Analyze your Office 365 Backup requirements with ease

Veeam

As organizations embrace the full suite of Office 365 and intend to extend their Veeam Availability Suite with Veeam Backup for Microsoft Officer 365, we often get the question on how to design the backup for Office 365 backup.

When you use Veeam Backup for Office 365, it creates a local or cloud backup of the information stored in Microsoft Exchange Online, Microsoft SharePoint Online and Microsoft OneDrive for Business. A typical question in the design phase is to calculate how much storage Veeam Backup for Office 365 requires.

Especially with the latest version of Veeam Backup for Office 365…
Veeam Backup for Office 365 version 4, released last month, offers object storage support, where backup data is stored in cloud storage like Microsoft Azure blob storage, Amazon S3 (or compatible) and IBM Cloud Object Storage. Especially for organizations wanting to use this feature it’s ideal to know the size of their storage needs. Although cloud storage may scale indefinitely, so would storage costs. Wrong calculations of required (future) storage would make these costs increase harder, especially when blob storage needs to be reconfigured and/or migrated.

 

Introducing the Office 365 Backup Sizing tool

Calculating how much storage Veeam Backup for Office 365 requires does not have to rely on guess work. Veeam’s Senior Solution Architect Hal Yaman created a web-based tool to provide you all the answers you need upfront, without a need to install anything: The Microsoft Office 365 Backup Sizing tool, version 2.

Pros

Version 2 of the Microsoft Office 365 Backup Sizing Tool offers the following functionality:

Overview of your Office 365 usage

Many organizations have no idea on the actual size of data in Office 365 services, like Exchange Online, SharePoint Online and OneDrive for Business.

From the navigation menu on the left of the Microsoft Office 365 Backup Sizing tool, you can see the actual storage use for Mailbox, OneDrive and SharePoint data and active users for each of the corresponding Office 365 services.

Trends in Office 365 usage

The Microsoft Office 365 Backup Sizing tool provides trends so you can provide accurate storage size projections for future growth, too. By default, the tool provides graphs for storage consumption for the last 7 days, but you can view storage consumption for as long as 180 days. You actually don’t have to calculate or export the data to get the trends, because the tool displays these trends in the lower left corner for Current State in terms of Change Rate for report Days in both MBs and percentage.

Calculation of data usage for Veeam Backup for Office 365

The last item in the left navigation menu reads Backup Sizing.

An example of the output of the Office 365 Backup Sizing tool

This is where to web-based tool shines! It provides a clear overview of:

  1. The number of mailboxes, drives and sites, along with their respective cumulative sizes in GBs.
  2. The sum of the Veeam Backup for Office 356 repository size.
    (depending on the checks you leave on for Mailbox Sizing, OneDrive Sizing and SharePoint Sizing, in case your organization wants to backup only selected services)
  3. The Backup infrastructure needed for Veeam Backup for Office 365 in terms of backup servers, backup proxies, repository servers and backup jobs.
  4. Several levers allow you to apply a storage multiplier, a change rate percentage, and percental increases in the number of mailbox users, archive users, OneDrive drives and SharePoint sites.

No dependency on a Global administrator account

For many organizations, it’s not a challenge to sign into the tool with an account with Global administrator privileges in Azure AD, but luckily, you don’t have to. This is good news for larger organizations where management is delegated to several groups. Assigning the Application administrator role in Azure AD and then consenting to the following permissions for the associated VboWebApp Enterprise Application suffices:

  • Microsoft Graph: Sign Users In
  • Microsoft Graph: View user’s basic profile
  • Microsoft Graph: Maintain access to data you have given it access to
  • Microsoft Graph: Sign in and read user profile
  • Microsoft Graph: Real all usage reports

Consent prompt for the Office 365 Backup Sizing tool

 

Cons

The Microsoft Office 365 Backup Sizing tool isn’t perfect.

Calculation of Archive Mailboxes

As the Microsoft Graph API currently does not offer a way to get information on archive mailboxes, this information is not available automatically in the Microsoft Office 365 Backup Sizing tool.

However, Hal Yaman provides a PowerShell script, that an admin can download. and run locally to retrieve the number of mailboxes with archive enabled, and read out the total size of all the archive mailboxes. Then, this information can be entered manually in the web-based tool.

Export of data

The Microsoft Office 365 Backup Sizing tool provides graphical representations of Office 365 usage, but all this goodness cannot be exported. The overall sizing recommendations for Veeam Backup for Office 365 can also not be exported.

I would welcome this functionality, to be able to include this data as an annex to Veeam Backup for Microsoft Office 365 design documents.

No clean exit

The way the Microsoft Office 365 Backup Sizing tool should be configured in a delegated environment is clearly documented. However, there are no instructions available for actions when you’re done with the tool.

My recommendation is to delete the VboWebApp Enterprise Application from Azure Active Directory when you have no further need for the Microsoft Office 365 Backup Sizing tool, using the following line of Windows PowerShell on a system with the AzureAD PowerShell Module installed:

Remove-AzureADServicePrincipal -ObjectId (Get-AzureADServicePrincipal -SearchString VboWebApp).ObjectId 

 

Concluding

The Microsoft Office 365 Backup Sizing tool is a very helpful tool in the design process for Veeam Backup for Microsoft Office 365. I highly recommend it.

