Azure AD Connect Custom Settings vs Express Settings

Azure AD Connect

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAPv3-based identity platforms to Azure Active Directory.

During installation, Azure AD Connect offers a choice. This is the first choice and also the most fundamental choice for Azure AD Connect:

Microsoft Azure Active Directory Connect - Express Settings (click for original screenshot)

  • You can Use express settings
  • You may Customize the installation

Many customers have opted to install Azure AD Connect with Express Settings. This four-click setup has a couple of advantages to the more elaborate Custom Settings installation options.

The below table offers an overview of the differences between using express settings and customizing Azure AD Connect, based on Azure AD Connect version 1.1.654.0, released on December 12, 2017:

Azure AD Connect Express Settings vs. Custom Settings in terms of Sign-in methods (Password Hash Sync, Active Directory Federation Services, Pass-through Authentication and Seamless Single Sign-On), installation options (like choosing a SQL Server, service account and alternative groups), Multi-Factor Authentication, Privileged Identity Management, Filtering options (like Domain-, OU- and group-based filtering and Minsync), but also optional features like Hybrid Exchange, Public Folders, Self-Service Password Reset, Write-back for Office Groups and devices and Synchronization of your own Active Directory Schema Extensions.

The fourth column depicts whether you can change the setting after initial installation and subsequent configuration runs. Your mileage may vary on the outcome, though.

By default, Azure AD Connect configures Password Hash Sync (PHS) as the sign-in method. This option synchronizes hashes of on-premises hashes in Active Directory Domain Services (AD DS) to Azure AD for all user and inetorgperson objects in scope. When you migrate off this Same Sign-on (SSO) method to one of the Single Sign-On (SSO) options, like Active Directory Federation Services (AD FS) and Pass-through Authentication (PTA), these synchronized values won’t magically disappear.

As you can see, the Custom Settings installation option allows you to optionally (re)use a (group) managed service account (gMSA). This option was added to Azure AD Connect version 1.1.443.0, back in March 2017. It’s described here.

As shown, when you Use express settings,

  • You can’t later on change the installation path.
  • You can’t switch to using Microsoft SQL Server instead of the default SQL Server Express installation to host the database for Azure AD Connect.
  • You can’t switch the service account running the Azure AD Connect service and connecting to the SQL Server back-end through the Azure AD Connect Wizard. However, you can change the credentials used to communicate with Active Directory Domain Services (AD DS) and Azure AD in the Synchronization Manager.
  • You can’t change the names of the four local groups that will be created on the Windows Server installation running Azure AD Connect.

If you want to make these changes, you will need to uninstall Azure AD Connect and reinstall Azure AD Connect, or create a new Azure AD Connect installation in Staging Mode, and switch the active Azure AD Connect installation.

 

Concluding

Haste trips over its own heels.

Getting Office 365 and Azure Active Directory to work in a mere four clicks sounds fantastic, but when you want to change things later on, you might find yourself doing work twice.

Posted on March 23, 2018 by Sander Berkouwer in Active Directory, Azure Active Directory, Best Practices, Office 365

0  

Pro Tip! Use the claim rules from ADFSHelp for your ‘Office 365 Identity Platform’ Relying Party Trust

Whenever I talk about the claim rules in Active Directory Federation Services (AD FS) for the ‘Office 365 Identity Platform’ Relying Party Trust (RPT), between the on-premises AD FS implementation and Azure AD, I get the following question:

How do we manually set up the advanced claim rules that Azure AD Connect configures automatically?

Let’s look at the ways to set up the Relying Party Trust and how to do it in a way that benefits you and your organization the most.

 

About Relying Party Trusts

Active Directory Federation Services (AD FS) utilizes Relying Party Trusts (RPTs) to define trust relationships between applications (and sometimes identity hubs, towards their applications) and itself, as a security token service for its identity provider (IdP), which most of the times is Active Directory Domain Services (AD DS).

Whenever a person accesses an application that has a Relying Party Trust (RPT) in AD FS, and expresses to use his/her account in your Active Directory, the device is redirected to AD FS for authentication. AD FS will talk Kerberos to AD DS and then translate the information into claims, using the claims rules. The claims are sent from AD FS to the device. Then, the device sends them to the application to authenticate to the application (or the identity hub), based on the trust relationship.

The claim rules indicate the contents of the claims tokens that are being exchanged. As such, they play a vital role in authorization.

