Pictures of WAZUG.nl Meetup 47

Yesterday, I presented on devices in the context of Azure Active Directory for the Dutch Azure User Group (WAZUG.nl) at Centric’s headquarters in Gouda, the Netherlands.

The Centric headquarters in Gouda (click for larger photo)
Title Slide 'Devices and Azure AD: Who, what, where?' (click for original screenshot)

After working hours, we gathered at the dinner buffet, consisting of Chinese food from Restaurant Hong Kong. Straight after I arrived, I hooked up my device and showed the title slide on both screens.

After this meal and a short introduction by Centric, it was my task to share my knowledge on the five ways you can join devices and servers to Azure Active Directory, the impact of the (default) device settings in the Azure Portal, Windows Hello for Business as the first step towards a password-less future and my recommended practices.

Presenting the Title slide (click for larger photo, by Carlo Schaeffer)
Providing some background (picture by Carlo Schaeffer)
Presenting for an audience (photo by Iwan Bel)

After a short break, Sebastiaan Brozius and Theo van Drimmelen from Solvinity presented on automatically deployed hybrid Dev/Test environments.

After that, we enjoyed drinks at the bar.

I had a lot of fun. Thumbs up 
Thank you!


Windows Server 2016’s April 2018 Quality Update brings three Active Directory Domain Services fixes

Windows Server 2016

Windows Server 2016’s April 2018 Cumulative Quality Update, bringing the OS version to 14393.2214, offers three fixes for issues you might be experiencing on Windows Server 2016-based Active Directory Domain Controllers.

 

About Windows Server 2016 Updates

Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016.  This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.

 

Active Directory Domain Services fixes

Authentication Policy Auditing Mode blocks NTLM

The first fix addresses an issue that blocks failed NTLM authentications instead of only logging them when using an authentication policy with audit mode turned on. Netlogon.log may show the following:

SamLogon: Transitive Network logon of <domain>\<user> from <machine2> (via <machine1>) Returns 0xC0000413

SamLogon: Transitive Network logon of <domain>\<user> from <machine2> (via <machine1>) Entered

NlpVerifyAllowedToAuthenticate: AuthzAccessCheck failed for A2ATo 0x5. This can be due to the lack of claims and compound support in NTLM
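To see how many users and pass-through servers are actually affected by this behaviour, the Netlogon.log entries quoted above can be parsed and grouped. The script below is an added example, not code from the original post: it reads Netlogon.log lines, keeps only the transitive network logons that returned 0xC0000413 (STATUS_AUTHENTICATION_FIREWALL_FAILED, the authentication policy denial), and groups them by user and forwarding server. The sample lines are constructed; their "MM/DD HH:MM:SS [LOGON] [pid] DOMAIN:" prefix is an assumption about the Netlogon.log layout, while the message text is the one quoted in the post.

```powershell
# Added example (not from the original post): triage Netlogon.log for transitive
# network logons that an audit-mode authentication policy rejected with 0xC0000413.
function Get-NetlogonA2AFailure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string]$LogLine,
        # STATUS_AUTHENTICATION_FIREWALL_FAILED: the authentication policy denied the logon
        [string]$Status = '0xC0000413'
    )
    begin {
        # Only the "Returns <status>" line carries a verdict; the "Entered" line does not.
        $pattern = 'SamLogon: Transitive Network logon of (?<User>\S+) from (?<Machine>\S+) \(via (?<Via>\S+)\) Returns (?<Status>0x[0-9A-Fa-f]+)'
    }
    process {
        if ($LogLine -match $pattern -and $Matches.Status -eq $Status) {
            [pscustomobject]@{
                User    = $Matches.User     # account whose NTLM logon was rejected
                Machine = $Matches.Machine  # workstation the logon originated from
                Via     = $Matches.Via      # server that forwarded the NTLM pass-through
                Status  = $Matches.Status
            }
        }
    }
}

# Constructed sample lines (prefix assumed); on a DC, pipe in
# Get-Content "$env:windir\debug\netlogon.log" instead.
$sample = @(
    '04/18 09:12:01 [LOGON] [1452] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\alice from WS01 (via APP01) Entered',
    '04/18 09:12:01 [LOGON] [1452] CONTOSO: NlpVerifyAllowedToAuthenticate: AuthzAccessCheck failed for A2ATo 0x5. This can be due to the lack of claims and compound support in NTLM',
    '04/18 09:12:01 [LOGON] [1452] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\alice from WS01 (via APP01) Returns 0xC0000413',
    '04/18 09:12:03 [LOGON] [1452] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\bob from WS02 (via APP01) Returns 0x0',
    '04/18 09:12:05 [LOGON] [1452] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\alice from WS01 (via APP02) Returns 0xC0000413'
)

$failures = $sample | Get-NetlogonA2AFailure
# Expected on the sample: two rejections for CONTOSO\alice (via APP01 and APP02), none for bob
$failures | Group-Object User, Via | Select-Object Count, Name | Format-Table -AutoSize
```

Netlogon debug logging has to be switched on (nltest /dbflag) for the log to exist at all. In audit mode the policy is supposed to produce log entries only, so on an affected 14393 build every 0xC0000413 row this returns is a logon that was really denied; the count per user and forwarding server is the measure of the impact before the update is applied.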

 

Restoring invalid backlink attribute logic

The second fix addresses an issue that prevents you from modifying or restoring Active Directory objects that have invalid backlink attributes populated in their class. The error you receive is:

Error 0x207D An attempt was made to modify an object to include an attribute that is not legal for its class.

 

Running the Administrative Center with PowerShell Transcripting enabled

The third fix addresses an issue that prevents the Active Directory Administrative Center (dsac.exe) from running on a client that has PowerShell Transcripting enabled. The following error appears:

Cannot connect to any domain. Refresh or try again when connection is available.

The PowerShell transcript feature is an effective way to log, audit and trace back malicious code run through PowerShell on Domain Controllers. System-wide PowerShell Transcripting can be enabled through Group Policy, Desired State Configuration and through the Start-Transcript PowerShell Cmdlet.
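As an added example that is not part of the original post, the script below turns on system-wide transcription through the same policy registry values that the "Turn on PowerShell Transcription" Group Policy setting writes, and reads them back for verification. The output path is a placeholder; it should point at a location where operators can write but not read back or delete transcripts, since transcripts capture everything typed into a session, including any secrets passed on a command line.

```powershell
# Added example (not from the original post): enable and verify system-wide
# PowerShell transcription via the policy registry key. Run elevated.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
$outputDir = '\\logcollector\pstranscripts$'   # placeholder: write-only share for operators

function Enable-PSTranscriptionPolicy {
    param([Parameter(Mandatory)][string]$OutputDirectory)
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # EnableTranscripting 1 = on; the invocation header stamps each command with its start time
    Set-ItemProperty -Path $policyKey -Name EnableTranscripting    -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name OutputDirectory        -Value $OutputDirectory -Type String
}

function Get-PSTranscriptionPolicy {
    # Returns $null when no policy is configured, otherwise the three effective values
    if (-not (Test-Path $policyKey)) { return $null }
    Get-ItemProperty -Path $policyKey |
        Select-Object EnableTranscripting, EnableInvocationHeader, OutputDirectory
}

Enable-PSTranscriptionPolicy -OutputDirectory $outputDir
Get-PSTranscriptionPolicy

# Per-session alternative for an interactive troubleshooting session on a Domain Controller:
# Start-Transcript -Path "$outputDir\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss).txt" -IncludeInvocationHeader
```

Group Policy and Desired State Configuration end up setting these same values, so this is also what to check when the setting appears not to take effect. Keep the interaction described above in mind: on Windows Server 2016 builds before 14393.2214, dsac.exe on a client with this policy enabled fails with the "Cannot connect to any domain" error, so apply KB4093120 before rolling transcription out to administrative workstations.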

 

Call to action

When you experience any one of these issues, you are invited to install Windows Server 2016’s April 2018 Cumulative Quality Update (KB4093120) on your Active Directory Domain Controllers to resolve them.

Known Issues

There are no known issues with this update, to date.


Azure AD Connect version 1.1.751.0 was released as a hotfix last week

Azure AD Connect Splash Screen

Last week, Microsoft released Azure AD Connect version 1.1.751.0. This release of Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments to Azure Active Directory is a HotFix release.

This means it is not offered to organizations running Azure AD Connect with the Automatic Upgrade functionality. Instead, it is available for download only.

 

What’s Fixed

Azure AD Sync

An issue was corrected where automatic Azure instance discovery for China tenants was occasionally failing.

AD FS Management

There was a problem in the configuration retry logic that would result in an ArgumentException stating:

an item with the same key has already been added.

This would cause all retry operations to fail.

 

Version information

This is version 1.1.751.0 of Azure AD Connect.
It was signed off on April 12, 2018.

 

Concluding

At first sight, making a version of Azure AD Connect available for download only would not make much sense. However, the two fixes apply to the initial configuration part of Azure AD Connect and, thus, do not affect organizations currently running Azure AD Connect without problems (after configuration).

Surely, these fixes flow into next versions of Azure AD Connect that will be made available for automatic upgrades. There’s no hurry, though.


Azure Multi-Factor Authentication Server 8.0.0.3 is here

Microsoft Azure Multi-Factor Authentication

When looking back, I realized we’ve been working with Microsoft’s on-premises Azure Multi-Factor Authentication (MFA) Server version 7.3.0.3 for a year. This week, Microsoft released a new version of its on-premises authentication security product: version 8.0.0.3.

 

What’s New

Registration experience improvements on mobile

Using MFA Server’s mobile portal, end-users may register the authenticator app on their mobile device using a QR-code. This experience has been improved.

Improved interaction with AD Sync

Azure MFA Server leverages MFA Providers in Azure Active Directory. Azure AD Connect offers synchronization of user objects (and, in some scenarios, password hashes) from Active Directory to Azure Active Directory. To allow both products to work optimally together, several changes have been made to MFA Server.

Support for TLS 1.2 for LDAP, User Portal to Web Service SDK, and SChannel replication

As MFA Server communicates to back-end systems and allows communication to its Web Service SDK, it’s imperative to allow the strongest available encryption for data in transit. MFA Server 8 now offers TLS 1.2 support for:

  • Communication from MFA Server to LDAP stores
  • Communication to MFA Server’s User Portal and Web Service SDK
  • Communication with Active Directory Domain Controllers

Compliance with General Data Protection Regulation

MFA Server is now in compliance with Europe’s General Data Protection Regulation (GDPR). The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union.

The proposed new EU data protection regime extends the scope of EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU. GDPR is implemented per EU country and has different names in some of them.

Accessibility improvements to User Portal, MFA Server management, and installation

To allow people with disabilities, like impairments, activity limitations, and participation restrictions, to use MFA Server, Microsoft has made several improvements to the User Portal, Management Console and Installation Wizard.

As Microsoft believes 25% of people live with disabilities, not limited to speech, hearing or eyesight but also including autism and ADHD, these improvements are welcome, even though they might break your current branding strategy.

Miscellaneous bug fixes and improvements

Several more bug fixes and improvements have been made to MFA Server 8.

 

Known Issues

Windows Authentication for Remote Desktop Services (RDS) is not supported for Windows Server 2012 R2.

 

Upgrade considerations

You must upgrade MFA Server and Web Service SDK before upgrading the User Portal, Mobile Portal or AD FS adapter.
Read the guidance in the How to Upgrade section in this blogpost for more information.

 

Download

You can download Azure Multi-Factor Authentication Server 8.0.0 here.
The download weighs 182.2 MB.

 

Version information

This is version 8.0.0 of Azure Multi-Factor Authentication Server.
It was signed off on April 10, 2018.


I’m speaking at WAZUG.nl 47

Speaking at User Groups (picture by Rick van den Bosch)

On Thursday evening April 19, 2018 I’ll deliver a 55-minute presentation for the Dutch Windows Azure User Group (WAZUG) on Azure Active Directory device management.

About WAZUG.nl

WAZUG logo (cloud only)
The Dutch Windows Azure User Group (WAZUG) was founded in 2010 by a group of enthusiasts to inform and inspire developers, architects and consultants for Microsoft’s cloud application platform: Azure.

WAZUG organizes events roughly every month. They invite speakers to talk about technology, but also about reference cases. It’s also an ideal way to meet like-minded people and network. Meetings, food and drinks are always free to attendees.

WAZUG, these days, is run by Iwan Bel, Erwyn van der Meer, Edward Bakker and Sjoerd van Roessel.

 

About WAZUG.nl 47

Meeting 47 is organized with the help of Centric, a Dutch IT services provider in terms of managed ICT services, IT solutions and software engineering. They invited us over at their headquarters in Gouda, the Netherlands.

In contrast to earlier WAZUG.nl meetings, WAZUG.nl 47 has an IT Pro focus.

The evening kicks off at 6PM with dinner. After a short welcoming ceremony, I’ll present for 55 minutes. After a short break, a second session is presented. After the second session, there’s room and time for drinks up until 9:15PM.

About my presentation

Between 6:35PM and 7:30PM, I’ll deliver a 55-minute session on Azure AD Devices:

Devices and Azure AD: who, what, where?

For a long time, device management within on-premises Active Directory was Microsoft’s strong point. Lately, Microsoft has been building out their possibilities in Azure Active Directory in terms of devices. Think about Single Sign-On (SSO), device join/registration and the ability to grant or deny access based on the device’s status and location.

In this session I’ll tell you everything there is to know about devices in Azure AD. I’ll discuss Azure AD Join, Conditional Access, Azure Multi-Factor Authentication, Azure Identity Protection and Windows Hello. Of course, I’ll share my recommended practices for all these technologies.

 

Join us!

Join us for free.
If you haven’t yet, sign up to the Dutch Windows Azure User Group using a Microsoft account, and then register for this WAZUG event.


Pictures of the 2018 Amsterdam Microsoft Tech Summit last week

Last Wednesday and Thursday, Microsoft organized a Tech Summit event in the Amsterdam RAI. I was invited as a booth expert and a speaker.

Even though this was one of the last Tech Summit events in a long row of events, my experience with the organization of the Tech Summit was top notch. It started on Tuesday already.

On Tuesday, Microsoft arranged for a speaker check-in between 4 PM and 6 PM. We were all invited to the speaker room, check out our rooms, the booth, the theater, discuss slides and pick up our badges and T-shirts.

The Tech Summit Billboard at Entrance C of the Amsterdam RAI (picture by Microsoft Netherlands)
Tech Summit flags marking the way to Entrance C (photo by Microsoft Netherlands)

Wednesday morning I arrived at the Amsterdam RAI at around 7:30 AM. It was a cloudy day. The perfect weather for an indoor event…

Smile and wave boys. Smile and wave.

I joined the other experts at the booth around 8 AM, until the keynote started at around 9:30 AM. By then, we had answered a handful of questions on Exchange, Azure Active Directory, Teams and Skype for Business already! I met with one of this blog’s biggest fans and spent most of my day at the Experts booth on Wednesday, before heading home at 7 PM.

Thursday morning, I arrived at 7 AM. This was the day I was to present a 60-minute session on GDPR (AVG) in terms of Microsoft 365 from 10:45 and 11:45. I studied the slides and demos Microsoft provided me. It was a really nice slide deck that began with explaining the background for GDPR, then to introduce Microsoft Compliance Manager, followed by explaining some of the more difficult moving parts of Microsoft 365, including Conditional Access, Azure AD Identity Protection, Azure Information Protection and Office 365 Advanced Threat Protection. Alas, the slide deck didn’t include eDiscovery, for which I apologized to the audience beforehand.

Accelerating your GDPR Compliance with Microsoft 365 (picture by Ralph Eckhard)
An almost full room for GDPR (picture by Censom)
Introducing Compliance Manager (picture by Daan Verheij)
Presenting on GDPR (picture by Tony Thijs)

Room Elicium 2 was packed with people, mostly technical people I recognized, although the session was advertised as a session for decision makers.

After a short break for lunch, I was scheduled for a second presentation. This time I was in for even more fun with one of my own favorite presentations in a nice informal setting: talking for 15 minutes on the silly stuff people do when it comes to AD FS and Hybrid Identity.

Title slide for the 'Four most common mistakes with AD FS and Hybrid Identity' theater session (shared by Anna Chu)
Presenting my experiences with AD FS and Hybrid Identity (picture by Jeffrey Vermeulen)
Quite a crowd for the theater session (picture by Michel de Rooij)

The feedback I received from the people that were actually able to follow the presentation in the busy expo area was overwhelmingly positive:

Thank you, John van Zetten!

It’s always nice to hear when people enjoyed learning things I present on.

After the session I joined Jeff Woolsey again at the Experts Booth, where we discussed GDPR and baselines with one of the Netherlands’ largest healthcare insurers. Another interesting question came from an organization that would currently create user administrator accounts in Azure AD for partner admins, so they could create user objects for their partner users to access the app. They figured this saved them a lot of money on user administration. Apparently, no-one had introduced them to Azure AD B2B, yet.

 

Thank you!

A big ‘Thank You!’ to all Microsoft Tech Summit attendees, sponsors, speakers and staff for making the past week such an enjoyable experience!

I had a lot of fun and I hope you did, too!


What’s New in Azure Active Directory for March 2018

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for March 2018:

 

What’s New

Twitter and GitHub identity providers in Azure AD B2C

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

You can now add Twitter or GitHub as an identity provider in Azure AD B2C. Twitter is moving from public preview to General Availability (GA). GitHub is being released in public preview.

 

Restrict browser access using Intune Managed Browser with Azure AD application-based conditional access for iOS and Android

Service category: Conditional Access
Product capability: Identity Security & Protection

The Intune Managed Browser SSO is now in preview. Employees can use single sign-on across native clients (like Microsoft Outlook) and the Intune Managed Browser for all Azure AD-connected apps.

Intune Managed Browser Conditional Access Support is now in preview. Admins can now require employees to use the Intune Managed browser using application-based conditional access policies.

 

App Proxy Cmdlets in Powershell GA Module

Service category: App Proxy
Product capability: Access Control

The Application Proxy PowerShell Cmdlets are now part of the generally available (GA) Azure Active Directory Powershell Module.

  

Office 365 native clients are supported by Seamless SSO using a non-interactive protocol

Service category: Authentications (Logins)
Product capability: User Authentication

People using Office 365 native clients get a silent sign-on experience using Seamless SSO. This support is provided by the addition of WS-Trust (a non-interactive protocol) to Azure Active Directory.

This applies to Office installation versions 16.0.8730.xxxx and above, so basically people in organizations using the targeted Semi-Annual Channel since January 17, 2018 or Monthly Channel releases of Office since March 13, 2018.

   

Users get a silent sign-on experience, with Seamless SSO, if an application sends sign-in requests to Azure AD’s tenanted endpoints

Service category: Authentications (Logins)
Product capability: User Authentication

People get a silent sign-on experience, with Seamless SSO, if an application (for example, https://contoso.sharepoint.com) sends sign-in requests to Azure AD’s tenanted endpoints – that is, https://login.microsoftonline.com/contoso.com/ or https://login.microsoftonline.com/<tenant_ID>/ – instead of Azure AD’s common endpoint (https://login.microsoftonline.com/common/).

 

Adding Optional Claims to your apps tokens (public preview)

Service category: Authentications (Logins)
Product capability: User Authentication

Your Azure AD app can now request custom or optional claims in JWTs or SAML tokens. These are claims about the user or tenant that are not included by default in the token, due to size or applicability constraints. This is currently in public preview for Azure AD apps on the v1.0 and v2.0 endpoints. See the documentation for information on what claims can be added and how to edit your application manifest to request them.

 

Azure AD supports PKCE for more secure OAuth flow

Service category: Authentications (Logins)
Product capability: User Authentication

Azure AD docs have been updated to note support for Proof Key for Code Exchange (PKCE) as described in RFC7636, which allows for more secure communication during the OAuth 2.0 Authorization Code grant flow. Both S256 and plaintext code_challenges are supported on the v1.0 and v2.0 endpoints.
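The two items above fit together in one client-side flow: the authorization request goes to a tenanted endpoint (so Seamless SSO can apply) and carries an S256 code_challenge (so an intercepted authorization code cannot be redeemed without the code_verifier). The script below is an added example, not code from the original post or from Microsoft’s libraries; the tenant, client id, redirect URI and scope are placeholders, and the S256 routine is checked against the RFC 7636 Appendix B test vector before use.

```powershell
# Added example (not from the original post): PKCE (RFC 7636, S256) for the OAuth 2.0
# Authorization Code flow against a tenanted Azure AD v2.0 authorize endpoint.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # RFC 7636 section 3: base64url without padding
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-PkceCodeVerifier {
    # 32 random bytes give 43 base64url characters, the minimum length RFC 7636 section 4.1 allows
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    ConvertTo-Base64Url -Bytes $bytes
}

function Get-PkceCodeChallenge {
    param([Parameter(Mandatory)][string]$Verifier)
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))  (RFC 7636 section 4.2)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { $hash = $sha.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($Verifier)) } finally { $sha.Dispose() }
    ConvertTo-Base64Url -Bytes $hash
}

function New-AzureAdAuthorizeUrl {
    param(
        [Parameter(Mandatory)][string]$Tenant,        # 'contoso.com' or the tenant GUID, not 'common'
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$RedirectUri,
        [Parameter(Mandatory)][string]$CodeChallenge,
        [string]$Scope = 'openid profile offline_access'
    )
    $params = @{
        client_id             = $ClientId
        response_type         = 'code'
        redirect_uri          = $RedirectUri
        scope                 = $Scope
        code_challenge        = $CodeChallenge
        code_challenge_method = 'S256'
        state                 = [guid]::NewGuid().ToString('N')   # binds the redirect to this request
    }
    $query = ($params.GetEnumerator() |
        ForEach-Object { '{0}={1}' -f $_.Key, [uri]::EscapeDataString([string]$_.Value) }) -join '&'
    "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/authorize?$query"
}

# Self-check against the RFC 7636 Appendix B vector before trusting the routine
$rfcVerifier  = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'
$rfcChallenge = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM'
if ((Get-PkceCodeChallenge -Verifier $rfcVerifier) -ne $rfcChallenge) {
    throw 'S256 code_challenge does not match RFC 7636 Appendix B'
}

$verifier  = New-PkceCodeVerifier               # stays in the client until the token request
$challenge = Get-PkceCodeChallenge -Verifier $verifier
New-AzureAdAuthorizeUrl -Tenant 'contoso.com' `
                        -ClientId '00000000-0000-0000-0000-000000000000' `
                        -RedirectUri 'https://localhost/callback' `
                        -CodeChallenge $challenge
```

The client later redeems the returned authorization code at the matching tenanted token endpoint and includes the stored $verifier as code_verifier; Azure AD recomputes the S256 challenge and rejects the exchange if it does not match. Prefer S256 over the plaintext method the docs also list, since a plaintext challenge exposes the verifier to anyone who can read the authorization request.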

 

New Federated Apps available in Azure AD App gallery

In March 2018, the Active Directory team added the following 15 new apps with Federation support to the Azure Active Directory App gallery:

 

PIM for Azure Resources is generally available (GA)

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

If you are using Azure AD Privileged Identity Management (PIM) for directory roles, you can now use PIM’s time-bound access and assignment capabilities for Azure Resource roles such as Subscriptions, Resource Groups, Virtual Machines, and any other resource supported by Azure Resource Manager. Enforce Multi-Factor Authentication when activating roles Just-In-Time, and schedule activations in coordination with approved change windows.

In addition, this release adds enhancements not available during public preview including an updated UI, approval workflows, and the ability to extend roles expiring soon and renew expired roles.

 

Support for provisioning all user attribute values available in the Workday Get_Workers API

Service category: App Provisioning
Product capability: 3rd Party Integration

The public preview of inbound provisioning from Workday to Active Directory and Azure AD now supports extracting and provisioning all attribute values available in the Workday Get_Workers API. This adds support for hundreds of additional standard and custom attributes beyond the ones shipped with the initial version of the Workday inbound provisioning connector.

  

Changing group membership from dynamic to static, and vice versa

Service category: Group Management
Product capability: Collaboration

It is now possible to change how membership is managed in a group. This is useful when you want to keep the same group name and ID in the system, so any existing references to the group are still valid; creating a new group would require updating those references. We’ve updated the Azure AD Admin center to add support for this functionality. Now, customers can convert existing groups from dynamic membership to assigned membership and vice-versa. The existing PowerShell Cmdlets are also still available.

What’s Changed

Improved sign-out behavior with Seamless SSO

Service category: Authentications (Logins)
Product capability: User Authentication

Previously, even if users explicitly signed out of an application secured by Azure AD, they would be automatically signed back in using Seamless SSO if they were trying to access an Azure AD application again within their corpnet from their domain joined devices. With this change, sign out is supported. This allows users to choose the same or different Azure AD account to sign back in with, instead of being automatically signed in using Seamless SSO.

   

Application Proxy Connector Version 1.5.402.0

Service category: App Proxy
Product capability: Identity Security & Protection

Application Proxy Connector Version 1.5.402.0 is gradually being rolled out. This new connector version includes the following changes:

  • The connector now sets domain level cookies instead of cookies on the sub-domain level. This ensures a smoother SSO experience and avoids redundant authentication prompts.
  • Support for chunked encoding requests
  • Improved connector health monitoring
  • Several bug fixes and stability improvements

   

What’s Fixed

Certificate expire notification

Service category: Enterprise Apps
Product capability: SSO

Azure Active Directory sends a notification when a certificate for a gallery or non-gallery application is about to expire.

Some organizations did not receive notifications for enterprise applications, configured for SAML-based single sign-on. This issue was resolved. Azure Active Directory sends notification for certificates expiring in 7, 30 and 60 days. You are able to see this event in the audit logs.


Active Directory Domain Controllers may not be in-place upgraded to Windows Server Insider Preview 17623

Last week, Microsoft introduced Windows Server Insider Preview version 17623, providing admins a preview on its upcoming Windows Server 2019 Long-term Servicing Channel (LTSC) release, scheduled for the second half of calendar year 2018.

While Microsoft strongly urges admins to validate the in-place upgrade functionality of Windows Server 2019 from Windows Server 2012 R2 and Windows Server 2016, one issue has already arisen in this area.

  

The issue

To paraphrase the Windows Server Insider Preview version 17623 release notes:

In‑place OS upgrade: Domain Controllers. During an in-place OS upgrade, Active Directory (AD) Domain Controllers (DC) might not be upgraded correctly. So, back up any AD DCs before performing an in-place OS upgrade.


I feel running a Windows Server Insider Preview build in a production environment to power your Active Directory Domain Controllers is only for a select few admins with a strong desire to feel alive again… and have left Microsoft support far behind them.

However, in test and acceptance environments, this issue is something that might prove a challenge. It’s nothing new, however, since in-place upgrading an Active Directory Domain Controller to Windows Server build 17093 might also fail.


Windows Server 2016’s March 2018 Quality Update brings two Active Directory Domain Services fixes

Windows Server 2016

Windows Server 2016’s March 2018 Cumulative Quality Update, bringing the OS version to 14393.2155, offers two fixes for issues you might be experiencing on Windows Server 2016-based Active Directory Domain Controllers.

 

About Windows Server 2016 Updates

Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016.  This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.

 

Active Directory Domain Services fixes

LSASS faults with exception code 0xc0000005, status code 255

The first fix addresses an issue where a Windows Server 2016 Domain Controller may periodically restart after a Local Security Authority Subsystem Service (LSASS) module faults with exception code 0xc0000005. This interrupts applications and services bound to the Domain Controller at that time.

The following events may be logged:

Application Error event ID 1000

The faulty module mentioned is NTDSATQ.dll with exception code 0xc0000005.

User32 event ID 1074

Microsoft-Windows-Wininit event ID 1015

Both these error events indicate that lsass.exe failed with status code 255.

 

AdminSDHolder trips over deleted members in protected groups

The second fix addresses an issue where the AdminSDHolder task fails to run when a protected group contains a member attribute that points to a deleted object.

Additionally, Event 1126 is logged that contains the following text:

Active Directory Domain Services was unable to establish a connection with the global catalog. Error value: 8430. The directory service encountered an internal failure. Internal ID: 320130e.

 

Call to action

When you experience any one of these issues, you are invited to install Windows Server 2016’s March 2018 Cumulative Quality Update (KB4088889) on your Active Directory Domain Controllers to resolve them.

Known Issues

There are no known issues with this update, to date.


Azure AD Connect version 1.1.750.0 is now available for download

Azure AD Connect

While Microsoft was steadily rolling out Azure AD Connect version 1.1.749.0 throughout the first half of March to organizations with automatically upgrading Azure AD Connect installations, an issue was discovered.

The issue was fixed in Azure AD Connect version 1.1.750.0 and put through the same rollout pace as version 1.1.749.0 to land at automatically upgrading organizations.

As promised, Microsoft has released Azure AD Connect version 1.1.750.0 for download, now that, apparently, all automatically upgrading Azure AD Connect installations at organizations have actually been upgraded.

 

What’s fixed

AutoUpgrade

The AutoUpgrade functionality was incorrectly disabled for some Azure AD tenants who deployed Azure AD Connect version 1.1.524.0, or up.

To ensure that your Azure AD Connect instance is still eligible for AutoUpgrade, run the following Windows PowerShell Cmdlet:

Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled

 

The Set-ADSyncAutoUpgrade Windows PowerShell Cmdlet would previously block AutoUpgrade if the auto-upgrade state was set to Suspended. This has been changed so it no longer blocks AutoUpgrade of future builds.

Taxonomy

The team changed the User Sign-in page option “Password Synchronization” to “Password Hash Synchronization”. Azure AD Connect synchronizes password hashes, not passwords, so this aligns with what is actually occurring.

 

Version information

This is version 1.1.750.0 of Azure AD Connect.
It was signed off on March 22, 2018.

 

Download information

You can download Azure AD Connect here.
The download weighs 80,7 MB.

 

Note

After the upgrade to Azure AD Connect version 1.1.750.0 completes, a Full Synchronization cycle is automatically triggered, followed by a full import for the Azure AD connector and a full sync for the AD connector. Since this may take some time, depending on the size of your Azure AD Connect environment, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.