Further reading

Your Exchange Online Contingency Plan is here with Veeam Backup for Office 365  What’s New in Veeam Backup for Microsoft Office 365 version 4
Office 365 Backup Analysis
How to Delete App Registrations and Enterprise Applications from Azure AD

Posted on January 2, 2020 by Sander Berkouwer in Office 365, Veeam, Veeam Vanguard

0  

Goals for 2020

Welcome to a new decade!

As the cold January days embrace me after the warm festivities of Christmas, I feel invigorated to look ahead and set goals for the year to come.

Blogging

I’ve been blogging here for the past 13 years:

Blogposts per month for The Things Better Left Unspoken

In May 2019, I set out to share more of my experiences. My new goal was to post 200 Identity-related blogposts per year. While I’m striving to share news, insights and howto’s each working day, I feel that it’s hard to maintain during my off-weeks. However, my goal in relation to sharing through blogposts remains the same: one each working day.

You can already see the difference in the above graph that provides an overview of the number of blogposts per month since the inception of this blog in June 2006.

Speaking

I love speaking. It is my favorite way to share. I love the feedback it provides. However, I haven’t been speaking publicly a lot in 2019, as I look back at my history of community efforts:

Community efforts 2014-2019

Time to step it up a bit, and I have created some compelling abstracts, that are already gaining traction with some of the events I loved presenting on in the past. Fingers crossed

Video

Another activity that stands out in the above graphical representation of my community efforts throughout the past years, is that I started focusing on video. The goal was to share weekly Identity-related videos. Obviously, I didn’t reach that goal. Doing video right requires dedication and there were just a lot of things that came in between. We arranged a dedicated studio room a while ago, but then I lost my voice…

It’s back now.
Definitely look out for more video’s at identityguy.nl in 2020!

Projects

At SCCT, I never have to doubt the consultancy projects that end up on my plate. Just like the projects my team handles, my projects are fun and engaging. At the end of 2019, I finished a project that took over two years to complete (though not full-time), that is already paying dividends in other organizations reaching out to us to help them with the same endeavor.

I feel these projects are a critical link in sharing with you and to the audiences in my speaking gigs, but also in providing feedback to Microsoft, Veeam and VMware.

Balance

My wife and daughter have a great understanding of what makes me tick. I’ve overstepped boundaries many times, but they have always understood why it was important to me. I intend to sway the balance towards family and being at home in 2020, just to make up for the past years.

 

Join me for an awesome 2020! Thumbs up

Posted on January 1, 2020 by Sander Berkouwer in Community, Microsoft MVP, Personal, Veeam Vanguard, VMware vExpert

0  

2019 in Review

2019

It’s that time of the year again. While businesses are finishing off 2019 and people start to reminisce of all the good, the bad and the ugly. This year, I’ll join the people who look back at another trip around our sun on our beautiful planet Earth.

Let’s look back!

January 2019

The year usually starts with cold short days, where I just plough through my work like a champ. I finished several cool projects this month and made new friends at a partner when I reimplemented their Hybrid Identity solution.

Later, this partner went on to win a Microsoft Partner of the Year award. Making customers more successful? Check.

February 2019

To me, February is holiday time with the family. We spent most of our time at several parks. You just can’t work all year.

March 2019

In recent years, I’ve looked forward to March. Microsoft plans its Global MVP Summit in this month. It’s the month where I get updated on all the stuff the Identity division is working on. It provides energy, that lasts for a long time.

At the Microsoft campus in Redmond

I turned 42 this March. As 42 is the answer to life, the universe and everything, we made sure to mark it appropriately.

April 2019

Planned between customer engagements, April led me to Croatia again for WinDays. These couple of days allow me to reconnect with my Balkan friends. Located in Šibenik, I specifically got to enjoy the Croatian highways this trip; I flew into and out of Zagreb, a roughly 350KM drive through half of the country to and from Šibenik.

May 2019

In May, I finished writing the Active Directory Administration Cookbook. I had been working on the 147 recipes it contains, since October 2018 and finally, on May 3rd it was published:

Celebrating getting published

May was also the busiest month for me in terms of speaking gigs. This year’s spring events where Heliview’s IAM Congress, NT Konferenca in Slovenia, and Techorama in Belgium. My 93-minute delay flying into CDG from AMS, meant this month marks the first time I missed a connecting flight. Luckily, everything was sorted thanks to my good friend Luka.

Speaking at Heliview IAMSlovenia

June 2019

Work Hard, Play Hard. After a busy month of May and early June with Experts Live Netherlands, we took another family holiday to Disneyland Paris.

Experts Live NetherlandsAt Buffalo Bill's Wild West Show in Disneyland Paris

Then, it was off to a couple of book launch events and training sessions for Compu’Train. One of these sessions was at a stadium. Awesome!

