windows Server 2016 (KB4593226), updating the OS build number to 14393.4104 is a security update that includes quality improvements.

KB4593226 addresses an important Kerberos Security Feature Bypass Vulnerability, known as CVE-2020-16996, rated with CVSSv3 scores of 6.5 and 5.7. If you use Protected Users and Resource-Based Constrained Delegation (RBCD), you may experience this security vulnerability.

 

Windows Server 2019

We observed the following update for Windows Server 2019:

KB4592440 December 8, 2020

The December 8 update for Windows Server 2019 (KB4592440), updating the OS build number to 17763.1637 is a security update that includes quality improvements.

KB4592440 addresses an important Kerberos Security Feature Bypass Vulnerability, known as CVE-2020-16996, rated with CVSSv3 scores of 6.5 and 5.7. If you use Protected Users and Resource-Based Constrained Delegation (RBCD), you may experience this security vulnerability.

Posted on January 7, 2021 by Sander Berkouwer in Active Directory, Security Updates

0  

HOWTO: Create an LDAP Connector account in AD LDS for Azure AD Connect

Azure AD Connect

Recently, I showed you how to synchronize an Active Directory Lightweight Directory Services (AD LDS) or an LDAP v3-compatible directory to Azure AD using Azure AD Connect.

In that blogpost, I listed as one of the requirements that you need a service account that is part of the LDAP tree and has sufficient permissions to enumerate the attributes for the objects in scope.

In this blogpost, I’ll show you how to create this account in an existing Active Directory Lightweight Directory Services (AD LDS) implementation.

 

Creating the Azure AD Connect service account

Creating the Azure AD Connect service account, consists of five steps:

  1. Creating the account
  2. Provisioning a password
  3. Enabling the account
  4. Setting the userPrincipalName
  5. Adding the account to the Administrators role

Note:
If the Active Directory Module for Windows PowerShell is not installed on the Windows installation, install the Remote Server Administration Tools (RSAT) for the Windows version. On Windows Server, install it with the following line of Windows PowerShell:

Install-WindowsFeature RSAT-AD-PowerShell

 

Creating the account

First, we need to create the LDAP Connector account in Active Directory Lightweight Directory Services (AD LDS). To this purpose we use the following line of Windows PowerShell on a Windows (Server) installation with the Active Directory module installed:

New-ADUser -Name SA_AADC -Path 'CN=users,dc=domain,dc=tld' -GivenName Service -Surname Account -SamAccountName SA_AADConnect -Server 'server:389'

 

Provisioning a password

Next, we’ll provision a password for the service account with the following line of Windows PowerShell:

Set-ADAccountPassword -Identity 'cn=SA_AADC,CN=users,dc=domain,dc=tld' -NewPassword (ConvertTo-SecureString -AsPlainText 'P@ssw0rd' -Force) -Server 'server:389'

 

Enabling the account

Now, that the account has a password, we can successfully enable the account with the following line of Windows PowerShell:

Enable-ADAccount -Identity 'cn=SA_AADC,CN=users,dc=domain,dc=tld' -Server 'server:389'

 

Setting the userPrincipalName

Let’s set the userPrincipalName attribute for the service account. To this purpose, we’ll use ADSI Edit (adsiedit.msc). Follow the below steps:

  • Press Start and start typing adsiedit.msc.
  • In the search results, click on ADSI Edit to start it.
    The ADSI Edit window appears.
  • From the Action menu, choose the Connect to… option.
    The Connection Settings pop-up window appears.
  • In the Connection Point area, select the Select or type a Distinguished Name or Naming Context: option. Type the distinguished name, like CN=users,DC=domain,DC=tld.
  • In the Computer area, select the Select or type a domain or server: (Server | Domain [:port]) option. In the field below, type the information to connect to the Active Directory Lightweight Directory Services (AD LDS) instance:

  • Click OK.
  • The structure of the AD LDS implementation is now available in the left navigation window of the ADSI Edit window. Dig down until you get to the service account you created earlier.
  • Right-click the service account and select Properties from the context menu.
    The Properties window opens.
  • In the list with Attributes: scroll down to the userPrincipalName attribute.
  • Select the attribute and click the Edit button.
    The String Attribute Editor pop-up opens.
  • In the Value: field, type a userPrincipalName, like sa_aadc@dirteam.com.
  • Click OK to save the userPrincipalName value and close the pop-up window.
  • Click OK in the Properties window to close it.

 

Adding the account to the Administrators role

We’re almost done. We only configure the service account as a member of the Administrators role in Active Directory Lightweight Directory Services (AD LDS). Perform these steps, while still connected in ADSI Edit:

  • In the left navigation pane of the ADSI Edit windows, navigate to the CN=Roles container.
  • In the main pane, select the CN=Administrator role and right-click it.
  • Select Properties from the context menu.
    The Properties window appears.
  • In the list with Attributes: scroll down to the member attribute.
  • Select the attribute and click the Edit button.\
  • The Multi-valued Distinguished Name With Security Principal Editor window appears.
  • In the Multi-valued Distinguished Name With Security Principal Editor window, click the Add DN… button.
    The Add Distinguished Name (DN) pop-up window appears.
  • In the field enter the distinguished name (DN) for the service account, like CN=SA_AADC,CN=users,DC=domain,DC=tld.
  • Click OK.
  • Click OK in the Multi-valued Distinguished Name With Security Principal Editor window to add the service account to the Administrators role and close the window.
  • Click OK to save the changes and close the Properties window.
  • Close ADSI Edit.

