Asked questions at VeeamON Virtual 2019

VeeamOn Virtual 2019

Last week, I had the pleasure of being one of the experts in the VeeamON Virtual Expert Lounge for both the APAC and Americas events. I also attended the Europe event.

In this blogpost, I’m sharing some of the questions we received and answered, so we can all benefit.


The following questions were asked regarding Veeam licensing:

How does licensing work for workstation backup? We currently use the free version for workstations, and the enterprise edition for our VMWare virtual machines.

Workstations are protected with Veeam Universal Licenses, which are sold in bundles of 10. One license protects 3 workstations, 1 server, 1 VM, 1 enterprise application, or 250 GB of NAS. Take a look at the editions comparison to determine which edition will work best for you.

We are running per-socket perpetual licensing now. We need 10 additional socket licenses. Can we still buy these licenses, or are these converted into Universal Licenses?

Perpetual licensing with Veeam is still possible: you can still license sockets. No licenses are automatically converted to the Veeam Universal Licensing (VUL) scheme. The license administrator can convert licenses at will in the customer portal.


Tiers and protection

The following questions were asked regarding scale-out backup repositories, the cloud tier and Cloud Connect:

Is there a Veeam CSP target option for capacity/cloud tier?

If you are running a public S3-compatible platform, it can be a target for the Object Storage Repository. Otherwise you would be looking at offering Cloud Connect Backup as an offsite cloud repository.

Can the Cloud Connect Repo act as object storage for the cloud tier?

No. Cloud Connect is a separate technology outside of the Scale-Out Backup Repository (SOBR) functionality, so it cannot serve as the object storage behind the cloud tier.

Regarding avoiding ransomware issues, what is the recommended way to set up my environment? Should the backup server be added to the domain or not? What other things do you recommend?

Anton Gostev’s blogpost here sheds some more light and provides links to the smart choices you can make. Remember that these choices may also negatively impact the backup, management and restore processes, so weigh each hardening measure against its operational cost.

Does Veeam plan to integrate the Kaspersky solution with Secure Backup?

As long as Kaspersky can be driven from a command-line interface (CLI), you can already use it with Secure Restore today.

It was being talked about that you could now restore a backed-up physical server straight to a VM on vSphere. Is that same ability available for Hyper-V?

Yes. When you create agent-based backups, you can restore them to whichever platform you need, including Hyper-V.


The following questions were asked regarding backing up and restoring cloud services, like Office 365 and Azure Stack:

Are we able to back up Office 365 to on-premises disk storage?

Veeam Backup for Microsoft Office 365 (VBO) is Veeam’s standalone product for creating backups of Office 365 data to on-premises storage. It backs up data in Exchange Online, SharePoint Online, OneDrive for Business and Teams. Here’s more information.

Are there any performance increases with VBO v4?

Yes, there are significant performance improvements for both SharePoint and OneDrive. VBO v4 uses multiple backup accounts to overcome per-account throttling.

Will Veeam Backup for Office 365 v4 be able to restore Teams better than Veeam Backup for Office 365 v3?

There is no change in the way VBO v4 restores Teams data compared to VBO v3.
Veeam is aware of certain limitations, like restoring a file attachment in a Teams chat (restoring the chat including its attachments). This functionality is currently missing in the Office 365 APIs.

How about Azure AD backup? Are we able to back up to on-premises storage and restore it on an on-premises host?

Not at the moment. Be aware that some attributes reside only in Azure AD and have no on-premises counterpart.

Is Veeam B&R able to communicate with the old Azure Stack or the new Azure Stack HCI?

Yes. Azure Stack HCI leverages Storage Spaces Direct (S2D). This is supported with VBR and not a problem at all, just like any other Hyper-V cluster deployment. The product formerly known as Azure Stack is now called Azure Stack Hub and requires agent-based backups in Veeam. There are now three products from Microsoft with the Azure Stack moniker:

  1. Azure Stack Edge, a cloud-managed appliance with use cases like Machine Learning on-premises, IoT solutions and network data transfer
  2. Azure Stack HCI, a Hyper-converged Infrastructure (HCI) solution to run virtual machines and use Windows Admin Center to connect to Azure for cloud services
  3. Azure Stack Hub, a cloud-native integrated system for disconnected scenarios, data sovereignty and application modernization, leveraging consistent Azure services and APIs.

When will immutable backup repositories be available for Azure like it will be for AWS?

Microsoft recently announced write-once, read-many (WORM) Azure storage. However, the Azure feature offers container-level locking, whereas the AWS feature offers object-level locks. Because an immutable container cannot be extended with new backup files, Azure’s current functionality would not be very cost-effective for incremental backups.



The following miscellaneous questions were asked and answered:

For a backup repository, what is the maximum size?

There isn’t a maximum disk size for a backup repository as such; it’s dictated by your storage and the file system type. If you are running into disk and storage constraints, you can extend to object storage via Veeam’s Cloud Tier, built into the Scale-Out Backup Repository (SOBR) functionality.

How do we know that Veeam Backup is backing up valid data, not corrupted data?

Veeam Backup & Replication (VBR) creates backups. During the backup process itself there is no true check that the right data, and sufficient data, has been backed up. However, VBR offers the SureBackup functionality, which restores a backup into an isolated test scenario. You can run automated tests against this restore to verify that the VM is indeed restorable (sufficient data) and restores as intended (the right data).
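A restore test like SureBackup answers the “right data” question; the narrower “has the backup file changed since it was written” question can be answered with a hash manifest kept apart from the backup set. The following is an added example, not Veeam’s code or anything from the original post: it records the size and SHA-256 of every file in a backup folder, and a later verification run flags missing, grown, or silently altered files. The file names `job1.vbk` and `job1.vib` are a constructed sample that only mimics a Veeam backup chain; the hash check cannot tell whether the source VM was backed up completely, which is exactly what the restore test is for.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backup files need little memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Record size and SHA-256 of every file under backup_dir, keyed by relative path."""
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def save_manifest(manifest: dict, path: Path) -> None:
    """Store the manifest as JSON; in practice keep it on a different system than the backups."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_manifest(backup_dir: Path, manifest: dict) -> list:
    """Return (relative_path, problem) tuples; an empty list means the set matches the manifest."""
    problems = []
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append((rel, "missing"))
            continue
        if p.stat().st_size != expected["size"]:
            problems.append((rel, "size mismatch"))
            continue  # no point hashing a file whose size already differs
        if sha256_file(p) != expected["sha256"]:
            problems.append((rel, "hash mismatch"))
    # files that appeared after the manifest was written are worth flagging too
    for p in backup_dir.rglob("*"):
        rel = p.relative_to(backup_dir).as_posix()
        if p.is_file() and rel not in manifest and p.name != "manifest.json":
            problems.append((rel, "not in manifest"))
    return problems


def demo() -> list:
    """Constructed sample: a fake backup chain, a manifest, then one silently flipped byte."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "job1.vbk").write_bytes(os.urandom(4096))  # constructed "full" backup file
        (root / "job1.vib").write_bytes(os.urandom(2048))  # constructed "incremental"
        manifest_path = root / "manifest.json"
        save_manifest(build_manifest(root), manifest_path)
        manifest = load_manifest(manifest_path)
        if verify_manifest(root, manifest):
            raise RuntimeError("freshly written set should verify clean")
        # simulate bit rot: flip one byte in the incremental, leaving its size unchanged
        data = bytearray((root / "job1.vib").read_bytes())
        data[1024] ^= 0x01
        (root / "job1.vib").write_bytes(bytes(data))
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())  # [('job1.vib', 'hash mismatch')]
```

Run the verification on a schedule after each backup window and alert on any non-empty result; a size check alone would miss the flipped byte, which is why the hash is compared as well.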

Can we back up VMs configured for Near Sync via the Nutanix API?

No. It seems to be a limitation in Nutanix, not in Veeam, so it might be better to ask Nutanix whether they will support it soon. Nutanix version 5.10 still presents these as lightweight snapshots, which do not support changed block tracking. Changed block tracking is what Veeam and other backup solutions use to tell what still needs to be backed up and what already has been.

I recently added a SAN to the Veeam Server in the Infrastructure Settings. As soon as it was connected and Veeam had finished doing the Inventory it looks like all our existing backup jobs started using the SAN for creating the snapshots. I did not change any of the backup job settings. Is there a way in the backup job to turn off the ability to use the SAN for snapshots and force it to use the usual way and have Veeam create the snapshot in vCenter?

The backup job now uses the Backup from Storage Snapshots option. If Veeam Backup & Replication (VBR) detects a supported storage array, it turns on the integration automatically. To return to the previous backup method (a VM snapshot created through vCenter), disable that option in the job’s settings.

I’m looking at offsite Veeam Copy\Replication with 2 EMC Dedupe boxes. Is it better to use native replication or Veeam Copy?

We always recommend using Veeam Backup Copy Jobs. In this case Veeam Backup & Replication is aware that every single block made it offsite successfully. There’s no such ‘insurance’ if you rely on the appliances’ native deduplicated replication.



It is clear that Veeam succeeded in getting the possibilities of the cloud into the heads of the attendees at VeeamON Virtual this year.

In cloud scenarios things change faster, and Veeam depends on the APIs the cloud vendors expose.

The latter has always been the case, even when they started out with VMware vSphere. The difference today seems to be that vendors of hyperscale cloud platforms catch people’s eyeballs faster and entice them faster, but lag in API support. The number of organizations on a platform demanding improvements dictates the development of secondary goals like API management.

Large cloud vendors get away with it, today. With its reputation as a cutting-edge and agile data protection vendor, Veeam now sometimes takes the hit, while from a secure development point of view it is walking the right path: the API path.


Video of my AppManagEvent 2019 session is now available

On Friday October 11, 2019, I presented a 45-minute session. The session was titled ‘Identity, the solid base for your organization’s future’. I presented the session in the context of Professional Development Systems’ 2019 edition of AppManagEvent in Utrecht.

Recent IT disasters have proven that there’s no such thing as a safe network. Firewalls continue to lose their value, and Munchhausen by proxy has got a whole new meaning. However, a new perimeter has arisen, one that focuses on the individuals in your organization and their behavior, backed by extensive auditing and near-real-time mitigating measures: identity. I explain it all in this session.

The session was recorded live and has been made available, with subtitles, for everyone to enjoy:


Thank you

Thank you to PDS for organizing AppManagEvent 2019 and inviting me as a speaker. They have also made the recording publicly available.


Pictures of the Dutch Windows Management User Group 2019-5 Meetup

OGD Delft

Last Wednesday I was a guest at the company I called ‘home’ for over 15 years. I was scheduled to deliver a 45-minute session on Azure AD Connect. As this is one of my favorite topics to talk about, I was really looking forward to the Dutch Windows Management User Group 2019-5 Meetup.

I started early at the customer scheduled for Wednesday November 13th, which was conveniently located in the vicinity of Delft. I left for the event at around 3PM and arrived early.

I met with several of my former co-workers, including their CEO Roel Nikkesen, other members of the management team and Rik van Berendonk. I also met one of OGD’s new CTOs Kay van Baarle.

Kenneth van Surksum kicking off the Meetup (photo by Adnan Hendricks)
Follow Meetup (photo by Adnan Hendricks)

Kenneth van Surksum kicked off the event, followed by Master of Ceremony Rik and Kay introducing OGD as a software company and the proud host for the event. In true OGD style, they started late and ended even later.

Patrick van der Born presenting before our audience

After their introduction, Patrick van den Born delivered the first session on identity and access management with Ivanti Identity Director.

Presenting (photo by Kenneth van Surksum)

Facing a hungry crowd, with dinner scheduled in 30 minutes, I decided to deliver my session at lightning speed so the attendees could be fed on the premises. That’s all the time I need to tear apart the choices Microsoft makes with Azure AD Connect…

Dinner is served! (photo by Adnan Hendricks)
Spekkoek as dessert... what could possibly go wrong? (photo by Adnan Hendricks)
Enjoying dinner (photo by Adnan Hendricks)

At the break, I noticed that many familiar faces had joined the event, including Osman Akagunduz and Erwin Derksen. Just in time, too, as Erwin was scheduled to deliver the third session of the event: a bullet-point-free presentation on Azure Active Directory Domain Services.

Erwin responding to a question from the audience (photo by Kenneth van Surksum)

After Erwin’s session we had time left, so Patrick, Erwin and I organized a closing panel discussion to wrap up the event.

Closing panel (photo by Adnan Hendricks)
OGD bar (photo by Adnan Hendricks)

We enjoyed a couple of drinks after the event, and I even visited OGD’s maker space at the invitation of Mark van der Lars.

Thank you

Thank you to the Dutch Windows Management User Group for organizing this meetup at my former employer and inviting me as a speaker. Thank you to all the attendees and the people behind the technology panel that night.


Videos and slides are now available on demand for Microsoft Ignite 2019’s Azure AD-related sessions

Microsoft Ignite - November 4-8, 2019 - Orlando, Florida

During Microsoft Ignite 2019 (November 4th – November 8th, 2019) in Orlando, Florida, several sessions on Azure Active Directory were held for attendees. These Azure AD-related sessions are now available on demand when you sign in with a free Microsoft TechCommunity account.

In this blogpost, I’ve categorized the sessions using Microsoft’s Standard Level Definitions, so you can step in at the level that best suits you. Within each level, I’ve sorted the sessions by session code:


Level 100 session

The session below provides an overview of Azure Active Directory. It assumes little or no expertise with Azure AD and covers concepts, functions, features, and benefits. It’s perfect for getting started with Azure AD:


BRK013 Identity: The control plane for your digital transformation, now and into the future

As the provider of the world’s largest identity platform, Microsoft takes accountability for building greater security and mobility into enterprise technologies that billions of people rely on every day. Microsoft co-develops its identity products and services with customers to ensure it helps you secure access to any app or service, on-premises or in any cloud. Microsoft is pioneering ways to make identity-driven security more intuitive and automated, and is architecting solutions using blockchain technology to give people back control over their privacy. Using real customer stories, this session shares Microsoft’s vision for Azure Active Directory, the latest product innovations, and concrete examples of how Microsoft is making it easier for you to manage and secure identities now and into the future.


Level 200 sessions

The sessions below offer intermediate material. They assume 100-level knowledge and provide specific details about Azure Active Directory:


BRK2080 Simplify sign in and authorization with the Microsoft identity platform

Building a secure and usable authentication experience has been difficult and time-consuming. Whether you’re building an app to reach consumers or enterprises, the Microsoft identity platform is here to help. In this session, you’ll learn how to authenticate personal Microsoft or Azure AD accounts, and securely access APIs in your apps. Once integrated with the Microsoft identity platform, see how you can start accessing data in Microsoft Graph to build richer applications.


BRK2130 Azure Active Directory: New features and roadmap

For anyone working on or looking into identity and access management in the cloud, this can’t-miss session provides updates on Azure Active Directory and Microsoft’s vision and roadmap areas for identity in the next year. You’ll hear about the newest features and experiences that provide seamless access for any identity, protect your organization from breaches, and use the latest open standards.


BRK2132 How Microsoft uses Azure Active Directory Identity Protection and Conditional Access to protect its assets

Identity security is one of the most critical measures you can take for your organization today. To continually strengthen your identity security, you must be able to identify and protect against attacks on your users.
Learn how Microsoft has done this in their own IT environment. First, by using Azure Active Directory Identity Protection to gain crystal clear visibility into the frequency and types of attacks on users, then protecting the user accounts with Conditional Access policies to require MFA and block legacy apps. We’ll take you along our journey, discuss pitfalls, best practices, and resulting product improvements.


BRK2232 Zero Hype – Taking practical steps to Zero Trust

Over the past several years, there has been a lot of hype around Zero Trust with a focus around vendor-specific implementation. Products emerged that were Zero Trust even before the concept became cool and well known, but what does this abstract and buzzy word really mean for your organization? In this session, the speakers focus on the principles and foundation pillars of Zero Trust, and dive into their impact on the threat landscape to understand how threat shifts when Zero Trust principles are widely applied.


BRK2261 Empower firstline worker productivity from day one

Digitally empower your firstline workers through seamless and secure access to the tools they need to be productive on day one. Learn about Microsoft’s current and upcoming investments in the firstline worker identity management space and how you can drive end-to-end transformation in your organization.


BRK3112 Love all your identities – Building digital relationships with your customers and partners

Modern organizations are looking for new ways to engage and collaborate with their customers and partners, which requires a secure and seamless way to manage these external identities. Learn how to provide seamless and secure digital experiences for partners, customers, citizens, and others with the level of customization and control your business requires. Learn about how our customers are using Azure Active Directory to provide a customized authentication experience for their customers, seamlessly govern external access to first-party apps, and effectively collaborate with partners.


BRK4007 Microsoft identity platform best practices for developers

This session walks through the details of how the Microsoft identity platform works for authentication and authorization. The speakers cover how developers can architect their solutions for the best user experience, best practices for working with permissions and consent, and debugging techniques for authentication and authorization.


SECO10 Secure your enterprise with a strong identity foundation

The three identity and access management needs Microsoft hears most often from its customers are to reduce costs, improve security, and enhance user productivity. This session provides stories of how Azure Active Directory has delivered these benefits to customers and grants greater visibility and control over users, apps, devices, and data.

This Learning Path session is primarily targeted at organizations considering modernizing their identity and security solutions and have not yet adopted Azure AD widely, or existing customers that would like a refresher on the customer scenarios addressed. This video is currently unavailable.


TK03 Microsoft’s roadmap for security, compliance, and identity

This session covers how Microsoft can help you with your security, identity, and compliance needs. Hear Kirk Koenigsbauer share Microsoft’s strategy and investments with special guests including Ann Johnson, from Microsoft’s Cybersecurity Solutions Group, and Bret Arsenault, Microsoft’s CISO.


THR2002 Authentication without passwords in 20 minutes

Passwords are complex – though usually they are not, and that is the problem! Users forget them and hackers don’t. So it’s time to move away from this pain point and utilize stronger authentication. In this 20-minute session, Brian Reid looks at how you go password-less using hardware security devices and mobile apps.


THR2047 Real-world hybrid Active Directory join and compliance in 20 minutes

One of the easy ways to secure your cloud journey is to ensure that the end user is on a company device. In this session, Brian Reid looks at how this works for Active Directory domain-joined workstations: the steps to get there and what you can do once your devices and your users are synced to Azure Active Directory. He also looks at how to troubleshoot AAD Hybrid Join and takes real customer examples so you can avoid common issues.


THR2200 Lift and shift your legacy applications using Azure Active Directory Domain Services

Do you have hundreds of on-premises, legacy applications slowing your acceleration to the cloud? Learn how Azure Active Directory can help you lift-and-shift your legacy apps, secure legacy authentication, and see Microsoft’s roadmap of exciting new features and capabilities to lighten your on-premises server and application footprint.


THR2201 Reduce IT friction with seamless identity end-user experiences

In a world where every employee needs a sea of applications and tools to do their job, and your end-users are getting increasingly mobile, so much productivity is lost on simply finding the right app, remembering the right password, and reaching out to IT to retrieve lost credentials. Learn how you can become your organization’s hero by eliminating access friction and deliver a seamless and secure user experience.


THR3136 Streamline your business processes and development with Azure Active Directory APIs in Microsoft Graph

The availability of Azure AD APIs in Microsoft Graph has grown over the past year to help developers build out scenarios in Azure Active Directory. In fact, all Azure AD Graph APIs are now available in Microsoft Graph, which includes even more functionality across all Office 365 workloads. In this session, learn how to use Azure AD APIs in Microsoft Graph for user onboarding and dynamic group provisioning, enabling governance with Privileged Identity Management and enabling more granular access control with Azure AD RBAC.


Level 300 sessions

The sessions below offer advanced material. They assume 200-level knowledge, in-depth understanding of features in a real-world environment, and strong coding skills. These sessions aim to provide detailed technical overviews of only a subset of the products and technology features, covering architecture, performance, migration, deployment, and development:


THR3080 Gain fine-grained access controls of your administrative roles with Azure Active Directory custom roles

Learn how to control access to Azure Active Directory using Azure AD administrative roles, including capabilities like custom RBAC controls, and see what’s coming for future role and access control capabilities.


BRK3110 Winning strategies for identity security and governance

Cybersecurity incidents make news regularly, and the attacks have become more sophisticated and complicated for organizations to keep up with. This increase is in spite of high spending on security solutions and resources. The key to successful identity management is moving towards an identity-centric security strategy. Think like a bad actor and work out the attacks you’re most likely to face, and guard against them to the best of your ability. In this session, the speakers discuss some of the winning strategies for effective identity management.


BRK3113 New frontiers in identity standards

Interested in the future evolution of the identity industry? Join Pamela Dingle for an entertaining tour through the work currently occurring in standards bodies like IETF, W3C, ISO, and the OpenID Foundation. Pamela explains the efforts that are underway and describes what future impact this work might have on enterprises and the internet. If part of your job is to future-proof your organization, this overview may give you useful insight into areas you need to monitor, or perhaps links to technologies that your organization might want to help shape.


BRK3114 Building trust into digital experiences with decentralized identities

Organizations are exploring ways to improve the trust of digital experiences. This effort can be accelerated by empowering people to own, control and verify their identity. Learn how Decentralized Identity can enable the use of portable claims based on the Verified Credentials standard, see a proof of concept to compare with existing account-based systems, learn about known challenges and, most importantly, how you can get involved.


BRK3194 Azure Active Directory cloud authentication doesn’t just mean “sign-in”

When you sign in to Azure AD, cloud fault tolerance, scalability, and enhanced security are built in. Through the Azure AD management portal, it is simple to enable a plethora of technologies, enhancing both your organization’s security posture and user experience. In this session, John Craddock shares his real-world experience and insight into reaping the rewards and benefits of Azure AD. Learn how to choose the best sign-in options for both your cloud and hybrid users. Also, learn how to mitigate risk through the use of Conditional Access policies. Combine this with Windows Hello or FIDO, and you are building secure sign-in for the future. The session is packed with demos and definitely should not be missed.


SECI10 Identity and access management best practices from around the world

Join the Azure Active Directory customer success team and learn how they have helped hundreds of customers around the world accelerate digital transformation with identity and access management. Find out how you can quickly and easily get Azure Active Directory up and running and be the hero of your organization.


SECI20 Shut the door to cybercrime with identity-driven security

Today, in most organizations, there exists an abundance of security solutions and yet what will actually make you secure remains obscure. Watch this session to get your much needed answers on the steps you can quickly take to protect yourself against the most prevalent current and emerging threats!


BRK3105 Connect your workforce to all the apps they need with Azure Active Directory

Azure AD is the place for all your apps, but do you know how to take full advantage of the rich ecosystem Microsoft offers? Watch this session to learn about what Microsoft is doing to enrich its apps ecosystem with the apps you care about, to make it easy for you to connect and build the apps your organization needs, and all the cool stuff you can do with those apps once you join the party!


BRK3106 Eliminate your weakest link with password-less authentication

The new standard for authentication is password-less. Learn about how to start using and deploying the Microsoft suite of password-less solutions that can help you provide secure options for your users and protect your company from password spray, phishing and other attacks. Join the millions of users of FIDO2, Windows Hello, and Microsoft Authenticator in conjunction with Azure Active Directory that have made passwords a relic of the past.


BRK3108 Modernize your on-premises application security with Azure Active Directory

Watch this session to learn how to extend modern cloud-driven security and scalability to your on-premises apps using Azure Active Directory. When you have your users operating under a common identity across your hybrid identity environment, you can securely connect and protect all your applications to Azure AD including classic applications that use protocols such as Kerberos and header-based authentication or on-premises LOB apps. The speakers show you how you can do this from Azure AD-native solutions or through integrations with partner infrastructure that you may already be using in your organization.


BRK3109 Govern your workforce and guest user access with Azure Active Directory

Organizations are faced with an explosion of new, collaboration-focused SaaS apps and services, where it is increasingly becoming as easy to share resources with business partners as with employees. It is more challenging than ever to ensure timely access and productive collaboration while maintaining data security and access compliance. Watch this session to learn how Azure Active Directory can deliver Identity Governance and Administration for both your employees and guest users, empowering the entire organization while balancing security and productivity.


BRK3154 Integrating CASB into IAM for a comprehensive identity security strategy

Standalone, identity and access management solutions protect access to your apps, and a Cloud Access Security Broker (CASB) provides discovery, threat, and information protection across them. Combining these two powerful solutions enables a deeper level of visibility and the ability to control user sessions in real-time. In this session the speakers share how Azure Active Directory Conditional Access and Microsoft Cloud App Security uniquely integrate to provide actionable insights, an improved security posture, better threat detection, and adaptive access control to all apps, Microsoft and third-party, in your organization. The speakers discuss some of the top use cases and demo how easy it is to deploy them.


BRK3195 Azure Active Directory B2B versus multi-tenant apps: Notes from the field

John Craddock has created this session as the result of a real-world scenario. A forms-authenticated app, running in Azure, was providing services to several enterprise customers. These enterprise customers were requesting that they should have SSO using their on-premises AD credentials. How can the solution be built? We have to start by selecting a federated authentication protocol for the app. Allowing partners and other organizations to access the application requires either the creation of an Azure AD multi-tenant app or providing access to the app via Azure AD B2B services. Watch this session and learn about the pros and cons of each solution. Don’t miss the demos showing the results.


BRK3257 Leverage the cloud to strengthen your on-premises Active Directory security

As you traverse your digital transformation journey to the cloud, you will likely find yourself in a state with on-premises and cloud identity systems working in tandem as a hybrid identity infrastructure. This not only provides a single identity for users to access resources, but also cloud security enhancements can be extended to on-premises. Watch this session to learn how the scalability and advanced security of Azure Active Directory can be leveraged to protect your Windows Server Active Directory infrastructure. This session focuses on a few quick wins and some key strategies you should be focusing on with your Active Directory.


BRK3267 Increase M&A agility by integrating quickly and securely with Azure Active Directory

M&A is an increasingly important growth driver for modern enterprises but with the increasing complexity of technology solutions, it can be a major challenge for IT and Security teams. Join us to learn how to consolidate directories and enable access to resources from day one, simplify collaboration, and eliminate cybersecurity threats with identity as the control plane.


BRK4017 The science behind Azure Active Directory Identity Protection

Azure AD Identity Protection detects and prevents identity attacks in the cloud and on-premises. It also enables identity admins to understand their risk standing with insights and advanced risk reports. Using this information, identity admins can set up risk-based policies for a hands-free security experience – achieving both security and productivity. At the core of Identity Protection is its risk engine, which uses machine learning, UEBA, and anomaly detection to detect the compromised users in your organization. Watch this session to learn about the new features available in the refreshed Identity Protection. The speakers show the new capabilities and go deep into the science that powers Identity Protection.


THR3076 Get the most out of password-less authentication and avoid pitfalls

Learn about Microsoft’s password-less strategy and tangible next steps on taking your enterprise password-less. Watch this session to gain tips for a seamless deployment and user adoption with Microsoft-supported authentication tools like Windows Hello, Microsoft Authenticator, and FIDO security keys.


THR3079 Govern access for employees and partners with Azure Active Directory Identity Governance

Azure Active Directory has new identity governance and administration capabilities to help scale and govern access management for your entire workforce including partners. Check out the latest news and demos around Access Reviews and Entitlement Management.


THR3135 Secure customer identity and access management using Azure Active Directory B2C

How can you help your customers create seamless sign-up or sign-in experiences for their consumer-facing applications? Learn about Azure Active Directory B2C, an enterprise-grade customer identity and access management service, and how it allows you to easily secure consumer-facing (or citizen-facing) web and mobile applications and to create user friendly, frictionless experiences while protecting user data.


THR3078 Migrate to modern authentication with Azure Active Directory

Embrace modern authentication for your users and their single sign-on into apps with Azure Active Directory. See the latest tools that can help you plan and deploy a rollout of cloud authentication and also migrate your apps to cloud management and security.


WRK 3029 Secure and manage your identities with Azure Active Directory

With identity as the control plane, you can have greater visibility and control over who is accessing your organization’s applications and data and under which conditions. This workshop gives you hands-on experience with Azure Active Directory, a universal identity platform for you to keep your employees and external users productive and secure, while staying compliant and protecting against threats. Learn how to build and deploy risk-based access policies, seamlessly connect users to all their apps, manage guest users as easily and securely as your own employees, and more! Become an identity and access management hero for your organization.


Getting Started with Azure Monitor Workbooks for Azure Active Directory

Azure Active Directory

It’s time to take a look at the Azure Workbooks and get started with monitoring Azure Active Directory the new way.

In the overview of What’s New in Azure Active Directory for August 2019, Microsoft announced the deprecation of the Azure AD Power BI content packs in favor of Azure Monitor Workbooks. Microsoft also made announcements for Azure Active Directory at Microsoft Ignite 2019, indicating new and enhanced Azure Monitor Workbooks for Azure AD.


About the Azure AD Power BI content packs

For years, Azure AD admins could gain insights in Power BI, based on the Azure Active Directory Activity Logs content pack in Power BI on the Web:

Azure Power BI Contents Packs

Especially when combined with the Azure Audit Logs, Azure Backup, Azure Security Center Security Insights and Azure Security Center Policy Management, Power BI provides a great overview of the health of the organization’s cloud services.


About Azure Monitor workbooks

Azure Monitor Workbooks replace Power BI content packs.

For Azure Monitor workbooks, log data is stored in a Log Analytics workspace and is collected and analyzed by the Log Analytics service. Azure Monitor is then used to view the data in comprehensive reports. Compared to the Power BI content packs, this method improves speed and allows for alerts, all without the need for Power BI licenses throughout the organization.



To use Azure Monitor workbooks, you need:

  • An Azure Active Directory tenant with at least one Azure AD Premium (P1 or P2) subscription license.
  • A Log Analytics workspace
  • Access to the log analytics workspace
  • Sign in with one of the following roles in Azure Active Directory, if you are accessing Log Analytics through Azure Active Directory portal:
    • Security administrator
    • Security reader
    • Report reader
    • Global administrator
    • Global reader
  • Sign in with one of the following roles to gain access to underlying Log Analytics workspace to manage the Azure Monitor Workbooks:
    • Global administrator
    • Global reader
    • Security administrator
    • Security reader
    • Report reader
    • Application administrator


How to get it working

Here’s how to get Azure Monitor Workbooks for your Azure AD tenant working:


Step 1: Set up a Log Analytics workspace

Azure Monitor Workbooks require a Log Analytics Workspace. As Azure subscriptions, by default, do not get configured with a Log Analytics workspace, the first step is to create a Log Analytics Workspace. Perform these steps:

  • Sign into the Azure Portal with an account that has one or more of the roles mentioned in the above requirements paragraph.
  • In the Azure portal, click All services. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics workspaces from the list.
  • Click + Add.
    The Log Analytics workspace blade appears.
  • Fill in the required information to add a Log Analytics workspace.
  • Click OK on the bottom of the blade to create the Log Analytics workspace.

The pricing model for Log Analytics is per ingested GB per month. However, the first 5 GB per month is free. Data ingestion beyond 5 GB is priced at € 2,52 per GB per month. Ingesting Azure AD with Log Analytics will mostly result in free workspace usage, except for large busy Azure AD tenants.


Step 2: Integrate Azure AD logs into Log Analytics

Perform the following steps to route audit activity logs and sign-in activity logs from Azure Active Directory to the Log Analytics Workspace:

  • While still logged on in the Azure AD Portal, click on Azure Active Directory in the left navigation menu.
  • Select Diagnostic settings in Azure AD’s navigation menu.
  • In the main pane, click Add diagnostic setting.
    The Diagnostic settings blade appears.
  • On the Diagnostic settings blade, provide a name for the diagnostic settings.
  • Select the Send to Log Analytics workspace check box.
  • Select the Log Analytics workspace you want to send the logs to, or create a new workspace in the provided dialog box.
  • Do either or both of the following:
    • To send audit logs to the Log Analytics workspace, select the AuditLogs check box.
    • To send sign-in logs to the Log Analytics workspace, select the SignInLogs check box.
  • Select Save on top of the blade to save the diagnostic settings.

Allow for ample time for the diagnostic settings to apply and the data to be streamed to the Log Analytics workspace.


Step 3: Enjoy the Azure Monitor Workbooks

Perform the following steps to view the information in the Azure AD Workbooks:

  • While still logged on in the Azure AD Portal, click on Azure Active Directory in the left navigation menu.
  • Select Workbooks in Azure AD’s navigation menu.
    The Workbooks main page appears:

Azure AD Workbooks

  • Make your own workbook, starting from an empty report, or choose your favorite workbook from the readily available workbooks in the categories Usage, Conditional access and Troubleshoot:
    • Sign-ins
    • Sign-ins using Legacy Authentication
    • App Consent Audit
    • Conditional Access Insights (Preview)
    • Sign-ins by Conditional Access policies
    • Sign-ins by Grant Controls
    • Sign-ins Failure Analysis

Since I was missing the default sign-in maps, which I used the Power BI content packs for a lot, I decided to create a new report based on the Kusto Query Language (KQL).



While Azure AD’s workbooks don’t yet provide all the functionality of the Power BI content pack, they are a very powerful way to get acquainted with what’s going on in the organization’s Azure AD tenant.

I believe what we’re seeing today in Azure AD’s workbooks is the start of something that answers the big questions organizations have today, and will grow into a solution that organizations with Azure AD Premium licenses love to use to keep tabs on their Azure AD tenant(s).

Further reading

Azure Monitor overview
How to use Azure Monitor workbooks for Azure Active Directory reports
Create a Log Analytics workspace in the Azure portal


Azure AD Connect v1.4.32.0 fixes Azure AD Join challenges

It’s time for a new version of Azure AD Connect to incorporate Microsoft’s lessons learned and distribute the fixes Microsoft made to the larger public. Last Friday, Microsoft released the third version in the 1.4 branch of Azure AD Connect: v1.4.32.0.

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.



Fixed Azure AD-joined device synchronization

This version fixes an issue with existing Hybrid Azure AD-joined devices.
This release contains a new device sync rule that corrects this issue.

This rule change may cause deletion of obsolete devices from Azure AD. This is not a cause for concern, as these device objects are not used by Azure AD during Conditional Access authorization. For some customers, the number of devices that will be deleted through this rule change can exceed the deletion threshold. If you see the deletion of device objects in Azure AD exceeding the Export Deletion Threshold, it is advised to allow the deletions to go through. See: How to allow deletes to flow when they exceed the deletion threshold.

Schema change requiring MSOnline Module, or up

Versions 1.4.x of Azure AD Connect add several URLs to the AdditionalWSFedEndpoint property of the ‘Microsoft Office 365 Identity Platform’ relying party trust between your AD FS Farm and Azure AD. Due to an internal schema change in version of Azure AD Connect, if you manage this relying party trust’s relationship configuration settings in AD FS through Azure AD Connect using the MSOnline PowerShell module, then you must update to version of the MSOnline PowerShell module, or to a newer version when it becomes available.


Version information

This is version of Azure AD Connect.
This release in the 1.4 branch for Azure AD Connect was made available for download on November 8, 2019.


Download information

You can download Azure AD Connect here.
The download weighs 91.0 MB.



After the upgrade to Azure AD Connect version completes, a full Synchronization cycle is automatically triggered, followed by a full import for the Azure AD connector and a full sync for the AD connector. Since this may take some time, depending on the number of objects in scope of your Azure AD Connect environment and the connectivity to both Active Directory and Azure AD, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.


HOWTO: Properly delegate Directory permissions to Azure AD Connect service accounts

This entry is part 18 of 20 in the series Hardening Hybrid Identity

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at properly delegating directory access to Azure AD Connect service accounts.


Why look at Directory Access for Azure AD Connect Service Accounts

Azure AD Connect uses three service accounts:

  1. A local account on the Windows Server installation running Azure AD Connect, used to run the Microsoft Azure AD Sync service. This account can be configured as a group Managed Service Account (gMSA).
  2. An account in the Azure Active Directory tenant
  3. One account per Active Directory Domain Services environment in scope for Azure AD Connect.

Azure AD Connect offers a choice when creating this third account in the AD forest account dialog screen. You can specify your own service account, or let Azure AD Connect create the service account. The latter option is the default option.

The default Azure AD Connect service account

When you let Azure AD Connect create the account, an account is created that follows the naming convention, resulting in a name starting with MSOL_, followed by the first 8 bytes of the Azure AD Connect installation ID (a version 4 UUID) and the server name. It is placed in the Users container per Active Directory domain in scope.

This account then is delegated the following Directory Services permissions at the root level of the Active Directory domains in scope:

  • Replicate changes
  • Replicate changes all
  • User objects: reset password, change password and read/write all properties
  • InetOrgPerson objects: read/write all properties
  • Groups: read/write all properties
  • Computer objects: read/write all properties

When you have Device Writeback configured, the service account is also delegated extensive permissions to the RegisteredDevices container. These delegations are created when you configure Device Options in the Azure Active Directory Connect Configuration wizard.

The issue

These permissions are too lenient, when:

  • Organizations use Domain and OU Filtering
    These organizations do not synchronize all Organizational Units and containers of their Active Directory domain(s) to Azure AD with Azure AD Connect, and/or
  • Organizations use Azure AD App Filtering
    These organizations do not synchronize all attributes for the objects in scope of their Active Directory domain(s) to Azure AD with Azure AD Connect
  • Organizations wish to apply least privileges to Azure AD Connect service accounts

In these cases, the permissions mentioned above should be restricted.
Furthermore, per Microsoft’s own recommended practice, delegation of Directory Services permissions should be per group, not per individual user object.

Possible negative impact (What could go wrong?)

I feel delegated Directory Services permissions should be ‘just right’.

If you have too strict permissions, functionality might break. For instance, Device Writeback may not work.

If you have permissions outside the scope of Azure AD Connect, you might experience a large fall-out when the service account is breached. For instance, the permissions might be used to add people to over 1015 groups in a Denial of Service attack, or eventually be used to change the password of admin accounts (although not directly).

If you have delegated Directory Services permissions to a user account, these permissions get orphaned when the user object is deleted. This will result in several unusable permissions referring to the SID of the deleted user object; garbage weighing Active Directory down. This is why we prefer to use groups.


Getting Ready

To properly delegate Directory access to Azure AD Connect service accounts, make sure to meet the following requirements:


System requirements

Make sure you have a clear inventory of the Active Directory OU structure, what OUs and containers are in scope for Azure AD Connect and what type of objects reside per OU and container.

If you intend to move objects around in another project, postpone or abandon properly delegating Directory Services permissions at a granular level.

You can use the following lines of Windows PowerShell on a Windows Server with an Azure AD Connect installation to list the OUs and containers currently in scope:

# Lists the containers (OUs) included in the Active Directory connector's partition scope
$c = Get-ADSyncConnector -Name domain.tld
($c).Partitions.ConnectorPartitionScope.ContainerInclusionList | Out-GridView


The below commands make the assumption that you explicitly enable Organizational Units and containers on the Domain and OU Filtering screen in the Azure Active Directory Configuration wizard. If you enable an OU and then disable a child OU of this OU, remove the /I:S part of the command on the parent OU.


Privilege requirements

Make sure to sign in with an account that has privileges to make changes on the Security tab of OUs and containers. For an Active Directory environment with a single domain, an account that is a member of the Domain Admins group will suffice. For multi-domain Active Directory forests, a member of the Enterprise Admins group is required.


How to do it

Follow these steps to properly and granularly delegate Directory Services permissions for Azure AD Connect service accounts:


Create groups

First off, we create the Active Directory groups to delegate Directory Services permissions to:

  1. A group for the base Active Directory permissions
  2. A separate group for Password Reset permissions
  3. A separate group for Password Writeback
  4. A separate group for Group Writeback
  5. A separate group for Device Writeback
  6. A separate group for Hybrid Exchange

Provide these groups with apt names, following the naming convention within your organization. Place them wherever you like in your Active Directory environment, but preferably outside of the Azure AD Connect synchronization scope.


Delegate base permissions

Use the following line on a Command Prompt (cmd.exe) to properly provision the group for the base Active Directory permissions:

dsacls.exe "dc=domain,dc=tld" /G "DOMAIN\GroupBasePermissions:CA;Replicating Directory Changes;" "DOMAIN\GroupBasePermissions:CA;Replicating Directory Changes All;"


Delegate Write-back of the ms-DS-ConsistencyGUID source anchor

Recent versions of Azure AD Connect use the mS-DS-ConsistencyGUID attribute as the source anchor for user objects. As this is the new standard, my recommendation is to add the delegated permissions to the base permissions group.

Use the following line on a Command Prompt (cmd.exe) to allow members of the base permissions group to write back the source anchor attribute.

Use this line on each OU in scope for Azure AD Connect with user objects in scope for Azure AD Connect.

dsacls.exe "OU=OrganizationalUnit,dc=domain,dc=tld" /I:S /G "DOMAIN\GroupBasePermissions:WP;mS-DS-ConsistencyGUID;user"


Delegate password reset permissions

Use the following line on a Command Prompt (cmd.exe) to properly provision the separate group for Password Reset permissions:

Use this line on each OU in scope for Azure AD Connect with user objects that will be configured with Azure AD Self-service Password Reset.

dsacls.exe "OU=OrganizationalUnit,dc=domain,dc=tld" /I:S /G "DOMAIN\GroupNamePasswordReset:CA;Reset Password;user" "DOMAIN\GroupNamePasswordReset:CA;Change Password;user"


Delegate password Writeback permissions

Use the following line on a Command Prompt (cmd.exe) to properly provision the separate group for Password Writeback permissions:

Use this line on each OU in scope for Azure AD Connect with user objects that will be configured with Password Writeback.

dsacls.exe "OU=OrganizationalUnit,dc=domain,dc=tld" /I:S /G "DOMAIN\GroupNamePasswordWriteBack:CA;Reset Password;user" "DOMAIN\GroupNamePasswordWriteBack:CA;Change Password;user" "DOMAIN\GroupNamePasswordWriteBack:WP;lockoutTime;user" "DOMAIN\GroupNamePasswordWriteBack:WP;pwdLastSet;user"


Delegate Device Writeback permissions

Use the following line on a Command Prompt (cmd.exe) to properly provision the separate group for Device Write-back on the RegisteredDevices container:

dsacls.exe "CN=RegisteredDevices,CN=System,DC=domain,DC=tld" /I:S /G "DOMAIN\GroupNameDeviceWriteBack:CCDCRPWP;;computer"


Delegate group writeback permissions

Use the following line on a Command Prompt (cmd.exe) to properly provision the separate group for Group Write-back:

Use this line only on the OU you’ve specified for Group write-back when you’ve configured Azure AD Connect.

dsacls.exe "OU=WrittenBackGroups,DC=domain,DC=tld" /I:S /G "DOMAIN\GroupNameGroupWriteBack:WP;member;group"


Delegate Exchange Hybrid permissions

Use the following line on a Command Prompt (cmd.exe) to properly provision the separate group for Hybrid Exchange permissions to write back attributes to user objects:

Use this line on each OU in scope for Azure AD Connect with user objects in scope for Azure AD Connect.

dsacls.exe "OU=OrganizationalUnit,dc=domain,dc=tld" /I:S /G "DOMAIN\GroupExchangeHybrid:WP;proxyAddresses;user"


Add service accounts to the groups

With the right permissions in place, we can now add existing Azure AD Connect service accounts to the groups, or create new service accounts.

Azure AD Connect initiates synchronization cycles every 30 minutes, by default. The new group memberships will be automatically effective the next synchronization cycle, unless you run the Azure AD Connect service with the same service account. In this latter case, restart the Azure AD Connect server(s) for the changes to take effect.


Remove legacy permissions

After you’ve properly and granularly delegated Directory Services permissions, you can remove the legacy permissions. You can use the Security tab on the domain level to observe and remove these permissions. Don’t be surprised if you stumble upon even older Azure AD Connect service accounts here.
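As an added example (not the post’s own code), the following Windows PowerShell script checks that the delegations from the dsacls lines above are actually present on an OU, container or domain root, and flags ACEs that still refer to orphaned SIDs or to legacy MSOL_* accounts. It assumes the ActiveDirectory module (RSAT) is available and uses the placeholder domain, OU and group names from this post; the function names Test-AadcDelegation, Get-SchemaAttributeGuid and Get-ExtendedRightGuid are my own.

```powershell
# Added verification script (not from the original post). It reads the ACL of an
# OU, container or domain root after the dsacls delegations described above and
# reports: expected ACEs missing for the delegation group, explicit ACEs whose
# trustee no longer resolves (orphaned SIDs), and ACEs still granted to legacy
# MSOL_* service accounts. Assumptions: RSAT's ActiveDirectory module is present
# and the group and DN names are the placeholders used in this post.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of an attribute (e.g. mS-DS-ConsistencyGUID) so that a
# WriteProperty ACE can be matched on its ObjectType.
function Get-SchemaAttributeGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    return [guid]$attr.schemaIDGUID
}

# Resolve the rightsGuid of an extended right such as 'Reset Password' or
# 'Replicating Directory Changes' from the Extended-Rights container.
function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $right) { throw "Extended right '$DisplayName' not found" }
    return [guid]$right.rightsGuid
}

function Test-AadcDelegation {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Group,        # 'DOMAIN\GroupName' form
        [Parameter(Mandatory)][hashtable[]]$Expected # entries of @{ Name; Right; Guid }
    )
    $acl    = Get-Acl -Path "AD:\$DistinguishedName"
    $report = [ordered]@{ Path = $DistinguishedName; Missing = @(); OrphanedSids = @(); LegacyMsol = @() }

    # An expected delegation is present when an Allow ACE for the group carries the
    # requested right and its ObjectType is the attribute or extended-right GUID.
    # (The inherited object class, e.g. ';user', is not checked here.)
    foreach ($e in $Expected) {
        $wanted = [System.DirectoryServices.ActiveDirectoryRights]$e.Right
        $hit = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $Group -and
            (($_.ActiveDirectoryRights -band $wanted) -eq $wanted) -and
            $_.ObjectType -eq $e.Guid
        }
        if (-not $hit) { $report.Missing += "$($e.Right) '$($e.Name)' for $Group" }
    }

    # Explicit (non-inherited) ACEs whose trustee is an unresolved domain SID:
    # leftovers of deleted user accounts that were delegated directly.
    $report.OrphanedSids = @($acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -match '^S-1-5-21-' } |
        ForEach-Object { "$($_.IdentityReference.Value): $($_.ActiveDirectoryRights)" })

    # ACEs still granted to an auto-created MSOL_* account (legacy permissions).
    $report.LegacyMsol = @($acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like '*\MSOL_*' } |
        ForEach-Object { "$($_.IdentityReference.Value): $($_.ActiveDirectoryRights)" })

    return [pscustomobject]$report
}

# Constructed sample invocations using this post's placeholder names.
$domainDn = 'DC=domain,DC=tld'
$userOu   = "OU=OrganizationalUnit,$domainDn"

# Base permissions group: both replication rights at the domain root ...
$baseChecks = @(
    @{ Name = 'Replicating Directory Changes';     Right = 'ExtendedRight'; Guid = Get-ExtendedRightGuid 'Replicating Directory Changes' }
    @{ Name = 'Replicating Directory Changes All'; Right = 'ExtendedRight'; Guid = Get-ExtendedRightGuid 'Replicating Directory Changes All' }
)
Test-AadcDelegation -DistinguishedName $domainDn -Group 'DOMAIN\GroupBasePermissions' -Expected $baseChecks

# ... plus the source-anchor write-back on the user OU.
$anchorChecks = @(
    @{ Name = 'mS-DS-ConsistencyGUID'; Right = 'WriteProperty'; Guid = Get-SchemaAttributeGuid 'mS-DS-ConsistencyGUID' }
)
Test-AadcDelegation -DistinguishedName $userOu -Group 'DOMAIN\GroupBasePermissions' -Expected $anchorChecks

# Password reset group: both password extended rights on the user OU.
$pwdChecks = @(
    @{ Name = 'Reset Password';  Right = 'ExtendedRight'; Guid = Get-ExtendedRightGuid 'Reset Password' }
    @{ Name = 'Change Password'; Right = 'ExtendedRight'; Guid = Get-ExtendedRightGuid 'Change Password' }
)
Test-AadcDelegation -DistinguishedName $userOu -Group 'DOMAIN\GroupNamePasswordReset' -Expected $pwdChecks
```

Run it against the domain root and every OU you delegated; an empty Missing list with empty OrphanedSids and LegacyMsol lists is the state you want before (and after) removing the legacy permissions.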


Optionally: Remove old Azure AD Connect service accounts

When you choose to start over with new accounts, you can now safely remove the old Azure AD Connect accounts, as they will no longer be used by Azure AD Connect, and will no longer have any delegated permissions associated to them in Active Directory.



Having a Microsoft product use default settings does not always result in the most securely configured environment. Having Azure AD Connect create its own service account doesn’t result in a desirable environment from a security perspective.

Further reading

AADSync – AD Service Account Delegated Permissions
DSACLS command to Grant Domain Groups Password Reset and Unlock Account
Active Directory Delegation with DSACLS
HOWTO: Properly set and manage Azure AD Connect’s Export Deletion Threshold
HOWTO: Use Domain and OU Filtering to limit objects in scope for Azure AD Connect
HOWTO: Use Azure AD App Filtering to limit attributes for the objects in scope for Azure AD Connect


Pictures of VMworld Europe 2019

VMworld Europe 2019 at Fira Gran Via

Deji Akomolafe invited me over to Barcelona last week, to present two sessions with him at VMware’s VMworld Europe 2019 event.

After I had spent Tuesday November 5th at one of my favorite customers, I drove to the airport to take my first flight to Paris Charles de Gaulle airport. I had a short layover, and it was truly magnificent to enjoy a French dinner at Air France’s lounge. Then, we flew onward to Barcelona, where we landed shortly before 7 PM.

Dessert at the Air France Lounge in Paris
Flying over Paris and seeing the Eiffel Tower like that. Priceless.

I took a cab to Fira Gran Via and got there just in time to pick up my VMworld badge. I needed it to get access to my evening activities, so I was glad to be there just before registration closed at 7:30 PM.

I headed to my first activity, which was organized by the vExpert program. Near the incredible W Hotel, near the beach, we gathered and had some nice conversations, including conversations with Pat Gelsinger, VMware’s CEO, who joined us.

Meeting with Pat Gelsinger
The Legendary Veeam Party

After the vExpert meeting, I headed to the Benelux party, together with the RedLogic vExperts. It was a busy party at Fabrica Moritz. I talked to my countrymen and -women at this party. Then, I headed for the Veeam party. I talked to Nikola Pejková, as I was interested in how her presentation on the Veeam Vanguard program went at the Community stage.

As the Hotel Catalonia Plaza is just around the corner of the Veeam party, I crawled over and checked in to enjoy a nice warm bed.

Rubber Chickens
On Stage With A Chicken in my pocket (photo by Nikola Pejková)

The next morning, on Wednesday November 6th, I joined Deji in the speaker room. Deji shared his intention to reintroduce rubber chickens at identity sessions (of DEC origin) so we devised a strategy to share them. We then discussed the session and the flow in the slides.

Full Room for an Active Directory session at VMworld :-) (photo by Nikola Pejková)
Presenting with Deji (photo by Rachel Onamusi)

We walked up to room 32 and were present 30 minutes early. Unfortunately, the keynote went over time, so we had to cut our 60-minute session short by 10 minutes. That’s okay, we were only trying to discuss 70 minutes of Active Directory goodness in 60 minutes anyway…

With feedback like “The best from Monday till now :)” and “very entertaining speakers”, I think we still managed to provide good information on virtualizing Active Directory on top of VMware vSphere.


After the session, I visited the Expo Hall and enjoyed some nice chats with a couple of vendors, including Microsoft. Microsoft brought their proposition to run VMware vSphere on physical servers in Azure datacenters to VMworld. So we had a good chat on that. At 5 PM it was time for the Hall Crawl. It was followed by VMworld Fest. I enjoyed the food, but chose to leave drinks be; there was another session planned for Thursday.

Again, I arrived early at VMworld. This time, I met up with Remko Deenink. We studied together in 2007, so it was about time to get up to speed with what we’re both doing. It was nice seeing Remko again.

Deji presenting
Deji Presenting, picture from the audio booth

At 10:30 AM, Deji and I kicked off the 4-hour workshop on architecting and implementing Active Directory on vSphere. For this session, we had all the time we needed to properly discuss time synchronization, the VM-GenerationID, Virtualization-safer Active Directory, Domain Controller Cloning, Domain Controller scaling, DNS and VM encryption. Sufficient time for me to snap some pictures of Deji, too.

My 2019 VMworld badge, including the vExpert, Speaker and Alumni flair

After the session, I had to leave for the airport to catch my flight back to the Netherlands, but not before I recorded a short Identity Guy movie from the roof of the hotel.


Thank you!

Thank you to VMware for organizing VMworld Europe 2019 and to Pat Gelsinger for taking the time to discuss technology, partnerships and the future. Thank you, Deji.  Thank you to all the attendees, especially the people in our sessions.


What’s new in Azure Active Directory at Microsoft Ignite 2019

Microsoft Ignite - November 4-8, 2019 - Orlando, Florida

Microsoft’s Identity Division made announcements and released functionality for Azure Active Directory during Microsoft Ignite 2019 (November 4th – November 8th, 2019) in Orlando, Florida:



Azure AD Security Defaults Public Preview

Security Defaults is a set of basic identity security mechanisms, recommended by Microsoft. When enabled, these recommendations will be automatically enforced. Admins and users will be better protected from common identity-related attacks.

Security defaults are available right now, from the tenant properties blade in the Azure Portal. Security Defaults replace the Baseline Policies in Conditional Access. When you enable Security Defaults, the Baseline Policies disappear.


Azure MFA for free

Microsoft announced that Azure Multi-factor Authentication (MFA) is now free.
Azure MFA will be enabled as part of the new Security Defaults feature for all new Azure Active Directory tenants for Microsoft 365, Office 365, Dynamics, and Azure.

As of November 1, 2019, there will be no charges for using multi-factor authentication or password-less authentication.


Password-less authentication for free

Organizations with any Azure Active Directory plan can now use the Microsoft Authenticator app to securely access their apps without a password. Previously, only customers with a paid plan could use the app for password-less authentication.

The password-less authentication methods feature in Azure Active Directory launched in Public Preview last year; General Availability is expected in 2020.


Refreshed Azure AD Identity Protection General Availability

The new Azure AD Identity Protection is now generally available. It offers new detections and capabilities. These new User and Entity Behavioral Analytics (UEBA) capabilities and their enhanced signals, massively improved APIs for integration with Security Operations Center (SOC) environments, and a new user interface, make Azure AD admins and their security counterparts more efficient.


Conditional Access Report-only mode Public Preview

Conditional Access Report-only mode allows admins to evaluate the potential impact of new Conditional Access policies before rolling them out. Organizations with an Azure Monitor subscription can monitor the impact of Conditional Access policies in report-only mode using the new Conditional Access insights workbook. In combination with the Global Reader role, this allows for further visibility into settings and policies without added risk.



Azure Active Directory Connect cloud provisioning Soon

Microsoft announced Azure Active Directory Connect cloud. It will become available for preview soon.

Azure Active Directory Connect cloud provisioning allows customers to easily consolidate disconnected on-premises Active Directory forests and eliminate the need for on-premises Azure AD Connect installations, all while enabling greater availability of connectivity (such as multiple deployments to disconnected forests for redundancy) and lowering costs.

Azure Active Directory Connect cloud provisioning provides a lightweight, on-premises agent that enables provisioning from multiple, disconnected on-premises Active Directory forests and moves all the synchronization complexity and data transformation logic to the cloud.


Inbound user provisioning from SAP SuccessFactors Public Preview

Microsoft announced the public preview of inbound user provisioning from SAP SuccessFactors. With this feature, admins can implement end-to-end identity lifecycle management covering the entire spectrum of Joiner-Mover-Leaver scenarios using SuccessFactors as the “system of record”. New employees can get up and running on their first day, and admins can modify or revoke access automatically based on the employee’s role and status in SuccessFactors.


Azure AD Entitlement Management Generally Available

34% of security breaches involve inside access, according to a 2019 Verizon report on data breaches. Microsoft is helping organizations manage access to information with entitlements management for Azure Active Directory, now generally available.

Entitlements management simplifies employee and partner access requests, approvals, auditing, and workflows.
Additionally, it allows organizations to create access packages that make it easier for employees and partners to request access to the information they need while ensuring that only the right people have access to the appropriate resources.


Azure Active Directory MyApps portal updates with new look and features Public Preview

A revamped look and more capabilities for the Azure Active Directory MyApps portal give users a simplified experience with all apps in one place.
The new features, now in preview, include a mobile-first launching experience for all enterprise apps, workspaces for administrator-curated apps, and a unified app launching experience with Microsoft 365 surfaces across the portal, Office 365 search, and Office navigation.


Easier sign-in and better security for firstline workers Soon

Microsoft announced new identity features in Microsoft 365 to help empower firstline workers to access company resources and work securely, whether on a personal or shared device.
The features, in private preview and available later this year, include:

  • SMS sign-in that allows workers to sign in with their phone number and an SMS code for authentication, eliminating the need for passwords.
  • Global sign-out, rolling out later this year for Android devices, that enables workers to sign out of all their apps with just one click and help ensure that nobody else can use the same devices under their account.
  • Delegated user management that will enable scale and reduce stress on IT support by allowing firstline managers to manage users and credentials.

The capabilities will also be available on Teams, which also sees the rollout of off-shift access for firstline workers, which allows companies to grant Teams app access to firstline workers and still comply with designated work hours.



Azure Active Directory secure hybrid access with partners Soon

Microsoft announced secure hybrid access partnerships with Akamai, Citrix, F5 and Zscaler to simplify secure access to applications that use legacy protocols like header-based and Kerberos authentication.

With these new integrations, admins can apply the same risk-based Azure AD Conditional Access policies and Identity Governance processes to legacy authentication-based applications as to the rest of the digital environment.


MSAL for Python and Java Public Preview

Hot on the heels of the General Availability of the Microsoft Authentication Libraries (MSAL) for Android, iOS and macOS, Microsoft announced the Public Preview of the Microsoft Authentication Libraries (MSAL) for Java.


Azure AD Domain Services Resource Forest Public Preview

If you are looking to move your legacy authentication-based applications to the cloud, you can use the new Azure Active Directory Domain Services resource forest functionality, now in public preview. It allows organizations to create an instance of Azure AD DS that has a one-directional trust with the on-premises Active Directory domains and eliminates the need to synchronize password hashes to Azure AD DS.

Microsoft also made several enhancements to Azure AD Domain Services including additional availability zones, improved load balancer, Azure workbooks, audit logs, and a new set up experience.


Future of Identity

Microsoft has developed a Proof of Concept (PoC) for a decentralized identity system with the UK National Health Service (NHS), based on its research into decentralized identities that let individuals bring their own digital identity with verifiable claims, anchored in blockchain technology.

NHS sponsors the project to help graduating doctors spend more time with patients, and less time onboarding and managing credentials.


On-premises Identity updates & fixes for October 2019

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for October 2019:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4524152 October 3, 2019

The October 3, 2019 update for Windows Server 2016 (KB4524152), updating the OS build number to 14393.3243 is an update that fixes an intermittent issue with the print spooler service that may cause print jobs to fail. Some apps may close or generate errors, such as the remote procedure call (RPC) error. This issue was introduced in the KB4522010 update for Internet Explorer on September 23, 2019.

KB4519998 October 8, 2019

The October 8, 2019 update for Windows Server 2016 (KB4519998), updating the OS build number to 14393.3274 is a security update.

Two NTLM authentication vulnerabilities discovered by security firm Preempt are fixed in this update. When abused, these vulnerabilities allow bypassing protections put in place by Microsoft to prevent NTLM relay attacks, including MIC (Message Integrity Code) protection, Enhanced Protection for Authentication (EPA) and target SPN validation. These vulnerabilities were assigned CVE IDs CVE-2019-1166 and CVE-2019-1338.

After applying this update or later (cumulative) updates, Windows Server installations are protected against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. However, Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627).

If you see “The request was aborted: Could not create SSL/TLS secure Channel” errors, or events with Event ID 36887 logged in the System event log with the description “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.”, then this is caused by the behavior in this update. Please refer to KB4528489 for troubleshooting information.

KB4519979 October 15, 2019

The October 15, 2019 update for Windows Server 2016 (KB4519979), updating the OS build number to 14393.3300 is a quality update. It includes the following identity-related improvements:

  • It addresses an issue that prevents Computer objects from being added to local groups using the Group Policy Preference “Local Users and Groups”. The Group Policy Editor returns the error message, “The object selected does not match the type of destination source. Select again.”
  • It addresses an issue that causes a query request of the Win32_LogonSession class for the StartTime to display the value of the epoch (for example, 1-1-1601 1:00:00) instead of the actual logon time.
  • It addresses an issue that prevents netdom.exe from displaying the new ticket-granting ticket (TGT) delegation bit for the display or query mode.
  • It addresses an intermittent issue in Active Directory Federation Services (AD FS) that fails to authenticate users. Additionally, AD FS redirects the browser back to the Microsoft Exchange Client Access services (CAS) with the wrong Audience uniform resource identifier (URI). Specifically, AD FS appends a slash to the Audience URI. Users see an error page and cannot access the Outlook Web App (OWA).
  • It addresses an issue with Lightweight Directory Access Protocol (LDAP) queries that have a memberof expression in the filter. The queries fail with the error, “000020E6: SvcErr: DSID-0314072D, problem 5012 (DIR_ERROR), data 8996.”


Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4524148 October 3, 2019

The October 3, 2019 update for Windows Server 2019 (KB4524148), updating the OS build number to 17763.775, is an update that expands the out-of-band update dated September 23, 2019. This security update includes the Internet Explorer scripting engine security vulnerability (CVE-2019-1367) mitigation and corrects a recent printing issue some users have experienced since the September 23, 2019 update (KB4522015).

KB4519338 October 8, 2019

The October 8, 2019 update for Windows Server 2019 (KB4519338), updating the OS build number to 17763.805, is a security update.

Overview of KB4519338

Two NTLM authentication vulnerabilities discovered by security firm Preempt are fixed in this update. When abused, these vulnerabilities allow bypassing protections put in place by Microsoft to prevent NTLM relay attacks, including MIC (Message Integrity Code) protection, Enhanced Protection for Authentication (EPA) and target SPN validation. These vulnerabilities were assigned CVE IDs CVE-2019-1166 and CVE-2019-1338.

After applying this update or later (cumulative) updates, Windows Server installations are protected against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. However, Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627).

If you see “The request was aborted: Could not create SSL/TLS secure Channel” errors, or events with Event ID 36887 logged in the System event log with the description “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.”, then this is caused by the behavior in this update. Please refer to KB4528489 for troubleshooting information.
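The TLS behavior change and the Event ID 36887 symptom are described identically for Windows Server 2016 (KB4519998) above and for Windows Server 2019 (KB4519338) here. As an added example that is not part of the original post and not Microsoft tooling, the following PowerShell script checks whether either October 8, 2019 update is listed by Get-HotFix and then scans the System log for Schannel 36887 events, picking out those with fatal alert code 20 and counting them per day so an admin can see whether they started with the update. The script name, the $Days parameter and its 7-day default are assumptions; run it in an elevated session on the server being checked.

```powershell
# Added example (not from the original post): triage the Schannel "fatal alert code 20"
# symptom that the October 8, 2019 updates can surface against TLS peers lacking
# Extended Master Secret (RFC 7627) support, and confirm which update is installed.
# Assumption: saved as Check-Schannel36887.ps1 and run elevated on the affected server.
param(
    [int]$Days = 7    # assumed default: how far back to scan the System log
)

# KB numbers are the October 8, 2019 cumulative updates named in the post.
$octoberUpdates = @{
    'KB4519998' = 'Windows Server 2016 (14393.3274)'
    'KB4519338' = 'Windows Server 2019 (17763.805)'
}

# Get-HotFix lists installed updates. A later cumulative update supersedes these
# KBs and appears under its own number, so "not listed" does not mean "not patched".
$installed = Get-HotFix | Where-Object { $octoberUpdates.ContainsKey($_.HotFixID) }
if ($installed) {
    foreach ($hf in $installed) {
        "Installed: {0} - {1} on {2}" -f $hf.HotFixID, $octoberUpdates[$hf.HotFixID], $hf.InstalledOn
    }
} else {
    "Neither October 8, 2019 update is listed directly; check for a later cumulative update."
}

# Schannel logs Event ID 36887 in the System log when the remote endpoint sends a
# fatal TLS alert. Alert code 20 is bad_record_mac (RFC 5246), the symptom KB4528489 covers.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36887
    StartTime    = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull the numeric alert code out of the event text quoted in the post.
$alerts = @($events | ForEach-Object {
    if ($_.Message -match 'fatal alert code is (\d+)') {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            AlertCode   = [int]$Matches[1]
        }
    }
})

$code20 = @($alerts | Where-Object { $_.AlertCode -eq 20 })
"Schannel 36887 events in the last $Days days: $($alerts.Count); with alert code 20: $($code20.Count)"

if ($code20.Count -gt 0) {
    # Daily counts make it easy to correlate the onset with the update's install date.
    $code20 |
        Group-Object { $_.TimeCreated.Date.ToString('yyyy-MM-dd') } |
        Sort-Object Name |
        ForEach-Object { "  {0}: {1} event(s)" -f $_.Name, $_.Count }
    "Alert code 20 appearing after this update points at a peer without Extended Master Secret support; see KB4528489."
}
```

Event 36887 does not record the remote peer's address, so once the script shows the alerts began with the update, the next step is to identify the application or service that logged the .NET “Could not create SSL/TLS secure Channel” error at the same timestamps and check that peer's TLS stack for RFC 7627 support, rather than weakening the server side.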

KB4520062 October 15, 2019

The October 15, 2019 update for Windows Server 2019 (KB4520062), updating the OS build number to 17763.832, is a quality update. It includes the following identity-related improvements:

  • It addresses an issue that prevents Computer objects from being added to local groups using the Group Policy Preference “Local Users and Groups”. The Group Policy Editor returns the error message, “The object selected does not match the type of destination source. Select again.”
  • It addresses an issue that causes a query request of the Win32_LogonSession class for the StartTime to display the value of the epoch (for example, 1-1-1601 1:00:00) instead of the actual logon time.
  • It addresses an issue that prevents netdom.exe from displaying the new ticket-granting ticket (TGT) delegation bit for the display or query mode.
  • It addresses an issue with Lightweight Directory Access Protocol (LDAP) queries that have a memberof expression in the filter. The queries fail with the error, “000020E6: SvcErr: DSID-0314072D, problem 5012 (DIR_ERROR), data 8996.”
  • It addresses an issue in which an Active Directory Federation Services (AD FS) certificate is renewed and published by default each year. However, the client does not use them, which results in an authentication error.