From a technology perspective, I was surprised by OneDrive’s Personal Vault feature, this month. It has a nice trick up its sleeve as a Microsoft first: It performs step-up multi-factor authentication; Even when you’ve already signed in with MFA, it will still prompt for MFA.

July and August 2019

At the beach in Greece
Nothing much happens in July and August. Except for MVP renewals on July 1st. That’s why we’ve spent most time these months in France and Greece celebrating.

September 2019

What do you do when your company exists for five years? You celebrate!
We spent an entire weekend on the island of Mallorca. It’s weird to call it ‘vacationing’ when the boss pays for everything, but it sure felt like it!

With my colleagues in Mallorca

This month, I was amazed by the ability to Azure AD Join a Windows 10 device (running a pre-release build) in a password-less fashion. Simply sign-in with the Authenticator app and be done.

October 2019

The Fall speaking season usually kicks off late September and lasts until mid-November. I managed to speak at the Dutch Windows Azure User Group, KNVI IT Infra Day of the Year, AppManagEvent and SharePoint Saturday in Brussels. Hosting three webinars with Netwrix? Yes, I’ve also done those.

In addition to speaking, I also got updated on all things Veeam at the annual Veeam Vanguard Summit at Veeam’s HQ in Prague.

Organizing the KNVI IT Infra Day of the Year again.Running the TCS Amsterdam 8K

For “sharpening my saw”, I participated in the TCS 8KM run in Amsterdam again. I first ran this distance in 2018, so my goal was to run it in roughly the same time. I succeeded, thanks to the help of my father.

November 2019

The highlight of my year, again, was VMworld Europe in Barcelona. The opportunity to speak on Active Directory at a grand event like VMworld Europe is awesome! Deji and I provided good information on virtualizing Active Directory on top of VMware vSphere, but meeting Pat Gelsinger, VMware’s CEO was something else.

Meeting Pat Gelsinger at VMworld Europe

Being invited by the Dutch Windows Management User Group at a former employer was also a nice twist, this October.

December 2019

Which leads us to December… Earlier this month, I presented two sessions at the European SharePoint Conference in Prague. I got some great feedback on my session on GDPR:

This was nowhere as boring as I expected it to be.
– ESPC 2019 attendee

I didn’t returned to the Netherlands in time to celebrate Sinterklaas with the family due to the French strike, but I did finish up the project I have been working on for the last 2 years. Christmas was magical.

 

Wishing you all the best!

I hope your year was as successful, healthy and filled with love as mine was. I wish everybody all the best for 2020!

Posted on December 30, 2019 by Sander Berkouwer in Community, Microsoft MVP, Personal, Veeam Vanguard, VMware vExpert

2  

HOWTO: Change the Security Response Headers on AD FS

This entry is part 21 of 23 in the series Hardening Hybrid Identity

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the security headers for AD FS implementations.

Note:
This blogpost assumes you’re running AD FS Servers as domain-joined Windows Server 2016 Server Core installations. The same information applies to AD FS Servers running Windows Server 2016 with Desktop Experience (Full).

 

Why look at Security Headers?

To prevent malicious attacks, many new protections for websites utilize security headers. Through security headers, you can prevent malicious scripts from running in browsers visiting your AD FS infrastructure, prevent the acceptance of forged TLS certificates and prevent clickjack attacks.

Reasons why

Through security response headers, the information security level of the AD FS infrastructure can be upgraded to a higher level.

Possible negative impact (What could go wrong?)

When the security response headers to tighten the security of the AD FS sign-in experience are configured wrongly, scripts can be blocked and the entire functionality of the AD FS implementation can be severely crippled.

When AD FS is used in default scenarios, the default settings for the AD FS security response headers can be safely used.

 

Getting ready

To change the security headers throughout the AD FS infrastructure, make sure to meet the following requirements:

SYSTEM REQUIREMENTS

Make sure the AD FS servers run Windows Server 2016, or above, and are installed with the latest cumulative Windows Updates. At a minimum, make sure AD FS Servers running Windows Server 2016 have the July 2019 Cumulative update (KB4507459) installed.

Note:
The ability to manage security headers is built into Active Directory Federation Services (AD FS) on Windows Server 2019.

PRIVILEGE REQUIREMENTS

Make sure to sign in with an account that has privileges to manage the AD FS farm.

In case of Windows Internal Database (WID) as the storage method for the AD FS Configuration database, sign in with an account that has local administrator privilege on the primary AD FS server.

 

How to change the Security Response Headers

There are five security headers of interest:

  1. HTTP Strict-Transport-Security (HSTS)
    The HSTS reponse header indicates to the browser that HTTPS is available and should always be used. This way, the connection cannot be downgraded to HTTP for the time period defined. The recommended value is 31536000 seconds (1 year)
  2. X-Frame-Options
    The X-Frame-Options response header defines the ways the AD FS sign-in experience can be a part of an iFrame. To prevent attacks, it shouldn’t be, so deny is the best option for this header.
  3. X-XSS-Protection
    The X-XSS-Protection response header used to stop web pages from loading when cross-site scripting (XSS) attacks are detected by browsers. This is referred as XSS filtering. The value 1; block is the most effective, as the browser will not render the AD FS sign-in experience when an XSS attack is detected.
  4. Cross-origin Resource Sharing (CORS)
    Web browsers prevent web pages from making cross-origin requests initiated from within scripts. This can be enabled to allow accessing resources in other origins (domains). CORS is disabled by default and should remain disabled.
  5. Content-Security-Policy (CSP)
    The CSP response header is used to prevent cross-site scripting, clickjacking and other data injection attacks by preventing browsers from inadvertently executing malicious content.