 

Ways to create the Relying Party Trust

When you want to take advantage of a Relying Party Trust towards Azure AD and onwards to Office 365, any of the 2900+ Azure AD-integrated applications, or your own apps, there are three ways to set it up:

  1. Configure the Relying Party Trust using PowerShell
  2. Configure the Relying Party Trust using Azure AD Connect
  3. Configure the Relying Party Trust manually

 

PowerShell

To setup the ‘Office 365 Identity Platform’ Relying Party Trust using Windows PowerShell, you can use the Convert-MSOLDomainToFederated Cmdlet from the MSOnline PowerShell Module.

If you haven’t installed the MSOnline PowerShell Module on your system, yet, run the following PowerShell one-liner, once:

Install-Module MSOnline -Force

Then, execute these lines, after you’ve changed the grayed-out DNS Domain Name with your information, on the (primary) AD FS Server in the AD FS Farm:

Import-Module MSOnline

Import-Module ADFS

Connect-MSOLService

Convert-MsolDomainToFederated -DomainName domain.tld -SupportMultipleDomain

 

Each of these three actions triggers the automatic creation of the ‘Office 365 Identity Platform’ Relying Party Trust with default rules:

  • When you convert the first DNS Domain Name in Azure AD to federated in the context of the AD FS Farm specified using Convert-MSOLDomainNameToFederated.
  • When you update the first DNS Domain Name in Azure AD to be federated to the AD FS Farm specified, after being federated to another AD FS Farm previously using Update-MSOLFederatedDomain.
  • When you create a new DNS Domain Name in Azure AD to be federated to the AD FS Farm specified using New-MSOLFederatedDomain.

The rules created by the MSOnline PowerShell module are basic.

 

Azure AD Connect

Microsoft’s Azure AD Connect tool also offers to manage Active Directory Federation Services (AD FS). You can:

  • Setup and configure AD FS Servers and Web Application Proxies from Azure AD Connect, specifying hosts and settings for the AD FS Farm.
  • Change or set the sign-in options to Federation and point to a previously configured AD FS Farm to start managing its Azure AD and Office 365 settings using Azure AD Connect.

Using Azure AD Connect results in more extensive claims rules for the ‘Office 365 Identity Platform’ Relying Party Trust, including claim rules to specify the mS-DS-ConsistencyGUID user attribute as source anchor with the ObjectGUID attribute as fall-back.

The claim rules created are subject to the version of Azure AD Connect used to configure the RPT. Currently, version 1.1.654.0 is the most recent version available for download, which is 3 months old. Hence, the claims rules logic is 3 months old.

 

Manually

Creating Relying Party Trusts (RPTs) manually is not something I can recommend. However, updating RPTs manually, is something I do nearly every day. This is also the situation where the question in the first paragraph stems from. However, there are a couple more questions to ask:

How do I gain access to the latest claim rules for the ‘Office 365 Identity Platform’ RPT?

Previously, we used a development instance of Azure AD Connect with a development Azure AD tenant to investigate the rules. However, Microsoft has created new functionality in the adfshelp.microsoft.com ADFSHelp Portal:

The ADFSHelp Portal in Microsoft Edge (click for larger screenshot)

ADFSHelp ToolsIn the Tools section, there is now a Claims Generator wizard labeled Azure AD RPT Claim Rules, that will help you get optimized claims rules for the ‘Office 365 Identity Platform’ RPT.

The wizard asks you for the source anchor (Immutable ID) you’d want to use, where your choices include ‘ObjectGUID’, ‘ms-Ds-consistencyGuid with fallback to ObjectGUID’ and ‘Other’. Then, you can specify the attribute that users will use to sign into Azure AD. ‘userPrincipalName’ is default, but you can specify ‘Alternate ID’. To offer multiple domain support, question 3 asks you if you have multiple domains. If you do, you can specify multiple DNS Domain Names in Azure AD, or upload a *.csv file with the information needed. The last button is aptly labeled ‘Generate claims’.

How do I implement these claim rules without the risk of mistyping the rules?

After you use the wizard, you have two options. You can copy a Windows PowerShell script that will target the ‘Office 365 Identity Platform’ RPT and will update the claims rules for it.

Alternatively, the rules themselves are also displayed. You can compare them to the output of  the Get-ADFSRelyingPartyTrust PowerShell Cmdlet to see if you actually have to update the claims rules. You might already run the latest rules, right?

ADFSHelp FeedbackHow do I provide feedback on the functionality of the claim rules?

The adfshelp.microsoft.com ADFSHelp Portal offers a Feedback option. You can leave behind any feedback you have, whether it is a problem, suggestion or something general.

 

Concluding

Microsoft now offers the adfshelp.microsoft.com ADFSHelp Portal with useful functionality.

