What’s New in Azure Active Directory for November 2018

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new and changed functionality for Azure Active Directory for November 2018:

    

What’s New

Azure AD Cloud Device Administrator role (Public preview)

Service category: Device Registration and Management
Product capability: Access control

Administrators can assign users to the new Cloud Device Administrator role to perform cloud device administrator tasks. Users assigned the Cloud Device Administrator role can enable, disable, and delete devices in Azure AD, and can read Windows 10 BitLocker keys (if present) in the Azure portal.

     

Manage devices using the new activity timestamp in Azure AD (Public preview)

Service category: Device Registration and Management
Product capability: Device Lifecycle Management

The Azure AD team realizes that over time administrators must refresh and retire their organizations’ devices in Azure AD to avoid having stale devices hanging around in the environment. To help with this process, Azure AD now updates your devices with a new activity timestamp, the approximateLastLogonTimestamp, helping you to manage your device lifecycle.
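The following is an added example, not code from Microsoft's release notes or from this blog: a staged stale-device review built on the activity timestamp described above. The 90/180-day thresholds, the sample devices and the function name `Get-StaleDeviceReport` are assumptions; on a live tenant the input objects would come from `Get-AzureADDevice -All:$true` in the AzureAD module.

```powershell
# Added example: classify Azure AD devices by their activity timestamp.
# Thresholds are assumed policy values, not Microsoft defaults.
function Get-StaleDeviceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Device,
        [int] $DisableAfterDays = 90,
        [int] $DeleteAfterDays  = 180,
        [datetime] $Now = (Get-Date)
    )
    if ($DeleteAfterDays -le $DisableAfterDays) {
        throw 'DeleteAfterDays must be greater than DisableAfterDays.'
    }
    foreach ($d in $Device) {
        $stamp = $d.ApproximateLastLogonTimeStamp
        if ($null -eq $stamp) {
            # No recorded activity: do not guess, hand the device to a person.
            $age = $null
            $action = 'Review'
        }
        else {
            $age = [int][math]::Floor(($Now - [datetime]$stamp).TotalDays)
            if ($age -lt $DisableAfterDays)    { $action = 'Keep' }
            # Staged clean-up: an enabled device is only ever disabled first.
            # Deleting the device object is irreversible and removes any
            # BitLocker recovery key stored on it.
            elseif ($d.AccountEnabled)         { $action = 'Disable' }
            elseif ($age -ge $DeleteAfterDays) { $action = 'Delete' }
            else                               { $action = 'Hold' }
        }
        [pscustomobject]@{
            DisplayName  = $d.DisplayName
            Enabled      = $d.AccountEnabled
            LastActivity = $stamp
            AgeDays      = $age
            Action       = $action
        }
    }
}

# Constructed sample devices (not real tenant data).
$now = [datetime]'2018-12-01'
$sample = @(
    [pscustomobject]@{ DisplayName = 'LAPTOP-ACTIVE'; AccountEnabled = $true
                       ApproximateLastLogonTimeStamp = [datetime]'2018-11-20' }
    [pscustomobject]@{ DisplayName = 'LAPTOP-IDLE'; AccountEnabled = $true
                       ApproximateLastLogonTimeStamp = [datetime]'2018-07-01' }
    [pscustomobject]@{ DisplayName = 'KIOSK-DISABLED'; AccountEnabled = $false
                       ApproximateLastLogonTimeStamp = [datetime]'2018-08-15' }
    [pscustomobject]@{ DisplayName = 'TABLET-OLD'; AccountEnabled = $false
                       ApproximateLastLogonTimeStamp = [datetime]'2018-01-10' }
    [pscustomobject]@{ DisplayName = 'PHONE-NOSTAMP'; AccountEnabled = $true
                       ApproximateLastLogonTimeStamp = $null }
)

Get-StaleDeviceReport -Device $sample -Now $now |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize

# Acting on the report (live tenant only, AzureAD module):
#   Set-AzureADDevice    -ObjectId <id> -AccountEnabled $false
#   Remove-AzureADDevice -ObjectId <id>
```

Because the timestamp is approximate, keep the thresholds generous and treat the report as input for review rather than as an automatic delete list.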

     

New Azure AD Privileged Identity Management (PIM) emails for Azure Active Directory roles

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Organizations using Azure AD Privileged Identity Management (PIM) can now receive a weekly digest email, including the following information for the last seven days:

  • Overview of the top eligible and permanent role assignments
  • Number of users activating roles
  • Number of users assigned to roles in PIM
  • Number of users assigned to roles outside of PIM
  • Number of users made permanent in PIM

       

New Federated Apps available in Azure AD app gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2018, the Azure AD team added these 26 new apps with Federation support to the app gallery:

  1. CoreStack
  2. HubSpot
  3. GetThere
  4. Gra-Pe
  5. eHour
  6. Consent2Go
  7. Appinux
  8. DriveDollar
  9. Useall
  10. Infinite Campus
  11. Alaya
  12. HeyBuddy
  13. Wrike SAML
  14. Drift
  15. Zenegy for Business Central 365
  16. Everbridge Member Portal
  17. IDEO
  18. Ivanti Service Manager (ISM)
  19. Peakon
  20. Allbound SSO
  21. Plex Apps – Classic Test
  22. Plex Apps – Classic
  23. Plex Apps – UX Test
  24. Plex Apps – UX
  25. Plex Apps – IAM
  26. CRAFTS – Childcare Records, Attendance, & Financial Tracking System

  

What’s Changed

Group-based licensing is now Generally Available (GA)

Service category: Other
Product capability: Directory

Group-based licensing left public preview and is now generally available (GA). As part of this general release, the team has made this feature more scalable and has added the ability to reprocess group-based licensing assignments for a single user and the ability to use group-based licensing with Office 365 E3/A3 licenses.


Windows Server 2016’s November 2018 Quality Update brings several Active Directory fixes

Windows Server 2016

The November 2018 Cumulative Quality Update for Windows Server 2016, which brings the OS version to 14393.2639, offers a fix for an issue with Group Policy and a fix for an issue you might be experiencing on your Windows Server 2016-based Domain Controllers.

      

About Windows Server 2016 Updates

Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016.  This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.

      

Group Policy

The November 2018 Quality Update for Windows Server 2016 addresses an issue that prevents domain controllers from applying the Group Policy password policy when the minimum password length is configured to be greater than 14 characters.

     

Active Directory Domain Services

The November 2018 Quality Update for Windows Server 2016 addresses an issue that causes promotions of non-root domains to fail with the error “The replication operation encountered a database error.” The issue occurs in Active Directory forests that have optional features, like the Active Directory Recycle Bin, enabled.

As you might recall, this issue was first discovered and described here.

      

Call to action

When you experience any one of these issues, you are invited to install Windows Server 2016’s November 2018’s Cumulative Quality Update (KB4467684) on your Active Directory Domain Controllers to resolve them.

Known Issues

After you install the August Preview of Quality Rollup or September 11, 2018 .NET Framework update, instantiation of SqlConnection can throw an exception.

After installing this update, users may not be able to use the Seek Bar in Windows Media Player when playing specific files. This issue does not affect normal playback.

When features related to end-user-defined characters (EUDC) are used, the entire system may become unresponsive.

System Center Virtual Machine Manager (SCVMM)-managed workloads are noticing infrastructure management issues after VMM refresh as the Windows Management Instrumentation (WMI) class around network port is being unregistered on Hyper-V hosts.


Pictures of the 2018 European SharePoint, Azure and Office 365 Conference

Bella Center (Picture by ESPC Organization)

Last week, I was scheduled for a 60-minute session on Europe’s General Data Protection Regulation (GDPR) at the 2018 European SharePoint, Azure and Office 365 Conference in Copenhagen, Denmark.

Unfortunately, I wasn’t able to attend the entire conference, but instead scheduled to fly in on Wednesday morning, attend the conference, attend the party and then fly back to the Netherlands on Thursday morning.

With only 65 minutes of flight time, the flight from Amsterdam (AMS) to Copenhagen (CPH) is a short flight, so I elongated my time with KLM in their lounge. After landing at Copenhagen Airport, I took a cab to Bella Center. I prepared my session and spent some time at the Ask the Experts booth for Azure AD with Peter Schmidt.

The KLM Crown Lounge at Amsterdam Schiphol Airport
My ESPC 18 badge and party invitation
The Expo at the European SharePoint Azure and Office 365 Conference
Ask The Experts

At 2 PM, I started my break-out session on Europe’s General Data Protection Regulation (GDPR) in room 9. It was packed! The main points of this presentation were that the Compliance Manager can help assess GDPR compliancy, and that Azure AD Identity Protection, Conditional Access, Information Protection and Advanced Threat Protection can work together to create a more secure environment, towards GDPR-compliancy.

The audience at my GDPR session (no consent asked, so only a picture of the backs of heads, obviously)

After the presentation, I headed out with Peter Schmidt. We walked to the picturesque Nyhavn, Amalienborg, Maersk’s headquarters, den lille havfrue (the little mermaid) and Copenhagen’s Kastellet, before heading towards Wallmans Cirkusbygningen for the ESPC Party.

Den Lille Havfrue
Nyhavn
ESPC Party at Wallmans Cirkusbygningen (photo by the ESPC Organization)

At around 11 PM we headed back to the Bella Center hotel. At 4:30 AM, a cab picked me up at the front door to deliver me at Copenhagen’s airport (CPH), in time for my 6 AM flight.

I arrived at the office around 8:30 AM for a normal day of work.

    

Thank you!

Thank you for inviting me as a SharePoint, Azure and Office 365 Conference speaker, and to all the people attending, sitting in on my session and, of course, the people who stuck around after these sessions for the interesting discussions. And Peter, thank you for showing me around in the capital of your beautiful country.


Azure AD Connect v1.2.68.0 fixes an issue with the MSOnline PowerShell Module

Azure AD Connect

Late last week, Microsoft released a new version of Azure AD Connect, its free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

 

What’s Fixed

There is only one fix in version 1.2.68.0.

This hotfix build fixes a conflict where an authentication error might occur due to the independent presence of the MSOnline PowerShell Gallery module on the synchronization server.

This hotfix addresses this issue.

This release is only distributed to organizations using Azure AD Connect for manual download.

 

Version information

This is version 1.2.68.0 of Azure AD Connect.
It was signed off on November 19th, 2018 and made available for download on November 30th, 2018.

 

Download

You can download Azure AD Connect here.
The download weighs 83,4 MB.


Pictures of Office 365 and SharePoint Connect 2018 in Haarlem last week

After last week’s Heliview People-centric IT event in Rotterdam, I drove to Haarlem for the next event on my list: NC Communications’ Office 365 and SharePoint Connect.

Unfortunately, I was too late to pick up Mustafa Toroman and Sasa Kranjac from Amsterdam Airport, but we did arrive at the Amrâth Grand Hotel Frans Hals at around the same time.

We headed out for dinner. After asking for directions at the hotel reception and taking the scenic route, we ended up at Steakhouse Wilma & Albèrt’s, where we enjoyed a nice dinner with truly great steaks. We had great discussions on tech, our respective home countries and, of course, the events we presented at.

Drinks in the Lobby

After dinner we ended up in the hotel lobby where we shared drinks with the rest of the speakers and organization.

The St. Bavo Kerk in Haarlem, early morning light

The next morning, I put my stuff in my car at the car park and headed for the venue, the Stadsschouwburg and Philharmonie Haarlem. In the speaker room (coincidentally the actual artist room at the venue), I picked a shirt and prepared my slides and demos.

The calm before the storm ;-)
mS-DS-ConsistencyGUID to the rescue! (photo by Ralph Eckhard)
Azure AD Connect under the Hood (photo by Ralph Eckhard)

After the keynote, I presented a 60-minute session on Azure AD Connect. We discussed the way Azure AD Connect works, and how the attendees could leverage Hybrid Azure AD Join and carry out Active Directory restructuring and/or consolidation projects with the help of the mS-DS-ConsistencyGUID.

After the session, several people came up to me with questions, but as Waldek Mastykarz was about to start his session, we headed out to the lobby area to further discuss the challenges some organizations face with Azure AD Connect.

I stuck around for the SharePint drinks at the end of the day, but decided the speaker dinner was too much on my agenda. I wanted to go home again, so I started my journey home at around 7PM.

  

Thank you!

Thank you, NC Communications, for inviting me as an Office 365 and SharePoint Connect speaker, and to all the people attending, sitting in on my session and, of course, the people who stuck around after these sessions for the interesting discussions.


Creating a clean MyApps and Office Portal Experience

As we help organizations embrace Hybrid Identity, we often encounter politics or standards that dictate that we take baby steps.

I fully agree with taking the smallest steps possible, for it keeps roll-back steps small and useful, too. However, Azure Active Directory, currently, is not a cloud service you can enable without some default functionality.

When you synchronize an on-premises Active Directory Domain Services environment with Azure AD, you get quite a lot of functionality that you might not want people in the organization to see:

The default portal experience (screenshot taken from Firefox)

Most prominently, by default, the Office 365 Portal shows links to:

  • The Store App through the Add-In tile, underneath Apps and the Add-In tile in the Office 365 Waffle menu.
  • Download and install Office Professional Plus, through the Install Office button.

When we demo Hybrid Identity, we often create the cleanest possible MyApps and Office 365 Portal experience, showing that while we’ve created the identity bridge, no functionality is enabled on the other side:

An empty portal experience (screenshot taken from Firefox)

Note:
One of the other tricks we pull is to customize the branding of the MyApps portal and the Office portal through Azure Active Directory. Although the portals are empty, at least people will feel right at home!

Let me show you how to do that:

 

Download your apps

Get rid of the Download your apps link:

  • Sign into the Admin Portal using an account with global admin / company admin privileges in the Azure Active Directory tenant. Perform multi-factor authentication and/or the steps to attain your privileges through Azure AD Privileged Identity Management (PIM) when this is required.
  • In the right pane, expand Settings.
  • Underneath Settings, click Services & add-ins.
  • In the main pane, from the list of services and add-ins, click on Office software download settings.
  • In the settings pane that appears on the right, make these two changes:

Switch off 'Software for PC and mobile devices' and 'Software for Mac' in the Office software download settings pane

  • Underneath Software for PC and mobile devices, select Off for All PC and mobile devices.
  • Underneath Software for Mac, select Off for All apps for Mac.
  • Click Save.
  • Sign out, when done.

 

Store

Get rid of the Store link:

  • Sign into the Admin Portal using an account with global admin / company admin privileges in the Azure Active Directory tenant. Perform multi-factor authentication and/or the steps to attain your privileges through Azure AD Privileged Identity Management (PIM) when this is required.
  • In the right pane, expand Settings.
  • Underneath Settings, click Services & add-ins.
  • In the main pane, from the list of services and add-ins, click on User owned Apps and Services.

Switch off 'Let people in your organization go to the Office Store' in the User owned Apps and Services pane

  • In the settings pane that appears on the right, select Off for Let people in your organization go to the Office Store.
  • Click Save.
  • Sign out, when done.

     

Concluding

In large organizations and multinationals, every change is often a journey. Start your Hybrid Identity cloud journey with a plan. When you demo Hybrid Identity, make sure the MyApps and Office Portal experience is as clean as a whistle. Then, later on, add the functionality the organization asks for.


Azure AD Connect v1.2.67.0 fixes an issue with Password Writeback

Azure AD Connect

Earlier this week, Microsoft released a new version of Azure AD Connect, its free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

 

What’s Fixed

There is only one fix in version 1.2.67.0.

This hotfix build fixes a regression in the previous build where Password Writeback fails when using Azure AD Connect in an environment with Active Directory Domain Controllers running Windows Server 2008 or Windows Server 2008 R2.

This hotfix addresses this issue.

This release is only distributed to organizations using Azure AD Connect for manual download.

 

Version information

This is version 1.2.67.0 of Azure AD Connect.
It was signed off on November 19th, 2018 and made available for download on November 20th, 2018.

 

Download

You can download Azure AD Connect here.
The download weighs 83,6 MB.


Pictures of Heliview’s 2018 People-centric IT event

A week ago, we were present at Heliview’s 2018 People-centric IT event at Soccer club Feyenoord’s “De Kuip” Stadium in Rotterdam, the Netherlands.

As this was somewhat of a home game for us, we decided to make our mark at this event with our new corporate banner and new corporate clothing style.

SCCT Banner

We arrived at 7:30AM at the venue and started setting up our new corporate banner. After 20 minutes, Carlo and I were done, so we lit up “De Kuip” with our booth. As the stadium experienced an embarrassing light issue just two weeks ago during one of the soccer games, this got us a lot of attention from the attendees throughout the day.

Possible Solutions to the password problem (none truly apply)

Just before lunch, I presented a 25-minute session, titled “Our three biggest challenges solved in under 25 minutes? Because cloud.” I showed Windows Hello for Business Security Keys, Azure Active Directory Identity Protection, Windows Defender Conditional Folder Access, Windows AutoPilot and Intune. As these are all cloud services and easily configurable settings in the base Operating System, we flew through the presentation and demos.

26 minutes after the start we were done, and configured with new up-to-date settings for password management, anti-ransomware and location-independent imaging.

After the session, we enjoyed some more conversations with customers and potential customers, to better understand their needs, their worries about GDPR and the legacy stuff that’s keeping them back. Our team has a lot of answers and offers help in many of these areas, so it was fun to talk about it.

  

I enjoyed Heliview’s People-centric IT event.

Thanks to all the people attending, sitting in on my session and, of course, the people that took the time out of their busy schedule to talk to us. We felt we brought unique value to the event.

Hat tip

Carlo Shaeffer has made SCCT’s presence possible at Heliview’s 2018 People-centric IT event this year.


Important issues in Windows Server 2019 build 10.0.17763.1 (Release Notes)

Windows Server

Today, Microsoft rereleased Windows Server 2019 build 10.0.17763.1 to Volume License customers and MSDN subscribers. Downloads from its Evaluation Center and Azure IaaS-based virtual machines running Windows Server 2019 are on the horizon.

The following four downloads of Windows Server 2019 are now available:

  1. Windows Server 2019 Essentials
  2. Windows Server 2019
  3. Windows Server 2019 Language Pack
  4. Windows Server 2019 Features on Demand

On this page you can view the critical issues identified so far that might require avoidance or a workaround to get Windows Server 2019 installed and running.

Below is the list with the current important issues for Windows Server 2019 version 10.0.17763.1, also known as the re-released General Availability (GA) version:

 

Localization issues

When running setup from German server media, on the operating system selection window titled, “Select the operating system you want to install,” the description for Desktop Experience installation options will have missing and incorrect characters at the very end of the sentence.

Customers using the Desktop Experience on Windows Server 2019 are currently unable to install language packs using the Settings app’s Language page. In order to add a new Windows display language, follow the procedure in KB4466511.

Language Packs for Windows Server 2019 and Windows Server, version 1809 are not currently available on Windows Update. Language Pack (LP) installation needs to be performed from the Language Pack ISO, and Language Packs should only be installed against an image mounted offline using the DISM command. If adding Language Packs to a running Windows Server with Desktop Experience, please refer to KB4466511.

 

Features on Demand

Features on Demand (FoD) for Windows Server 2019 and Windows Server, version 1809 are not currently available on Windows Update. Feature on Demand (FoD) installation should be performed from either a FoD ISO or the Windows Server installation ISO, and Features on Demand should only be installed against an image mounted offline using the DISM command.

 

Drive Mapping

Mapped drives may fail to reconnect after starting and logging on. Symptoms include:

  • In File Explorer, a red “X” appears on the mapped network drives.
  • Mapped network drives show as “Unavailable” when you run the net use command from a command prompt.
  • In the notification area, a notification displays, “Could not reconnect all network drives.”

See KB4471218 for workaround scripts to automatically reconnect a mapped network drive when you log on to the device.

 

Edge on systems with AMD Radeon HD2000 or HD4000 series video cards

Microsoft Edge tabs may stop working when a device is configured with AMD Radeon HD2000 or HD4000 series video cards. Customers may get the following error code:  “INVALID_POINTER_READ_c0000005_atidxx64.dll”.

Some users may also experience performance issues with the lock screen or the ShellExperienceHost. (The lock screen hosts widgets, and the ShellExperienceHost is responsible for assorted shell functionality).

Note:
AMD no longer supports Radeon HD2000 and HD4000 series graphic processor units (GPUs).

 

App Compatibility

iCloud for Windows

Apple has identified an incompatibility with iCloud for Windows (version 7.7.0.27) that may cause users to have issues updating or synching Shared Albums. To ensure a seamless experience, Microsoft is blocking devices with iCloud for Windows (version 7.7.0.27) software installed from being offered Windows 10, version 1809, Windows Server 2019 and Windows Server, version 1809, until this issue has been resolved.

F5 VPN Client

F5 VPN clients may lose network connectivity when the VPN service is in a split tunnel configuration.

To mitigate this issue, you can manually configure your systems to force all traffic through the VPN tunnel. For details on how to do this, see the F5 customer support guidance page.

Trend Micro OfficeScan and Worry-Free

Microsoft and Trend Micro have identified a compatibility issue with Trend Micro’s OfficeScan and Worry-Free Business Security software.

To ensure a seamless update experience, Microsoft blocks installations running the affected business endpoint security products from being offered Windows 10, version 1809, Windows Server 2019 or Windows Server, version 1809, until a specific Trend Micro Critical Patch (CP) is applied.

 

Removed Features

The following features were present in previous versions of Windows Server, but are no longer available in Windows Server 2019:

  • Business Scanning, also known as Distributed Scan Management (DSM)
  • Internet Storage Name Service (iSNS)

 

Deprecated Features

Microsoft is no longer actively developing the features below and may remove them from a future update:

  • Key Storage Drive in Hyper-V
  • Trusted Platform Module (TPM) management console
  • Host Guardian Service Active Directory attestation mode
  • OneSync service
  • Remote Differential Compression API support
  • WFP lightweight filter switch extension

I’m speaking at the European SharePoint Conference next week

Bella Center in Copenhagen, Denmark

Next week, I’ll present a 60-minute break-out session on the General Data Protection Regulation (GDPR) at the European SharePoint, Office 365 & Azure Conference at the Bella Center in Copenhagen, Denmark.

After I presented this session with a standard slide deck from Microsoft at the Amsterdam Tech Summit, Donald Hessing invited me to present an updated version of that deck at the European SharePoint, Office 365 & Azure Conference. He liked the way I presented the session and wanted the same approach, but with slightly more room for adjustments, humor and horror stories.

      

About the European SharePoint, Office 365 & Azure Conference

The European SharePoint, Office 365 & Azure Conference (ESPC) is Europe’s leading online community, providing educational resources and encouraging collaboration.

Each year, the European SharePoint, Office 365 & Azure Conference gathers SharePoint, Office 365 and Azure experts from around the world in one European location for the largest conference of its kind.

The European SharePoint, Office 365 and Azure Conference is part of QualTech Conferences and is based in Galway, Ireland. QualTech has 18 years of experience in organising leading European IT conferences.

This year’s European SharePoint, Office 365 & Azure Conference will be hosted at the Bella Center in Copenhagen, Denmark from November 26th 2018 till November 29th 2018.

    

About my session

I’m scheduled to present a 60-minute breakout session on:

GDPR: Where the Rules Meet Microsoft 365 Technologies

Wednesday November 28th 2018, 2PM – 3PM, Session Code W25, Level 200

Learn how the General Data Protection Regulation (GDPR) law imposes new rules on companies, government agencies, and other organizations that offer goods and services to people in the EU or that collect and analyze data tied to EU residents.

This session discusses those requirements, and how certain Microsoft 365 products map to these capabilities, what licenses organizations need and where to find more information and guidance.

         

GDPR is the ultimate boring stuff to present on, but I’m having fun laying down the need for it by going through our industry’s worst practices. I feel we need to grow up, as an industry. I feel the GDPR is our means to do so.

  

Join us!

Join Chris Petit, me and over 2000 attendees at the European SharePoint, Office 365 & Azure Conference. Learn, connect and be inspired at Europe’s largest Independent Conference on Microsoft Technologies.

Register here!