The step to enabling the above security response headers is to run the following line of Windows PowerShell in an elevated PowerShell window:

Set-AdfsResponseHeaders -EnableResponseHeaders $true

It should be enabled by default, but if not, running the above line of Windows PowerShell sets the X-Frame-Options security response header to deny on Windows Server 2016.

Note:
On Windows Server 2019, it enables the other four security response headers, too.

Then, run the following four lines of Windows PowerShell in an elevated PowerShell window:

Set-AdfsResponseHeaders -SetHeaderName “Strict-Transport-Security” -SetHeaderValue “max-age31536000; includeSubDomains”

Set-AdfsResponseHeaders -SetHeaderName “X-Frame-Options” -SetHeaderValue “deny”

Set-AdfsResponseHeaders -SetHeaderName “X-XSS-Protection” -SetHeaderValue “1; mode=block”

Set-AdfsResponseHeaders -SetHeaderName “Content-Security-Policy” -SetHeaderValue “default-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’; img-src ‘self’ data:”

 

This will enable the above security response headers with the following settings:

Table of Security Response Headers for AD FS

AD FS uses JavaScript in the authentication process and therefore enables JavaScript by including ‘unsafe-inline’ and ‘unsafe-eval’ sources in default policy. While this is not the safest value for the Content Security Policy header, it’s needed to allow the onload.js script to run, to enable customizations of this Javascript and/or to replace the built-in Javascript to switch to the Paginated User Experience for AD FS.

 

Testing Security Response Headers

SecurityHeaders.com offers a great web interface to query the security response headers of your AD FS infrastructure.

 

Concluding

Deep in the basement of AD FS, a couple of values live, that true security admins will try to tame: security response headers. Use the information in this blogpost to tame these response headers and prevent common attacks against AD FS.

Further reading

Customize HTTP security response headers with AD FS 2019
An Introduction to HTTP Response Headers for Security
The 8 HTTP Security Headers Best Practices
HTTP Security Headers: 5 Headers You Must Implement on Your Site
Hardening your HTTP response headers

Posted on December 19, 2019 by Sander Berkouwer in Active Directory, Active Directory Federation Services, Azure Active Directory, Security

0  

HOWTO: Enable Azure Multi-factor Authentication on AD FS

This entry is part 20 of 23 in the series Hardening Hybrid Identity

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll add an additional layer of information security to authentications that are routed through the Active Directory Federation Services (AD FS) implementation.

Note:
This blogpost assumes you’re running AD FS Servers as domain-joined Windows Server 2016 Server Core installations. The same information applies to AD FS Servers running Windows Server 2016 with Desktop Experience (Full).

 

Why look at Multi-Factor Authentication

Many organizations rely on usernames and corresponding passwords to verify the person authenticating. However, there are several reasons why this is not a sufficient method to securing authentication:

  1. Web-based applications typically use the email address as the user name, because this is a globally unique identifier that people can get cheaply. Microsoft recommends keeping the userPrincipalName attribute equal to the mail attribute.
  2. People reuse passwords between accounts.
  3. Accounts are breached at a rate of 2 services per day.
  4. People are bad at coming up with strong passwords.

A (temporary) solution is to add multi-factor authentication to the authentication flow. This way, after a person has correctly entered the username and password, a second verification is performed. This verification is based on information that was previously registered, and should leverage a different authentication factor:

  • Something you can prove you know
    The password most organizations use
  • Something you can prove you are
    Think of a fingerprint, face or iris scan, like Apple has with TouchID and FaceID, and Microsoft offers on its Surface devices.
  • Something you can prove you have
    Think of a token device, a FIDO 2.0 key, certificate tied to a TPM chip or access to a phone or phone number in the form of returning a one-time password that you receive through a text message, a phone call or an authenticator app,

When you combine multiple authentication factors, multi-factor authentication (MFA) emerges, allowing for more secure authentication.

Reasons why

Usually, it only takes one leaked password to get to sensitive information an organization harbors. This could be privacy-related information related to employees and customers, but could also be information regarding products (source code), intellectual property and patents.

For systems, services and applications containing these types of information, multi-factor authentication should be used. For Azure AD-integrated applications, Conditional Access and Identity Protection offer multi-factor authentication, when needed. For AD FS-integrated applications, applying multi-factor authentication is more straightforward, unless you want to dig deep into REGEX…

Possible negative impact (What could go wrong?)

Multi-factor Authentication is a burden to end-users. Your colleagues and customers might not understand how to effectively perform multi-factor authentication, or move to a competitor that doesn’t require multi-factor authentication, or only when needed.