Throughout the past years, we’ve been discussing Active Directory Federation Services (AD FS), Azure Active Directory and Office 365. I’ve provided tips and you’ve provided feedback and additional questions. I’m very pleased with the interaction we’ve got going. Let’s keep that up!

Posted on March 21, 2018 by Sander Berkouwer in Active Directory Federation Services, Azure Active Directory, Best Practices, Tools I Use

2  

KnowledgeBase: You receive error 801c0003 when you try to Azure AD Join a device during the Out-of-the-Box Experience (OOBE)

Sometimes, error codes for Microsoft products and technologies are really straightforward. Especially in situations where you have limited to no troubleshooting options, like the Windows Out-of-the-Box Experience (OOBE), this might prove difficult to solve.

Today, let’s look at one of the most common errors you might encounter when you try to Azure AD Join a Windows 10-based device:

Something went wrong. This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code 801c0003 (click for original screenshot)

 

The situation

For any organization using an Azure Active Directory tenant, Azure AD Join is enabled by default. This functionality allows your users to designate the Windows installation on devices they trust, as trusted device for single sign-on (SSO). The only thing these users, by default, need is a user object in Azure Active Directory.

Windows 10 offers two built-in methods for users to join their devices to Azure AD:

  1. In the Out-of-the-Box Experience (OOBE)
  2. In the Settings app

In both situations, the user account used for the Azure AD Join gains local administrator privileges, as Azure AD Join is seen as a Bring Your Own Device (BYOD) scenario by Microsoft.

 

The error

When a person tries to register another Windows 10 device to Azure AD using their user account, he or she receives an error stating:

Something went wrong.

This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code 801c0003 (click for original screenshot)

 

The cause

The person receives the error, because he or she has reached the limit of maximum allowed devices to Azure AD Join.

By default, Azure Active Directory enforces a limit of 20 devices for any user object to join. It even enforces this limit on privileged users, like users with the Global Admin role.

This arbitrary value was chosen, because, by default, Azure AD-joined devices are not removed after an idle time-out. It closely resembles the default behavior of the 10-devices limit in Active Directory Domain Services (AD DS) for non-admins, but because Azure AD is at least twice as good as good ol’ AD DS, I guess the team settled on 20.

For organizations using Microsoft Intune and automatic device enrollment, the 20-device limit makes sense, because of the restrictions in licensed devices within Intune licenses assigned to users.

 

The solutions

As an admin, you can prevent the error from occurring in four separate ways:

Disable Azure AD Join

We encounter Azure AD usage like Azure AD Join in many organizations that have simply synchronized objects from Active Directory Domain Services to enable access to Office 365. Their admins would typically have chosen to use Express Settings with Azure AD Connect and go with Azure AD’s default settings, which results in the scenario where every user can use this functionality, but admin oversight.

To disable Azure AD Join, follow these steps:

  • Open your browser and navigate to https://portal.azure.com
  • Sign in with a user account in your Azure Active Directory tenant with at least Global Administrator privileges. Perform multi-factor authentication, when prompted.
  • In the left navigation pane, click Azure Active Directory.
  • In the new pane that emerges, click Devices.
  • In the Devices pane, click Device settings.
  • Select None for the switch labeled Users may join devices to Azure AD. This will apply to all Windows 10-based devices
  • Select None for the switch labeled Users may register their devices with Azure AD. This will also disable Azure-based Workplace Join for iOS and Android devices, as well as legacy Windows versions like Windows 7 and Windows 8.1.
  • Click Save.
  • Close the browser.

This way, as an admin, you don’t have to deal with these settings just yet. Note, however, that the above two switches do not apply to device synchronization in Azure AD Connect.

Make users join their own devices

In other organizations, admins may use their account to Azure AD join devices. This way, they circumvent the default BYOD behavior of local admin rights to the user account belonging to the person joining the device.

Indeed, the admin is the only person with local administrator rights on these devices, but it breaks the model in organizations that (later on decide to) implement Microsoft Intune.

Although every Microsoft feature, product and technology is used in ways that wasn’t envisioned by Microsoft, this is not a feature you want to abuse this way. When you want to leverage Azure AD Join, allow your users to join their devices using their user accounts.

Up the device limit

Of course, you can also up the Azure AD Join device limit. Follow these steps to do so:

  • Open your browser and navigate to https://portal.azure.com
  • Sign in with a user account in your Azure Active Directory tenant with
    at least Global Administrator privileges. Perform multi-factor authentication,
    when prompted.
  • In the left navigation pane, click Azure Active
    Directory    .
  • In the new pane that emerges, click Devices.
  • In the Devices pane, click Device
    settings    .
  • Select your favorite number for the value labeled Maximum number of devices per user. Values include 5, 10, 20 ,50, 100 and Unlimited.