 

Concluding

Creating a service account in Active Directory Lightweight Directory Services (AD LDS) is slightly different than creating one in Active Directory Domain Services (AD DS), but the process is more or less the same, as are the tools to do so.

Now, you can specify the distinguished name of the service account in Azure AD Connect.

Posted on January 6, 2021 by Sander Berkouwer in Active Directory Lightweight Directory Services, Azure AD Connect

0  

HOWTO: Set the Retention Period for the Azure Log Analytics Workspace where you stream Azure AD logs to

When you stream Azure AD logs to an Azure Log Analytics workspace, you might just do it to get an alert to notify when an additional person is assigned the Azure AD Global Administrator role or when an Azure AD emergency access account is used. For these purposes, the default retention period for an Azure Log Analytics workspace suffices. However, you might want to change the retention period for the Azure Log Analytics workspace, when you want to perform analytics on a larger timeframe, when you want to limit your spend or when you want to adhere to privacy regulations.

In this blogpost, I’ll show you how to set the retention period for the Azure Log Analytics Workspace where you stream Azure AD logs to.

 

Assumptions

For the purpose of this blogpost, I’ll make the following assumptions:

  • You have an Azure Log Analytics workspace.
  • You know the Azure Log Analytics billing structure, and how spend is probably not an issue when your organization counts 300 persons or less.
  • Your Azure Log Analytics workspace is configured with the default 30-day retention period.

 

How to configure the Retention Period

Perform these actions to set the Retention Period for the Azure Log Analytics workspace:

  • Sign into the Azure Portal with an account that has Global administrator privileges and is assigned an Azure AD Premium license.
  • In the Azure portal, click All services. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics workspaces from the list.
  • Select the Azure Log Analytics workspace you want to set the Retention Period for.
    The Log Analytics workspace pane opens.
  • In the menu on the left of the pane, choose Usage and estimated costs.
  • At the top of the main pane, click Data Retention.
    The Data Retention blade opens.
  • Select an appropriate retention period using the slider, up to 730 days (2 years).
  • Click OK.
    The Data Retention blade closes.
  • Sign out of the Azure Portal and/or close the browser.

 

Concluding

Using Azure Log Analytics with optimal settings helps organization to gain visibility, reduce cost, ensure privacy and meet regulatory compliance. Data retention is a key setting. Set it wisely.

Further reading

Calculating your Azure Log Analytics bill when you stream your Azure AD logs to it
TODO: Stream additional logs from Azure AD for optimal visibility
Getting to know the devices that people in your organization use App Passwords on
HOWTO: Set an alert to notify when an additional person is assigned the Azure AD Global Administrator role
HOWTO: Set an alert to notify when an Azure AD emergency access account is used
Getting Started with Azure Monitor Workbooks for Azure Active Directory

Posted on January 5, 2021 by Sander Berkouwer in Azure Active Directory, Azure Log Analytics

0  

What's New in Azure Active Directory for December 2020

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for December 2020:

 

What’s New

Azure AD B2C Phone Sign-up and Sign-in using Built-in Policy Public Preview

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

B2C Phone Sign-up and Sign-in using Built-in Policy enable IT administrators and developers of organizations to allow their end-users to sign-in and sign-up using a phone number in user flows.

 

Security Defaults now enabled for all new tenants by default General Availability

Service category: Other
Product capability: Identity Security & Protection

To protect user accounts, all new Azure AD tenants created on or after November 12, 2020, will come with Security Defaults enabled. The Security Defaults feature enforces multiple policies including:

  • Requires all users and admins to register for MFA using the Microsoft Authenticator App
  • Requires critical admin roles to use MFA every single time they sign-in. All other users will be prompted for MFA whenever necessary.
  • Legacy authentication will be blocked tenant wide.

 

Entitlement Management available for tenants in Azure China cloud General Availability

Service category: User Access Management
Product capability: Entitlement Management

The capabilities of Entitlement Management are now available for all Azure AD tenants in the Azure China cloud.