Choosing the right authentication method is important. Some multi-factor authentication methods are not as secure and user-friendly as others. For instance, because of recent SIM-swapping attacks, MFA through text messages is deemed too insecure to serve a purpose as multi-factor authentication method. Text messages are also inadequate for the situation where a person is on a plane, does have WiFi, but doesn’t have cellular reception.

 

About the Azure MFA Adapter

Microsoft introduced the Azure MFA Adapter in Windows Server 2016. When the AD FS farm runs the Windows Server 2016 Farm Behavioral Level (FBL), or up, this built-in adapter can be enabled and used.

When used, the Azure MFA Adapter communicates to Microsoft’s Azure MFA service to perform multi-factor authentication. People register only once for Self-service Password Reset, multi-factor authentication for Conditional Access, multi-factor authentication for Identity Protection and for multi-factor authentication for systems, services and applications through Active Directory Federation Services (AD FS).

Note:
Azure MFA Server also offers an AD FS MFA Adapter, but Microsoft recommends not performing new implementations of Azure MFA Server.

 

Getting ready

To implement the Azure MFA Adapter and secure AD FS-integrated systems, services and applications with multi-factor authentication, make sure to meet the following requirements:

Roll-out requirements

First off, everyone in scope for the AD FS-integrated systems, services and applications with multi-factor authentication needs to have performed their Azure MFA registration.

If a person doesn’t have an Azure MFA registration, access to the AD FS-integrated systems, services and applications for which multi-factor authentication is required, will be denied.

The scripts to get to know the colleagues using Azure Multi-Factor Authentication still offer sufficient functionality to discover who has an Azure MFA registration and which authentication method they use.

Information Requirements

To avoid multi-factor authentication prompt fatigue, multi-factor authentication should ideally only be required when strictly needed. It’s not the most brilliant of ideas to require multi-factor authentication for all AD FS-integrated systems, services and applications. Determine the systems, services and applications that truly need it, and require MFA in the situations where you need it. Application owners typically know best what their application does and needs.

System requirements

Make sure the AD FS servers run Windows Server 2016, or above, and are installed with the latest cumulative Windows Updates. Make sure the AD FS farm runs the Windows Server 2016 Farm Behavioral Level (FBL), or above.

As Azure Multi-factor Authentication information is stored in Azure AD only, and not written back to the on-premises Azure AD Connect or Active Directory environment, but is now used to integrate with on-premises systems, services and applications, now is a good time to look for a solution that creates backups of the Azure AD tenant.

Network requirements

The AD FS servers in the AD FS farm need to be able to communicate to the following urls over TCP port 443 (HTTPS):

PRIVILEGE REQUIREMENTS

Make sure to sign in with an account that:

  • Is a member of the Enterprise Admins group in Active Directory, and;
  • Has privileges to manage the AD FS farm.

Note:
In case of Windows Internal Database (WID) as the storage method for the AD FS Configuration database, sign in with an account that has local administrator privilege on the primary AD FS server.

Also, you’ll need the credentials of an account with the Global Administrator role in the Azure AD tenant in which you want to use Azure multi-factor authentication. If running these

WHO TO COMMUNICATE TO

If your users have not registered for Azure MFA yet, than this part of the implementation requires a communications plan.

 

How to enable Azure MFA on AD FS

Enabling Azure Multi-Factor Authentication on AD FS requires three steps:

  1. Register Azure MFA in the tenant
  2. Enable Azure MFA as AD FS Multi-factor Authentication method
  3. Choose an appropriate Access Policy per AD FS Relying Party Trust (RPT)

 

Register Azure MFA in the tenant

First, run the following lines of Windows PowerShell in an elevated PowerShell window on each of the AD FS servers in the AD FS farm:

Install-Module MSOnline

Connect-MsolService

Log in.

$TenantID = (Get-MsolCompanyInformation).ObjectID$Certbase64 = New-AdfsAzureMfaTenantCertificate –TenantID $TenantID

New-MsolServicePrincipalCredential -AppPrincipalId
981f26a1-7f43-403b-a875-f8b09b8cd720 -Type Asymmetric –Usage Verify  -Value $CertBase64

Then, on the primary AD FS server in the AD FS farm, run the following lines of Windows PowerShell:

Set-AdfsAzureMfaTenant -TenantId $TenantID -ClientId
981f26a1-7f43-403b-a875-f8b09b8cd720

 

Enable Azure MFA as AD FS multi-factor authentication method

Now that the Azure MFA Adapter is available as a multi-factor authentication mechanism, we need to enable it for the AD FS farm, again on the primary AD FS server.

Run the following lines of Windows PowerShell:

$C = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider

$C.Add(“AzureMfaAuthentication”)

Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $C

 

Choose an appropriate Access Policy per Relying Party Trust

Each AD FS-integrated system, service and application has its own relying party trust (RPT) relationship with AD FS. In AD FS on Windows Server 2016, and above, you can enable multi-factor authentication with built-in access policies.