Change the Azure AD Join Device Limit (click for the original screenshot)

  • Click Save.
  • Close the browser.

Delete some devices

Another way is to delete some of the devices from Azure AD for the person encountering the error. As there is no way for users to self-manage their Azure AD-joined device, you can channel your inner BOFH and delete some of the devices the person no longer needs(and their associated BitLocker recovery information).

Perform these actions:

  • Open your browser and navigate to https://portal.azure.com
  • Sign in with a user account in your Azure Active Directory tenant with
    at least Global Administrator privileges. Perform multi-factor authentication,
    when prompted.
  • In the left navigation pane, click Azure Active
    Directory    .
  • In the new pane that emerges, click Devices.
  • Either Search by name from the top bar, or sort the information on devices using the Owner field.
  • Select a device at random of confer with the person on a suitable device. Click on the three little dots on the end of the line for your device of choice. Select Delete from the context-menu.
  • Close the browser.

 

Concluding

As an admin you can help colleagues encountering error 801c0003 when they try to Azure AD Join another device in the Out-of-the-Box Experience (OOBE) in several ways.

Further reading

Managing devices using the Azure portal
Error code 801c0003

Posted on March 20, 2018 by Sander Berkouwer in Azure Active Directory, KnowledgeBase Articles, Microsoft Windows 10

1  

Veeam Availability Suite 9.5 Update 3 offers great functionality

Veeam Availability Suite 9.5 Update 3

In many organizations, when a vendor releases an update to their product, no one bats an eye. However, when a new version is released, suddenly, everything must change.

On one hand we’re seeing massive breaches due to this budgeting, political or time game, because organizations simply don’t install minor security updates. On the other hand, we’re seeing organizations miss out on incredible functionality, delivered as part of these same updates. In some rare cases, like Exchange Server 2010’s Cumulative Update 7, we’re seeing huge barriers for adoption because of an (Active Directory Forest Functional Level) requirement.

I’ll admit I’m part of the problem, too.

Long ago, I’ve stopped installing updates in the same week they are released. I still feel I’m installing updates in a timely fashion, since I’m installing them in the same month they’re released or the same quarter for non-critical infrastructure. However, when everyone would follow that path, we would still have the problem of out of whack and pulled updates… just one week or two weeks later…

 

Our experiences with Update 3

Although Veeam Availability Suite 9.5 Update 3 has been released nearly two months ago, and Veeam’s update notification service has been alerting for it for the last month, I’ve only recently started rolling it out to our Veeam Backup and Replication implementation.

This has been an undivided joy and brought incredible functionality.
Below are our experiences:

Centralized management

As you may recall, Veeam’s starting point was backup for virtual machines on VMware-based virtualization platforms. With Veeam Availability Suite 9.5 Update 3, Veeam have centralized data protection for physical, virtual and multi-cloud workloads.

You can now deploy and manage Veeam Agent for Microsoft Windows installations, directly from the Veeam Backup and Replication console and deploy and manage Veeam Agent for Linux installations, directly from the Veeam Backup and Replication console, too.

This is a big change to the way the Veeam Agents operated before. Previously, you had to deploy the Veeam Agents manually (or by script), manage them individually, but you could have them create backups to the Veeam Backup Vault you’d use for your virtual infrastructure.

This approach of a single pane of glass adds profound productivity to our backup admin team.

Additional licenses

With the release of Update 3, Veeam has sent all Veeam customers a 6 months no-cost license key for Veeam Agents for Windows and Linux, as well as for Veeam Backup for Office 365. This is to help organizations run an extended evaluation to see if they can completely replace whatever legacy backup solutions they’re using for those remaining physical servers, cloud instances and Microsoft Office 365 with Veeam.

 

Concluding

Veeam Availability Suite 9.5 Update 3 contains many more features and fixes, but the ones above are the ones important to us. Needless to say,

I feel Update 3 is a major update, that I feel any mixed organization using Veeam should update to.

We encountered no issues in our setup.

Note:
We kept using our current SQL Server cluster, so the new support for SQL Server 2017 wasn’t something we’d use, but it’s good to know Veeam supports it when we upgrade the SQL Cluster later this year.

Note:
Direct Restore to Azure is currently not a part of our Veeam availability strategy.

