On-premises Identity-related updates and fixes for December 2021

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates.

For December 2021, Microsoft announced that the preview updates would be skipped, because of minimal operations during the holidays and the upcoming Western New Year. This is the short list of Identity-related updates and fixes we saw for December 2021:

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5008207 December 14, 2021

The December 14, 2021 update for Windows Server 2016 (KB5008207), updating the OS build number to 14393.4825 is a monthly cumulative update.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5008218 December 14, 2021

The December 14, 2021 update for Windows Server 2019 (KB5008218), updating the OS build number to 17763.2366 is a monthly cumulative update.

This security update addresses four Active Directory Elevation of Privilege vulnerabilities and includes the following Identity-related quality improvements:

    1. It enables credentials for Azure Active Directory (Azure AD) users that use Active Directory Federation Services (AD FS) as their authentication method in Quick Assist.
    2. It addresses an issue that prevents the applications that you use often from appearing on the Start menu and prevents you from configuring them to appear on the Start menu using a Group Policy.

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5008223 December 14, 2021

The December 14, 2021 update for Windows Server 2022 (KB5008223), updating the OS build number to 20348.405 is a monthly cumulative update.

It includes one Identity-related quality improvement: It addresses an issue that fails to apply machine Group Policy objects automatically at startup or in the background to devices on a domain that have certain processors.


Azure AD Connect v2.0.89.0 addresses an issue with disappearing linked mailboxes

Azure AD Connect

Hot on the heels of Azure AD Connect v2.0.88.0, Microsoft released an update to Azure AD Connect v2.x to address a pressing issue with linked mailboxes.

Note:
None of the Azure AD Connect v2.x releases are released for automatic upgrade. Manual upgrades are required to gain the new functionality and security levels once you're on the Azure AD Connect v2 path.

What’s Fixed

Microsoft addressed a bug in version 2.0.88.0 where, under certain conditions, linked mailboxes of disabled users were getting deleted.

About linked mailboxes

A linked mailbox is a mailbox that's associated with an external account.

The resource forest scenario is the prime example of a situation in which you would want to associate a mailbox with an external account. In a resource forest scenario, user objects in the Exchange forest have mailboxes, but the user objects are disabled for logon. You must associate these mailbox objects in the Exchange forest with enabled user objects in the external accounts forest(s).

While the resource forest scenario is one of the most obvious reasons for linked mailboxes, linked mailboxes can also be remnants of botched and/or incomplete Active Directory migrations using the Active Directory Migration Tool (ADMT) or any 3rd party migration solution(s).

A linked mailbox can also come to life when you orphan and then reattach an Exchange mailbox to another user, for instance a recreated user in case of an accidental deletion.

Version information

This is version 2.0.89.0 of Azure AD Connect.
This release in the 2.x branch for Azure AD Connect was made available for download as a 153 MB AzureADConnect.msi on December 22, 2021.

You can download the latest version of Azure AD Connect here.


Azure AD Connect v2.0.88.0 addresses a security issue in Microsoft.Data.OData and offers new functionality

Azure AD Connect

Roughly three months after the release of the previous Azure AD Connect version, Microsoft released a security update to Azure AD Connect v2.x to address a Denial of Service (DoS) vulnerability.

Microsoft recommends updating Azure AD Connect to v2.0.88.0 as soon as possible.

Note:
None of the Azure AD Connect v2.x releases are released for automatic upgrade. Manual upgrades are required to gain the new functionality and security levels once you're on the Azure AD Connect v2 path.

Note:
The upgrade to Azure AD Connect v2.0.88.0 triggers a full synchronization cycle, because synchronization rules have been modified.

 

What's New

Here's what's new in Azure AD Connect version v2.0.88.0:

Group writeback DN is now configurable

Microsoft added a configuration option to configure Group WriteBack with the display name of the synchronized group instead of the UUID.

Group WriteBack no longer requires the Exchange Schema

Microsoft removed the hard requirement for exchange schema when enabling Group WriteBack. This allows groups from Azure AD to be written back to Active Directory even when the Exchange Server schema extensions have not been added.

Azure AD Kerberos

For the recently announced Azure AD Kerberos functionality, the Azure AD Connect team extended the Windows PowerShell cmdlet to support custom top-level names for trusted object creation and made a change to set the official brand name for the Azure AD Kerberos feature.

 

What's Fixed

Here's what's fixed in Azure AD Connect version v2.0.88.0:

  • Microsoft upgraded the version of the Microsoft.Data.OData package from v5.8.1 to v5.8.4 to address a Denial of Service (DoS) vulnerability
    in the OData protocol (CVE-2018-8269). This vulnerability is due to improperly handling web requests.
  • Microsoft made the Azure AD Connect wizard resizable to account for different zoom levels and screen resolutions and named elements to improve accessibility.
  • Microsoft addressed an issue where miisserver.exe was crashing due to a null reference.
  • Microsoft addressed an issue to ensure the seamless single sign-on (Desktop SSO) value persists after upgrading Azure AD Connect to a newer version.
  • Microsoft modified the inetorgperson sync rules to fix an issue with account forests and resource forests.
  • Microsoft fixed radio button test to display a link more link.

 

Version information

This is version 2.0.88.0 of Azure AD Connect.
This release in the 2.x branch for Azure AD Connect was made available for download as a 153 MB AzureADConnect.msi on December 15, 2021.

You can download the latest version of Azure AD Connect here.


What's New in Azure Active Directory for November 2021

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for November 2021:

  

What’s planned

Tenant enablement of combined security information registration for Azure Active Directory

Service category: Multi-factor authentication (MFA)
Product capability: Identity Security & Protection

In April 2020, Microsoft announced that a new combined registration experience, enabling users to register authentication methods for self-service password reset (SSPR) and multi-factor authentication (MFA) at the same time, was generally available for existing customers to opt in to. Any Azure AD tenants created after August 2020 automatically have the default experience set to combined registration. Starting in 2022, Microsoft will be enabling the MFA/SSPR combined registration experience for organizations using existing tenants pre-dating August 2020.

  

What’s New

Conditional Access Overview Dashboard Public Preview

Service category: Conditional Access
Product capability: Monitoring & Reporting

The new Conditional Access overview dashboard enables all tenants to see insights about the impact of their Conditional Access policies without requiring an Azure Monitor subscription. This built-in dashboard provides tutorials to deploy policies, a summary of the policies in the tenant, a snapshot of policy coverage, and security recommendations.

  

SSPR writeback is now available using Azure AD Connect cloud sync Public Preview

Type: New feature
Service category: Azure AD Connect Cloud Sync
Product capability: Identity Lifecycle Management

The Public Preview feature for Azure AD Connect Cloud Sync Password writeback provides organizations the capability to write back a user’s password changes in the cloud to the on-premises directory in real time using the lightweight Azure AD cloud provisioning agent.

  

Conditional Access for workload identities Public Preview

Service category: Conditional Access for workload identities
Product capability: Identity Security & Protection

Previously, Conditional Access policies applied only to users when they access apps and services like SharePoint online or the Azure portal. This preview adds support for Conditional Access policies applied to service principals owned by the organization. Admins can block service principals from accessing resources from outside trusted named locations or Azure Virtual Networks.

  

"Session Lifetime Policies Applied" property in the sign-in logs Public Preview

Service category: Authentications (Logins)
Product capability: Identity Security & Protection

Microsoft has recently added another property to the sign-in logs called "Session Lifetime Policies Applied". This property lists all the session lifetime policies that applied to the sign-in, for example Sign-in frequency, Remember multi-factor authentication and Configurable token lifetime.

  

Enriched reviews on access packages in entitlement management Public Preview

Service category: User Access Management
Product capability: Entitlement Management

Entitlement Management’s enriched review experience allows even more flexibility on access packages reviews. Admins can now choose what happens to access if the reviewers don't respond, provide helper information to reviewers, or decide whether a justification is necessary.

  

randomString and redact provisioning functions General availability

Service category: Provisioning
Product capability: Outbound to SaaS Applications

The Azure AD Provisioning service now supports two new functions, randomString() and Redact():

  • randomString – generate a string based on the length and characters an admin would like to include or exclude in the string.
  • redact – remove the value of the attribute from the audit and provisioning logs.

  

Now access review creators can select users and groups to receive notification on completion of reviews General availability

Service category: Access Reviews
Product capability: Identity Governance

Now access review creators can select users and groups to receive notification on completion of reviews.

  

Azure AD users can now view and report suspicious sign-ins and manage their accounts within Microsoft Authenticator General availability

Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

This feature allows Azure AD users to manage their work or school accounts within the Microsoft Authenticator app. The management features will allow users to view sign-in history and sign-in activity. Users can also report any suspicious or unfamiliar activity, change their Azure AD account passwords, and update the account's security information.

  

New Microsoft Authenticator app icon General availability

Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

New updates have been made to the Microsoft Authenticator app icon.

  

Azure AD single Sign on and device-based Conditional Access support in Firefox on Windows 10/11 General availability

Service category: Authentications (Logins)
Product capability: SSO

Microsoft now offers native single sign-on (SSO) support and device-based Conditional Access in the Firefox browser on Windows 10 and Windows Server 2019, starting with Firefox version 91.

  

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:

  

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2021, Microsoft added the following 32 new applications to the Azure AD App gallery with Federation support:

  

What’s Changed

Additional attributes available as claims Public Preview

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Several user attributes have been added to the list of attributes available to map to claims to bring attributes available in claims more in line with what is available on the user object in Microsoft Graph. New attributes include mobilePhone and ProxyAddresses.

  

Updated "switch organizations" user experience in My Account

Service category: My Profile/Account
Product capability: End User Experiences

This change for the My Account Portal visually improves the user interface (UI) and provides the end-user with clear instructions. Microsoft also added a manage organizations link to the Organizations blade.

  

What’s Fixed

Federated users will see prompts more often when switching user accounts

Service category: Authentications (Logins)
Product capability: User Authentication

A problematic interaction between Windows and a local Active Directory Federation Services (AD FS) instance can result in a user who attempts to sign in to another account being silently signed in to their existing account instead, with no warning. For federated Identity Providers (IdPs) such as AD FS that support the prompt=login pattern, Azure AD now triggers a fresh sign-in at AD FS when a user is directed to AD FS with a login hint. This ensures that the user is signed in to the account they requested, rather than being silently signed in to the account they are already signed in with.


KnowledgeBase: Windows Hello for Business satisfies Smartcard is required for interactive logon requirements

One of the main strategies for securing privileged accounts in Active Directory Domain Services seems to be enabling the Smartcard is required for interactive logon option on members of the Domain Admins security group. Typically, that required deploying (virtual) smartcards, but there is a far easier way that is currently being widely adopted: Windows Hello for Business (WHfB).

About Requiring smartcard for interactive logon

Mere password authentication is insufficient. It doesn’t suffice for people when they access organizational data from outside the organization’s perimeter and it doesn’t suffice for privileged accounts.

The Smartcard is required for interactive logon option has been a part of Active Directory Domain Services since its inception. This option, on a user account’s Properties window, requires the use of (virtual) smartcards to be able to sign in interactively. This option is sometimes referred to as SCRIL.

For accounts that have the option enabled, the object’s useraccountcontrol attribute is increased by 262144.

The option can also be set using the Interactive logon: Require smart card Group Policy setting underneath the Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options node. This way, the option requires the use of smartcards for all people accessing devices in scope.

When signing in, a person facing this requirement needs to present the smartcard certificate on the (virtual) smartcard. The smartcard is unlocked using a PIN. Effectively, this makes sign-ins with smartcards multi-factor authenticated sign-ins, as the person proves they know something (the PIN) and proves they have physical possession of something (the smartcard, or the device the virtual smartcard is tied to).

About Windows Hello for Business

Windows Hello for Business (WHfB) also offers multi-factor authenticated sign-ins. It has been available since Windows 10 and allows people to sign in using biometrics, like face recognition or a fingerprint reader.

Under the hood, Windows Hello for Business uses certificates too. Just like a smartcard deployment, a WHfB deployment requires a Certification Authority (CA), the root CA’s certificate to be trusted, and a specific certificate enrolled on Domain Controllers. However, WHfB also requires device registration, either by Azure AD (and then written back to the on-premises Active Directory with Azure AD Connect) or by AD FS.

Whether a user certificate is needed within WHfB deployments depends on the trust model chosen; WHfB offers a key trust model and a certificate trust model. You’d have guessed right if you suspected the latter to require a user certificate with, coincidentally, the Smart Card Logon (1.3.6.1.4.1.311.20.2.2) Enhanced Key Usage enabled.

Satisfying the requirement using WHfB

The good news is that using Windows Hello for Business (WHfB) satisfies the Smartcard is required for interactive logon option for user objects and satisfies the Interactive logon: Require smart card Group Policy setting on devices to sign in interactively.

There is a gotcha: WHfB satisfies the requirement even on devices that aren’t equipped with TPM chips. Enable and deploy the Use a hardware security device Group Policy setting to force WHfB to only work with hardware-protected credentials.

Concluding

Checking the useraccountcontrol attribute on user accounts that are members of the Domain Admins security group is a popular activity among security firms. If the flag is missing, it leads to a finding stating that privileged account sign-ins are insufficiently secured.
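The useraccountcontrol check described above and in the About Requiring smartcard for interactive logon section can be scripted against an LDAP export of the Domain Admins group. The following Python is an added example, not code from the original post: the flag values are the documented userAccountControl bits (SMARTCARD_REQUIRED is 0x40000, the 262144 the post mentions), and the account list is a constructed sample, not real accounts.

```python
"""Audit the userAccountControl bit behind 'Smart card is required for interactive logon'."""

# userAccountControl is a bit field; these are documented flag values (a subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",      # 262144 decimal, the increase the post refers to
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
}
SMARTCARD_REQUIRED = 0x40000


def decode_uac(value: int) -> list:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def scril_enabled(value: int) -> bool:
    """True when the account can only sign in interactively with a (virtual) smartcard or WHfB."""
    return bool(value & SMARTCARD_REQUIRED)


def with_scril(value: int) -> int:
    """Set the flag with a bitwise OR: adding 262144 to a value that already carries the
    flag would silently flip other bits, OR-ing it is idempotent."""
    return value | SMARTCARD_REQUIRED


def audit_privileged_accounts(accounts) -> list:
    """accounts: (sAMAccountName, userAccountControl) pairs, as an LDAP export of the
    Domain Admins membership would give. Returns the accounts that can still sign in
    interactively with a password alone, i.e. the ones a security review would flag."""
    return [sam for sam, uac in accounts if not scril_enabled(uac)]


# Constructed sample standing in for the members of Domain Admins (not real accounts).
SAMPLE_DOMAIN_ADMINS = [
    ("adm-alice", 0x200 | 0x40000),              # 262656: NORMAL_ACCOUNT + SMARTCARD_REQUIRED
    ("adm-bob", 0x200),                           # 512: password sign-in still possible
    ("adm-carol", 0x200 | 0x10000),               # 66048: non-expiring password, no SCRIL
    ("svc-backup", 0x200 | 0x40000 | 0x100000),   # SCRIL plus NOT_DELEGATED
]

if __name__ == "__main__":
    for sam, uac in SAMPLE_DOMAIN_ADMINS:
        print(f"{sam:12} {uac:>8} {decode_uac(uac)}")
    print("missing SCRIL:", audit_privileged_accounts(SAMPLE_DOMAIN_ADMINS))
```

In a real environment the sample list would be replaced by the sAMAccountName and userAccountControl values of the group members. Note that the bit only tells you that password-only interactive sign-in is blocked; it does not tell you whether the account uses a physical smartcard or WHfB, nor whether WHfB credentials are hardware-protected, which is what the Use a hardware security device Group Policy setting governs.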

While Windows Hello for Business shares many of the same requirements as smart cards, it can be rolled out to all people in your organization to facilitate secure sign-ins. Unlike smart cards…

Further reading

Enabling smart card logon 
Interactive logon Require smart card – security policy setting (Windows 10)  
UserAccountControl property flags  
Configure Windows Hello for Business Policy settings  
Choosing the right Passwordless sign-in method for your colleagues  
Requirements per Windows Hello for Business Deployment Type  
HOWTO: Delete your Windows Hello for Business Registrations


What's New in Microsoft Defender for Identity in November 2021

Microsoft Defender for Identity

Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).

What's New

In November 2021, three new versions of Microsoft Defender for Identity were released:

  1. Version 2.162, released on November 1st, 2021
  2. Version 2.163, released on November 8th, 2021
  3. Version 2.164, released on November 17th, 2021

These versions do not enable new detections or features, but they do include improvements and bug fixes for the internal sensor infrastructure.


On-premises Identity-related updates and fixes for November 2021

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates.

These are the Identity-related updates and fixes we saw for November 2021:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB5007192 November 9, 2021

The November 9, 2021 update for Windows Server 2016 (KB5007192), updating the OS build number to 14393.4770 is a monthly cumulative update.

This security update addresses four Active Directory Elevation of Privilege vulnerabilities.

KB5008601 November 14, 2021 OUT OF BAND

The November 14, 2021 update for Windows Server 2016 (KB5008601), updating the OS build number to 14393.4771 is an out of band update, addressing an issue that was introduced with KB5007192 that might cause authentication failures related to Kerberos tickets you acquired from Service for User to Self (S4U2self).

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5007206 November 9, 2021

The November 9, 2021 update for Windows Server 2019 (KB5007206), updating the OS build number to 17763.2300 is a monthly cumulative update.

This security update addresses four Active Directory Elevation of Privilege vulnerabilities and includes the following Identity-related quality improvements:

  • It addresses an issue that causes the DnsPsProvider.dll module to
    leak memory within a WmiPrvSE.exe process.

  • It addresses a memory leak issue in lsass.exe on domain controllers
    in the forest root domain that occurs when you have multiple forests and
    multiple domains in each forest. The SID-Name mapping functions leak memory when
    a request comes from another domain in the forest and crosses forest
    boundaries.

KB5008602 November 14, 2021 OUT OF BAND

The November 14, 2021 update for Windows Server 2019 (KB5008602), updating the OS build number to 17763.2305 is an out of band update, addressing an issue that was introduced with KB5007206 that might cause authentication failures related to Kerberos tickets you acquired from Service for User to Self (S4U2self).

KB5007266 November 22, 2021 PREVIEW

The November 22, 2021 update for Windows Server 2019 (KB5007266), updating the OS build number to 17763.2330 is a preview update.

It includes the following Identity-related quality improvements:

  • It enables credentials for Azure Active Directory (Azure AD) users that use Active Directory Federation Services (AD FS) as their authentication method in Quick Assist.
  • It addresses an issue that prevents the applications that you use often from appearing on the Start menu and prevents you from configuring them to appear on the Start menu using a Group Policy.

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5007205 November 9, 2021

The November 9, 2021 update for Windows Server 2022 (KB5007205), updating the OS build number to 20348.350 is a monthly cumulative update.

This security update addresses four Active Directory Elevation of Privilege vulnerabilities and includes the following Identity-related quality improvements:

  • It addresses an issue that sometimes causes the lock screen to appear black
    if you set up a slideshow.

  • It addresses an issue in Safe Mode that prevents users from signing in if
    Web Sign-in is enabled.

  • It addresses a reliability issue with LogonUI.exe, which affects the
    rendering of the network status text on the credentials screen.

  • It addresses a memory leak issue in lsass.exe on domain controllers
    in the forest root domain that occurs when you have multiple forests and
    multiple domains in each forest. The SID-Name mapping functions leak memory when
    a request comes from another domain in the forest and crosses forest boundaries.

  • It reduces CPU utilization for Lightweight Directory Access Protocol (LDAP)
    binds.

  • It addresses an issue that causes Server Message Block (SMB) Query Directory
    Requests to fail when the buffer size is large.

KB5007254 November 22, 2021 PREVIEW

The November 22, 2021 update for Windows Server 2022 (KB5007254), updating the OS build number to 20348.380 is a preview update.

It includes one Identity-related quality improvement: It addresses an issue that fails to apply machine Group Policy objects automatically at startup or in the background to devices on a domain that have certain processors.


VMSA-2021-0027 updates for VMware vCenter Server 6.5 and 6.7 address two vSphere Web Client vulnerabilities (CVE-2021-21980 and CVE-2021-22049)

VMSA-2021-0014

Earlier this week, VMware released an update that addresses an arbitrary file read vulnerability in the vSphere Web Client (CVE-2021-21980) and an SSRF vulnerability in the vSphere Web Client (CVE-2021-22049). These two vulnerabilities can be used to compromise virtual Domain Controllers running on VMware vSphere ESXi 6.5 and vSphere ESXi 6.7.

About the vulnerabilities

Arbitrary file read vulnerability in the vSphere Web Client (CVE-2021-21980)

The first vulnerability is an unauthorized arbitrary file read vulnerability in the vSphere Web Client.

Note:
vCenter Server vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x, therefore vCenter Server 7.x is not affected.

This is an important update with a maximum CVSSv3 base score of 7.5. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.

The vulnerability was responsibly disclosed to VMware by ch0wn of Orz lab.

SSRF vulnerability in the vSphere Web Client (CVE-2021-22049)

The second vulnerability is a Server Side Request Forgery (SSRF) vulnerability in the vSAN Web Client (vSAN UI) plug-in in the vSphere Web Client.

Note:
vCenter Server vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x, therefore vCenter Server 7.x is not affected.

This is an important update with a maximum CVSSv3 base score of 6.5. A malicious actor with network access to port 443 on vCenter Server may exploit this vulnerability by accessing a URL request outside of vCenter Server or accessing an internal service.

The vulnerability was responsibly disclosed to VMware by magiczero from SGLAB of Legendsec at Qi'anxin Group.

How to address these vulnerabilities

VMware has released new versions of its vCenter Server 6.5 and vCenter Server 6.7 products. These versions address the vulnerabilities:

Concluding

Please install the updates for the version(s) of vCenter Server in use within your organization, as mentioned above and in the advisory for VMSA-2021-0027.


VMware has recalled all released versions of vSphere 7.0 Update 3

VMware’s vSphere ESXi 7.0 U3, U3a, and U3b and VMware vCenter 7.0 U3b are no longer available for download due to several critical issues identified in them.

Issues experienced in the field

Organizations running vSphere 7.0 Update 3 have reported the following critical issues:

Recalled and available versions

The following vSphere 7.0 Update 3 releases have been removed:

  • vSphere ESXi 7.0 Update 3    (build 18644231)
  • vSphere ESXi 7.0 Update 3a  (build 18825058)
  • vSphere ESXi 7.0 Update 3b  (build 18905247)
  • vSphere vCenter 7.0 Update 3b (build 18901211)

There had already been two updates to try to remedy the above issues, but the issues ended up being too serious to keep trying to patch in-situ.

What to do with this information

If your organization utilizes a previous version of VMware vSphere, hold off on planning the upgrade to vSphere 7.0 Update 3 for now. Eventually, a build that remedies the above issues will be made available and will be safe to upgrade to. There is hope that this update will arrive in time to escape the end of support for vSphere 6.5 and vSphere 6.7.

If you are already on 7.0 Update 3 and aren’t experiencing issues, you can ignore this blogpost and will likely be among the first organizations to upgrade to new builds anyway.

If you are already on 7.0 Update 3 and experiencing issues, you will receive support from VMware.

Further reading

VMware 7.0 ESXi Update 3 Pulled for Bugs  
Important Information on ESXi 7 Update 3  
VMware withdraws major vSphere release due to bugs
vSphere 7.0 Update 3 Known Issues and Workarounds


TODO: Mitigate the Information Disclosure vulnerability caused by improperly configured Azure Migrate applications

Azure Active Directory

Last week, Microsoft issued security guidance on a security issue within Azure Active Directory. In this guidance, Microsoft instructs Azure AD admins to rotate the password for Azure Migrate applications, when these applications have been created prior to November 2, 2021.

About the vulnerability

CVE-2021-42306 is a vulnerability in the way Azure AD stores the keyCredentials attribute for application and/or service principals for some Azure services.

The keyCredentials attribute stores the public key data for use in authentication, but certificates with private key data could have also been incorrectly stored in the attribute. Access to private key data can lead to an elevation of privilege attack by allowing a user to impersonate the impacted application and/or service principal.

Some Microsoft services incorrectly stored private key data in the keyCredentials attribute while creating applications. The Azure Migrate service creates Azure AD applications to enable Azure Migrate appliances to communicate with the service’s endpoints.

What Microsoft has done to mitigate

Azure Migrate deployed an update to the service to prevent private key data in clear text from being uploaded to the keyCredentials attributes of Azure AD applications.

Azure AD has mitigated the information disclosure issue by preventing reading of clear text private key data that was previously added by any user or service through the UI or through APIs.

As a result, clear text private key material in the keyCredentials attribute is inaccessible, mitigating the risks associated with storage of this material in the attribute.

Call to action

As a precautionary measure, Microsoft recommends using the assessment script in this GitHub Repository. After assessing the impacted Azure AD applications, you need to execute the mitigation script on each Azure Migrate appliance in your organization's environment.

Typically, under the App registrations section in the Azure AD portal, the applications associated with Azure Migrate have one of the following suffixes:

  • resourceaccessaadapp
  • agentauthaadapp
  • authandaccessaadapp

Azure Migrate appliances that were registered after November 2, 2021 and had Appliance configuration manager version 6.1.220.1 and above are not impacted and do not require further action.
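The triage the call to action describes (find the Azure Migrate app registrations by suffix, check whether they pre-date November 2, 2021, and look for private key material in keyCredentials) can be expressed as a small script over exported application objects. The Python below is an added example, not Microsoft's assessment script from the GitHub repository and not code from the original post. It assumes the applications have been exported in the shape of Microsoft Graph application objects (displayName, createdDateTime, keyCredentials with a base64 key value); the sample objects and the "certificate" and "private key" blobs inside them are constructed placeholders, and the private-key detection is a PEM-marker heuristic, not Microsoft's check.

```python
"""Triage Azure AD app registrations for the CVE-2021-42306 keyCredentials issue."""
import base64
import binascii
from datetime import datetime, timezone

# Suffixes the post lists for Azure Migrate app registrations.
AZURE_MIGRATE_SUFFIXES = ("resourceaccessaadapp", "agentauthaadapp", "authandaccessaadapp")
# Microsoft's guidance: rotate credentials for Azure Migrate apps created before this date.
ROTATION_CUTOFF = datetime(2021, 11, 2, tzinfo=timezone.utc)
# Heuristic: PEM private-key blocks ("-----BEGIN PRIVATE KEY-----", RSA/EC variants) share this tail.
PEM_PRIVATE_KEY_MARKER = b"PRIVATE KEY-----"

REASON_DATE = "Azure Migrate app created before 2021-11-02: rotate its credentials"
REASON_KEY = "keyCredentials entry contains private-key material (PEM marker)"


def is_azure_migrate_app(display_name: str) -> bool:
    return display_name.lower().endswith(AZURE_MIGRATE_SUFFIXES)


def parse_graph_datetime(value: str) -> datetime:
    # Graph returns ISO 8601 with a trailing "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def key_credential_looks_private(key_credential: dict) -> bool:
    """Decode the base64 'key' value and look for a PEM private-key marker.
    keyCredentials should only ever carry the public certificate (usage 'Verify')."""
    raw = key_credential.get("key")
    if not raw:
        return False
    try:
        blob = base64.b64decode(raw, validate=True)
    except (ValueError, binascii.Error):
        return False
    return PEM_PRIVATE_KEY_MARKER in blob


def triage_applications(apps) -> dict:
    """Map displayName -> list of reasons for every application that needs attention."""
    findings = {}
    for app in apps:
        name = app.get("displayName", "")
        reasons = []
        if is_azure_migrate_app(name) and parse_graph_datetime(app["createdDateTime"]) < ROTATION_CUTOFF:
            reasons.append(REASON_DATE)
        if any(key_credential_looks_private(kc) for kc in app.get("keyCredentials", [])):
            reasons.append(REASON_KEY)
        if reasons:
            findings[name] = reasons
    return findings


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed stand-ins: a few DER-looking bytes, and a PEM block that is not a real key.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + b"\x00" * 16
FAKE_PEM_WITH_KEY = b"-----BEGIN PRIVATE KEY-----\nconstructed-sample-not-a-key\n-----END PRIVATE KEY-----\n"


def _cred(blob: bytes) -> dict:
    return {"type": "AsymmetricX509Cert", "usage": "Verify", "key": _b64(blob)}


# Constructed sample export (not real tenant data).
SAMPLE_APPS = [
    {"displayName": "migrateproj-resourceaccessaadapp", "createdDateTime": "2021-10-15T08:00:00Z",
     "keyCredentials": [_cred(FAKE_CERT_DER)]},
    {"displayName": "migrateproj-agentauthaadapp", "createdDateTime": "2021-10-01T08:00:00Z",
     "keyCredentials": [_cred(FAKE_PEM_WITH_KEY)]},
    {"displayName": "migrateproj-authandaccessaadapp", "createdDateTime": "2021-11-10T08:00:00Z",
     "keyCredentials": [_cred(FAKE_CERT_DER)]},
    {"displayName": "payroll-webapp", "createdDateTime": "2021-09-01T08:00:00Z",
     "keyCredentials": [_cred(FAKE_PEM_WITH_KEY)]},
]

if __name__ == "__main__":
    for name, reasons in triage_applications(SAMPLE_APPS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The date check is the reliable trigger: because Azure AD now blocks reading clear-text private key data from keyCredentials, an export taken after the mitigation may show nothing for the marker heuristic even for applications that were affected, which is why Microsoft's guidance is to rotate by creation date rather than by what you can still read back.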