These policies are aptly named:

  • Permit everyone and require MFA for specific group
  • Permit everyone
  • Permit everyone for intranet access
  • Permit everyone and require MFA from unauthenticated devices
  • Permit everyone and require MFA from extranet access
  • Permit specific group
  • Permit everyone and require MFA, allow automatic device registration
  • Permit everyone and require MFA

Note:
You can add access policies yourself if none of the built-in access policies fit your organization’s needs.

By default, every relying party trust is not configured with an access policy, which is the equivalent of the Permit Everyone access policy. You can change it to another policy using the following line of Windows PowerShell:

$RPT = Get-AdfsRelyingPartyTrust -Name “Microsoft Office 365 Identity Platform”

Set-AdfsRelyingPartyTrust -TargetRelyingParty $RPT -AccessControlPolicyName “Permit everyone and require MFA from extranet access”

 

Testing Azure MFA on AD FS

After enabling the Extended Protection for Authentication feature,  it’s time to test.

The Permit everyone and require MFA for specific group access policy is the ideal method to test the correct registration and working of Azure MFA. Simply create a group in Active Directory, configure the access policy for a relying party trust with the access policy and the group. Then, add a user account that had previously registered MFA to the group and use it to sign in to the system, services or application that is represented by the relying party trust.

 

Concluding

One Multi-factor Authentication method for all your organization’s Azure AD- and AD FS-integrated systems, services and applications?

Yes, it’s possible!

Further reading

Configure AD FS 2016 and Azure MFA
Getting started with Azure Multi-Factor Authentication and AD FS
Securing cloud resources with Azure Multi-Factor Authentication and AD FS
AD FS 2016 and Azure MFA – a few Nuances
Step-by-Step guide to configure Azure MFA with ADFS 2016

Posted on December 12, 2019 by Sander Berkouwer in Active Directory Federation Services, Multi-Factor Authentication

0  

What’s New in Azure Active Directory for November 2019

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for November 2019:

  

What’s Planned

Support for the SameSite attribute and Chrome 80

Service category: Authentications (Logins)
Product capability: User Authentication

As part of a secure-by-default model for cookies, the Chrome 80 browser is changing how it treats cookies without the SameSite attribute. Any cookie that doesn’t specify the SameSite attribute will be treated as though it was set to SameSite=Lax, which will result in Chrome blocking certain cross-domain cookie sharing scenarios that apps may depend on. To maintain the older Chrome behavior, apps can use the SameSite=None attribute and add an additional Secure attribute, so cross-site cookies can only be accessed over HTTPS connections. Chrome is scheduled to complete this change by February 4, 2020.

Microsoft recommends all developers to test their apps using this guidance:

  • Set the default value for the Use Secure Cookie setting to Yes.
  • Set the default value for the SameSite attribute to None.
  • Add an additional SameSite attribute of Secure.

What’s New

Google social ID support for Azure AD B2B collaboration General Availability

Service category: B2B
Product capability: User Authentication

New support for using Google social IDs (Gmail accounts) in Azure AD helps to make collaboration simpler for users and partners. There’s no longer a need for Google-based partners to create and manage a new Microsoft-specific account. Additionally, Microsoft Teams now fully supports Google users on all clients and across the common and tenant-related authentication endpoints.

For more information, see Add Google as an identity provider for B2B guest users.

Microsoft Edge Mobile Support for Conditional Access and Single Sign-on General Availability

Service category: Conditional Access
Product capability: Identity Security & Protection

Azure AD for Microsoft Edge on iOS and Android now supports Azure AD Single Sign-On and Conditional Access:

  • Microsoft Edge single sign-on (SSO): Single sign-on is now available across native clients (such as Microsoft Outlook and Microsoft Edge) for all Azure AD-connected apps and services.
  • Microsoft Edge conditional access: Through application-based Conditional Access policies, users must use Microsoft Intune-protected browsers, such as Microsoft Edge.

Azure AD entitlement management General Availability

Service category: Other
Product capability: Entitlement Management

Azure AD entitlement management is a new identity governance feature, which helps organizations manage identity and access lifecycle at scale. This new feature helps by automating access request workflows, access assignments, reviews, and expiration across groups, apps, and SharePoint Online sites.

With Azure AD entitlement management, Azure AD admins can more efficiently manage access both for employees and also for users outside your organization who need access to those resources.

Updates to the My Apps page along with new workspaces
Public Preview

Service category: My Apps
Product capability: 3rd Party Integration

Azure AD admins can now customize the way their organizations’ users view and access the refreshed My Apps experience. This new experience also includes the new workspaces feature, which makes it easier for users to find and organize apps.

For more information about the new My Apps experience and creating workspaces, see Create workspaces on the My Apps portal.

New AD FS app activity report to help migrate apps to Azure AD Public Preview

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Azure AD Admins are welcome to use the new Active Directory Federation Services (AD FS) app activity report in the Azure portal. This way, admins can identify which of their apps are capable of being migrated to Azure AD. The report assesses all AD FS apps for compatibility with Azure AD, checks for any issues, and gives guidance about preparing individual apps for migration.