Related blogposts

The Veeam Agent for Microsoft Windows Free is amazing. Let me tell you why.
Your Exchange Online Contingency Plan is here with Veeam Backup for Office 365

Further reading

Veeam Backup and Replication 9.5 Update 3 Released New Features
Veeam Backup & Replication 9.5 Update 3 New Features

Posted on March 19, 2018 by Sander Berkouwer in Veeam

0  

I’m speaking at the Amsterdam Microsoft Tech Summit

Microsoft Tech Summit

As part of a global series of events, on Wednesday March 28 and Thursday March 30, Microsoft hosts the Tech Summit in the Amsterdam RAI.

Since, from a global point of view, this event takes place in my backyard, I’ll be there as an Ask the Expert, together with many of my Dutch MVP peers. Additionally, I’ll pick up the tab for a GDPR-inspired session and redeliver my Microsoft Ignite theater session for all to enjoy.

 

About the Microsoft Tech Summit

Microsoft Tech Summit is a free, two-day technical training for IT professionals and developers with experts who build the cloud services across Microsoft Azure, Office 365, and Windows 10.

Whether you know your way around the cloud or just getting started, learn from over 50 technical training sessions and hands-on labs to help you build your cloud skills. Deep dive into the latest innovations covering a range of topics across Microsoft Azure and the hybrid platform including security, networking, data, storage, identity, mobile, cloud infrastructure, management, DevOps, app platform, productivity, collaboration and more.

Connect with Microsoft engineering experts from Redmond, technology partners and your industry peers who can help you get the most out of the cloud.

 

Ask us questions at the Enterprise Mobility Booth

At the Amsterdam Microsoft Tech Summit, several booths will be available for you to ask questions on your favorite technologies and products. There’s booths for Business Solutions, Office Services, Data Platform, Windows Development, Cloud & Datacenter Management, Azure and Enterprise Mobility.

Ronny de Jong and I are your booth babes for the Enterprise Mobility booth. Sarcastic smile
You can ask us your enterprise mobility questions on Azure Active Directory, Hybrid Identity, Azure Information Protection, Cloud App Security, Advanced Threat Analytics, Advanced Threat Protection and Intune.

We’ll both be around both days, but alternating our presence at the booth.

 

About my presentations

I’ll deliver a GDPR-inspired session and redeliver my 20-minute theater session from Microsoft Ignite:

Accelerate your GDPR compliance with Microsoft 365

Elicium 2, Thursday March 29 10:45 – 11:45AM

Learn how the General Data Protection Regulation (GDPR) law imposes new rules on companies, government agencies, and other organizations that offer goods and services to people in the EU or that collect and analyze data died to EU residents. This session discusses those requirements, and how certain Office products map to these capabilities in the service.

Four most common mistakes with AD FS and Hybrid Identity

Theater, Thursday March 29, 1:30PM

Many organizations have deployed Active Directory Federation Services. Working with them, revealed a pattern of common misconfigurations and misconceptions on deployment and management of AD FS, resulting in serious problems. Here’s our top four from the field, so you won’t have to experience them.

Did you miss one of the best-rated theater sessions at Microsoft Ignite 2017? No worries, here’s your redelivery.

 

Join us!

Registration for the Amsterdam Microsoft Tech Summit is free, and there’s still (a couple of) tickets available.

I hope to see you in Amsterdam!

Posted on March 14, 2018 by Sander Berkouwer in Community, Microsoft MVP, Personal

0  

I am a 2018 Veeam Vanguard

Veeam Vanguard

This morning, I received an e-mail from Rick Vanover from Veeam congratulating me with being selected for the 2018 Veeam Vanguard Program by the Veeam Vanguard team.

For me, it means I successfully renewed my previous 2 Veeam Vanguard Awards, dating back to 2016. I still remain one of the three Dutch Veeam Vanguards, together with Joep Piscaer and Arne Fokkema.

I feel honored.

 

About Veeam Vanguards

The Vanguard program is led by the Veeam Technical Product Marketing & Evangelism team and supported by the entire company. It’s a program around the community of Veeam experts that truly get Veeam’s message, understand Veeam’s products and are Veeam’s closest peers in IT.

Veeam Vanguard represent Veeam’s brand to the highest level in many of the different technology communities. These individuals are chosen for their acumen, engagement and style in their activities on and offline.

There’s a full list of Veeam Vanguards here.

Posted on March 6, 2018 by Sander Berkouwer in Community, Personal, Veeam Vanguard

0  

Azure AD Connect v1.1.749.0 adds Privacy and Security Controls

Azure AD Connect

Last week, Microsoft released version 1.1.749.0 of Azure AD Connect, its free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments to Azure Active Directory.

