What’s New in Entra ID in January 2025


Microsoft Entra

Microsoft Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for January 2025:

 

What's Deprecated

Azure AD Graph February 1, 2025

Service category: Azure AD Graph
Product capability: Developer Experience

The Azure AD Graph API service was deprecated in 2020. Retirement of the Azure AD Graph API service began in September 2024, and the next phase of this retirement starts February 1, 2025. This phase will impact new and existing applications unless action is taken.

Starting from February 1, 2025, both new and existing applications will be prevented from calling Azure AD Graph APIs, unless they're configured for an extension. You might not see impact right away, as Microsoft is rolling out this change in stages across tenants. We anticipate full deployment of this change around the end of February, and by the end of March for national cloud deployments.

If you haven't already, it's now urgent to review the applications on your tenant to see which ones depend on Azure AD Graph API access, and mitigate or migrate these before the February 1, 2025, cutoff date. For applications that haven't migrated to Microsoft Graph APIs, an extension can be set to allow the application access to Azure AD Graph through June 30, 2025.
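The review described above starts with an inventory. The following is an added example (not code from the original post or from Microsoft) that lists app registrations which still declare Azure AD Graph permissions in their required resource access, and wraps the documented extension call (setting `authenticationBehaviors.blockAzureADGraphAccess` to `false` on the application object). The three application objects are constructed for the demo; the function names, the placeholder permission IDs and the object IDs are hypothetical. Against a real tenant, pipe `Get-MgApplication -All` into `Get-AzureAdGraphDependency` instead.

```powershell
# Added example, not from the original post. Runs offline on the constructed sample below;
# only Set-AzureAdGraphExtension needs a Graph session (Application.ReadWrite.All).

# Well-known resource app IDs; these are the same in every tenant.
$AzureAdGraphAppId   = '00000002-0000-0000-c000-000000000000'
$MicrosoftGraphAppId = '00000003-0000-0000-c000-000000000000'

function Get-AzureAdGraphDependency {
    # One row per application whose RequiredResourceAccess still lists Azure AD Graph.
    param([Parameter(Mandatory)][object[]]$Applications)

    foreach ($app in $Applications) {
        $legacy = @($app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $AzureAdGraphAppId })
        if ($legacy.Count -eq 0) { continue }

        $hasMsGraph = @($app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $MicrosoftGraphAppId }).Count -gt 0
        [pscustomobject]@{
            DisplayName                 = $app.DisplayName
            AppId                       = $app.AppId
            ObjectId                    = $app.Id
            AzureAdGraphPermissionCount = @($legacy.ResourceAccess).Count
            AlreadyRequestsMsGraph      = $hasMsGraph   # partially migrated apps show as $true
        }
    }
}

function Set-AzureAdGraphExtension {
    # Sets authenticationBehaviors.blockAzureADGraphAccess to false on the application object,
    # the documented way to keep Azure AD Graph access through June 30, 2025.
    # Run Connect-MgGraph -Scopes Application.ReadWrite.All first; not called in this offline demo.
    param([Parameter(Mandatory)][string]$ApplicationObjectId)

    $body = @{ authenticationBehaviors = @{ blockAzureADGraphAccess = $false } }
    Invoke-MgGraphRequest -Method PATCH `
        -Uri "https://graph.microsoft.com/beta/applications/$ApplicationObjectId" `
        -Body $body
}

# Constructed sample input: three hypothetical app registrations shaped like Get-MgApplication output.
$sampleApps = @(
    [pscustomobject]@{
        DisplayName = 'LegacyProvisioningTool'; AppId = '11111111-1111-1111-1111-111111111111'
        Id = 'aaaaaaaa-0000-0000-0000-000000000001'
        RequiredResourceAccess = @(
            [pscustomobject]@{ ResourceAppId = $AzureAdGraphAppId
                               ResourceAccess = @([pscustomobject]@{ Id = 'placeholder-permission-id'; Type = 'Role' }) }
        )
    }
    [pscustomobject]@{
        DisplayName = 'HalfMigratedReporting'; AppId = '22222222-2222-2222-2222-222222222222'
        Id = 'aaaaaaaa-0000-0000-0000-000000000002'
        RequiredResourceAccess = @(
            [pscustomobject]@{ ResourceAppId = $AzureAdGraphAppId
                               ResourceAccess = @([pscustomobject]@{ Id = 'placeholder-permission-id'; Type = 'Scope' }) }
            [pscustomobject]@{ ResourceAppId = $MicrosoftGraphAppId
                               ResourceAccess = @([pscustomobject]@{ Id = 'placeholder-permission-id'; Type = 'Scope' }) }
        )
    }
    [pscustomobject]@{
        DisplayName = 'ModernApp'; AppId = '33333333-3333-3333-3333-333333333333'
        Id = 'aaaaaaaa-0000-0000-0000-000000000003'
        RequiredResourceAccess = @(
            [pscustomobject]@{ ResourceAppId = $MicrosoftGraphAppId
                               ResourceAccess = @([pscustomobject]@{ Id = 'placeholder-permission-id'; Type = 'Scope' }) }
        )
    }
)

Get-AzureAdGraphDependency -Applications $sampleApps | Format-Table -AutoSize
```

Declared permissions are only half the picture: an application can call Azure AD Graph with permissions consented elsewhere, or a multi-tenant app's service principal can carry a dependency that its registration in your tenant does not show. Cross-check against the service principal sign-in logs filtered on the Azure AD Graph resource (displayed as "Windows Azure Active Directory") before deciding an app is clean, and treat the extension as a deadline move, not a fix.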

 

MSOnline PowerShell module April 2025

Service category: Legacy MSOnline and AzureAD PowerShell modules
Product capability: Developer Experience

As announced in Microsoft Entra change announcements and in the Microsoft Entra Blog, the MSOnline and AzureAD PowerShell modules were deprecated on March 30, 2024.

The retirement for MSOnline PowerShell module starts in early April 2025, and ends in late May 2025. If you're using MSOnline PowerShell, you must take action by March 30, 2025 to avoid impact after the retirement by migrating any use of MSOnline to Microsoft Graph PowerShell SDK or Microsoft Entra PowerShell.

  • The MSOnline PowerShell module will retire, and stop working, between early April 2025 and late May 2025
  • The AzureAD PowerShell module will no longer be supported after March 30, 2025, but its retirement will happen in early July 2025. This postponement is to allow you time to finish the MSOnline PowerShell migration
  • To ensure customer readiness for MSOnline PowerShell retirement, a series of temporary outage tests will occur for all tenants between January 2025 and March 2025.
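Before the outage tests hit, it helps to know which scripts still call the retiring modules. The following is an added example (not code from the original post): a scanner that walks a folder of `.ps1`/`.psm1` files and reports every cmdlet with the `Msol` or `AzureAD` noun prefix, the two prefixes the MSOnline and AzureAD modules use. The script it scans is constructed inline in a temp folder for the demo; the function name is my own.

```powershell
# Added example, not from the original post. Self-contained: writes one demo script to a temp
# folder and scans it. Point -Path at your real script repository to use it for real.

function Find-LegacyEntraCmdlet {
    param([Parameter(Mandatory)][string]$Path)

    # MSOnline cmdlets carry the "Msol" noun prefix (Get-MsolUser, Set-MsolDomainAuthentication);
    # AzureAD and AzureADPreview cmdlets carry the "AzureAD" noun prefix (Get-AzureADUser).
    # Microsoft Graph PowerShell cmdlets (Get-MgUser) deliberately do not match.
    $pattern = '\b[A-Z][a-zA-Z]+-(Msol|AzureAD)[A-Za-z]*\b'

    Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.psm1 |
        Select-String -Pattern $pattern -AllMatches |
        ForEach-Object {
            foreach ($m in $_.Matches) {
                [pscustomobject]@{
                    File   = $_.Path
                    Line   = $_.LineNumber
                    Cmdlet = $m.Value
                    Module = $(if ($m.Value -match '-Msol') { 'MSOnline' } else { 'AzureAD' })
                }
            }
        } | Sort-Object File, Line
}

# Constructed demo input: a script that mixes legacy and already-migrated cmdlets.
$demoDir = Join-Path ([System.IO.Path]::GetTempPath()) 'legacy-entra-scan-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
@'
Connect-MsolService
Get-MsolUser -All | Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 }
Get-AzureADUser -Top 10
Get-MgUser -Top 10   # already on Microsoft Graph PowerShell, must not be reported
'@ | Set-Content -Path (Join-Path $demoDir 'onboarding.ps1')

Find-LegacyEntraCmdlet -Path $demoDir | Format-Table -AutoSize
```

The scanner finds the three legacy calls and ignores `Get-MgUser`. It only sees cmdlet names in source files; scheduled tasks, runbooks and scripts embedded in other tooling need to be exported first, and `Import-Module MSOnline` lines in profiles are worth a second grep. The usual replacements are `Connect-MgGraph` for `Connect-MsolService` and `Get-MgUser` for `Get-MsolUser`, with the MFA registration state now coming from the authentication methods API rather than `StrongAuthenticationMethods`.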

 

What's New

Microsoft Entra PowerShell Generally Available

Service category: MS Graph
Product capability: Developer Experience

Manage and automate Microsoft Entra resources programmatically with the scenario-focused Microsoft Entra PowerShell module.

 

Improving visibility into downstream tenant sign-ins Generally Available

Service category: Reporting
Product capability: Monitoring & Reporting

Microsoft Security wants to ensure that all organizations are aware of how to notice when a partner is accessing a downstream tenant's resources. Interactive sign-in logs currently provide a list of sign in events, but there's no clear indication of which logins are from partners accessing downstream tenant resources. For example, when reviewing the logs, admins might see a series of events, but without any additional context, it’s difficult to tell whether these logins are from a partner accessing another tenant’s data.

Here's a list of steps that one can take to clarify which logins are associated with partner tenants:

  1. Take note of the ServiceProvider value in the CrossTenantAccessType column. This filter can be applied to refine the log data. When activated, it immediately isolates events related to partner logins.
  2. Utilize the Home Tenant ID and Resource Tenant ID columns. These two columns identify logins coming from the partner’s tenant to a downstream tenant.

After seeing a partner logging into a downstream tenant’s resources, an important follow-up activity to perform is to validate the activities that might have occurred in the downstream environment. Some examples of logs to look at are Microsoft Entra Audit logs for Microsoft Entra ID events, Microsoft 365 Unified Audit Log (UAL) for Microsoft 365 and Microsoft Entra ID events, and/or the Azure Monitor activity log for Azure events. By following these steps, admins are able to clearly identify when a partner is logging into a downstream tenant’s resources and subsequent activity in the environment, enhancing their ability to manage and monitor cross-tenant access efficiently.

To increase visibility into the aforementioned columns, Microsoft Entra will begin enabling these columns to display by default when loading the sign-in logs UX starting on March 7, 2025.
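The two filter steps above, followed by the audit-log pivot the post recommends, as an added example that is not code from the original post. The records are constructed inline and use the property names of Microsoft Graph `signIn` and `directoryAudit` objects (`crossTenantAccessType`, `homeTenantId`, `resourceTenantId`, `initiatedBy.user.userPrincipalName`), so the output of `Get-MgBetaAuditLogSignIn` and `Get-MgAuditLogDirectoryAudit` can be piped through the same functions. All tenant IDs, names and IP addresses are made up; the function names are mine.

```powershell
# Added example, not from the original post. Runs offline on the constructed records below.

$OurTenantId     = 'd1d1d1d1-1111-4111-8111-111111111111'   # the downstream tenant (hypothetical)
$PartnerTenantId = 'a9a9a9a9-2222-4222-8222-222222222222'   # the CSP / MSP tenant (hypothetical)

function Get-PartnerSignIn {
    # Step 1: CrossTenantAccessType == serviceProvider isolates partner logins.
    # Step 2: HomeTenantId != ResourceTenantId confirms the identity lives in another tenant
    #         and the resource it touched is ours.
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [Parameter(Mandatory)][string]$ResourceTenantId
    )
    $SignIns | Where-Object {
        $_.CrossTenantAccessType -eq 'serviceProvider' -and
        $_.ResourceTenantId -eq $ResourceTenantId -and
        $_.HomeTenantId -ne $_.ResourceTenantId
    }
}

function Get-PartnerFollowUpActivity {
    # Pivot: Entra audit entries initiated by the partner principal within a window after the sign-in.
    param(
        [Parameter(Mandatory)][object]$PartnerSignIn,
        [Parameter(Mandatory)][object[]]$AuditEntries,
        [int]$WindowHours = 24
    )
    $from = [datetime]$PartnerSignIn.CreatedDateTime
    $to   = $from.AddHours($WindowHours)
    $AuditEntries | Where-Object {
        $_.InitiatedBy.User.UserPrincipalName -eq $PartnerSignIn.UserPrincipalName -and
        [datetime]$_.ActivityDateTime -ge $from -and [datetime]$_.ActivityDateTime -le $to
    }
}

# Constructed sign-in records: an employee, a B2B guest, and a partner admin.
$signIns = @(
    [pscustomobject]@{ CreatedDateTime = '2025-01-20T08:02:11Z'; UserPrincipalName = 'alice@contoso.example'
        CrossTenantAccessType = 'none'; HomeTenantId = $OurTenantId; ResourceTenantId = $OurTenantId
        AppDisplayName = 'Office 365 Exchange Online'; IpAddress = '203.0.113.10' }
    [pscustomobject]@{ CreatedDateTime = '2025-01-20T09:15:40Z'; UserPrincipalName = 'bob_fabrikam.example#EXT#@contoso.example'
        CrossTenantAccessType = 'b2bCollaboration'; HomeTenantId = 'f1f1f1f1-3333-4333-8333-333333333333'; ResourceTenantId = $OurTenantId
        AppDisplayName = 'Microsoft Teams'; IpAddress = '203.0.113.20' }
    [pscustomobject]@{ CreatedDateTime = '2025-01-20T22:47:03Z'; UserPrincipalName = 'helpdesk@partner.example'
        CrossTenantAccessType = 'serviceProvider'; HomeTenantId = $PartnerTenantId; ResourceTenantId = $OurTenantId
        AppDisplayName = 'Azure Portal'; IpAddress = '198.51.100.5' }
)

# Constructed audit records: one is the partner's action, one is unrelated.
$auditEntries = @(
    [pscustomobject]@{ ActivityDateTime = '2025-01-20T22:51:30Z'; ActivityDisplayName = 'Add member to role'
        InitiatedBy = [pscustomobject]@{ User = [pscustomobject]@{ UserPrincipalName = 'helpdesk@partner.example' } } }
    [pscustomobject]@{ ActivityDateTime = '2025-01-20T10:00:00Z'; ActivityDisplayName = 'Update user'
        InitiatedBy = [pscustomobject]@{ User = [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example' } } }
)

$partner = Get-PartnerSignIn -SignIns $signIns -ResourceTenantId $OurTenantId
$partner | Format-Table CreatedDateTime, UserPrincipalName, HomeTenantId, AppDisplayName, IpAddress

foreach ($p in $partner) {
    Get-PartnerFollowUpActivity -PartnerSignIn $p -AuditEntries $auditEntries |
        Format-Table ActivityDateTime, ActivityDisplayName
}
```

Only the `helpdesk@partner.example` sign-in survives the filter, and the pivot surfaces the role assignment made four minutes later, which is exactly the sequence worth questioning when it lands outside a ticketed change. The same UPN and time window are the keys for the Microsoft 365 Unified Audit Log and the Azure Monitor activity log; the B2B guest is intentionally excluded here, because `b2bCollaboration` access is governed by your cross-tenant access settings rather than a partner relationship.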

 

Real-time Password Spray Detection in Microsoft Entra ID Protection Generally Available

Service category: Identity Protection
Product capability: Identity Security & Protection

Traditionally, password spray attacks are detected post breach or as part of hunting activity. Now, Microsoft has enhanced Microsoft Entra ID Protection to detect password spray attacks in real-time before the threat actor ever obtains a token. This reduces remediation from hours to seconds by interrupting attacks during the sign-in flow.

Risk-based Conditional Access can automatically respond to this new signal by raising session risk, immediately challenging the sign-in attempt, and stopping password spray attempts in their tracks. This cutting-edge detection works alongside existing detections for advanced attacks such as Adversary-in-the-Middle (AitM) phishing and token theft, to ensure comprehensive coverage against modern attacks.
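The signal only stops a spray if a risk-based Conditional Access policy acts on it. The following is an added example (not from the original post) that creates a sign-in risk policy requiring MFA for medium and high risk, deliberately in report-only mode first. It needs a Graph session with `Policy.ReadWrite.ConditionalAccess`; the function name and the break-glass object ID are hypothetical placeholders.

```powershell
# Added example, not from the original post. Creates the policy through Microsoft Graph PowerShell;
# run Connect-MgGraph -Scopes Policy.ReadWrite.ConditionalAccess first.

$breakGlassObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access account(s)

function New-SignInRiskMfaPolicy {
    param(
        [Parameter(Mandatory)][string[]]$ExcludeUserIds,
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string]$State = 'enabledForReportingButNotEnforced'
    )

    $policy = @{
        displayName = 'CA - Require MFA for medium and high sign-in risk'
        state       = $State
        conditions  = @{
            users            = @{ includeUsers = @('All'); excludeUsers = $ExcludeUserIds }
            applications     = @{ includeApplications = @('All') }
            signInRiskLevels = @('high', 'medium')   # the real-time spray detection raises sign-in risk
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

# Report-only first: review the "Report-only" result in the sign-in logs before switching -State enabled.
New-SignInRiskMfaPolicy -ExcludeUserIds @($breakGlassObjectId)
```

One caveat a practitioner should not skip: for a user who has no MFA method registered yet, "require MFA" turns into an interactive registration prompt, which a sprayer holding a valid password could complete. Close that gap first (registration campaign, or a policy that only allows security-info registration from trusted locations or compliant devices) so that the challenge the detection triggers is one only the legitimate user can answer.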

 

Protected actions for hard deletions Generally Available

Service category: Other
Product capability: Identity Security & Protection

Organizations can now configure Conditional Access policies to require additional controls before a hard deletion, that is, permanently deleting an object before its 30-day soft-delete window expires. The protected action covers hard deletion of users, Microsoft 365 groups, and applications.

 

Flexible Federated Identity Credentials Public Preview

Service category: Authentications (Logins)
Product capability: Developer Experience

Flexible Federated Identity Credentials extend the existing Federated Identity Credential (FIC) model by providing the ability to use wildcard matching against certain claims. Currently available for GitHub, GitLab, and Terraform Cloud scenarios, this functionality can be used to lower the total number of FICs required to manage similar scenarios.
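To make the consolidation concrete, here is an added example (not code from the original post or from Microsoft) that builds one flexible credential for a GitHub organization instead of one credential per repository and branch, and checks locally which GitHub `sub` claims the wildcard would admit. The request body follows the expression syntax Microsoft documented for the preview (`claims['sub'] matches '...'`, `languageVersion` 1); the local matcher is my own approximation of that semantics (only `*` as a wildcard) and is not the service's code. The organization, repositories, object ID and function names are hypothetical. GitHub's subject formats (`repo:<org>/<repo>:ref:refs/heads/<branch>`, `:environment:<env>`, `:pull_request`) are GitHub's documented ones.

```powershell
# Added example, not from the original post. The matcher runs offline; Add-FlexibleGitHubFic
# needs Connect-MgGraph -Scopes Application.ReadWrite.All and is defined but not called.

function New-FlexibleGitHubFicBody {
    # Body for POST /beta/applications/{id}/federatedIdentityCredentials.
    # With claimsMatchingExpression set, subject must be null.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$SubjectPattern
    )
    @{
        name      = $Name
        issuer    = 'https://token.actions.githubusercontent.com'
        audiences = @('api://AzureADTokenExchange')
        subject   = $null
        claimsMatchingExpression = @{
            value           = "claims['sub'] matches '$SubjectPattern'"
            languageVersion = 1
        }
    }
}

function Add-FlexibleGitHubFic {
    param(
        [Parameter(Mandatory)][string]$ApplicationObjectId,
        [Parameter(Mandatory)][hashtable]$Body
    )
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/applications/$ApplicationObjectId/federatedIdentityCredentials" `
        -Body $Body
}

function Test-SubjectPattern {
    # Local approximation: '*' becomes '.*' in an anchored, case-sensitive regex.
    param(
        [Parameter(Mandatory)][string]$SubjectPattern,
        [Parameter(Mandatory)][string[]]$Subjects
    )
    $parts = ($SubjectPattern -split '\*') | ForEach-Object { [regex]::Escape($_) }
    $regex = '^' + ($parts -join '.*') + '$'
    foreach ($s in $Subjects) {
        [pscustomobject]@{ Subject = $s; Admitted = ($s -cmatch $regex) }
    }
}

# Any repository in the contoso organization, any branch. Keep the organization segment literal:
# a pattern starting with 'repo:*' would let any GitHub repository on the platform mint tokens.
$pattern  = 'repo:contoso/*:ref:refs/heads/*'

# Constructed sample subjects a GitHub Actions run could present.
$subjects = @(
    'repo:contoso/api:ref:refs/heads/main'
    'repo:contoso/web:ref:refs/heads/release/2025-01'
    'repo:contoso/api:pull_request'              # PR-triggered runs are not branch refs
    'repo:contoso/api:environment:production'    # environment-scoped subject
    'repo:evilcorp/api:ref:refs/heads/main'      # another organization
)

Test-SubjectPattern -SubjectPattern $pattern -Subjects $subjects | Format-Table -AutoSize

$body = New-FlexibleGitHubFicBody -Name 'github-contoso-branches' -SubjectPattern $pattern
$body.claimsMatchingExpression.value
# Against a real app registration:  Add-FlexibleGitHubFic -ApplicationObjectId '<object id>' -Body $body
```

The two branch subjects are admitted and the pull-request, environment and foreign-organization subjects are not, which is the trust boundary you actually want from one credential. Review the admitted set the same way you would review a list of individual FICs: every repository the wildcard covers, including ones created later, can obtain tokens for this app.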

 

Elevate Access events are now exportable via Microsoft Entra Audit Logs Public Preview

Service category: RBAC
Product capability: Monitoring & Reporting

This feature enables admins to export and stream Elevate Access events to both first-party and third-party SIEM solutions via Microsoft Entra Audit logs. Elevate Access is the Global Administrator toggle that grants User Access Administrator at the root scope of all Azure subscriptions and management groups in the tenant, so logging it enhances detection and gives visibility into who in the tenant has used it.

 

Manage Lifecycle Workflows with Microsoft Security CoPilot in Microsoft Entra Public Preview

Service category: Lifecycle Workflows
Product capability: Identity Governance

Organizations can now manage, and customize, Lifecycle Workflows using natural language with Microsoft Security CoPilot. The Lifecycle Workflows (LCW) Copilot solution provides step-by-step guidance to perform key workflow configuration and execution tasks using natural language. It allows organizations to quickly get rich insights to help monitor, and troubleshoot, workflows for compliance.

 


Entra Connect Sync v2.4.129.0 introduces Administrator Auditing

Microsoft Entra

Microsoft Entra Connect Sync version 2.4.129.0 introduces the Public Preview of Administrator Auditing in Connect Sync.

 

What's New

Entra Connect Sync v2.4.129.0 offers one update and four bug fixes:

Auditing administrator events Public Preview

Starting with Entra Connect Sync v2.4.129.0, Entra Connect Sync logs any administrative change made to its configuration. This includes changes made through the UI and through PowerShell.

SSPR Configuration bug addressed

Microsoft addressed the removal of the Self-service Password Reset (SSPR) configuration, when changes are made on the Azure AD Connector and saved in the Sync Service manager UI.

Privileged Identity Management improvements

Microsoft fixed the validation of the Global Administrator/Hybrid Identity Administrator role that Entra Connect Sync performs during installation, so that accounts holding these roles through Privileged Identity Management (PIM) are also accepted.

AD FS improvements (2)

Microsoft addressed two Active Directory Federation Services (AD FS) issues:

  1. Microsoft addressed the no registered protocol handlers error.
  2. Microsoft addressed the Relying party must be unique (conflict error) error.

 

Version information

Version 2.4.129.0 of Entra Connect Sync (previously known as Azure AD Connect Sync) was made available for download and automatic upgrades on January 15th, 2025.

Admins can download the latest version of Entra Connect Sync here.

Superseded versions

Past versions of Microsoft Entra Connect Sync 2.x are retired 12 months from the date they are superseded by a newer version. With Entra Connect Sync v2.4.129.0, Entra Connect Sync version 2.2.8.0 and versions before are retired (superseded by Entra Connect Sync v2.3.2.0 on November 12th, 2023).

If you run a retired version of Microsoft Entra Connect, it might unexpectedly stop working.


What’s New in Entra ID in December 2024


Microsoft Entra

Microsoft Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for December 2024:

 

What's New

What's new in Microsoft Entra Generally Available

Service category: Reporting
Product capability: Monitoring & Reporting

What's new in Microsoft Entra offers a comprehensive view of Microsoft Entra product updates including product roadmap (like Public Previews and recent GAs), and change announcements (like deprecations, breaking changes, feature changes and Microsoft-managed policies). It's a one stop shop for Microsoft Entra admins to discover the product updates.

 

Update Profile Photo in MyAccount Generally Available

Service category: My Profile/Account
Product capability: End User Experiences

People can now update their profile photo directly from their MyAccount portal. This change exposes a new edit button on the profile photo section of the person's account.

 

Temporary Access Pass (TAP) support for internal guest users Generally Available

Service category: MFA
Product capability: Identity Security & Protection

Microsoft Entra ID now supports issuing Temporary Access Passes (TAP) to internal guest users. TAPs can be issued to internal guests just like normal members, through the Microsoft Entra ID Admin Center, or natively through Microsoft Graph. With this enhancement, internal guests can now seamlessly onboard, and recover, their accounts with time-bound temporary credentials.

 

Expansion of SSPR Policy Audit Logging Generally Available

Service category: Self Service Password Reset
Product capability: Monitoring & Reporting

Starting mid-January, Microsoft is improving the audit logs for changes made to the SSPR Policy.

With this improvement, any change to the SSPR policy configuration, including enablement or disablement, will result in an audit log entry that includes details about the change made. Additionally, both the previous values and current values from the change will be recorded within the audit log. This additional information can be found by selecting an audit log entry and selecting the Modified Properties tab within the entry.

These changes are rolled out in phases:

  • Phase 1 includes logging for the Authentication Methods, Registration, Notifications, and Customization configuration settings.
  • Phase 2 includes logging for the On-premises integration configuration settings.

This change occurs automatically, so admins take no action.

 

Dedicated new 1st party resource application to enable Active Directory to Microsoft Entra ID sync using Microsoft Entra Connect Sync or Cloud Sync Generally Available

Service category: Provisioning
Product capability: Directory

As part of ongoing security hardening, Microsoft deployed Microsoft Entra AD Synchronization Service, a dedicated first-party application to enable the synchronization between Active Directory and Microsoft Entra ID. This new application, with Application Id 6bf85cfa-ac8a-4be5-b5de-425a0d0dc016, was provisioned in customer tenants that use Microsoft Entra Connect Sync and/or the Microsoft Entra Cloud Sync service.

 

Privileged Identity Management integration in Azure Role Based Access Control Generally Available

Service category: RBAC
Product capability: Access Control

Privileged Identity Management (PIM) capabilities are now integrated into the Azure Role Based Access Control (Azure RBAC) UI. Before this integration, RBAC admins could only manage standing access (active permanent role assignments) from the Azure RBAC UI. With this integration, just-in-time access and timebound access, which are functionalities supported by PIM, are now brought into the Azure RBAC UI for customers with either a P2, or Identity Governance, license.

RBAC admins can create assignments of type eligible and timebound duration from the Azure RBAC add role assignment flow, see the list of different states of role assignment in a single view, as well as convert the type and duration of their role assignments from the Azure RBAC UI. In addition, end users now see all their role assignments of different state straight from the Azure RBAC UI landing page, from where they can also activate their eligible role assignments.

 

Microsoft Entra External ID Custom URL Domains Generally Available

Service category: Authentications (Logins)
Product capability: Identity Lifecycle Management

This feature allows organizations to customize their Microsoft default sign-in authentication endpoint with their own brand names. Custom URL Domains let organizations change the External ID endpoint from <tenant-name>.ciamlogin.com to, for example, login.contoso.com.

 

Sign in with Apple Public Preview

Service category: B2C – Consumer Identity Management
Product capability: Extensibility

This new feature adds Apple to Microsoft's list of preconfigured social identity providers. As the first social identity provider implemented on the eSTS platform, it introduces a Sign in with Apple button to the sign-in options, allowing people to access applications with their Apple accounts.

 

Provision custom security attributes from HR sources Public Preview

Service category: Provisioning
Product capability: Inbound to Entra ID

With this feature, organizations can automatically provision custom security attributes in Microsoft Entra ID from authoritative Human Resources (HR) sources. Supported authoritative sources include: Workday, SAP SuccessFactors, and any HR system integrated using API-driven provisioning.

 

Microsoft Entra ID Governance: access package request suggestions Public Preview Opt-In

Service category: Entitlement Management
Product capability: Entitlement Management

Microsoft is excited to introduce a new feature in My Access: a curated list of suggested access packages. This capability allows people to quickly view the most relevant access packages (based off their peers' access packages and previous requests) without scrolling through a long list. In December 2024, admins can enable the preview in the Opt-in Preview Features for Identity Governance. From January 2025, this setting is enabled by default.

 

Microsoft Entra ID Governance: Approvers can revoke access in MyAccess Public Preview

Service category: Entitlement Management
Product capability: Entitlement Management

For Microsoft Entra ID Governance users, approvers of access package requests can now revoke their decision in MyAccess. Only the person who took the approve action is able to revoke access. To opt into this feature, admins can go to the Identity Governance settings page, and enable the feature.

 

Security Copilot embedded in Microsoft Entra Public Preview

Service category: Other
Product capability: Identity Security & Protection

Microsoft has announced the public preview of Microsoft Security Copilot embedded in the Microsoft Entra admin Center. This integration brings all identity skills previously made generally available for the Security Copilot standalone experience in April 2024, along with new identity capabilities for admins and security analysts to use directly within the Microsoft Entra admin center. Microsoft has also added brand new skills to help improve identity-related risk investigation. In December 2024, Microsoft broadens the scope even further to include a set of skills specifically for App Risk Management in both standalone and embedded experiences of Security Copilot and Microsoft Entra. These capabilities allow identity admins and security analysts to better identify, understand, and remediate the risks impacting applications and workload identities registered in Microsoft Entra.

With Security Copilot now embedded in Microsoft Entra, identity admins get AI-driven, natural-language summaries of identity context and insights tailored for handling security incidents, equipping them to better protect against identity compromise. The embedded experience also accelerates troubleshooting tasks like resolving identity-related risks and sign-in issues, without ever leaving the admin center.


Entra Connect Sync v2.4.27.0 addresses a remote code execution vulnerability (CVE-2024-37334)


Microsoft Entra

Microsoft Entra Connect Sync version 2.4.27.0 uses OLE DB version 18.7.4 that further hardens the service. Upgrade to this latest version of connect sync to improve your security.

 

What’s New

Entra Connect Sync v2.4.27.0 offers one update and two bug fixes:

SQL-related drivers updated to OLE DB v18.7.4

Starting with Entra Connect Sync v2.4.27.0, Entra Connect Sync's SQL-related drivers have been updated to OLE DB version 18.7.4.

OLE DB v18.7.4 is a security update that addresses a remote code execution vulnerability (CVE-2024-37334), rated CVSS v3.1 8.8 (base) / 7.7 (temporal), that can be exploited by a threat actor over the network.

Privileged Identity Management improvements

Microsoft addressed an issue with Privileged Identity Management (PIM), Microsoft Entra roles, and PIM for Groups to verify that PIM is enabled and that the user has the Hybrid Identity Administrator role enabled.

AD FS commands fixed

Microsoft fixed an issue where Active Directory Federation Services (AD FS) commands were failing when Connect Sync is installed on a non-ADFS server.

 

Version information

Version 2.4.27.0 of Entra Connect Sync (previously known as Azure AD Connect Sync) was made available for download only on November 14th, 2024.

Admins can download the latest version of Entra Connect Sync here.

Superseded versions

Past versions of Microsoft Entra Connect Sync 2.x are retired 12 months from the date they are superseded by a newer version. With Entra Connect Sync v2.4.27.0, Entra Connect Sync version 2.2.1.0 and versions before are retired (superseded by Entra Connect Sync v2.2.8.0 on October 11th, 2023).

If you run a retired version of Microsoft Entra Connect, it might unexpectedly stop working.


What’s New in Entra ID in November 2024


Microsoft Entra

Microsoft Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for November 2024:

 

What's Deprecated

MFA Fraud Alert will be retired on March 1st 2025

Service category: MFA
Product capability: Identity Security & Protection

Microsoft Entra multi-factor authentication (MFA) fraud alert allows people to report MFA voice calls, and Microsoft Authenticator push requests, they didn't initiate as fraudulent. Beginning March 1, 2025, MFA Fraud Alert will be retired in favor of the replacement Report Suspicious Activity feature which allows people to report fraudulent requests, and is also integrated with Identity Protection for more comprehensive coverage and remediation.

 

MIM hybrid reporting agent

Service category: Microsoft Identity Manager (MIM)
Product capability: Monitoring & Reporting

The hybrid reporting agent, used to send the Microsoft Identity Manager service event log to Microsoft Entra to surface in password reset and self-service group management reports, is deprecated. The recommended replacement is to use Azure Arc to send the event logs to Azure Monitor.

 

What’s New

Microsoft Entra Health Monitoring, Health Metrics Feature Generally Available

Service category: Reporting
Product capability: Monitoring & Reporting

Microsoft Entra health monitoring, available from the Health pane, includes a set of low-latency pre-computed health metrics that can be used to monitor the health of critical user scenarios in an Entra tenant. The first set of health scenarios includes MFA, CA-compliant devices, CA-managed devices, and SAML authentications. This set of monitor scenarios will grow over time. These health metrics are now released as general availability data streams, in conjunction with the public preview of an intelligent alerting capability.

 

Log analytics sign-in logs schema is in parity with MSGraph schema Generally Available

Service category: Authentications (Logins)
Product capability: Monitoring & Reporting

To maintain consistency in its core logging principles, Microsoft has addressed a legacy parity issue where the Azure Log Analytics sign-in logs schema did not align with the MS Graph sign-in logs schema. The updates include fields such as ClientCredentialType, CreatedDateTime, ManagedServiceIdentity, NetworkLocationDetails, tokenProtectionStatus, SessionID, among others. These changes will take effect in the first week of December 2024.

 

Updating profile photo in MyAccount Public Preview

Service category: My Profile/Account
Product capability: End User Experiences

On November 13, 2024, people received the ability to update their profile photo directly from their MyAccount portal. This change exposes a new edit button on the profile photo section of the person's account.

 

Microsoft Entra new store for certificate-based authentication Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft Entra ID has a new scalable PKI (Public Key Infrastructure) based CA (Certification Authority) store with higher limits for the number of CAs and the size of each CA file. The new PKI-based CA store allows CAs within each different PKI to be in its own container object allowing admins to move away from one flat list of CAs to more efficient PKI container-based CAs. The new PKI-based CA store now supports up to 250 CAs, 8KB size for each CA and also supports issuers hints attribute for each CA. Admins can also upload the entire PKI and all the CAs using the Upload CBA PKI feature or create a PKI container and upload CAs individually.

 

Universal Continuous Access Evaluation Public Preview

Service category: Provisioning
Product capability: Network Access

Continuous Access Evaluation (CAE) revokes, and revalidates, network access in near real-time whenever Microsoft Entra ID detects changes to the identity.

 

What's Changed

Microsoft Entra Health Monitoring, Alerts Feature

Service category: Other
Product capability: Monitoring & Reporting

Intelligent alerts in Microsoft Entra health monitoring notify tenant admins, and security engineers, whenever a monitored scenario breaks from its typical pattern. Microsoft Entra's alerting capability watches the low-latency health signals of each scenario, and fires a notification in the event of an anomaly. The set of alert-ready health signals and scenarios will grow over time. This alerts feature is now available in Microsoft Entra Health as an API-only public preview release (UX release is scheduled for February 2025).

 

Expansion of WhatsApp as an MFA one-time passcode delivery channel

Service category: MFA
Product capability: User Authentication

In late 2023, Entra ID started leveraging WhatsApp as an alternate channel to deliver multi-factor authentication (MFA) one-time passcodes to people in India and Indonesia. Microsoft saw improved deliverability, completion rates, and satisfaction when leveraging the channel in both countries. The channel was temporarily disabled in India in early 2024. Starting early December 2024, Microsoft will be re-enabling the channel in India, and expanding its use to additional countries.

Starting December 2024, people in India, and other countries can start receiving MFA text messages via WhatsApp. Only people that are enabled to receive MFA text messages as an authentication method, and already have WhatsApp on their phone, will get this experience. If a person with WhatsApp on their device is unreachable or doesn’t have internet connectivity, Microsoft will quickly fall back to the regular SMS channel. In addition, people receiving one-time passcodes (OTPs) via WhatsApp for the first time will be notified of the change in behavior via SMS text message.

If organizations don’t want their people to receive MFA text messages through WhatsApp, admins can disable text messages as an authentication method or scope it down to only be enabled for a subset of people. Please note that Microsoft highly encourages organizations move to using more modern, secure methods like Microsoft Authenticator and passkeys in favor of telecom and messaging app methods.


Join the IT Bro’s at Microsoft Ignite in Chicago


Microsoft Ignite 2024

Microsoft’s annual IT Pro event is right around the corner. As Microsoft MVPs and MCTs, Raymond Comvalius and Sander Berkouwer are invited as speakers for this event. They’ll be co-hosting two Windows labs throughout the week.

 

About Microsoft Ignite

Ignite is Microsoft’s yearly event for IT Professionals and developers. At Microsoft Ignite they connect with IT leaders from around the world. They hear from industry thought-leaders on the changing landscape of IT, they find new technology partners and they see how others are transforming businesses. Ignite is a one-of-a-kind experience designed to fuel business, connections, and the future forward.

For 2024, Ignite takes place in McCormick Place Convention Center in Chicago from November 19th, 2024, to November 22nd, 2024. The event has sold out.

 

About the Labs

Raymond and Sander co-host the following labs:

LAB447 Build AI into your apps with Microsoft Surface, Part 1

Wednesday November 20th, 2024, 8:30 AM – 9:45 AM

Infuse AI into your business with Microsoft Surface. In Part 1 of this lab, learn how to integrate AI-backed APIs from the Windows Copilot Library and target NPUs for enhanced performance and privacy. Gain hands-on knowledge by integrating AI directly on a Surface Copilot+ PC.

 

LAB448 Build AI into your apps with Microsoft Surface, Part 2

Wednesday November 20th, 2024, 6:30 PM – 7:45 PM

Infuse AI into your business with Microsoft Surface. In Part 2 of this lab, learn how to integrate AI-backed APIs from the Windows Copilot Library and target NPUs for enhanced performance and privacy. Gain hands-on knowledge by integrating AI directly on a Surface Copilot+ PC.

 

LAB443 Hands on with Windows 11 & cloud-native management

Wednesday November 20th, 2024, 10:15 AM – 11:30 AM
Thursday November 21st, 2024, 10:15 AM – 11:30 AM

With Windows 10 EOS just a year away, we want to help you jump-start Windows 11 upgrades and cloud-native management projects as a joint effort. This technical skilling lab will help you quickly assess upgrade readiness and contingency planning. Walk away with tangible steps to keep you moving forward in a tightly integrated way with security and productivity at the forefront of your efforts.

 

Join us!

You can RSVP to attend the labs, when you’ve been able to grab a Microsoft Ignite ticket before they sold out and are attending Microsoft Ignite in-person in Chicago. These labs will not be recorded.

When you have RSVP’ed, ensure to arrive at least 5 minutes before the start time, at which point remaining spaces are open to those in standby.


I’m co-presenting at NIC Empower


For its twelfth edition, the annual Nordic Infrastructure Conference (NICConf) has invited Raymond Comvalius and me to deliver a session again. It’s our eighth edition of this fantastic event and we’re looking forward to it!

 

About the Nordic Infrastructure Conference

The Nordic Infrastructure Conference (NICConf) provides IT and business professionals with unmissable networking and learning experiences from the leading Global IT experts.

NIC is the premier event for IT professionals seeking to dive deep into practical, real-world implementations and cutting-edge solutions. From Cloud technology to automation, security to collaboration, and beyond, our lineup of top-tier technical speakers will guide you through the latest advancements and real-world implementations that shape the future of IT.

Whether you're a seasoned technologist or an aspiring IT professional, NIC Empower is your platform to learn, collaborate, and explore. Expect less slides and more demos as we empower you with actionable insights and practical solutions that drive IT excellence.

NICConf is hosted for the twelfth time from November 13th to November 15th, 2024. Its location will be the Oslo Spektrum in the heart of Oslo, Norway, again.

 

About our sessions

Raymond and I will present two sessions:

You can't do Zero Trust with AD FS, learn how to leave it behind

Friday, November 15th, 2024 9:50 AM – 10:50 AM

Active Directory Federation Services (AD FS) has been the corner stone to many Hybrid Identity implementations, but increasingly it is becoming a burden for organizations that still depend on it. Often, it is insecurely implemented, incorrectly managed and improperly monitored, glaringly exposing the organization to information security risks.

In this session, we explain in which scenarios AD FS is still required and under what circumstances you can say ‘Goodbye’ to your AD FS farm. we cover the pros and cons of other Microsoft Cloud authentication methods, show how to migrate, and we show how to correctly remove everything AD FS-related so your organization can embrace Zero Trust with confidence.

 

Entra ID tokens: script authentication with the MS Graph

Friday, November 15th, 2024 12:40 PM – 1:40 PM

 

As the AzureAD and MSOnline PowerShell modules are phased out, we're adapting to accessing Entra ID using the Microsoft Graph.

This session clarifies how to authenticate in new ways, focusing on app registrations, mg-* modules, tokens, and app permissions. We'll debate the need for app registrations, the advantages and drawbacks of secrets versus certificates versus federated authentication, and the practicalities of these methods. Attendees learn about federated authentication's applicability, Mg-* modules' authentication compatibility, and the functionalities of access tokens.

We share our first-hand experiences in developing scripts for this new authentication framework. Join us to gain insights and practical skills for a smooth transition to scripting with the Microsoft Graph for Entra ID.
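The secret-versus-certificate contrast the session abstract refers to, as an added example that is not part of the session or the original post: an app-only connection to Microsoft Graph PowerShell SDK using a certificate, followed by a check that the resulting context is app-only and holds no more application permissions than the script needs. The tenant ID, client ID, certificate thumbprint and the hypothetical `Test-MgAppOnlyContext` function are assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (not the session's or the original post's code). Values below are placeholders.

$TenantId   = '00000000-0000-0000-0000-000000000000'   # placeholder tenant ID
$ClientId   = '11111111-1111-1111-1111-111111111111'   # placeholder app registration (client) ID
$Thumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'            # certificate in Cert:\CurrentUser\My or Cert:\LocalMachine\My

# Secret-based variant, shown for contrast only. The secret is a bearer credential:
# anyone who can read the script, its history or its logs can replay it, so the
# certificate variant below is the one to run.
# $Secret = Read-Host -AsSecureString -Prompt 'Client secret'
# $Cred   = New-Object System.Management.Automation.PSCredential($ClientId, $Secret)
# Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $Cred -NoWelcome

# Certificate-based variant: the private key stays in the certificate store and
# only signs the client assertion; nothing reusable is written into the script.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $Thumbprint -NoWelcome

function Test-MgAppOnlyContext {
    # Hypothetical helper: verifies the connection is app-only and flags any
    # application permission beyond the ones this script is expected to hold.
    param(
        [Parameter(Mandatory)] [string[]] $ExpectedRoles
    )
    $ctx = Get-MgContext
    if (-not $ctx) { throw 'Not connected to Microsoft Graph.' }
    if ($ctx.AuthType -ne 'AppOnly') {
        throw "Expected an app-only context, got '$($ctx.AuthType)'."
    }
    # Get-MgContext exposes the permissions carried by the current token in .Scopes;
    # for an app-only token these are the granted application permissions (roles).
    $unexpected = @($ctx.Scopes | Where-Object { $_ -notin $ExpectedRoles })
    if ($unexpected.Count -gt 0) {
        Write-Warning "App holds permissions beyond what this script needs: $($unexpected -join ', ')"
    }
    return $ctx
}

# This script only needs to read users, so anything beyond User.Read.All is a
# least-privilege finding worth fixing on the app registration.
Test-MgAppOnlyContext -ExpectedRoles 'User.Read.All' |
    Select-Object ClientId, TenantId, AuthType, Scopes

Disconnect-MgGraph | Out-Null
```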

 

Join us!

Join us at NIC Empower 2024 to connect with industry experts, gain insights from top technical speakers, and discover actionable solutions that drive IT excellence. Together, let's redefine the future of IT and unleash the power within us all.


What’s New In Entra ID for October 2024

Reading Time: 2 minutes

Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for October 2024:

 

What’s New

SMS as an MFA method in Microsoft Entra External ID Generally Available

Service category: Consumer Identity Management (B2C)
Product capability: B2B/B2C

Microsoft announces general availability of SMS as an MFA method in Entra External ID with built-in telecom fraud protection through integrations with the Phone Reputation Platform.

What's new?

  • SMS sign-in experience that maintains the look and feel of the application people are accessing.
  • SMS is an add-on feature. Microsoft applies an additional charge per SMS sent, which includes the built-in fraud protection services.
  • Built-in protection against telephony fraud through Microsoft’s integration with the Phone Reputation platform. This platform processes telephony activity in real time and returns an Allow, Block or Challenge verdict based on risk and a series of heuristics.

 

Passkeys in Microsoft Authenticator Public Preview Refresh

Service category: Microsoft Authenticator App
Product capability: User Authentication

The public preview refresh of passkeys in the Microsoft Authenticator now supports additional features:

  • Admins can now require attestation during registration of a passkey.
  • Android native apps now support signing in with passkeys in the Authenticator.
  • Users are now prompted to sign in to the Authenticator app to register a passkey when initiating the flow from MySignIns.
  • The Authenticator app passkey registration wizard walks the user through meeting all the prerequisites within the context of the app before attempting registration.

 

Passkey authentication in brokered Microsoft apps on Android Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Entra ID users can now use a passkey to sign in to Microsoft apps on Android devices where an authentication broker, such as Microsoft Authenticator or Microsoft Intune Company Portal, is installed.

 

Authentication methods migration wizard Public Preview

Service category: MFA
Product capability: User Authentication

The authentication methods migration guide (preview) in the Microsoft Entra admin center lets admins automatically migrate method management from the legacy MFA and SSPR policies to the converged authentication methods policy.

In 2023, Microsoft announced that the ability to manage authentication methods in the legacy MFA and SSPR policies would be retired in September 2025. Until now, organizations had to migrate methods manually by using the migration toggle in the converged policy. Now, admins can migrate in just a few selections by using the migration guide. The guide evaluates what the organization currently has enabled in both legacy policies and generates a recommended converged policy configuration for admins to review and edit as needed. From there, admins simply confirm the configuration; Microsoft sets it up and marks the migration as complete.


On-premises Identity-related updates and fixes for October 2024

Reading Time: 3 minutes

Even though Microsoft’s Identity focus moves towards the cloud, Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates to improve the experiences and security of Microsoft’s on-premises powerhouses. Additionally, as Windows serves as the unified endpoint in most organizations to access cloud functionality, identity-related improvements in these client operating systems also positively affect the experiences and security.

This is the list of Identity-related updates and fixes we saw for October 2024:

 

Windows Server

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5044293 October 8, 2024

The October 8, 2024, update for Windows Server 2016 (KB5044293), updating the OS build number to 14393.7428, is a monthly cumulative update. It does not include Identity-related improvements.

Windows Server 2019

We observed the following update for Windows Server 2019:

KB5044277 October 8, 2024

The October 8, 2024, update for Windows Server 2019 (KB5044277), updating the OS build number to 17763.6414, is a monthly cumulative update. It does not include Identity-related improvements.

Windows Server 2022

We observed the following update for Windows Server 2022:

KB5044281 October 8, 2024

The October 8, 2024, update for Windows Server 2022 (KB5044281), updating the OS build number to 20348.2762, is a monthly cumulative update. It does not include Identity-related improvements.

 

Windows

Windows 10, version 21H2 and 22H2

We observed the following update for Windows 10, version 21H2 and 22H2:

KB5044273 October 8, 2024

The October 8, 2024, update for Windows 10, version 21H2 and 22H2 (KB5044273), updating the OS build number to 19044.5011 (Windows 10 21H2) and 19045.5011 (Windows 10 22H2), is a monthly cumulative update. It does not include Identity-related improvements.

KB5045594 October 22, 2024 Preview

The October 22, 2024, update for Windows 10, version 22H2 (KB5045594), updating the OS build number to 19045.5073, is an optional preview update. It does not include Identity-related improvements.

Windows 11, version 22H2 and 23H2

We observed the following update for Windows 11, version 22H2 and 23H2:

KB5044285 October 8, 2024

The October 8, 2024, update for Windows 11, version 22H2 and 23H2 (KB5044285), updating the OS build number to 22621.4317 (version 22H2) and 22631.4317 (version 23H2), is a monthly cumulative update. It does not include Identity-related improvements.

KB5044380 October 22, 2024 Preview

The October 22, 2024, update for Windows 11, version 22H2 and 23H2 (KB5044380), updating the OS build number to 22621.4391 (version 22H2) and 22631.4391 (version 23H2), is an optional preview update.

In Windows 11, version 23H2, the issue where PIN reset does not work when you select the “I forgot my PIN” link on the credentials screen is addressed. This fix will be automatically deployed with the November 12, 2024, update for Windows 11, version 23H2.

Windows 11, version 24H2

We observed the following update for Windows 11, version 24H2:

KB5044284 October 8, 2024

The October 8, 2024, update for Windows 11, version 24H2 (KB5044284), updating the OS build number to 26100.2033, is a monthly cumulative update. It does not include Identity-related improvements.

KB5044384 October 24, 2024 Preview

The October 24, 2024, update for Windows 11, version 24H2 (KB5044384), updating the OS build number to 26100.2161, is an optional preview update.

In Windows 11, version 24H2, the following issues are addressed:

  • The issue where you cannot sign in to your account from the web using Web Sign-in, because the screen stops responding.
  • The issue where the Windows device might fail to authenticate using S4U2self. This occurs if Credential Guard is off and the device is joined to an Active Directory domain that does not allow the RC4 cipher.

These fixes will be automatically deployed with the November 12, 2024, update for Windows 11, version 24H2.


I’m speaking at Shuberg Philis’ Azure Heroes Meetup

Reading Time: 2 minutes

Azure Heroes Netherlands

I’m proud to announce that I’ll be presenting at the November 5th, 2024 Azure Heroes Netherlands Meetup at Shuberg Philis’ Schiphol-Rijk office.

 

About Azure Heroes Netherlands

The Azure Heroes Netherlands Meetup is a community by the community for the community.

Whether you're a beginner or an expert, Azure Heroes Netherlands provides a platform for sharing knowledge and experience. Connect with fellow enthusiasts and explore the world of cloud computing. Discover the (limitless) possibilities of Microsoft Azure and stay updated on the latest trends and developments.

After its inaugural event at Shuberg Philis’ Rotterdam office, Azure Heroes Netherlands now descends on its Schiphol-Rijk office near Amsterdam with evening sessions by Niek van Raaij and me.

 

About my session

I’ll present a 60-minute session:

You can't do Zero Trust with AD FS, learn how to leave it behind

Active Directory Federation Services (AD FS) has been the cornerstone of many Hybrid Identity implementations, but increasingly it is becoming a burden for organizations that still depend on it. Often, it is insecurely implemented, incorrectly managed and improperly monitored, glaringly exposing the organization to information security risks.

In this session, I’ll explain in which scenarios AD FS is still required and under what circumstances you can say ‘Goodbye’ to your AD FS farm. I’ll cover the pros and cons of other Microsoft Cloud authentication methods, show how to migrate, and show how to correctly remove everything AD FS-related so your organization can embrace Zero Trust with confidence.

 

Join us!

Join us for the Azure Heroes NL Meetup on November 5th, 2024 at Shuberg Philis in Schiphol-Rijk, between 6 PM and 9 PM.

This is a free event.