New workflow for users to request administrator consent Public Preview

Service category: Enterprise Apps
Product capability: Access Control

The new admin consent workflow gives Azure admins a way to grant access to apps that require admin approval. If a user tries to access an app, but is unable to provide consent, they can now send a request for admin approval. The request is sent by email, and placed in a queue that’s accessible from the Azure portal to all the admins who have been designated as reviewers. After a reviewer takes action on a pending request, the requesting users are notified of the action.

New Azure AD App Registrations Token configuration experience for managing optional claims Public Preview

Service category: Other
Product capability: Developer Experience

The new Azure AD App Registrations Token configuration blade on the Azure portal now shows app developers a dynamic list of optional claims for their apps. This new experience helps to streamline Azure AD app migrations and to minimize optional claims misconfigurations.

New two-stage approval workflow in Azure AD entitlement management Public Preview

Service category: Other
Product capability: Entitlement Management

Microsoft has introduced a new two-stage approval workflow that allows Azure AD admins to require two approvers to approve a user’s request to an access package. For example, they can set it so the requesting user’s manager must first approve, and then they can also require a resource owner to approve. If one of the approvers doesn’t approve, access isn’t granted.

Automated user account provisioning for additional SaaS apps

Service category: Enterprise Apps
Product capability: 3rd Party Integration

Azure AD admins can now automate creating, updating, and deleting user accounts for these eight newly integrated apps:

New Federated Apps available in Azure AD App gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2019, Microsoft has added these 21 new apps with Federation support to the app gallery:

What’s Changed

New and improved Azure AD application gallery

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Microsoft has updated the Azure AD application gallery to make it easier for admins to find pre-integrated apps that support provisioning, OpenID Connect, and SAML on Azure Active Directory tenants.

Increased app role definition length limit from 120 to 240 characters

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Based on feedback from customers that the length limit for the app role definition value in some apps and services is too short at 120 characters. Microsoft has increased the maximum length of the role value definition to 240 characters.

 

New hotfix for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2)

Service category: Microsoft Identity Manager
Product capability: Identity Lifecycle Management

A hotfix rollup package (build 4.6.34.0) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2). This rollup package resolves issues and adds improvements that are described in the “Issues fixed and improvements added in this update” section of 4512924 Microsoft Identity Manager 2016 Service Pack 2 (build 4.6.34.0) Update Rollup is available.

Posted on December 11, 2019 by Sander Berkouwer in Azure Active Directory, What's New

0  

Pictures of the 2019 European SharePoint Conference

#ESPC19

Last week, I delivered two sessions at the European SharePoint Conference in Prague.

View from the train station at Nieuw Vennep (click for larger photo)Lots of space in the plane (click for large photo)

After a day of consulting on Tuesday December 3rd at one of my long-term customers, I traveled to Schiphol airport. My choice to not park at the airport anymore, led me to the parking lot near the train station in Nieuw Vennep. A short train ride brought me to Amsterdam Schiphol Airport in time for my flights to Prague.

The Prague Corinthia Hotel (click for larger photo)Welcome to ESPC19 (click for large photo)

I arrived late and went to bed. In the morning, I got up early to get to the venue, register and watch Alex Simons’ keynote. The short walk from the Corinthia hotel to the Prague Congress Center allowed for sufficient time to soak up the atmosphere and sun. I must admit we had the best weather you can wish for in Prague in December with an abundance of sun.

Alex Simons delivering the Identity Keynote at ESPC 19 (click for larger photo)Alex Simons explaining Microsoft's zero trust solution (click for larger photo by Samir Daoudi)

I prepared for my first session in the speaker room, where I met with a lot of familiar community faces, including Morgan Simonsen, Thomas Vochten, Fabian Williams and Luise Freese.

At 11:45 AM it was time to present on GDPR. The room featured 100 seats, and the room was packed with people interested in my experiences with GDPR in the past 17 months.

Presenting on GDPR (Click for larger photo by Marleen Madsoleh-van der Meulen)

I thought my abstract made it clear that my session on GDPR was anything but boring, but getting the below feedback from an attendee was still wonderful:

This was nowhere as boring as I expected it to be, based on the topic.

After the session, I scoured the expo for people I know and organizations offering technology I might need.

Having fun with Julia Ivanova at the Netwrix booth (click for larger photo)

I ran into Nikola Pejková at the Veeam booth and ran into Julia Ivanova at the Netwrix booth. It was fun to meet the person behind many of the webinars I did in recent years with Netwrix.

Presenting your Identity Roadmap to 2022 (click for larger photo by Julia Ivanova)

At 4:45PM, I started my second presentation. This is the helping hand to organization that want to get the most out of their Microsoft-oriented Identity and Access Management (IAM) investments.

After the session, I went to the hotel to drop my stuff and get ready for the party. We had a great time at Club SaSaZu, but I had to get back to the hotel early for my 5AM ride to the airport.

On Thursday December 5th, I was scheduled to arrive at 11:45 AM at Amsterdam Schiphol Airport, after two short flights with a layover in Paris. However, due to the French strike, full flights, a reroute via Frankfurt and a sick copilot, I eventually arrived at 11:45 PM at Amsterdam…

 

Thank you Thumbs up

Thank you to the European SharePoint Conference Program Team for inviting me as a speaker. Thank you to all the attendees, especially the people in my sessions.