This version adds privacy controls, additional security controls, a wizard page for device write-back and other miscellaneous fixes.

 

What’s New

Privacy settings and notifications

The team added Privacy Settings for the General Data Protection Regulation (GDPR). For GDPR compliance, Microsoft is required to indicate the kinds of customer data that are shared with Microsoft (telemetry, health, etc.),, have links to detailed online documentation, and provide a way to our customers to change their preferences. This version of Azure AD Connect adds the following:

  • A data sharing and privacy notification on the End-user License Agreement (EULA) page of the Azure AD Connect Wizard when you perform a clean install.
  • A data sharing and privacy notification on the upgrade page when you perform an upgrade.
  • A new additional task, labeled “Privacy Settings”, where admins can change their preferences.

Toggle for application telemetry

Azure AD Connect admins can now switch off the exchange of application telemetry between Azure AD Connect and Azure Active Directory.

Azure AD Health data review

An Azure AD Connect Health admin are required to visit the health portal to control their health settings. Once the service policy has been changed, the agents will read and enforce it.

Device write-back configuration

The Azure AD Connect Configuration Wizard now allows admins to perform Device Write-back configuration actions. A progress bar for page initialization is also added.

Improved General Diagnostics

Microsoft improved the general diagnostics with HTML report and full data collection in a ZIP-Text / HTML Report.

Improved reliability of auto-upgrades

Microsoft improved the reliability of the Automatic Upgrade functionality and added additional telemetry to ensure the health of the server can be determined.

Restricted permissions on the AD Connector account

Azure AD Connect restrict permissions available to privileged accounts on the AD Connector account. For new installations, the wizard will restrict the permissions that privileged accounts have on the AD Connector account after creating it.

Note:
This change only applies to Express installations of Azure AD Connect and Custom Azure AD Connect installations with an automatically created service account in Active Directory

No SA privileges required for clean installations

The Azure AD Connect team changed the installer so it no longer requires SA privilege on clean install of Azure AD Connect.

Troubleshoot synchronization for a specific object

Microsoft added a new utility to troubleshoot synchronization issues for a specific object. It is available as part of the “Troubleshoot Object Synchronization” option of Azure AD Connect’s Troubleshoot Additional Task. Currently, the utility checks for the following:

  • UserPrincipalName mismatch between synchronized user object in the Active Directory Domain Services (AD DS) environment and the user account in the Azure AD Tenant.
  • If the object is filtered from synchronization due to domain filtering
  • If the object is filtered from synchronization due to organizational unit (OU) filtering

Synchronize the current password hash for a specific user

Microsoft added a new utility to synchronize the current password hash stored in the on-premises Active Directory Domain Services (AD DS) environment for a specific user account.

 

What’s Fixed

Microsoft fixed the timing window on background tasks for Partition Filtering page when  switching to next page.

Microsoft fixed a bug that caused an Access violation during the ConfigDB custom action.

Microsoft fixed a bug to recover from SQL connection time-outs.

Microsoft fixed a bug where certificates with SAN wildcards failed a prerequisite check.

Microsoft fixed a bug which caused miiserver.exe to crash during an Azure AD connector export.

Microsoft fixed a bug which bad password attempt logged on a Domain Controller when running the Azure AD Connect wizard to change the configuration.

 

Version information

This is version 1.1.749.0 of Azure AD Connect.
It was signed off on on February 17, 2018.

 

Will you get it?

This release is currently distributed to a small and random section of Azure AD Connect tenants that have enabled auto-upgrade. Microsoft intends to expand this group of tenants in the coming weeks until 100% of our auto-upgrade customers have received this release. Microsoft expects to achieve full coverage of auto-upgrade tenants mid March 2018.

When all auto-upgrade tenants have upgraded, Microsoft will release Azure AD Connect version 1.1.749.0 for general download here.

Posted on March 1, 2018 by Sander Berkouwer in Active Directory, Azure Active Directory, Best Practices, Tools I Use, What's New

0  

What’s New in Azure Active Directory for February 2018

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for February 2018:

What’s New

Availability of sign-ins and audit reports in Azure in China

Service category: Sovereign Clouds
Product capability: Monitoring & Reporting

Azure AD Activity log reports are now available in the Azure in China sovereign instance (codename “Mooncake”). The following logs are included:

  • Sign-ins activity logs – Includes all the sign-ins logs associated with your tenant.
  • Self service Password Audit Logs – Includes all the SSPR audit logs.
  • Directory Management Audit logs – Includes all the directory management related audit logs like User management, App Management, and others.

