Command-line switches for Azure AD Connect

Azure AD Connect Splash Screen

After you install Azure AD Connect, but before you configure the product through the Microsoft Azure Active Directory Connect wizard, you can pass command-line switches to the Azure AD Connect installer to change how it sets the product up.

Below is a list of command-line switches that you can use:

Note:
The below list is based on Azure AD Connect version 1.5.45.0.

 

AzureADConnect.exe /UseExistingDatabase

When you have an existing ADSync database, you can use the /UseExistingDatabase command-line switch to install Azure AD Connect on top of it. The new Azure AD Connect installation that is set up using this command-line switch completely overwrites the contents of the database that was previously in use with another Azure AD Connect installation, but keeps the same database name, schema, logins and permissions.

 

AzureADConnect.exe /SkipLDAPSearch

The /SkipLDAPSearch command-line switch can be used when you configure Azure AD Connect to use the mS-DS-ConsistencyGUID attribute as its source anchor. By default, Azure AD Connect searches the directory to check the contents of this attribute for objects in scope for synchronization; this command-line switch instructs Azure AD Connect to skip that search. The switch is useful when you install a Staging Mode Azure AD Connect installation that uses the mS-DS-ConsistencyGUID attribute as its source anchor.

 

AzureADConnect.exe /ForceExport

The /ForceExport command-line switch can be used to create a parallel deployment of Azure AD Connect side by side of an existing DirSync implementation. This switch exports the DirSync settings so you can then import them into Azure AD Connect using the /Migrate command-line switch below.

 

AzureADConnect.exe /Migrate

The /Migrate command-line switch can be used to create a parallel deployment of Azure AD Connect side by side of an existing DirSync implementation for migration purposes. This switch imports the DirSync settings into Azure AD Connect.

 

AzureADConnect.exe /EnableLDAP

The /EnableLDAP command-line switch switches Azure AD Connect’s setup mode from Active Directory to an LDAPv3-compatible identity store.


Kerberos Security Feature Bypass Vulnerability (Important, CVE-2020-17049, CVSSv3 6.6)

Yesterday, for its November 2020 Patch Tuesday, Microsoft released an important security update for Active Directory Domain Services (AD DS).

 

About the vulnerability

A Kerberos Security Feature Bypass vulnerability exists in Microsoft’s implementation of the Kerberos network authentication protocol.

This vulnerability is described in detail in CVE-2020-17049.

A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).

To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.

The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD. For this reason, Microsoft is requiring Kerberos Ticket Signatures.

Note:
The October 2020 cumulative update for Windows Server enforces Kerberos Ticket Signatures, by default. The PerformTicketSignature registry value is available to transition complex Active Directory environments by controlling this behavior on a per-Domain Controller basis. The registry value can have the following data:

  • 0 – disables Kerberos Ticket Signatures. Domains are not protected

Important:
Do not use this setting. There is a known issue that could cause the S4U2Self feature of Kerberos to become non-functional.

  • 1 – enables the fix, but the Domain Controller does not require that Kerberos tickets conform to the fix
  • 2 – enables the fix in required mode, where all Active Directory domains must be patched and all Domain Controllers require Kerberos tickets with signatures

A later release will remove this registry key and make ticket signatures required.

AFFECTED OPERATING SYSTEMS

This security update is rated with a CVSS version 3 score of 6.6 for the following releases of Windows Server:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server, version 1903
  • Windows Server, version 1909
  • Windows Server, version 2004
  • Windows Server, version 20H2

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

However, in complex domain environments requiring Kerberos Ticket Signatures may break functionality. A registry key is made available to allow for deployment across domains before fully enabling the fix. In a complex forest, where Kerberos tickets may travel across multiple domains, Microsoft recommends the following steps:

  1. Open the Registry Editor (RegEdit.exe)
  2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc
  3. Locate the PerformTicketSignature value.
  4. Set the registry key to 1.
  5. Complete the deployment to all Domain Controllers and Read-Only Domain Controllers in your Active Directory forest.
  6. When deployment is complete, set the registry key to 2.
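As an added example (not from the original post), the following PowerShell audits the PerformTicketSignature value on every Domain Controller and Read-Only Domain Controller in the forest and tells you whether all of them already report 1 or 2, which is the condition the steps above require before switching to required mode. It assumes the ActiveDirectory RSAT module on the admin workstation and PowerShell Remoting (WinRM) access to the Domain Controllers.

```powershell
# Added example, not from the original post: audit PerformTicketSignature on
# every Domain Controller (RODCs included) in the forest before moving to
# required mode (2). Assumes the ActiveDirectory RSAT module is installed on the
# admin workstation and that PowerShell Remoting (WinRM) to the DCs is allowed.
$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'PerformTicketSignature'

function Get-TicketSignatureReport {
    # Enumerate all DCs of all domains in the forest, not only the current domain,
    # because tickets in a complex forest can travel across domains.
    $dcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }

    $raw = Invoke-Command -ComputerName $dcs.HostName -ErrorAction SilentlyContinue `
        -ArgumentList $kdcKey, $valueName -ScriptBlock {
            param($key, $name)
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name  = $env:COMPUTERNAME
                Value = if ($null -eq $item) { $null } else { [int]$item.$name }
            }
        }

    foreach ($dc in $dcs) {
        $row   = $raw | Where-Object Name -eq $dc.Name
        $value = if ($row) { $row.Value } else { $null }
        # Meaning of each value, as listed in the note above.
        $mode = if (-not $row) { 'Unreachable over WinRM' }
                else {
                    switch ($value) {
                        0       { 'Disabled (do not use: breaks S4U2Self)' }
                        1       { 'Enabled, signatures not yet required' }
                        2       { 'Required mode' }
                        default { 'Not set (patch-level default applies)' }
                    }
                }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Domain           = $dc.Domain
            ReadOnly         = $dc.IsReadOnly
            Value            = $value
            Mode             = $mode
        }
    }
}

function Test-ReadyForRequiredMode {
    # Mode 2 is only safe once every DC and RODC is patched and reports 1 or 2;
    # an unreachable or unset DC is treated as not ready rather than assumed patched.
    param([Parameter(Mandatory)] [object[]] $Report)
    $blocking = @($Report | Where-Object { $_.Value -notin 1, 2 })
    [pscustomobject]@{
        Ready    = ($blocking.Count -eq 0)
        Blocking = @($blocking | ForEach-Object { "$($_.DomainController): $($_.Mode)" })
    }
}

$report = Get-TicketSignatureReport
$report | Format-Table DomainController, Domain, ReadOnly, Value, Mode -AutoSize
Test-ReadyForRequiredMode -Report $report
```

Only when Ready is True for the whole forest does step 6 (setting the value to 2) apply; until then, the Blocking list names the Domain Controllers that still need the update or a reachable WinRM endpoint.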

Known Issues

When the registry key is set to 1, patched Domain Controllers will issue service tickets that are not renewable and will refuse to renew existing service tickets. Windows clients are not impacted by this since they never renew service tickets. Third-party Kerberos clients may fail to renew service tickets acquired from unpatched DCs. If all DCs are patched with the registry set to 1, third-party clients will no longer receive renewable tickets.

Acknowledgements

Jake Karnes at NetSPI responsibly disclosed the vulnerability to Microsoft.

 

Call to action

I urge you to install the necessary security updates on Windows Server installations acting as Domain Controllers and Read-only Domain Controllers in a test environment as soon as possible, assess the risk and possible impact on your production environment and then roll out this update to the Windows Server installations acting as Domain Controllers and Read-only Domain Controllers in the production environment.

Active Directory admins who cannot require Kerberos Ticket Signatures should still update their Domain Controllers and Read-only Domain Controllers, but implement the registry key on the Domain Controllers that service non-capable devices and/or interact with non-capable Domain Controllers.

Further reading

Kerberos Security Feature Bypass Vulnerability


KnowledgeBase: LSASS on Windows 10 version 20H2 crashes and reboots unexpectedly on systems with renamed built-in administrator or guest accounts

Windows 10

On October 20th, 2020, Microsoft released Windows 10, version 20H2 build 19042 to Visual Studio Subscribers and organizations with access to the Software Download Center and the Volume Licensing Service Center. This version is also known as Windows 10 ‘October 2020 Update’.

Last week, Microsoft acknowledged an issue causing forced restarts on devices running Windows 10 20H2 due to the Local Security Authority Subsystem Service (LSASS) system process crashing.

 

The situation

You have in-place upgraded devices to Windows 10 version 20H2 from a previous version of Windows.

 

The issue

When you interact with any functionality that lists users or their permissions, for example accessing the sign-in options page in the Settings app or the Users folder in the Local Users and Groups MMC snap-in (lusrmgr.msc), you receive the following error:

Your PC will automatically restart in one minute

In the application log in Event Viewer (eventvwr.exe), an event is logged with event ID 1015 reporting:

LSASS.EXE failed with status code C0000374

 

The cause

This issue appears because the built-in Administrator account, the built-in Guest account, or both have been renamed on the device.

 

The solution

To remedy the situation, you can:

  • Roll back the Windows 10 upgrade to the previous version of Windows, or;
  • On a domain-joined device, remove the Group Policy setting that renames the built-in Administrator and/or Guest account and reboot. On a device that is not domain-joined, manually rename the built-in Administrator and/or Guest account back and reboot.
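As an added example (not from the original post), this PowerShell check reports whether the built-in Administrator (RID 500) or Guest (RID 501) account on a device has been renamed, whether the LSASS crash event described above has already been logged, and which of the two remedies applies based on domain membership. It assumes an English Windows installation with the default names Administrator and Guest and an elevated session; the event filter is best-effort because the KB states the event ID and status code but not the event source.

```powershell
# Added example, not from the original post: before (or right after) an in-place
# upgrade to Windows 10 version 20H2, report whether the built-in Administrator
# (RID 500) or Guest (RID 501) account has been renamed and whether the LSASS
# crash from the KB (event ID 1015, status code C0000374) has already been logged.
# Assumes English default account names and an elevated PowerShell session.

function Get-RenamedBuiltinAccounts {
    # The RID, not the name, identifies the built-in accounts, so a renamed
    # account is found by its SID suffix rather than by its current name.
    $expected = @{ '500' = 'Administrator'; '501' = 'Guest' }
    foreach ($user in Get-LocalUser) {
        $rid = ($user.SID.Value -split '-')[-1]
        if ($expected.ContainsKey($rid)) {
            [pscustomobject]@{
                Rid         = $rid
                DefaultName = $expected[$rid]
                CurrentName = $user.Name
                Renamed     = ($user.Name -ne $expected[$rid])
            }
        }
    }
}

function Get-LsassCrashEvents {
    # Event ID 1015 in the Application log that mentions LSASS.EXE and C0000374.
    # Only log name and ID are filtered because the KB does not state the source.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1015 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'LSASS\.EXE' -and $_.Message -match 'C0000374' } |
        Select-Object TimeCreated, Id, Message
}

function Test-Lsass20H2Exposure {
    $os      = Get-CimInstance Win32_OperatingSystem
    $cs      = Get-CimInstance Win32_ComputerSystem
    $renamed = @(Get-RenamedBuiltinAccounts | Where-Object Renamed)
    $crashes = @(Get-LsassCrashEvents)

    # The remedy depends on domain membership, as the KB describes: remove the
    # renaming Group Policy setting on domain-joined devices, rename manually otherwise.
    $remedy = if ($renamed.Count -eq 0) { 'None needed' }
              elseif ($cs.PartOfDomain) { 'Remove the GPO that renames the account(s), then reboot' }
              else { 'Rename the account(s) back manually, then reboot' }

    [pscustomobject]@{
        Build           = $os.BuildNumber                 # 19042 is version 20H2
        Is20H2          = ($os.BuildNumber -eq '19042')
        DomainJoined    = $cs.PartOfDomain
        RenamedAccounts = @($renamed | ForEach-Object { "$($_.DefaultName) -> $($_.CurrentName)" })
        Exposed         = ($renamed.Count -gt 0)
        CrashesLogged   = $crashes.Count
        Remedy          = $remedy
    }
}

Test-Lsass20H2Exposure
```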

 

Concluding

After my previous run-in with LSASS rebooting Domain Controllers, now it’s apparently time for freshly upgraded devices running Windows 10 version 20H2…


The video of my talk at the European SharePoint Office 365 and Azure Conference is now available

ESPCHardeningSession

The European SharePoint, Office 365 & Azure Conference (ESPC) is Europe’s leading online community, providing educational resources and encouraging collaboration. Therefore, I was more than happy to announce that I was returning as a speaker for the European SharePoint, Office 365 and Azure Conference (ESPC) 2020.

On October 15th, while my pre-recorded presentation was playing, I signed in to answer any questions the attendees might have. Today, I’m making the video available to all who want to view it.

 

Hardening Hybrid Identity in the Real World

In the session, I’m discussing trailblazing from a security development point of view in an enterprise like Microsoft. Then, I’m covering hardening Active Directory by applying Active Directory’s tiered administration model, hardening the Windows Server installations that run your Domain Controller and leveraging Azure AD Connect Health and Azure AD Password Protection.

For Azure AD, I’m covering Identity Secure Score, securing privileged access, limiting the default privileged access every user and guest has through the default tenant settings, and auditing.

Most of these security measures don’t even require fancy licenses. Learn more:

 

Admittedly, I did present this session before at Microsoft Ignite 2018, but recent updates and experiences with the Cloud Security Assessment we conduct a couple of times per month with our customers have persuaded me to update the session with the latest product behavior, customer adoption rates and insights.

 

THANK YOU

Thank you to Qualtech Conferences for organizing the European SharePoint Office 365 and Azure Conference and inviting me as a speaker.

Enjoy!


I’m speaking at the 2020 NT Konferenca

NT Remote 2020

The 2020 NT Konferenca, known as NT Remote 2020, the 25th edition of the NT Konferenca, kicks off in two weeks. I have been invited to deliver two sessions.

About NT Konferenca

NT Konferenca is the biggest Slovenian technological conference. Last year the event was visited by over two thousand attendees.

NT Konferenca is not just about IT trends and solutions. It is also about how to include them in everyday business processes and how to use them effectively in business challenges, in order to reach objectives in a more rapid, time-efficient and affordable way.

Previous NT Konferenca events took place in Grand Hotel Bernardin in Portorož, Slovenia. However, this 25th edition of the event is a remote event, featuring over 50 speakers.

About my sessions

I’ll be presenting two sessions:

Deep Dive into managing AD FS with Azure AD Connect

Azure AD Connect was meant as the successor to DirSync, with the added benefit of being the one-stop shop for admins to take care of hybrid cloud authentication. One of its main pillars is its ability to deploy, manage, monitor and even decommission an entire Active Directory Federation Services environment.

In this session, I share real-world tips, tricks, do's and don'ts around Azure AD Connect, specifically tailored to the thousands of admins still running and loving AD FS. The Hybrid Identity implementations I’ve deployed for multiple organizations have given me a clear overview of the strengths and weaknesses of Azure AD Connect.

In terms of management processes, Azure AD Connect’s ability to manage AD FS always surprised organizations in a positive way, because Azure AD Connect makes it so easy to implement an AD FS Farm, reset an Azure AD trust, federate an additional Azure AD domain, update the AD FS SSL certificate on all AD FS Servers and Web Application Proxies at once and verify federated login capabilities. It's so effective, that I’ll show you all of the above in just one session!

Hardening Hybrid Identity in the real world

As organizations rely heavily on Active Directory and embrace Azure Active Directory (AD), proper configuration of their setups becomes more important: as Azure AD is often built upon Active Directory, you need a solid base. As Azure AD offers more functionality, it too should be tuned.

To avoid the tyranny of the default settings, in some situations, we'll look at properly securing on-premises Active Directory Domain Services environments and hardening Azure AD tenants to match their levels of security.

Make sure to get the best tips and tricks in this session from an MVP whose team and peers have seen and done it all in Active Directory and Azure AD.

Join us!

Tickets are still available for NT Konferenca.
Register here and join me for these sessions.


VMware updated the patch for CVE-2020-3992 to completely address the Remote Code Execution Vulnerability (Critical, CVSSv3 9.8)

Critical Updates

In October 2020, VMware published advisory VMSA-2020-0023, which claimed to fix the CVE-2020-3992 vulnerability in the OpenSLP service in ESXi. OpenSLP is used for service location. The component has a use-after-free issue that could allow a malicious person with access to port 427 on an ESXi host to execute code remotely. The vulnerability was rated with a Critical severity and a CVSSv3 score of 9.8 out of 10.

Yesterday, the description of VMSA-2020-0023 was updated with the following line of text for the CVE-2020-3992 vulnerability:

IMPORTANT: The ESXi patches released on October 20, 2020 did not address CVE-2020-3992 completely, see section (3a) Notes for an update.

 

Updated patches

VMware has released new patches for ESXi:

ESXi 7.0

For ESXi 7.0, VMware released version ESXi70U1a-17119627. This update completely addresses CVE-2020-3992. This version replaces version ESXi_7.0.1-0.0.16850804 that was previously described as the fix.

ESXi 6.7

For ESXi 6.7, VMware released version ESXi670-202011301-SG. This update completely addresses CVE-2020-3992. This version replaces version ESXi670-202010401-SG that was previously described as the fix.

ESXi 6.5

For ESXi 6.5, VMware released version ESXi650-202011401-SG. This update completely addresses CVE-2020-3992. This version replaces version ESXi650-202010401-SG that was previously described as the fix.

Note:
There are currently no updated patches for VMware Cloud Foundation (ESXi) version 3.x and 4.x.

 

Workaround

The workarounds described in KB76372 still apply. The impact of the vulnerability can be mitigated by stopping and disabling the SLP service, when it’s not in use. Use the following lines to do so:

/etc/init.d/slpd stop
esxcli network firewall ruleset set -r CIMSLP -e 0
chkconfig slpd off
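As an added example (not from the VMware advisory or KB76372), the following VMware PowerCLI script applies the same three-step SLP workaround to every host a vCenter manages and reports which ESXi 7.0 hosts still run a build older than the fixed one. It assumes the VMware.PowerCLI module is installed and Connect-VIServer has already been run, that the firewall ruleset CIMSLP is exposed to PowerCLI under the label 'CIM SLP', and that build 17119627 (taken from the patch name ESXi70U1a-17119627) is the first 7.0 build that fully addresses CVE-2020-3992; 6.5 and 6.7 hosts are not checked by build because the post only names their bundle IDs.

```powershell
# Added example, not from VMware: apply the SLP workaround with PowerCLI across
# all hosts in the connected vCenter and report patch status for ESXi 7.0.
# Assumptions: VMware.PowerCLI is installed, Connect-VIServer was already run,
# the CIMSLP ruleset carries the label 'CIM SLP', and build 17119627 (from the
# patch name ESXi70U1a-17119627) is the first fully fixed 7.0 build.
$Fixed70Build = 17119627

function Disable-EsxiSlp {
    param([Parameter(Mandatory)] $VMHost)
    # Same three steps as the esxcli workaround: stop slpd, close the CIM SLP
    # firewall rule (port 427), and keep slpd from starting on boot.
    $slpd = Get-VMHostService -VMHost $VMHost | Where-Object Key -eq 'slpd'
    if ($slpd.Running) { Stop-VMHostService -HostService $slpd -Confirm:$false | Out-Null }
    Set-VMHostService -HostService $slpd -Policy Off | Out-Null
    $rule = Get-VMHostFirewallException -VMHost $VMHost -Name 'CIM SLP'
    if ($rule.Enabled) { Set-VMHostFirewallException -Exception $rule -Enabled:$false | Out-Null }
}

function Get-Cve20203992Status {
    foreach ($h in Get-VMHost) {
        $slpd = Get-VMHostService -VMHost $h | Where-Object Key -eq 'slpd'
        $rule = Get-VMHostFirewallException -VMHost $h -Name 'CIM SLP'
        # Build comparison is only meaningful for 7.0; 6.5/6.7 stay $null and are
        # treated conservatively (exposed while SLP is reachable).
        $patched = if ($h.Version -like '7.0*') { [int]$h.Build -ge $Fixed70Build } else { $null }
        [pscustomobject]@{
            Host        = $h.Name
            Version     = $h.Version
            Build       = $h.Build
            Patched70   = $patched
            SlpdRunning = $slpd.Running
            SlpdPolicy  = $slpd.Policy
            SlpFirewall = $rule.Enabled
            Exposed     = ($patched -ne $true) -and ($slpd.Running -or $rule.Enabled)
        }
    }
}

# Report first, then apply the workaround only where SLP is still reachable
# on a host that is not confirmed patched.
$status = Get-Cve20203992Status
$status | Format-Table -AutoSize
$status | Where-Object Exposed | ForEach-Object {
    Disable-EsxiSlp -VMHost (Get-VMHost -Name $_.Host)
}
```

Hosts whose Patched70 column is empty (6.5 and 6.7) still need their installed bundle compared against ESXi650-202011401-SG and ESXi670-202011301-SG by hand.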

 

Call to Action

Please install the updates for the version(s) of ESXi in use within your organization, as mentioned above and in the advisory for VMSA-2020-0023, even if you have deployed the October update already. These previous versions are also mentioned above.

A Remote Code Execution (RCE) vulnerability on the hypervisor layer may compromise the integrity of virtual Domain Controllers running on vulnerable hosts, affecting the Active Directory database and Group Policy settings, including replicating these changes as authorized changes to all other Domain Controllers, including physical ones.

When Active Directory’s integrity is gone, it’s Game Over for 9/10 organizations. Please update.

Further reading

NVD – CVE-2020-3992
VMware – Update On Critical Flaw CVE-2020-3992


Some Microsoft 365 services are turning the page on Internet Explorer 11 this month

Internet Explorer 11

Microsoft has announced that its Microsoft 365 Services stop supporting Internet Explorer 11 on August 17th, 2021. However, this month, some Microsoft 365 services are already turning the page on Internet Explorer 11.

 

Services ending support this month

The following Microsoft 365 services are ending support for Internet Explorer 11:

My Apps, My Account, My Access, and My Groups (Postponed)

This change was postponed to August 17th, 2021

As part of MC223753, Microsoft announced the end of support for Internet Explorer 11 to access My Apps, My Account, My Access, and My Groups beginning November 13, 2020.

My Apps, My Groups and My Access in the My Account Portal

Microsoft recommends using Edge, Chrome, or Firefox to access these web portals.

Microsoft Teams

As part of MC225570, Microsoft announced that the Microsoft Teams web app will no longer support Internet Explorer 11 after November 30, 2020. After November 30, 2020, people will be unable to access the Teams web app from Internet Explorer 11 and be notified to use the desktop app or access the web app from Microsoft Edge.

 

Services ending support on August 17th, 2021

Beginning August 17, 2021, the remaining Microsoft 365 apps and services will no longer support Internet Explorer 11.

This means that after the above dates, organizations will have a degraded experience or will be unable to connect to Microsoft 365 apps and services using Internet Explorer 11:

  • New Microsoft 365 features will not be available
  • Certain features may cease to work when accessing the app or service

 

Is your organization impacted?

In the below scenarios, people in your organization may be impacted:

End-users accessing Microsoft 365 services on Windows Server 2016

For organizations sticking to the ‘one browser for all’ mantra for their end-users on Windows Server 2016 Remote Desktop Services (RDS) hosts, this means that, for now, their users can continue to use the above Microsoft 365 services when these hosts are installed with the non-Chromium Microsoft Edge browser. This party ends on March 9th, 2021, after which these organizations will need to migrate to another browser like Chrome, Firefox or Brave.

To use the Chromium-based Microsoft Edge and the Microsoft 365 Apps for Enterprise (formerly known as Office 365 Professional Plus), Remote Desktop Services hosts need to run at least Windows Server 2019.

Office 2016 can be used with Microsoft 365 services until its end of support date of October 10th, 2023. This changes Microsoft's earlier announcement that connections to Office 365 services from Office 2016 would no longer be supported after October 13th, 2020.

End-users accessing Microsoft 365 services on Windows 8.1

For organizations sticking to the ‘one browser for all’ mantra for their end-users on Windows 8.1, this means they need to install Edge Chromium. This is the better choice compared to the non-Chromium Edge, as Microsoft is already referring to the non-Chromium Edge as Edge Legacy. Edge Legacy will be end of life on March 9, 2021, while Windows 8.1 end of support is currently scheduled for January 1st, 2023.

To use the Chromium-based Microsoft Edge and the Microsoft 365 Apps for Enterprise (formerly known as Office 365 Professional Plus), Remote Desktop Services hosts need to run at least Windows 10. Windows 10, version 20H2 is the first version of Windows to include the Chromium-based Microsoft Edge, by default.

Office 2016 can be used with Microsoft 365 services until its end of support date of October 10th, 2023. This changes Microsoft's earlier announcement that connections to Office 365 services from Office 2016 would no longer be supported after October 13th, 2020.

 

Concluding

When your organization uses Microsoft 365 services, now is a good time to start migrating from Internet Explorer 11 to (the Chromium-based) Microsoft Edge.

Further reading

Identity-related new features in Windows 10, version 20H2 build 19042
Microsoft 365 apps say farewell to Internet Explorer 11 and Windows 10 sunsets Microsoft Edge Legacy


On-premises Identity-related updates and fixes for October 2020

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates.

These are the Identity-related updates and fixes we saw for October 2020:

 

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4580346 October 13, 2020

The October 13 update for Windows Server 2016 (KB4580346), updating the OS build number to 14393.3986, is a security update that includes quality improvements.

By far, the biggest vulnerability addressed this month is CVE-2020-16898. Described as a remote code execution (RCE) vulnerability in the Windows TCP/IP stack, this vulnerability allows attackers to take over Windows systems by sending malicious ICMPv6 Router Advertisement packets to an unpatched computer via a network connection.

To address the Group Policy Elevation of Privilege Vulnerability marked as CVE-2020-16939, this update should be rolled out to all domain-joined Windows Server and Windows installations.

It includes the following identity-related quality improvements:

  • It addresses an issue with the Group Policy service that might recursively delete critical files in alphabetic order from %systemroot%\system32. This issue occurs when a policy has been configured to delete cached profiles. These file deletions might cause stop error boot failures with the following error:

0x5A (CRITICAL_SERVICE_FAILED)

  • It addresses an issue that might cause Windows 10 devices that enable Credential Guard to fail authentication requests when they use the machine certificate.
  • It addresses an issue that might prevent you from accessing the Security Options data view in the Group Policy Management Editor (gpedit.msc) or Local Security Policy Editor (secpol.msc). The error is:

MMC has detected an error in a snap-in

 

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4577668 October 13, 2020

The October 13 update for Windows Server 2019 (KB4577668), updating the OS build number to 17763.1518, is a security update that includes quality improvements.

By far, the biggest vulnerability addressed this month is CVE-2020-16898. Described as a remote code execution (RCE) vulnerability in the Windows TCP/IP stack, this vulnerability allows attackers to take over Windows systems by sending malicious ICMPv6 Router Advertisement packets to an unpatched computer via a network connection.

To address the Group Policy Elevation of Privilege Vulnerability marked as CVE-2020-16939, this update should be rolled out to all domain-joined Windows Server and Windows installations.

It includes one identity-related quality improvement: it addresses an issue with the Group Policy service that might recursively delete critical files in alphabetic order from %systemroot%\system32. This issue occurs when a policy has been configured to delete cached profiles. These file deletions might cause stop error boot failures with the following error:

0x5A (CRITICAL_SERVICE_FAILED)

KB4580390 October 20, 2020

The October 13 update for Windows Server 2019 (KB4580390), updating the OS build number to 17763.1554, is a quality improvement update. It includes the following identity-related quality improvements:

  • It allows administrators to use a Group Policy to enable Save Target As for users in Microsoft Edge IE Mode.
  • It addresses an issue with the CleanupProfiles Group Policy object (GPO). After you upgrade the operating system, when you configure the CleanupProfiles GPO, it fails to remove unused user profiles.
  • It addresses an issue that fails to set the desktop wallpaper as configured by a GPO when you specify the local background as a solid color.
  • It addresses an issue that prevents you from signing in on certain servers. This occurs when you enable a Group Policy that forces the start of a computer session to be interactive.
  • It addresses an issue that occurs when you first sign in to an account or unlock an existing user session using Remote Desktop Services (RDS). If you enter an incorrect password, the current keyboard layout changes unexpectedly to the system default keyboard layout. This keyboard layout change might cause additional attempts to sign in to fail or lead to account lockouts in domains with low account lockout thresholds.
  • It addresses an issue that prevents the Smart Cards for Windows service from starting, which prevents the use of a smart card for authentication. The event log shows the error:

Server Control failed to access start event: 621

  • It addresses an issue with support for On-Behalf-Of flows (OBO) when using the Microsoft Authentication Library (MSAL).

Experiences with Being Published, Part 7: A book on shelves for the last 18 months

This entry is part 7 of 7 in the series Experiences with Being Published

PregnantWomen

As a published technical writer, I’m sharing my experiences working with a publisher and its editors in this series of blogposts on Experiences with Being Published.

The Active Directory Administration Cookbook was published on May 3rd, 2019.

This means it hit the (virtual) shelves of your favorite local resellers eighteen months ago. In this period, the following has happened:

  1. A thousand copies have been sold.
  2. Nine people worldwide have written reviews. All verified reviews are 5-star reviews.
  3. The paperback has peaked at position 46,466 of over 800,000 books on Amazon.
  4. The Kindle edition has peaked at position 74,887 of over one million books in the Amazon Kindle Store.
  5. The book currently ranks position 38 in the Windows Administration (Kindle Store) category, among gems like Lee Holmes’ Windows PowerShell Cookbook, Brian Desmond’s Active Directory: Designing, Deploying, and Running Active Directory 5th Edition and Mark Minasi’s Mastering Windows Server 2012 R2.

 

Picture by eso2 of Two pregnant women(1134) by Charles Leplae at the Museum Middelheim in Antwerp, Belgium, under CC BY-NC-ND 2.0 license. Edited in size.


Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.


What's New in Azure Active Directory for October 2020

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for October 2020:

What’s Planned

Azure AD On-Premises Hybrid Agents Impacted by Azure TLS Certificate Changes

Product capability: Platform

Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). There will be an update because of the current CA certificates not following one of the CA/Browser Forum Baseline requirements. This change will impact Azure AD hybrid agents installed on-premises that have hardened environments with a fixed list of root certificates. These agents will need to be updated to trust the new certificate issuers.

This change will result in disruption of service in hardened environments if you don't take action immediately. These agents include:

If your organization runs an environment with firewall rules set to allow outbound calls to only specific Certificate Revocation List (CRL) download locations, you'll need to allow the following CRL and OCSP URLs:

Provisioning events will be removed from audit logs and published solely to provisioning logs

Service category: Reporting
Product capability: Monitoring & Reporting

Activity by the SCIM provisioning service is logged in both the audit logs and provisioning logs. This includes activity such as the creation of a user in ServiceNow, group in GSuite, or import of a role from AWS. In the future, these events will only be published in the provisioning logs. This change is being implemented to avoid duplicate events across logs, and additional costs incurred by customers consuming the logs in log analytics.

Note:
This does not impact any events in the audit logs outside of the synchronization events emitted by the provisioning service. Events such as the creation of an application, conditional access policy, a user in the directory, etc. will continue to be emitted in the audit logs.

TLS 1.0, TLS 1.1, and 3DES Deprecation in US Gov Cloud

Product capability: Standards

Azure Active Directory will deprecate the following protocols by March 31, 2021:

  • TLS 1.0
  • TLS 1.1
  • 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)

All client-server and browser-server combinations should use TLS 1.2 and modern cipher suites to maintain a secure connection to Azure Active Directory for Azure, Office 365, and Microsoft 365 services.

Affected environments are:

What’s New

Assign applications to roles on AU and object scope (Generally Available)

Service category: RBAC
Product capability: Access Control

This feature makes it possible to assign an application (SPN) to an administrator role on the Administrative Unit (AU) scope. As shared in the Ten things you should know about Azure AD Administrative Units blogpost, previously only users and groups could be assigned to roles on an Administrative Unit (AU); now applications, in the form of Service Principal Names (SPNs), can be added too.

Disable and delete guest users when they're denied access to a resource (Generally Available)

Service category: Access Reviews
Product capability: Identity Governance

Disable and delete is an advanced control in Azure AD Access Reviews to help organizations better manage external guests in Groups and Apps. If guests are denied in an access review, disable and delete will automatically block them from signing in for 30 days. After 30 days, then they'll be removed from the tenant altogether.

Access Review creators can add custom messages in emails to reviewers (Generally Available)

Service category: Access Reviews
Product capability: Identity Governance

In Azure AD access reviews, administrators creating reviews can now write a custom message to the reviewers. Reviewers will see the message in the email they receive that prompts them to complete the review.

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps and services:

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In October 2020, Microsoft added the following new applications with Federation support to the App gallery:

Integration assistant for Azure AD B2C (Public Preview)

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

The Integration Assistant (preview) experience is now available for Azure AD B2C App registrations. This experience helps guide you in configuring your application for common scenarios.

API connectors for Azure AD B2C sign-up user flows (Public Preview)

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

API connectors are now available for use with Azure Active Directory B2C. API connectors enable organizations to use web APIs to customize sign-up user flows and integrate with external cloud systems. Admins can use API connectors to:

  • Integrate with custom approval workflows
  • Validate user input data
  • Overwrite user attributes
  • Run custom business logic
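The four capabilities above all come down to one thing: B2C POSTs the collected attributes to your endpoint and acts on the JSON you return. The following is an added example of such an endpoint, not code from the page or from Microsoft. The request fields and the response contract (version "1.0.0" with action Continue, ValidationError or ShowBlockPage) follow the documented API-connector interface; the Basic-auth credential, the allowed e-mail domains, the postal-code rule, the extension attribute name and the sample request are assumptions constructed for the example.

```python
"""Azure AD B2C API connector endpoint for a sign-up user flow (added example)."""
import base64
import hmac
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed credential configured on the API connector in the B2C portal.
CONNECTOR_USER = "b2c-connector"
CONNECTOR_PASSWORD = "replace-with-a-long-random-secret"

ALLOWED_DOMAINS = {"contoso.com", "fabrikam.com"}   # assumed allowlist for custom approval
POSTAL_CODE_RE = re.compile(r"^\d{5}$")               # assumed validation rule (US ZIP)
EXT_PREFIX = "extension_<extensions-app-id>_"        # replace <...> with your b2c-extensions-app ID

# Constructed request, shaped like the PostAttributeCollection payload B2C sends.
SAMPLE_REQUEST = {
    "email": "alice@contoso.com",
    "identities": [{"signInType": "federated", "issuer": "facebook.com",
                    "issuerAssignedId": "0123456789"}],
    "displayName": "Alice Example", "givenName": "Alice", "surname": "Example",
    "postalCode": "98052",
    "step": "PostAttributeCollection",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "ui_locales": "en-US",
}


def basic_header(user, password):
    """Build the Authorization header value B2C sends when Basic auth is configured."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _authorized(headers):
    """Constant-time check of the Basic credentials; header lookup is case-insensitive."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return (hmac.compare_digest(user, CONNECTOR_USER)
            and hmac.compare_digest(password, CONNECTOR_PASSWORD))


def handle_sign_up(headers, body):
    """Process one API-connector call and return (http_status, response_dict)."""
    if not _authorized(headers):
        return 401, {}   # B2C shows a generic error and does not create the account

    domain = body.get("email", "").rpartition("@")[2].lower()
    if domain not in ALLOWED_DOMAINS:
        # Custom approval logic: stop the flow with a block page.
        return 200, {"version": "1.0.0", "action": "ShowBlockPage",
                     "userMessage": "Sign-up is limited to approved organizations."}

    postal = body.get("postalCode", "").strip()
    if body.get("step") == "PostAttributeCollection" and not POSTAL_CODE_RE.match(postal):
        # Input validation: B2C re-renders the attribute page with this message.
        return 400, {"version": "1.0.0", "action": "ValidationError", "status": 400,
                     "userMessage": "Please enter a 5-digit postal code."}

    # Continue, and overwrite/return claims: the normalised postal code plus an assumed
    # custom attribute written to the new account.
    return 200, {"version": "1.0.0", "action": "Continue",
                 "postalCode": postal, EXT_PREFIX + "Tier": "standard"}


class ConnectorHandler(BaseHTTPRequestHandler):
    """Minimal HTTP wrapper around handle_sign_up for local testing."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
        except json.JSONDecodeError:
            body = {}
        status, resp = handle_sign_up(dict(self.headers.items()), body)
        data = json.dumps(resp).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # B2C only calls HTTPS endpoints; plain HTTP here is for local testing behind a TLS proxy.
    HTTPServer(("127.0.0.1", 8080), ConnectorHandler).serve_forever()
```

Two points a practitioner should keep: the credential check runs before any attribute is read, so an unauthenticated caller cannot probe the allowlist or validation rules, and a non-2xx/400 status is treated by B2C as a failure of the connector rather than as a decision, which is why the unauthorized branch returns no decision body at all.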

Azure Active Directory External Identities now has premium advanced security settings for B2C Generally Available

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Risk-based Conditional Access and risk detection features of Identity Protection are now available in Azure AD B2C. With these advanced security features, organizations can now:

  • Leverage intelligent insights to assess risk with B2C apps and end user accounts.
    Detections include atypical travel, anonymous IP addresses, malware-linked IP addresses, and Azure AD threat intelligence. Portal and API-based reports are also available.
  • Automatically address risks by configuring adaptive authentication policies for B2C users.
    App developers and administrators can mitigate real-time risk by requiring multi-factor authentication (MFA) or blocking access depending on the user risk level detected, with additional controls available based on location, group, and app.
  • Integrate with Azure AD B2C user flows and custom policies.
    Conditions can be triggered from built-in user flows in Azure AD B2C or can be incorporated into B2C custom policies. As with other aspects of the B2C user flow, end user messaging can be customized to the organization's voice, brand, and chosen mitigations.

State property for connected organizations in entitlement management Generally Available

Service category: Directory Management
Product capability: Entitlement Management

All connected organizations will now have an additional property called State. The state will control how the connected organization will be used in policies that refer to "all configured connected organizations". The value will be either:

  1. configured
    The organization is in the scope of policies that use the "all configured connected organizations" clause.
  2. proposed
    The organization is not in scope.

Manually created connected organizations default to configured. Automatically created ones (created via policies that allow any user from the internet to request access) default to proposed. Any connected organizations created before September 9, 2020 are set to configured. Admins can update this property as needed.

View role template ID in Azure portal UI Generally Available

Service category: Azure roles
Product capability: Access Control

You can now view the template ID of each Azure AD role in the Azure portal. In Azure AD, open the description of the selected role; the template ID is shown there.

Microsoft recommends that customers use role template IDs in their PowerShell scripts and code instead of the display name: the template ID is the same in every tenant and does not change when a role is renamed. Role template IDs are supported on the directoryRoles and roleDefinition objects.

Provisioning logs can now be streamed to log analytics

Service category: Reporting
Product capability: Monitoring & Reporting

Provisioning logs are now available to be streamed to a Log Analytics workspace. This way organizations can:

  • Store provisioning logs for more than 30 days
  • Define custom alerts and notifications
  • Build dashboards to visualize the logs
  • Execute complex queries to analyze the logs

What’s Changed

Provisioning logs can now be viewed by application owners

Service category: Reporting
Product capability: Monitoring & Reporting

Organizations can now allow application owners to monitor activity by the provisioning service and troubleshoot issues without providing them a privileged role or making IT a bottleneck.

Renaming 10 Azure Active Directory roles

Service category: Azure roles
Product capability: Access Control

Some Azure Active Directory (AD) built-in roles have names that differ from those that appear in the Microsoft 365 admin center, the Azure AD portal, and Microsoft Graph. This inconsistency can cause problems in automated processes. Microsoft has renamed 10 roles to make the names consistent:

Changes to built-in roles (table of old and new role names)
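The role template ID recommendation above and this rename are two sides of the same problem: automation that matches roles by display name silently stops finding them after a rename, while the template ID keeps working. The following is an added example, not code from the page or from Microsoft, that shows this against constructed data. The two snapshots are shaped like trimmed Microsoft Graph GET /directoryRoles responses before and after a rename; the old and new names in them are illustrative and not taken from the page's table, and the member lists and object IDs are constructed. The template IDs are the publicly documented values for Global Administrator and User Administrator.

```python
"""Resolve Azure AD directory roles by roleTemplateId, not displayName (added example)."""

GLOBAL_ADMIN_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"  # well-known template ID
USER_ADMIN_TEMPLATE = "fe930be7-5e62-47db-91af-98c3a49a38b1"    # well-known template ID
PRIVILEGED_TEMPLATES = {GLOBAL_ADMIN_TEMPLATE, USER_ADMIN_TEMPLATE}

# Constructed snapshots of GET /directoryRoles (only activated roles are listed there).
# Object ids are tenant-specific but stable; display names are neither.
ROLES_BEFORE = {"value": [
    {"id": "1b0a5f5e-1111-4c3e-9d8a-0000000000a1", "displayName": "Company Administrator",
     "roleTemplateId": GLOBAL_ADMIN_TEMPLATE},
    {"id": "1b0a5f5e-2222-4c3e-9d8a-0000000000b2", "displayName": "User Account Administrator",
     "roleTemplateId": USER_ADMIN_TEMPLATE},
]}
ROLES_AFTER = {"value": [
    {"id": "1b0a5f5e-1111-4c3e-9d8a-0000000000a1", "displayName": "Global Administrator",
     "roleTemplateId": GLOBAL_ADMIN_TEMPLATE},
    {"id": "1b0a5f5e-2222-4c3e-9d8a-0000000000b2", "displayName": "User Administrator",
     "roleTemplateId": USER_ADMIN_TEMPLATE},
]}

# Constructed GET /directoryRoles/{id}/members results, keyed by role object id.
MEMBERS = {
    "1b0a5f5e-1111-4c3e-9d8a-0000000000a1": [
        {"userPrincipalName": "breakglass@contoso.example"},
        {"userPrincipalName": "alice@contoso.example"},
    ],
    "1b0a5f5e-2222-4c3e-9d8a-0000000000b2": [
        {"userPrincipalName": "bob@contoso.example"},
    ],
}


def role_by_display_name(roles, name):
    """The fragile way: breaks as soon as the role is renamed."""
    return next((r for r in roles["value"] if r["displayName"] == name), None)


def role_by_template_id(roles, template_id):
    """The stable way: the template ID survives renames and is identical in every tenant."""
    return next((r for r in roles["value"] if r["roleTemplateId"] == template_id), None)


def renamed_roles(before, after):
    """Join two snapshots on roleTemplateId and report (template_id, old_name, new_name)."""
    old = {r["roleTemplateId"]: r["displayName"] for r in before["value"]}
    return [(r["roleTemplateId"], old[r["roleTemplateId"]], r["displayName"])
            for r in after["value"]
            if r["roleTemplateId"] in old and old[r["roleTemplateId"]] != r["displayName"]]


def privileged_members(roles, members):
    """Audit privileged role membership keyed by template ID, so a rename cannot hide a member."""
    result = {}
    for role in roles["value"]:
        if role["roleTemplateId"] in PRIVILEGED_TEMPLATES:
            result[role["roleTemplateId"]] = sorted(
                m["userPrincipalName"] for m in members.get(role["id"], []))
    return result


if __name__ == "__main__":
    for template_id, old_name, new_name in renamed_roles(ROLES_BEFORE, ROLES_AFTER):
        print(f"{template_id}: '{old_name}' -> '{new_name}'")
    print("by display name after rename:", role_by_display_name(ROLES_AFTER, "Company Administrator"))
    print("by template ID after rename: ", role_by_template_id(ROLES_AFTER, GLOBAL_ADMIN_TEMPLATE)["id"])
    print(privileged_members(ROLES_AFTER, MEMBERS))
```

When fetching live data, request the role by its template ID rather than listing and filtering by name; the v1.0 Graph endpoint accepts the template ID as an alternate key (GET /directoryRoles(roleTemplateId='…')), and the same ID is what an AzureAD PowerShell script passes to Enable-AzureADDirectoryRole when a role has not yet been activated in the tenant.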

Updates to Remember Multi-Factor Authentication (MFA) on a trusted device setting

Service category: Multi-factor Authentication (MFA)
Product capability: Identity Security & Protection

Microsoft has updated the remember Multi-Factor Authentication (MFA) on a trusted device setting so that the remembered period can be configured for up to 365 days, up from the previous maximum of 60 days.

Organizations with Azure Active Directory (Azure AD) Premium licenses can also use the Conditional Access sign-in frequency control, which offers more flexible reauthentication settings. For the best user experience, Microsoft recommends using Conditional Access sign-in frequency to extend session lifetimes on trusted devices, from trusted locations, or for low-risk sessions, as an alternative to the remember MFA on a trusted device setting.

Azure AD B2C support for auth code flow for SPAs using MSAL JS 2.x

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

MSAL.js version 2.x now includes support for the authorization code flow for single-page web apps (SPAs). Azure AD B2C will now support the use of the SPA app type on the Azure portal and the use of MSAL.js authorization code flow with PKCE for single-page apps. This will allow SPAs using Azure AD B2C to maintain SSO with newer browsers and abide by newer authentication protocol recommendations.
