Use your F5 BIG-IP Appliance as Full-Fledged AD FS Web Application Proxy


With the release of version 13.1 of its BIG-IP software, F5 Networks enables its BIG-IP series appliances and BIG-IP Virtual Edition (VE) appliances to act as full-fledged Web Application Proxies for Windows Server 2012 R2 and/or Windows Server 2016-based Active Directory Federation Services (AD FS) servers, using MS-ADFSPIP.

About MS-ADFSPIP

The Microsoft Active Directory Federation Services and Proxy Integration Protocol (MS-ADFSPIP) integrates Active Directory Federation Services (AD FS) with an authentication and application proxy to enable access to services located inside the boundaries of the corporate network for clients that are located outside of that boundary.

Version 6.0 of the MS-ADFSPIP specification, published on December 1, 2017, documents the protocol in terms of transport, data types, messages, events, and the conceptual data organization. This way, it describes the intended functionality of the system and how the protocols in this system interact.

Using this documentation, any organization that would like to upgrade their appliances to full-fledged AD FS Web Application Proxies, can do so.

About F5 Networks’ BIG-IP

F5 Networks helps connect organizations to their customers and/or apps in a secure, always-on way. While F5 Networks offers a portfolio of products, including its BIG-IQ and Herculon products, its BIG-IP appliances are its best-known products, available as on-premises physical and virtual appliances, as well as cloud appliances.

BIG-IP appliances are port-based, multilayer switches that support virtual local area network (VLAN) technology. Their multilayer capabilities enable them to process traffic at other OSI layers: BIG-IPs can perform IP routing at Layer 3, as well as manage TCP, UDP, and other application traffic at Layers 4 through 7.

Version 13.1 of the BIG-IP software, released on December 19, 2017, adds support for MS-ADFSPIP to F5’s Access Policy Manager (APM), as announced by Microsoft and F5 Networks during Microsoft Ignite 2017 in Orlando, Florida.

Version 13.1 of the BIG-IP software can be used to transform the following F5 appliances to full-fledged Web Application Proxies:

  • BIG-IP 6900 FIPS, 6900-NEBS (D104)
  • BIG-IP 11000 (E101)
  • BIG-IP 11050, 11050 NEBS (E102)
  • BIG-IP 2000 Series (C112)
  • BIG-IP 4000 Series (C113)
  • BIG-IP 5000 Series (C109)
  • BIG-IP 7000 Series (D110)
  • BIG-IP 10050 Series (D112)
  • BIG-IP 10000 Series (D113)
  • BIG-IP 12000 Series (D111)
  • BIG-IP i2000 Series (C117)
  • BIG-IP i4000 Series (C115)
  • BIG-IP i5000 Series (C119)
  • BIG-IP i7000 Series (C118)
  • BIG-IP i10000 Series (C116)
  • VIPRION B2100 Blade (A109)
  • VIPRION B2150 Blade (A113)
  • VIPRION B2250 Blade (A112)
  • VIPRION B4300, B4340N Blade (A108, A110)
  • VIPRION B4450 Blade (A114)
  • VIPRION C2200 Chassis (D114)
  • VIPRION C2400 Chassis (F100)
  • VIPRION C4480, C4480N Chassis (J102, J103)
  • VIPRION C4800, C4800N Chassis (S100, S101)
  • Virtual Edition (VE) (Z100)
  • vCMP Guest (Z101)

Note:
Although F5 Networks’ Azure offerings still include version 13.0.x of the BIG-IP software, you may expect to see version 13.1.x-based offerings soon.

Concluding

If your organization utilizes F5 appliances on the network edge and also runs, or is contemplating, Windows Server-based Web Application Proxies, you might benefit from this new functionality. You might be able to do away with Windows Server installations on the perimeter network, with their cumbersome patching and backup procedures.

Since the MS-ADFSPIP documentation is open, any vendor is able to create and provide the software to transform their devices into full-fledged Web Application Proxies. I guess F5 Networks is merely the first in a line of many vendors that will do so.

Further reading

F5 BIG-IP Release Notes 13.1.0
[MS-ADFSPIP]: Active Directory Federation Services and Proxy Integration Protocol


What’s New in Azure Active Directory for December 2017


Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for December 2017:

 

What’s New

Review of Terms of use in the access panel

Service Category: Terms of Use
Product Capability: Governance/Compliance

End users now have the ability to go to access panel and view the terms of use that they have previously accepted.

 

Add configuration to require the TOU to be expanded prior to accepting.

Service Category: Terms of Use
Product Capability: Governance

Microsoft has now added an option for admins to require their end users to expand the terms of use prior to accepting the terms.

Select either on or off for Require users to expand the terms of use. If this is set to on, end users will be required to view the terms of use prior to accepting them.

 

New Azure AD sign-in experience

Service Category: Azure AD
Product Capability: User Authentication

As part of the journey to converge the Azure AD and Microsoft account identity systems, Microsoft has redesigned the UI on both systems so that they have a consistent look and feel. In addition, Microsoft has paginated the Azure AD sign-in page so that Microsoft collects the user name first, followed by the credential on a second screen.

 

Fewer login prompts: A new “Keep me signed in” experience for Azure AD login

Service Category: Azure AD
Product Capability: User Authentication

Microsoft has replaced the Keep me signed in checkbox on the Azure AD login page with a new prompt that shows up after the user successfully authenticates.

If a user responds Yes to this prompt, the service gives them a persistent refresh token. This is the same behavior as when the user checks the Keep me signed in checkbox in the old experience. For federated tenants, this prompt will show after the user successfully authenticates with the federated service.

 

Scoped activation for eligible role assignments

Service Category: Privileged Identity Management
Product Capability: Privileged Identity Management

Scoped activation allows you to activate eligible Azure resource role assignments with less autonomy than the original assignment defaults. Scoping your activation may reduce the possibility of executing unwanted changes to critical Azure resources.

 

New federated apps in Azure AD app gallery

Service Category: Enterprise Apps
Product Capability: 3rd Party Integration

In December 2017, Microsoft has added the following new apps in the App gallery with Federation support:

  • EFI Digital Storefront
  • Vodeclic
  • Accredible
  • FactSet
  • MobileIron Azure AD Integration
  • IMAGE WORKS
  • SAML SSO for Bitbucket by resolution GmbH
  • SAML SSO for Bamboo by resolution GmbH
  • Communifire
  • MOBI
  • Reflektive
  • CybSafe
  • WebHR
  • Zenegy Azure AD Integration
  • Adobe Experience Manager

 

What’s Changed

Pass-through Authentication – Skype for Business support

Service Category: Authentications (Logins)
Product Capability: User Authentication

Pass-through Authentication (PTA) now supports user sign-ins to Skype for Business client applications that support modern authentication, including Online and Hybrid topologies.

 

Approval workflows for Azure AD directory roles

Service Category: Privileged Identity Management
Product Capability: Privileged Identity Management

Approval workflow for Azure AD directory roles is generally available (GA).

With approval workflow, privileged role administrators can require eligible role members to request role activation before they can use the privileged role. Multiple users and groups may be delegated approval responsibilities. Eligible role members receive notifications when the approval is complete and their role is active.

 

Updates to Azure Active Directory Privileged Identity Management (PIM) for Azure RBAC (preview)

Service Category: Privileged Identity Management
Product Capability: Privileged Identity Management

With the Public Preview Refresh of Azure Active Directory Privileged Identity Management (PIM) for Azure RBAC, you can now:

  • Use Just Enough Administration (JEA)
  • Require approval to activate resource roles
  • Schedule a future activation of a role that requires approval for both AAD and Azure RBAC Roles

Using Azure AD Connect with a gMSA

Since version 1.1.443.0, you can use Azure AD Connect with a group Managed Service Account (gMSA) as its service account. I thought it was time to show you how to configure Azure AD Connect with a gMSA.

 

The problem with service accounts

We all use service accounts in our environments. These accounts allow us to run a service with the right amount of privileges. They also allow us to change the passwords of normal accounts, like the built-in Administrator account, without breaking anything, since those accounts are then not abused to run services.

However, there is also a downside to service accounts when you repurpose an Active Directory user object as a service account. Problems with this type of service account include:

  • Service account password changes are a nightmare and they tend to break stuff. Nonetheless, it is a best practice to change these passwords regularly.
  • Passwords for service accounts are stored in the registry as LSA secrets. Sure, they are encrypted, but anyone with SYSTEM privileges on the host (or a copy of its SYSTEM and SECURITY registry hives) can decrypt them.
  • The scope of service accounts is not easily set or monitored. Service accounts can often be used outside their intended scope, for instance to set up VPN connections or send mail through the (authenticated) SMTP gateway.
  • You can configure service accounts to not allow interactive logons and implement other information security measures, but in true Plan-Do-Check-Act fashion, you’ll also need to create reports that prove these settings still apply throughout the environment.

 

It’s a pain.

   

The problem with vSAs

Version 1.1.484.0, and above, of Azure AD Connect uses a virtual Service Account (vSA) by default, instead of a service account based on a user object in Active Directory Domain Services (AD DS), unless you install Azure AD Connect on a Domain Controller. While documentation is sparse on this feature, its aim is to get rid of a service account password that needs regular changing.

To this purpose, a virtual Service Account (vSA) is a local account to the Windows (Server) installation. It does not live in Active Directory Domain Services, but can best be seen as a subordinate to the Network Service on Windows 7 installations (and up) and Windows Server 2008 R2 installations (and up).

Problems with this type of service account include:

  • The scope of the virtual Service Account is limited to one Windows (Server) installation.
  • The name of the virtual Service Account needs to be identical to the name of the service. If your organization utilizes a strict naming convention, the virtual Service Account will not comply.
  • The virtual Service Account is part of the Windows (Server) installation and does not live in Active Directory Domain Services. When your organization requires you to centrally manage service accounts in Active Directory, the virtual Service Account will not comply.
  • The virtual Service Account inherits the same security context as the Network Service.

The benefit of using a virtual Service Account (vSA) instead of a service account based on a user object is therefore, typically, limited to not having a password that you need to change without breaking services: a vSA has no password of its own, and when it accesses the network it does so as the computer account, whose password is changed automatically every 30 days. In a worst case scenario, a sniffed or intercepted (and decoded) password or password hash can thus only be used for a limited amount of time.

 

The benefits of gMSAs

In Windows Server 2008 R2, Microsoft introduced the concept of a Managed Service Account (MSA), and improved on the concept by introducing the group Managed Service Account (gMSA) in Windows Server 2012.

When used in an Active Directory environment whose schema has been extended for Windows Server 2012, that has at least one Windows Server 2012 (or newer) Domain Controller and a KDS root key, and when managed using the Active Directory Domain Services Remote Server Administration Tools (AD DS RSAT) on at least Windows Server 2012 or Windows 8, gMSAs offer these benefits:

  • The gMSA object class (msDS-GroupManagedServiceAccount) is derived from the computer object class and lives in the Managed Service Accounts container under the domain root. Therefore:
  • It cannot be used to log on interactively
  • It cannot (easily) be delegated permissions to, or on
  • Additionally, because it acts like a computer object, its password is changed automatically every 30 days (by default). In a worst case scenario, a sniffed or intercepted (and decoded) password or password hash can only be used for a limited amount of time.
  • By default, gMSAs don’t apply to any hosts. You’ll have to explicitly grant a gMSA to a (group of) host(s), through its PrincipalsAllowedToRetrieveManagedPassword property, before you can configure it as the service account for a service on the host.
  • gMSAs have their own identity and Service Principal Names (SPNs) and support Kerberos Constrained Delegation (KCD). This means that when you rename the host on which you installed the gMSA, the service configured with the gMSA will remain operable without problems.

 

gMSAs with Azure AD Connect

Azure AD Connect’s Service Accounts

Azure AD Connect uses three service accounts:

  1. A local account on the Windows Server installation running Azure AD Connect, used to run the Microsoft Azure AD Sync service
  2. An account in the Azure Active Directory tenant
  3. One account per Active Directory Domain Services environment in scope for Azure AD Connect.

You can use a group Managed Service Account (gMSA) for the first account to run the service on the Windows Server(s) where you’ve installed and configured Azure AD Connect to synchronize objects and attributes between your on-premises Active Directory Domain Services (AD DS) environment(s) and your Azure Active Directory tenant.

This service account is not used to authenticate or communicate to Azure AD (2), and it is also not used to authenticate and communicate to the Active Directory Domain Services environment (3). Therefore, using Azure AD Connect with a gMSA is not the solution to the recent vulnerability that was fixed in Azure AD Connect version 1.1.654.0, and up.

Staging Mode

Azure AD Connect offers Staging Mode functionality, so its high-availability weaknesses are addressed somewhat. While the High Availability aspect of any Azure AD Connect implementation should be considered, Staging Mode is best suited for lifecycle management of Azure AD Connect, to cope with the other downsides in the way Microsoft releases and supports Azure AD Connect.

When you implement an additional Azure AD Connect installation in Staging Mode, you could technically reuse the group Managed Service Account (gMSA) you created for the active Azure AD Connect installation by adding the second host to its allowed principals, but create a separate service account instead. Following the recommended practice in this blogpost, this means one additional gMSA per additional Azure AD Connect installation.

 

(Optional) Migration steps

You can’t reconfigure an existing Azure AD Connect installation to use a gMSA. So, if you’re using Azure AD Connect currently with a repurposed user object as its service account, the proper way to change this is by:

  1. Implementing an additional Azure AD Connect installation in Staging Mode with the group Managed Service Account (gMSA) as its service account.
  2. Recreate any changes you’ve made to the rules and other configuration items. If you haven’t documented these, I recommend using the (free) Azure AD Connect Configuration Documenter to search for differences in the configuration between the two installations.
  3. Test to make sure that both Azure AD Connect installations perform the same operations in the metaverse when you make changes to objects in scope.
  4. Configure the active Azure AD Connect installation as an additional Staging Mode server and then configure the Staging Mode Azure AD Connect installation as the active Azure AD Connect server.

Optionally, you can check the Relying Party Trust (RPT) between your Active Directory Domain Services environment(s) and your Azure Active Directory tenant, using the Reset Azure AD and AD FS Trust option, and then the Verify AD FS Login option in the Azure AD Connect wizard. I recommend this step when there is a three month gap (or more) between the two Azure AD Connect installations used in the migration.

 

Implementation steps

To configure Azure AD Connect with a group Managed Service Account (gMSA) as its service account, perform these steps, right before you install and configure Azure AD Connect:

Note:
For this step, the Windows Server installation on which you want to install and configure Azure AD Connect needs to be set up and joined to the domain.

In Active Directory Domain Services

Using the Active Directory Domain Services Remote Server Administration Tools (AD DS RSAT) on at least Windows Server 2012 or Windows 8, create the service account for the Windows Server that will run Azure AD Connect, using the following PowerShell one-liners:

Import-Module ActiveDirectory

Add-KdsRootKey -EffectiveImmediately

New-ADServiceAccount -Name gMSA1 -Description "Service account for Azure AD Connect installation 2" -DNSHostName aadc2.domain.tld -PrincipalsAllowedToRetrieveManagedPassword AADC2$ -PassThru

The above lines of code are an example. Substitute gMSA1, domain.tld, AADC2 and the description with values that are appropriate to your environment and comply with any naming conventions for objects your organization might have. Add-KdsRootKey is needed only once per forest; run Get-KdsRootKey first to see whether a key already exists. Even with -EffectiveImmediately, it takes up to ten hours before the key has replicated to all Domain Controllers and Install-ADServiceAccount is guaranteed to succeed on every host.

On the Azure AD Connect server

On the Azure AD Connect Server, run the following PowerShell one-liner in an elevated PowerShell window:

Install-ADServiceAccount -Identity gMSA1
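The following PowerShell ties the AD DS and server-side steps together and adds the checks you’d want before opening the Azure AD Connect wizard. It is an added example, not code from the original post or from Microsoft: the names gMSA1, AADC2 and domain.tld are the post’s own placeholders, and the use of Get-KdsRootKey, Test-KdsRootKey, Get-ADServiceAccount and Test-ADServiceAccount for verification is an addition.

```powershell
# Added example (not from the original post): end-to-end gMSA provisioning for an
# Azure AD Connect server, with verification. Assumed names: gMSA 'gMSA1',
# server 'AADC2', domain 'domain.tld'. Substitute your own.

# ---- Part 1: run on a domain-joined admin host with the AD DS RSAT (Windows 8 / Server 2012 or newer)
Import-Module ActiveDirectory

$gmsaName  = 'gMSA1'
$hostName  = 'AADC2'
$dnsSuffix = 'domain.tld'

# The KDS root key is a one-time, per-forest prerequisite; only add it when none exists.
# Even with -EffectiveImmediately, allow ~10 hours for replication to all DCs in production.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}
$keyId = (Get-KdsRootKey | Select-Object -First 1).KeyId
if (-not (Test-KdsRootKey -KeyId $keyId)) {
    Write-Warning 'KDS root key is not yet usable on this DC; wait for replication before continuing.'
}

# Scope the gMSA to exactly one host: only that computer account may retrieve the managed password.
$hostAccount = Get-ADComputer -Identity $hostName
New-ADServiceAccount -Name $gmsaName `
    -Description "Service account for Azure AD Connect on $hostName" `
    -DNSHostName "$($hostName.ToLower()).$dnsSuffix" `
    -PrincipalsAllowedToRetrieveManagedPassword $hostAccount `
    -PassThru

# Verify the scoping and the rotation interval (30 days by default).
Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval' |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval'
# PrincipalsAllowedToRetrieveManagedPassword should list only CN=AADC2,CN=Computers,DC=domain,DC=tld

# ---- Part 2: run in an elevated PowerShell window on the Azure AD Connect server (AADC2),
# which needs the AD DS PowerShell module (RSAT) installed.
# Install-ADServiceAccount caches the gMSA on this host; Test-ADServiceAccount then proves that
# this host can actually retrieve the managed password. It returns $false when the computer
# account is not in PrincipalsAllowedToRetrieveManagedPassword or the KDS key has not replicated yet.
Install-ADServiceAccount -Identity 'gMSA1'
if (-not (Test-ADServiceAccount -Identity 'gMSA1')) {
    throw 'This host cannot retrieve the gMSA password; check PrincipalsAllowedToRetrieveManagedPassword and KDS replication.'
}
# In the Azure AD Connect wizard, enter DOMAIN\gMSA1$ (note the trailing $) and no password.
```

Run Part 1 before joining the gMSA to the server and Part 2 on the server itself; a failing Test-ADServiceAccount is the signal to stop and fix AD before starting the Azure AD Connect installer, because the wizard will otherwise fail at the service creation step with a far less helpful error.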

Then, start the installation of Azure AD Connect, by double-clicking the Azure AD Connect installer.

Welcome to Azure AD Connect

In the Welcome to Azure AD Connect screen, select the I agree to the license terms and privacy notice option and, then, click Continue.

Azure AD Connect - Express Settings

In the Express Settings screen, click Customize.

Azure AD Connect - Install required components - Use an existing service account

In the Install required components screen, select the Use an existing service account option. Then, select the Managed Service Account option.

For the SERVICE ACCOUNT NAME enter DOMAIN\gMSA1$, where you replace DOMAIN with the NetBIOS name of the Active Directory domain and gMSA1 with any other name you might have given your gMSA using the above PowerShell one-liners. Don’t forget the trailing $. You don’t have to enter a password, because this is a gMSA.

Now, configure the Azure AD Connect installation as you would normally. If you don’t want to configure a custom installation location, use an existing SQL Server or want to specify custom sync groups, press Install in the Install required components screen.

 

Concluding

Since version 1.1.443.0, you can use Azure AD Connect with a group Managed Service Account (gMSA) as its service account. With the recent vulnerability in the way Azure AD Connect creates its service account, it’s the best thing to do. We’ve been designing and implementing Azure AD Connect with gMSAs since version 1.1.443.0 to meet requirements to change the passwords for service accounts regularly.

gMSAs are the way forward for service accounts. Implement yours today.

Further reading

New features in AD DS in Windows Server 2012, Part 8: Group MSAs (gMSAs)
Applicability of Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs)
Azure AD Connect v1.1.443.0 is here
Azure AD Connect version 1.1.654.0 addresses a critical security vulnerability


Azure AD Connect version 1.1.654.0 addresses a critical security vulnerability

It feels like only a couple of months ago, but actually only half a year ago, Microsoft released a version of Azure AD Connect that fixed a critical security vulnerability related to password resets. Yesterday, Microsoft released a new version of Azure AD Connect that does the same thing, but actually in a different feature.

The vulnerability was reported to Microsoft by Preempt, who also disclosed information on the vulnerability on their own blog. Their information details stealthy privileged accounts, the adminCount attribute and the way Microsoft sets up the sync account in Active Directory Domain Services (AD DS) when you use Express Settings in Azure AD Connect.

Microsoft responded in three complementing ways:

  1. Microsoft issued a security advisory.
  2. Microsoft released a script to set the right attributes for the sync account.
  3. Microsoft released a new version of Azure AD Connect.

This way, organizations can secure their Hybrid Identity setup, and check if any damage has been done.

 

Escalation of Privilege vulnerability

The vulnerability in the way Azure AD Connect provisions a service account in Active Directory Domain Services (AD DS) finds its source in the fact that the account holds privileged rights but is not a member of a protected group. Consequently, the adminCount attribute isn’t set on the account and the account is not protected by the AdminSDHolder process. This process makes sure that sensitive accounts cannot be configured to have their password reset right delegated, among other sensitive operations. Without it, the account simply inherits the permissions delegated on its parent container, so anyone with a delegated password reset right there can reset the sync account’s password and use the account.

Typically, the adminCount attribute is set on accounts that become members of the Domain Admins and Enterprise Admins groups, but also of other protected groups like Account Operators and Print Operators.

 

Is your Hybrid Identity setup vulnerable?

Of course, the first question you might ask yourself is if your Hybrid Identity setup is vulnerable or not. To answer this question, we first have to look at the two different ways Azure AD Connect can be installed.

 

Express Settings and Custom Settings

Many customers have opted to install Azure AD Connect with Express Settings. This four-click setup has a couple of advantages to the more elaborate Custom Settings installation options:

[Table: Azure AD Connect Express Settings vs. Custom Settings, compared in terms of sign-in methods (Password Hash Sync, Active Directory Federation Services, Pass-through Authentication and Seamless Single Sign-On), installation options (like choosing a SQL Server, service account and alternative groups), Multi-Factor Authentication, Privileged Identity Management, filtering options (like domain-, OU- and group-based filtering and MinSync), and optional features like Hybrid Exchange, Public Folders, Self-Service Password Reset, write-back for Office 365 Groups and devices, and synchronization of your own Active Directory schema extensions.]

The fourth column depicts whether you can change the setting after initial installation and subsequent configuration runs. Your mileage may vary on the outcome, though.

As you can see, the Custom Settings installation option allows you to optionally reuse a (managed) service account. This option was added to Azure AD Connect version 1.1.443.0, back in March 2017.

In two scenarios, the vulnerability may exist in your organization’s Hybrid Identity setup:

  1. You’ve setup Azure AD Connect using the Express Settings installation option.
  2. You’ve setup Azure AD Connect using the Custom Settings installation option, but you have not opted to reuse a pre-created service account, managed service account (MSA) or group managed service account (gMSA).

 

How do I fix it?

In my experience, many setups are vulnerable. That’s OK, because there are two easy ways to fix it:

  • Install Azure AD Connect new, using version 1.1.654.0, or up.
    This scenario is particularly useful for organizations that have not yet gone to production with their Hybrid Identity setup, are still using DirSync, still using Azure AD Sync or are using a deprecated version of Azure AD Connect. Additionally, organizations that may want to benefit from the use of a (g)MSA for Azure AD Connect should choose this scenario, when they want to get rid of the service account, based on a normal user object.
  • Run the PowerShell script that Microsoft has made available.
    This scenario is useful for organizations that run Azure AD Connect, and are happy with their configuration and want nothing else to change, except for the vulnerability to disappear.

 

What does the PowerShell script do?

The PowerShell script tightens the permissions on the service account to remove the vulnerability. It:

  • Disables inheritance on the specified object
  • Removes all ACEs on the specified object, except ACEs specific to SELF, to keep the default permissions for SELF intact
  • Assigns the specific permissions the account needs

 

How do I run the script?

Since Microsoft has made the script available for download as a PowerShell module, it can be run easily using the following lines of PowerShell:

 

New-Item "C:\Program Files\WindowsPowerShell\Modules\ADSyncConfig" -Type Directory

Copy-Item "C:\Users\administrator\downloads\adsyncconfig.psm1" -Destination "C:\Program Files\WindowsPowerShell\Modules\ADSyncConfig\ADSyncConfig.psm1" -Force

New-ModuleManifest -Path "C:\Program Files\WindowsPowerShell\Modules\ADSyncConfig\ADSyncConfig.psd1" -RootModule ADSyncConfig.psm1

Import-Module ADSyncConfig

$credential = Get-Credential

Set-ADSyncRestrictedPermissions -ObjectDN "CN=AAD_eabcdefg123,CN=Users,DC=dirteam,DC=com" -Credential $credential

 

Assuming you downloaded the PowerShell module and stored it in the Downloads folder, you’d change the values for -ObjectDN (the distinguished name of the Active Directory account whose permissions need to be tightened) and -Credential (the credential used to authenticate to Active Directory, prompted for by Get-Credential; this is generally the Enterprise Admin credential used to create the account whose permissions need tightening) to values appropriate for your environment.

 

How do I check if the vulnerability has been misused?

Since the escalation of privilege vulnerability lies in the ability for an attacker to reset the password of the Azure AD Connect service account, checking if the vulnerability has been misused is as easy as checking the pwdLastSet attribute of the account: a timestamp later than the installation (or the last deliberate reset) is suspect.

Additionally, the Security event log on the Domain Controller that handled the reset contains the password reset event (event ID 4724, which names both the account that was reset and the account that performed the reset) in case you find an unexpected timestamp. Since the reset may have been performed against any Domain Controller, check the logs of all of them, or your central log collection.
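The following PowerShell performs those checks in one go: it verifies that the hardening has actually been applied to the account (inheritance blocked, no leftover password reset rights), reads pwdLastSet, and correlates it with event 4724 on a Domain Controller. It is an added example, not the original post’s code nor Microsoft’s script; the distinguished name is the post’s own example DN and the Domain Controller name DC01 is an assumption.

```powershell
# Added example (not from the original post or Microsoft's script): verify the hardening of the
# Azure AD Connect AD DS account and look for signs of misuse.
# Assumptions: the DN below is the post's example; DC01 is a placeholder Domain Controller name.
# Run with rights to read the object's ACL and the DC's Security log.
Import-Module ActiveDirectory

$accountDN = 'CN=AAD_eabcdefg123,CN=Users,DC=dirteam,DC=com'
$dcName    = 'DC01'

$acct = Get-ADObject -Identity $accountDN -Properties adminCount, pwdLastSet, sAMAccountName, whenCreated

# 1. Has the hardening script run? It disables inheritance, so the ACL must be protected.
$acl = Get-Acl -Path "AD:\$accountDN"
[pscustomobject]@{
    Account            = $acct.sAMAccountName
    InheritanceBlocked = $acl.AreAccessRulesProtected     # expect True after Set-ADSyncRestrictedPermissions
    AdminCount         = $acct.adminCount                  # normally empty: not in a protected group
    PasswordLastSet    = [DateTime]::FromFileTimeUtc($acct.pwdLastSet)
    Created            = $acct.whenCreated
}

# 2. Who can still reset this account's password or rewrite its ACL? After the fix, only SELF
#    and the explicitly assigned ACEs should remain. 'Reset Password' is the extended right
#    with the well-known GUID 00299570-246d-11d0-a768-00aa006e0529.
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$acl.Access |
    Where-Object {
        $_.ObjectType -eq $resetPasswordGuid -or
        $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited

# 3. Was the password reset by someone other than the installer? Security event 4724
#    ('An attempt was made to reset an account's password') carries the victim in
#    TargetUserName and the actor in SubjectUserName. pwdLastSet replicates, but 4724 is
#    logged only on the DC that handled the reset, so repeat this per DC (or use the SIEM).
$filter = @{ LogName = 'Security'; Id = 4724; StartTime = $acct.whenCreated }
Get-WinEvent -ComputerName $dcName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data.TargetUserName -eq $acct.sAMAccountName) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                ResetBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Target  = $data.TargetUserName
            }
        }
    }
```

Compare the PasswordLastSet value against the Created value and the date you ran the Azure AD Connect installer: any 4724 event for this account whose ResetBy is not the installing administrator, or any pwdLastSet without a matching deliberate action, warrants treating the Hybrid Identity setup as compromised.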

 

Call to Action

If you haven’t configured your Azure AD Connect installation(s) with group Managed Service Accounts (gMSAs), yet, this is a good time to install Azure AD Connect as a Staging Mode server, and then, after due diligence, making it the actively synchronizing Azure AD Connect server.

Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs) are the way forward for service accounts in Microsoft-based environments.


What’s New in Azure Active Directory for November 2017

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for November 2017:

 

What’s Planned

Retiring ACS

Service Category: ACS
Product Capability: Access Control Service

Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) will be retired in late 2018. Further information, including a detailed schedule and high-level migration guidance, will be provided in the next few weeks. In the meantime, Microsoft invites questions regarding ACS in the comments on its release notes page.

 

Restrict browser access to the Intune managed browser

Service Category: Conditional Access
Product Capability: Identity Security & Protection

With this behavior, you will be able to restrict browser access to Office 365 and other Azure AD-connected cloud apps using the Intune Managed Browser as an approved app. Today, access is blocked when using this condition. When the preview of this behavior is available, all access will require the use of the managed browser application.

 

New approved client apps for Azure AD app-based conditional access

Service Category: Conditional Access
Product Capability: Identity Security & Protection

The following apps are planned to be added to the list of approved client apps:

 

What’s New

Terms of Use support for multiple languages

Service Category: Terms of Use (ToU)
Product Capability: Governance/Compliance

Administrators can now create new terms of use (ToU) that contains multiple Portable Document Format (PDF) documents. You can tag these documents with a corresponding language. Users that fall in scope are shown the PDF with the matching language based on their preferences. If there is no match, the default language is shown.

 

Real-time password write-back client status

Service Category: Self-service Password Reset (SSPR)
Product Capability: User Authentication

You can now review the status of your on-premises password write-back client. This option is available in the On-premises integration section of the Password reset blade in the Azure Portal.

 

Azure AD app-based conditional access

Service Category: Azure AD
Product Capability: Identity Security & Protection

You can now restrict access to Office 365 and other Azure AD-connected cloud apps to approved client apps that support Intune App Protection policies using Azure AD app-based conditional access. Intune app protection policies are used to configure and protect company data on these client applications.

By combining app-based with device-based conditional access policies, you have the flexibility to protect data for personal and company devices.

 

Managing Azure AD devices in the Azure portal

Service Category: Device Registration and Management
Product Capability: Identity Security & Protection

You can now find all your devices connected to Azure AD and the device-related activities in one place. There is a new administration experience to manage all your device identities and settings in the Azure portal.

 

Support for macOS as device platform for Azure AD conditional access

Service Category: Conditional Access
Product Capability: Identity Security & Protection

You can now include (or exclude) macOS as device platform condition in your Azure AD conditional access policy. With the addition of macOS to the supported device platforms, you can:

  • Enroll and manage macOS devices using Intune
  • Ensure macOS devices adhere to your organization’s compliance policies defined in Intune
  • Restrict access to applications in Azure AD to only compliant macOS devices

 

NPS Extension for Azure MFA

Service Category: MFA
Product Capability: User Authentication

The Network Policy Server (NPS) extension for Azure MFA adds cloud-based MFA capabilities to your authentication infrastructure using your existing servers. With the NPS extension, you can add phone call, text message, or phone app verification to your existing authentication flow without having to install, configure, and maintain new servers.

 

Restore or permanently remove deleted users

Service Category: User Management
Product Capability: Directory

In the Azure AD admin center, you can now:

  • Restore a deleted user
  • Permanently delete a user

You are no longer required to use PowerShell for this purpose.

 

What’s Changed

New approved client apps for Azure AD app-based conditional access

Service Category: Conditional Access
Product Capability: Identity Security & Protection

The following apps have been added to the list of approved client apps:

  • Microsoft Planner
  • Microsoft Azure Information Protection

 

Ability to ‘OR’ between controls in a conditional access policy

Service Category: Conditional Access
Product Capability: Identity Security & Protection

The ability to ‘OR’ (Require one of the selected controls) conditional access controls has been released. This feature enables you to create policies with an OR between access controls. For example, you can use this feature to create a policy that requires a user to sign in using multi-factor authentication OR to be on a compliant device.

 

Aggregation of real-time risk events

Service Category: Identity Protection
Product Capability: Identity Security & Protection

To improve your administration experience in Azure AD Identity Protection, all real-time risk events that originated from the same IP address on a given day are now aggregated per risk event type. This change limits the volume of risk events shown without any change to user security.

The underlying real-time detection still runs on every sign-in. If you have a sign-in risk policy set up to require MFA or to block access, it is still triggered during each risky sign-in.


I’m co-presenting a webinar on tracking changes in Hybrid Identity environments

Next week, on Wednesday November 29, 2017 I’m co-presenting a webinar on tracking changes in Hybrid Identity environments, based on Active Directory Domain Services (AD DS) and Azure AD. The session is sponsored by Netwrix, who I think have a stellar solution for tackling this challenge.

This expert webinar is scheduled for a convenient time for my American friends, at 2PM. A webinar for Europe and Africa is slated for early next year.

 

About Netwrix

Netwrix is a private IT security software company, which offers IT auditing solutions for systems and applications across your IT infrastructure. Netwrix specializes in change, configuration and access auditing software with its Netwrix Auditor solution. Netwrix is a partner of Microsoft, VMware, EMC, NetApp and HP ArcSight.

If you’ve worked in highly-secure highly-regulated IT environments, you’re probably familiar with the Netwrix brand, because their Active Directory auditing solution is one of the best out there.

 

About the webinar

For many organizations, Active Directory is the cornerstone of their network infrastructure. However, as cloud adoption among businesses increases, IT teams are faced with more and more security challenges in these hybrid environments. It’s a daunting struggle to manage both Active Directory and Azure AD, let alone ensure the security of such deployments. How can you monitor critical changes? Or comply with the certifications your organization needs?

In this webinar, you’ll learn how you can monitor privileged account activity, stay on top of critical changes and a slew of security threats in hybrid environments with Netwrix Auditor. You will get an abundance of ready-to-go recommended practices, so you’ll be able to start with Netwrix Auditor 9.5 the right way, immediately.

I’m co-presenting the webinar with Jeff Melnick, systems engineer at Netwrix. This way, you get the best practices from the field and expert analysis tips, directly from the guys who build the Netwrix Auditor product.

 

Join me!

The webinar is offered free of charge.
You only need to register in advance to become part of the fun!

Of course, if you can’t make November 29, 2PM EDT, you can also register for viewing the webinar on-demand, after we’ve finished up.


Pictures of the Hybrid Identity Protection Conference 2017 in New York

Last week, I spent a long weekend in New York, NY for the inaugural Hybrid Identity Protection Conference.

Welcome to Paris

I flew in on Saturday November 4 via Paris, where I boarded an Air France Boeing 777 whose seats were, at best, 30% filled. There was ample space and I enjoyed working on a couple of designs and other documents during the 8-hour flight in. Unfortunately, I landed late and, therefore, had some trouble getting from JFK to Manhattan. By the time I arrived at the Holiday Inn, it was around midnight (6AM European time).

The next day, Roelf Zomerman and I went on a tour of the Statue of Liberty and Ellis Island. We went for a quick breakfast and then off to Battery Park, where we met our guide.

Photos: The Statue of Liberty; Ellis Island, where between 1890 and 1924 5000 people per day passed through to become US citizens; Manhattan; with Roelf at the Statue tour; the Oculus, old buildings and skyscrapers, just another day in New York.

Afterwards, we met up with Tomasz Onyszko, strolled through the city to Greenwich Village and had pizza at John’s of Bleecker Street.

Photos: One World Trade Center; with Tomasz and Roelf at John’s of Bleecker.

On Monday, the inaugural Hybrid Identity Protection Conference kicked off at 7 World Trade Center.

Photos: Breakfast at the WTC; A Bit of Kerberos (photo by Roelf Zomerman).

On Monday night, we all had drinks at the Roaring Twenties-inspired Wooley at the Woolworth Building, where we snapped a picture of all the speakers, much to the amusement of the attendees present.

Photo: Speakers at the Wooley (from social media).

Tuesday marked Day 2, and Roelf and I had a lot of fun explaining Azure AD Connect and its many facets during the 135 minutes we ended up with by combining our two sessions into a back-to-back, two-fold exposé of our favourite tool.

Photos: Roelf pointing out the rules; Roelf being recorded.

After our sessions, I had to go check out and leave New York, to get back to the Netherlands in time to deliver yet another presentation, but not before I said goodbye to all my good DSMVP friends.

I owe a big bag of gratitude to Mickey, Guy, Sean, Darren, Gil, Brian, Christoffer, Henrik, John, Tomasz, Michael, Joe and especially Roelf and the Hybrid Identity Protection Conference attendees for making this my favourite conference next to the MVP Summit.

Let’s do this again sometime soon!


I’m co-presenting at the KNVI Congress

The Dutch Professional Association of Information and IT Professionals (KNVI) organizes its yearly congress next week. I’m honored to be invited to co-present two sessions, together with my buddy Raymond Comvalius.

  

About KNVI

The Dutch Professional Association of Information and IT Professionals (KNVI) is an independent platform for sharing professional knowledge and expanding the personal networks of ICT Pros, information professionals, students and employers who want to keep their employees up to date.

KNVI organizes multiple meetings per month, publishes AG Connect both online and in print, and offers discounts to its members.

KNVI is a merged organization of several professional associations, including the Dutch Networking User Group (Ngi-NGN) and the Dutch Association for Documentary Information and Organization Administration (SOD).

About KNVI Congress

The KNVI Congress is KNVI’s largest event, organized yearly. The 2017 KNVI Congress is organized on November 9th, 2017 at the NBC Congrescentrum in Nieuwegein, Netherlands. This year’s theme is Information is Power.

This year’s event features keynotes by René ten Bos, appointed Dutch Thinker, Professor Rik Maes and Marietje Schaake, member of the European Parliament.

 

Our sessions

Raymond and I will present two 40-minute sessions:

Automatic D, T and A environments and Continuous Integration with Veeam and Microsoft

11:30AM – 12:10PM, Track 5: The New Datacenter, will it empower us?

Microsoft Azure changes daily. We can expect a new version of Windows Server every six months. Although Microsoft offers a wide bandwidth of supported versions, organizations expect their admins to keep up and stay within the bandwidth.

The only way we see admins keeping up is by testing changes and formally accepting these changes in representative test and acceptance environments. Raymond and I show the attendees how to achieve this cost-effectively and safely. We’ll also share our best practices, based on our experiences with Veeam and Microsoft technologies and products, to enable their organizations to take a couple of steps forward.

How to Migrate off your on-premises environments

2:15PM – 2:55PM, Track 8: The Power of Cloud

The continuing waves in the sea of IT push us towards the cloud, today. Yesterday’s wave of virtualization and last decade’s waves of VDI and centralization might have left you wary of any new projects. But today’s news is really something and we’d like you to pay attention, because it’s easily digestible with last decade’s experience under your belt.

Raymond and I show you how to embrace the new possibilities of the cloud and potentially get rid of the square footage, cooling needs, firewalls and even your Domain Controllers. Dive into the full stack of Microsoft cloud possibilities and impossibilities with us.

  

Join KNVI!

It’s not too late to join KNVI (in Dutch).
This is a prerequisite to being able to attend the KNVI Congress.

Subscriptions to KNVI for students are free. Subscriptions for individuals start at EUR 97,50 per year for members aged 27 and below and EUR 99,99 for retirees. Other individual subscriptions set you back EUR 165 per year. Organizational subscriptions are available upon request.


What’s New in Azure Active Directory for October 2017

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for October 2017:

 

What’s Planned

Deprecating Azure AD reports

Service Category: Reporting
Product Capability: Identity Lifecycle Management

The Azure portal provides you with:

  • A new Azure Active Directory administration console
  • New APIs for activity and security reports

Due to these new capabilities, the report APIs under the /reports endpoint will be retired on December 10, 2017.

  

What’s New

New Multi-Factor Authentication features

Service Category: Multi-Factor Authentication (MFA)
Product Capability: Identity Security & Protection

Multi-factor authentication (MFA) is an essential part of protecting your organization. To make credentials more adaptive and the experience more seamless, the following features have been added:

  • Integration of multi-factor challenge results directly into the Azure AD sign-in report, including programmatic access to MFA results
  • Deeper integration of the MFA configuration into the Azure AD configuration experience in the Azure portal

With this public preview, MFA management and reporting are an integrated part of the core Azure AD configuration experience. Aggregating both features enables you to manage the MFA management portal functionality within the Azure AD experience.

Terms of use

Type: New feature
Service Category: Terms of Use (ToU)
Product Capability: Governance

Azure AD terms of use provide you with a simple method to present information to end users. This ensures that users see relevant disclaimers for legal or compliance requirements.

You can use Azure AD terms of use in the following scenarios:

  • General terms of use for all users in your organization.
  • Specific terms of use based on a user’s attributes (e.g. doctors vs. nurses, or domestic vs. international employees, implemented with dynamic groups).
  • Specific terms of use for accessing high business impact apps, like Salesforce.

 

Enhancements to privileged identity management

Service Category: PIM
Product Capability: Privileged Identity Management

With Azure Active Directory Privileged Identity Management (PIM), you can now manage, control, and monitor access to Azure Resources (Preview) within your organization to:

  • Subscriptions
  • Resource groups
  • Virtual machines

All resources within the Azure portal that leverage the Azure Role Based Access Control (RBAC) functionality can take advantage of all the security and lifecycle management capabilities Azure AD PIM has to offer.

Access reviews

Type: New feature
Service Category: Access Reviews
Product Capability: Governance

Access reviews (preview) enable organizations to efficiently manage group memberships and access to enterprise applications:

  • You can recertify guest user access using access reviews of their access to applications and memberships of groups. The insights provided by the access reviews enable reviewers to efficiently decide whether guests should have continued access.
  • You can recertify employees’ access to applications and group memberships with access reviews.

You can collect the access review controls into programs relevant for your organization to track reviews for compliance or risk-sensitive applications.

Hiding third-party applications from My Apps and the Office 365 launcher

Service Category: My Apps
Product Capability: Single Sign-On

You can now better manage the apps that show up on your user portals through a new hide app property. Hiding apps helps in cases where app tiles show up for backend services, or where duplicate tiles clutter users’ app launchers. The toggle is located in the properties section of the third-party app and is labeled Visible to user? You can also hide an app programmatically through PowerShell.
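The PowerShell route mentioned above, as an added example that is not part of the release notes: the portal toggle corresponds to the `HideApp` tag on the app’s service principal, set here with the AzureAD module; the object ID is a placeholder.

```powershell
# Added example (not from the release notes): hide an enterprise app tile
# from My Apps and the Office 365 launcher with the AzureAD PowerShell module.
Connect-AzureAD

# Placeholder: replace with the object ID of the third-party app's service principal.
$objectId = '00000000-0000-0000-0000-000000000000'

$sp = Get-AzureADServicePrincipal -ObjectId $objectId

# The "Visible to user?" toggle maps to the 'HideApp' tag on the service principal.
# Append the tag only when it is absent, so the script is safe to rerun.
$tags = @($sp.Tags)
if ($tags -notcontains 'HideApp') {
    $tags += 'HideApp'
    Set-AzureADServicePrincipal -ObjectId $objectId -Tags $tags
}

# Verify: returns True once the tile is hidden from end users.
(Get-AzureADServicePrincipal -ObjectId $objectId).Tags -contains 'HideApp'
```

To make the app visible again, remove `'HideApp'` from the tag list and write it back with the same `Set-AzureADServicePrincipal` call.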

What’s Changed

Automatic sign-in field detection

Service Category: My Apps
Product Capability: Single Sign-On (SSO)

Azure Active Directory supports automatic sign-in field detection for applications that render an HTML username and password field. These steps are documented in How to automatically capture sign-in fields for an application. You can find this capability by adding a Non-Gallery application on the Enterprise Applications page in the Azure portal. Additionally, you can configure the Single Sign-on mode on this new application to Password-based Single Sign-on, entering a web URL, and then saving the page.

Due to a service issue, this functionality was temporarily disabled for a period of time. The issue has been resolved and the automatic sign-in field detection is available again.


I’m speaking at the Hybrid Identity Protection Conference in New York

Next week, I’m joining many of my technical friends at the Hybrid Identity Protection Conference in New York, NY.

For those who attended The Experts Conference (TEC) and NetPro’s Directory Experts Conference (DEC) events previously, the Hybrid Identity Protection Conference promises to be at least as much fun as these events, where you’ve seen the likes of Gil Kirkpatrick, Sean Deuby, Darren Mar-Elia, Brian Desmond, Joe Kaplan and Jorge de Almeida Pinto.

 


About the Hybrid Identity Protection Conference

The Hybrid Identity Protection Conference is Semperis Inc.’s event in the spirit of The Expert Conference (TEC) to bring together the leading experts in the field of Identity and Access Management. The event offers a unique opportunity to spend two days on-site in New York with peers, whose day-to-day job is to architect, manage, and protect identity management in the hybrid enterprise.

Attendees are able to meet face-to-face with the leading experts of their field, acquire in-depth technical knowledge, and be exposed to the latest innovation.

The 2017 Hybrid Identity Protection Conference takes place on November 6th and November 7th at the famous 7 World Trade Center in New York City’s Tribeca neighborhood, just minutes’ walk from famous landmarks, attractions, museums and restaurants in Manhattan, and with astounding views of the New York skyline.

 

About my presentations

I’m delivering three presentations at the inaugural Hybrid Identity Protection Conference. With pride, I’m co-presenting two of my presentations with Roelf Zomerman, the only Dutch Active Directory Microsoft Certified Master (MCM):

Virtualizing Domain Controllers in Hyper-V and Azure

Monday November 6th 2017 3:40PM – 4:40PM

Active Directory Domain Controllers hold the keys to your kingdom. So how do you virtualize these castles of identity, without compromising on the requirements of your organization?

In this session I share my best practices from the field for hardening, backing up, restoring and managing virtualized Domain Controllers on Hyper-V, on Azure Stack and in Azure Infrastructure-as-a-Service VMs. The information is based on the latest features of Azure and Windows Server 2016, such as Shielded VMs, but I will also show how the functionality of Windows Server 2012 and Windows Server 2012 R2 already allows for risk mitigation and availability, so you don’t have to upgrade everything immediately if you can’t.

Azure AD Connect, The Dutch Connection

Tuesday November 7th 10AM – 11AM

With businesses adopting more cloud, how do you cope with the new identity challenges? How do you properly design and implement Hybrid Identity in real-world scenarios?

In this first of two demo-packed sessions, two Dutchmen, Sander Berkouwer (Microsoft MVP) and Roelf Zomerman (Microsoft Cloud Solution Architect), explain the ins and outs of Azure AD Connect, Microsoft’s free Hybrid Identity “bridge” product.

Learn about the history of Azure AD Connect and why and what it does. See authentication scenarios supported by Azure AD Connect and how Azure AD Connect brings your colleagues and their devices to the cloud. You’ll receive useful tips and tricks to apply in your organization.

Azure AD Connect, The World is not Enough

Tuesday November 7th 11:30AM – 12:45AM

Join Roelf Zomerman (Microsoft Cloud Solution Architect) and Sander Berkouwer (Microsoft MVP) for the second session in their Azure AD Connect series, where they open the door to the world behind complex Hybrid Identity architectures. (And to people who didn’t attend the first session, of course.)

Just as the Dutch explored the world, they explore the world of complex identity scenarios in multi-forest environments and alternate ImmutableID situations. Find out where errors come from and how to resolve them as we sail through the inner workings of the Azure AD Connect tool.

We’ll share the things you didn’t think were possible with Azure AD Connect, and dive deep into the tools. Are you looking to handle multi-forest scenarios, change the immutable ID or juggle Azure AD Connect’s synchronization rules to cope with increasing business requirements, without losing your Microsoft support? This is your go-to session!

 

Join us!

There is still time to register.

For me, with the Global MVP Summit moved from the November timeframe to March, this is the opportunity to hang out with these guys and I’m looking forward to it!