With these logs, you can gain insights into how your environment is doing. The provided data enables you to:

  • Determine how your apps and services are utilized by your users.
  • Troubleshoot issues preventing your users from getting their work done.

Use the “Report Reader” role to view Azure AD Activity Reports

Service category: Reporting
Product capability: Monitoring & Reporting

As part of customers feedback to enable non-admin roles to have access to Azure AD activity logs, we have enabled the ability for users who are in the “Report Reader” role to access Sign-ins and Audit activity within the Azure Portal as well as using our Graph APIs to this purpose.

EmployeeID claim available as user attribute and user identifier

Service category: Enterprise Apps
Product capability: SSO

You can configure EmployeeID as the User identifier and User attribute for member users and B2B guests in SAML-based sign-on applications from the Enterprise application UI.

 

Simplified Application Management using Wildcards in Azure AD Application Proxy

Service category: App Proxy
Product capability: User Authentication

To make application deployment easier and reduce your administrative overhead, we now support the ability to publish applications using wildcards. To publish a wildcard application, you can follow the standard application publishing flow, but use a wildcard in the internal and external URLs.

 

New Windows PowerShell Cmdlets to support configuration of Application Proxy

Service category: App Proxy
Product capability: Platform

The latest release of the AzureAD PowerShell Preview module contains new cmdlets that allows customers to configure Application Proxy Applications using PowerShell.

The new cmdlets are:

  • Get-AzureADApplicationProxyApplication

  • Get-AzureADApplicationProxyApplicationConnectorGroup

  • Get-AzureADApplicationProxyConnector

  • Get-AzureADApplicationProxyConnectorGroup

  • Get-AzureADApplicationProxyConnectorGroupMembers

  • Get-AzureADApplicationProxyConnectorMemberOf

  • New-AzureADApplicationProxyApplication

  • New-AzureADApplicationProxyConnectorGroup

  • Remove-AzureADApplicationProxyApplication

  • Remove-AzureADApplicationProxyApplicationConnectorGroup

  • Remove-AzureADApplicationProxyConnectorGroup

  • Set-AzureADApplicationProxyApplication

  • Set-AzureADApplicationProxyApplicationConnectorGroup

  • Set-AzureADApplicationProxyApplicationCustomDomainCertificate

  • Set-AzureADApplicationProxyApplicationSingleSignOn

  • Set-AzureADApplicationProxyConnector

  • Set-AzureADApplicationProxyConnectorGroup

 

What’s Changed

Applications supporting Intune App

Protection policies added for use with Azure AD application-based conditional access

Service category: Conditional Access
Product capability: Identity Security & Protection

We have added more applications that support application-based conditional access. Now, you can get access to Office 365 and other Azure AD-connected cloud apps using these approved client apps.

The following applications will be added by the end of February

  • Microsoft PowerBI
  • Microsoft Launcher
  • Microsoft Invoicing

Terms of Use update to mobile experience

Service category: Terms of Use
Product capability: Governance

When the terms of use are displayed, you can now click Having trouble viewing? Click here. Clicking this link opens the terms of use natively on your device. Regardless of the font size in the document or the screen size of device, you can zoom and read the document as needed.

What’s Planned

Improved navigation for managing users and groups

Service category: Directory Management
Product capability: Directory

The navigation experience for managing users and groups will be streamlined.
You can navigate from the directory overview directly to the list of all users, with easier access to the list of deleted users. You can also navigate from the directory overview directly to the list of all groups, with easier access to group management settings. And also from the directory overview page, you can search for a user, group, enterprise application, or app registration.

Posted on February 27, 2018 by Sander Berkouwer in Azure Active Directory, What's New

0  

Windows Server 2016’s February 2018 Quality Update comes highly recommended for AD FS Servers and Web Application Proxies

Windows Server 2016

Windows Server 2016’s February 2018’s Cumulative Quality Update, bringing the OS version to 14393.2097, offers several fixes for Secure Token Servers (STSs) running Active Directory Federation Services (AD FS) and Web Application Proxies.

About Windows Server 2016 Updates

Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016.  This update, too, is cumulative and includes all quality and security fixes shipped prior to this release. 

Active Directory Federation Services Fixes

Windows Server 2016’s February 2018’s Cumulative Quality Update addresses four issues with Active Directory Federation Services (AD FS).