 

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Admins can now automate creating, updating, and deleting user accounts for these newly integrated apps:

 

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In December 2020 Microsoft has added these 18 new applications in the Azure AD App gallery with Federation support:

 

What’s Changed

Support for groups with up to 250K members in Azure AD Connect General Availability

Service category: Azure AD Connect
Product capability: Identity Lifecycle Management

Microsoft has deployed a new endpoint (API) for Azure AD Connect that improves the performance of the synchronization service operations to Azure Active Directory. When the new V2 endpoint is used, admins experience noticeable performance gains on exports and imports to Azure AD. This new endpoint supports the following scenarios:

  • Syncing groups with up to 250k members
  • Performance gains on export and import to Azure AD

 

Navigate to Teams directly from My Access portal

Service category: User Access Management
Product capability: Entitlement Management

Users can now launch Teams directly from their My Access portal. To do so, they sign-in to My Access, navigate to Access packages, then go to the Active tab to see all access packages they already have access to. When they expand the access package and hover on a team in Teams, they can launch it by clicking on the Open button.

Posted on January 4, 2021 by Sander Berkouwer in Azure Active Directory, Azure AD Connect, What's New

0  

2020 Hindsight

2020

It’s that time of the year again. Businesses are finishing off 2020 and people start to reminisce of all the good, the bad and the ugly. This year, I’ll join the people who look back at another trip around our sun on our beautiful planet Earth.

Let’s look back!

January 2020

At work, I’m still amazed by the organizations that look for us for our expertise. Selling identity federation to a municipality, designing authentication for governmental dashboards, helping an organization say ‘No’ to Okta and creating the identity roadmap for the 4th bank in the country? Yes, please.

February 2020

Raymond and I were invited back to the Nordic Infrastructure Conference this year.

With Rolf and Aleksandar in the Speaker Room for Azure Saturday in Belgrade. Good company!

I also presented at the first Azure Saturday in Belgrade, on February 2020’s bonus day. Meanwhile the international flair for doing things reached our first French customer. Also, I learned it’s a luxury to be able to sell ‘No’.

March 2020

In recent years, March was the month I visited Microsoft in Redmond for the annual Global MVP Summit. Not this year… As we headed into a lockdown, we, as Europeans, were also banned from flying into the USA. No worries, as Microsoft turned the event around as a virtual event.

During the first weeks of our lockdown it was nice weather outside, so we tried not to think about Corona.

Not Corona. Desperados.

April 2020

My usual speaking engagements in the Balkans in April were all cancelled this year. Instead, we doubled down on creating value for our Dutch customers. I Implemented Hybrid Identity at a large law firm and implemented Veeam Backup for Office 365 for a public safety organization… all remote.

May 2020

Working From the Dining Table at Home. Putting my books to good use! ;-)

In May of 2020 we started a new service. Customers could now ask us for a Microsoft Cloud Security assessment. Oftentimes, the assessment was paid for by our local Microsoft subsidiary, making it virtually impossible for customers to say ‘No’. We’ve performed a lot of these assessment since May and have created a nice overview of common challenges in our region.

June 2020

With the lockdown slowly being lifted, I began visiting the customers that really couldn’t wait, but also couldn’t be helped remotely. I visited the other Dutch nuclear facility for some Active Directory security consulting, troubleshat AD FS problems at a large governmental organization, re-implemented Hybrid Identity at a health care provider and performed an Active Directory assessment for a hospital.

July and August 2020

In July, I started with a new remote customer. Not because we needed to, but because we could. I wrote their Hybrid Identity design after asking them what they wanted specifically during our typical workshops.

Supercharging our way to France

We also took our car and drove to the South of France. We needed a vacation and opted to join friends as they already had fun for a week at a local camp site. Going from supercharger to supercharger, we made it to the site in only 12 hours. Going back, we made stops at regular gas stations and experienced Ionity and FastNed services. Smooth sailing.

September 20202

I would be lying when I claimed COVID-19 didn’t take its toll on us. I’ve lost my father in law and in the process went into quarantine for two weeks to make sure we didn’t infect anybody else. Luckily, location doesn’t matter for my work.

Deji Akomolafe, Matt Liebowitz and I spent way too much time on our 60-minute session on virtualizing Active Directory the right way for VMworld 2020, but the result is breathtaking and something that stands out from other sessions. Doing Ask the Experts sessions at Microsoft Ignite was also rewarding and got me wanting for more.

Raymond, Huy and I at Mad Mick's BreakAway Cafe in Rotterdam, the Netherlands

In troubled times, I feel community is important. Raymond and I sat down with Huy, the new Enterprise Mobility MVP in our region. This way, we welcomed him into the MVP Community on one of the sparse days we were still allowed in pubs without masks.

October 2020

Luckily, October ushered in a new speaking season with sessions at the Hybrid Identity Protection Conference and Veeam Live. It’s nowhere near meeting your fellow speakers at these events, but the virtual speaker drinks made sure we caught up, at least.

November and December 2020

As Eastern Europe emerged from lockdown, I was invited to speak at the virtual NT Conference in Slovenia and at IT Pro|Dev Connections Greece. Meanwhile, I worked with remote customers; some big projects, like the one I started in August, others small 4-hour troubleshooting engagements. Enough to keep me on my toes and share experiences with you.

Goodbye 2020!

With one day left in 2020 (March 306th, 2020), I wish you all the best for 2021!

Posted on December 30, 2020 by Sander Berkouwer in Community, Personal

0