Posted on December 10, 2019 by Sander Berkouwer in Community, Microsoft MVP, Personal

0  

Azure AD Connect version 1.4.38.0 offers some bug fixes

Azure AD Connect

It’s time for a new version of Azure AD Connect to incorporate Microsoft’s lessons learned and distribute the fixes Microsoft made to the larger public. Last Friday, Microsoft released the fourth version in the 1.4 branch of Azure AD Connect: v1.4.38.0.

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

 

What’s New

Microsoft made the following improvements:

Password Hash Sync

Microsoft updated Password Hash Sync (PHS) for Azure Active Directory Domain Services to properly account for padding in Kerberos hashes. This provides a performance improvement during password synchronization from Azure Active Directory to Azure Active Directory Domain Services.

Pass-through Authentication

Microsoft added support for reliable sessions between the authentication agent and the Azure service bus when Pass-through Authentication (PTA) is used as the authentication method.

This release of Azure AD Connect enforces TLS 1.2 for communications between the authentication agent and Azure AD when Pass-through Authentication (PTA) is used as the authentication method.

Microsoft added a DNS cache for websocket connections between the authentication agent and Azure AD when Pass-through Authentication (PTA) is used as the authentication method.

Microsoft added the ability to target a specific agent from cloud to test for agent connectivity.

Seamless Single Sign-on

Release 1.4.18.0 introduced a bug where the PowerShell cmdlet for Seamless Single Sign-on (also known as Desktop SSO) was using the login windows credentials instead of the admin credentials provided. As a result, it was not possible to enable Seamless Single Sign-on in multiple forests through the Azure AD Connect Configuration Wizard.

A fix was made to enable Seamless Single Sign-on (also known as Desktop SSO)simultaneously in all forests through the Azure AD Connect Configuration Wizard.

 

Version information

This is version 1.4.38.0 of Azure AD Connect.
This release in the 1.4 branch for Azure AD Connect was made available for download on December 6, 2019.

 

Download information

You can download Azure AD Connect here.
The download weighs 91.0 MB.

Posted on December 9, 2019 by Sander Berkouwer in Active Directory, Azure Active Directory, Tools I Use, What's New

0  

On-premises Identity updates & fixes for November 2019

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for November 2019:

 

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4525236 November 12, 2019

The November 12 update for Windows Server 2016 (KB4525236), updating the OS build number to 14393.3326 is an update that combines security and quality improvements.

While this updates contains updates for several vulnerabilities, even some rated critical, none of them are identity-related.

 

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4523205 November 12, 2019

The November 12 update for Windows Server 2019 (KB4523205), updating the OS build number to 17763.864 is an update that combines security and quality improvements.

While this updates contains updates for several vulnerabilities, even some rated critical, none of them are identity-related.

Posted on December 6, 2019 by Sander Berkouwer in Microsoft Windows Server 2016, Microsoft Windows Server 2019, Security Updates

0  

A new Identity and Security MVP! (Huy Kha)

Microsoft MVP

On December 1st, 2019, Huy Kha was awarded with the 2020-2021 Microsoft Most Valuable Professional (MVP) award for Enterprise Mobility with a specialization in Identity and Securty.

The team behind the DirTeam.com / ActiveDir.org weblogs would like to congratulate him with this achievement and welcome him to the select group of Enterprise Mobility MVPs.

About Huy Kha

Huy KhaHuy Kha is a Dutch security professional with a main focus on Identity & Access Management, Least-Privilege and Information Security in general.

In his spare time, he likes to blog about different topics, including the likes of Directory Services, SharePoint, and everything around Identity & Access.

Huy has a ”hands-on” attitude towards security and combines that with his technical background and leadership skills to align information security with executive vision.

Huy blogs at identityaccess.management. On Twitter he is known as @DebugPrivilege.

  

About the Microsoft MVP Program

The Microsoft MVP Award Program recognizes and thanks outstanding members of technical communities for their community participation and willingness to help others. The MVP Award is given to exceptional technical community leaders who foster the free and objective exchange of knowledge by actively sharing their real-world expertise with technology users. The MVP Award celebrates the most active community members from around the world who provide invaluable online and offline expertise that enriches the community experience and makes a difference in technical communities that feature Microsoft products.

MVPs are a select group of experts representing technology’s best and brightest people who share a commitment to community. While MVPs come from many backgrounds and a wide range of technical communities, they share a passion for technology and a demonstrated willingness to help others. MVPs do this by writing books and articles, managing Web sites, maintaining blogs, participating in user groups, hosting and contributing chats, presenting at events and training sessions, and answering questions in technical newsgroups, forums, or message boards.

Microsoft MVPs are an amazing group of individuals. By sharing their knowledge and experiences and providing objective feedback, MVPs help people solve problems and discover new capabilities. It gives us great pleasure to recognize and award MVPs as our way of saying thank you for their demonstrated commitment to helping others in technical communities worldwide.

Posted on December 5, 2019 by Sander Berkouwer in Community, Microsoft MVP

0