Web Application Proxy failed to authenticate the user

The first fix addresses an issue where an HTTP 500 error occurs when an ADFS farm has at least two servers using Windows Internal Database (WID). In this scenario, HTTP basic pre-authentication on the Web Application Proxy (WAP) server fails to authenticate some users. When the error occurs, you might also see the Microsoft Windows Web Application Proxy warning Event ID 13039 in the WAP event log. The description reads:

Web Application Proxy failed to authenticate the user. Pre-authentication is ‘ADFS For Rich Clients’. The given user is not authorized to access the given relying party. The authorization rules of either the target relying party or the WAP relying party are needed to be modified.

AD FS ignores the ‘prompt=login’ parameter

The second fix addresses issue in which AD FS can no longer ignore prompt=login during authentication. A Disabled option was added to support scenarios in which password authentication is not used. For more information, see AD FS ignores the “prompt=login” parameter during an authentication in Windows Server 2016.

‘Prompt=login’ with WIA fails

The third fix addresses an issue in AD FS where Authorized Customers (and relying parties) who select Certificate as an authentication option will fail to connect. The failure occurs when using prompt=login if Windows Integrated Authentication (WIA) is enabled and the request can do WIA.

Error code 0x03000008 occurs when using Remote Desktop

The fourth fix addresses an issue where some Remote Desktop Protocol (RDP) clients that used an absolute URI (instead of a relative URI) were blocked by the Web Application Proxy (WAP) server from connecting to the Remote Desktop Gateway. This affected RDP clients on iOS, Mac, Android, and the Windows modern RDP client app. The error is:

We couldn’t connect to the gateway because of an error. If this keeps happening, ask your admin or tech support for help. Error code: 0x03000008.

Call to action

When you experience any one of these issues, you are invited to install Windows Server 2016’s February 2018’s Cumulative Quality Update (KB4077525) on your AD FS Servers and Web Application Proxies to resolve them.

Known Issues

After installing this update, servers where Credential Guard is enabled may restart unexpectedly. The error is “The system process lsass.exe terminated unexpectedly with status code -1073740791. The system will now shut down and restart.” In this case, disable Windows Defender Credential Guard. Microsoft is working on a resolution and will provide an update in an upcoming release.

Posted on February 24, 2018 by Sander Berkouwer in Active Directory Federation Services, Security Updates

0  

Windows Server 2016’s February 2018 Quality Update fixes empty Attribute value in EventID 5136 for Directory Services Changes

Windows Server 2016

Windows Server 2016’s February 2018’s Cumulative Quality Update, bringing the OS version to 14393.2097, offers a fix you might be experiencing with empty values for Attribute in EventID 5136 for Directory Services Changes on Windows Server 2016-based Active Directory Domain Controllers.

 

About Windows Server 2016 Updates

Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016.  This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.

 

The situation

You enable auditing policies to monitor changes to a directory service object on Windows Servers running the Active Directory Domain Services (AD DS) role and configured as Active Directory Domain Controllers.

An EventID 5136 is added to the security event log after a change to the directory service object occurs.

EventID 5136 should contain the following values:

  • When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged.
  • If a new object is created, values of the attributes that are populated at the time of creation are logged. If the user adds attributes during the create operation, those new attribute values are logged. In most cases, AD DS assigns default values to attributes (such as samAccountName). The values of such system attributes are not logged.
  • If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain.
  • If an object is undeleted, the location where the object is moved to is logged. In addition, if the user adds, modifies, or deletes attributes while performing an undelete operation, the values of those attributes are logged.

 

The issue

When you inspect EventID 5136, the Value field under the Attribute item is empty. This means you cannot monitor the details of the directory service change.

 

The cause

This occurs when you modify an attribute of an object on Windows Server 2016 Domain Controllers. This problem may occur if you use PowerShell commands (Add-ADGroupMember or Set-ADGroup) to add a user account to a group using the user account’s security identifier (SID) instead of the Distinguished Name.

 

The solution

When you experience this issue, you are invited to install Windows Server 2016’s February 2018 Cumulative Quality Update (KB4077525) on the Active Directory Domain Controllers running Windows Server 2016 to resolve it.

Known issues

Because of an issue that affects some versions of antivirus software, this fix applies only to computers on which the antivirus ISV updated the ALLOW REGKEY. Contact your antivirus manufacturer to verify that their software is compatible and that they have set the REGKEY.

Further reading

February 22, 2018—KB4077525 (OS Build 14393.2097)
The Value field under the Attribute item for event ID 5136 is empty in Windows Server
AD DS Auditing Step-by-Step Guide

Posted on February 23, 2018 by Sander Berkouwer in Active Directory, Microsoft Windows Server 2016, Security Updates

0