Best Practices for Pulling Identities Together with Redmond Magazine

Redmond Magazine

On Wednesday May 2nd, I featured in a webcast from the editors of Redmond Magazine. This webcast, sponsored by Okta, is now available on demand.

Best Practices for Pulling Identities Together: What Enterprises Are Doing Now to Stay Secure

OktaIn this editorial webcast, Lafe Low from Redmond Magazine, Daniel Lu from Okta and I walk through the best practices organizations are using to corral all the accounts an average employee uses today to log into tens of applications, and make sure these accounts are being used in a way that doesn’t compromise the rest of the organization.

Questions

Questions we covered included:

  • How are organizations unifying their identity and authentication processes through Single Sign-On, especially in organizations with an Active Directory environment?
  • How do organizations gain visibility into the SaaS apps that are being used by their employees?
  • How can organizations enforce secure password policies for their users on SaaS apps that are hosted by third parties?
  • What kind of education is most effective in preventing users from reusing passwords or otherwise skirting company policies?

Watch it now

Come away from this session with actionable tactics for minimizing the gaps in your company’s identity and authentication security posture.

Register for the on-demand version of the webcast here.

We’re sure you’ll enjoy it. Thumbs up

Posted on May 7, 2018 by Sander Berkouwer in Community, Microsoft MVP, Personal

0  

What’s New in Azure Active Directory for April 2018

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for April 2018:

What’s New

New federated apps available in Azure AD App gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In April 2018, Microsoft has added following 13 new apps in our App gallery with Federation support:

    

Test single sign-on configuration for SAML-based applications

Service category: Enterprise Apps
Product capability: SSO

When configuring SAML based SSO applications you are able to test the integration on the configuration page. If you encounter an error during sign-in, you can provide the error in the testing experience and Azure AD provides you with resolution steps to solve the specific issue.

Easy app configuration with metadata file or URL

Service category: Enterprise Apps
Product capability: SSO

On the Enterprise applications page, administrators can upload a SAML metadata file to configure SAML based sign-on for AAD Gallery and Non-Gallery application.

Additionally, you can use Azure AD application federation metadata URL to configure SSO with the targeted application.

  

Azure AD Terms of use now generally available

Service category: Terms of Use
Product capability: Compliance

Azure AD Terms of Use has moved from public preview to generally available (GA).

Azure AD Terms of Use now has per user reporting

Service category: Terms of Use
Product capability: Compliance

Administrators can now select a given Terms of Use (ToU) and see all the users that have consented to that Terms of Use (ToU) and what date and time it took place.

 

Azure AD Connect Health: Risky IP for AD FS extranet lockout protection

Service category: Other
Product capability: Monitoring & Reporting

Azure AD Connect Health now supports the ability to detect IP addresses that exceed a threshold of failed logins using username/password combinations on an hourly or daily basis. The capabilities provided by this feature are:

  • A comprehensive report showing IP address and the number of failed logins generated on an hourly/daily basis with a customizable threshold.
  • Email-based alerts showing when a specific IP address has exceeded the threshold of failed username/password logins on an hourly/daily basis.
  • A download option to do a detailed analysis of the data

Azure AD B2C Access Token are GA

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

You can now access web APIs secured by Azure AD B2C using access tokens. The feature is moving from public preview to GA. The UI experience to configure Azure AD B2C applications and web APIs has been improved, and other minor improvements were made.

 

Allow or block invitations to B2B users from specific organizations

Service category: B2B
Product capability: B2B/B2C

You can now specify which partner organizations you want to share and collaborate with in Azure AD B2B Collaboration. To do this, you can choose to create list of specific allow or deny domains. When a domain is blocked using these capabilities, employees can no longer send invitations to people in that domain.

This helps you to control access to your resources, while enabling a smooth experience for approved users.

This B2B Collaboration feature is available for all Azure Active Directory customers and can be used in conjunction with Azure AD Premium features like conditional access and identity protection for more granular control of when and how external business users sign in and gain access.

 

Grant B2B users in Azure AD access to your on-premises applications (public preview)

Service category: B2B
Product capability: B2B/B2C

As an organization that uses Azure Active Directory (Azure AD) B2B collaboration capabilities to invite guest users from partner organizations to your Azure AD, you can now provide these B2B users access to on-premises apps. These on-premises apps can use SAML-based authentication or Integrated Windows Authentication (IWA) with Kerberos constrained delegation (KCD).

 

What’s Changed

Get SSO integration tutorials from the Azure Marketplace

Service category: Other
Product capability: 3rd Party Integration

If an application that is listed in the Azure marketplace supports SAML based single sign-on (SSO), clicking Get it now provides you with the integration tutorial associated with that application.

 

Faster performance of Azure AD automatic user provisioning to SaaS applications

Service category: App Provisioning
Product capability: 3rd Party Integration

Previously, customers using the Azure Active Directory user provisioning connectors for SaaS applications (for example Salesforce, ServiceNow, and Box) could experience very slow performance if their Azure AD tenants contained over 100,000 combined users and groups, and they were using user and group assignments to determine which users should be provisioned.

On April 2nd, very significant performance enhancements were deployed to the Azure AD provisioning service that greatly reduce the amount of time needed to perform initial synchronizations between Azure Active Directory and target SaaS applications.

As a result, many customers that had initial synchronizations to apps that took many days or never completed, are now completing within a matter of minutes or hours.

 

Self-service password reset from Windows 10 lock screen for hybrid Azure AD joined machines

Service category: Self Service Password Reset
Product capability: User Authentication

Microsoft has updated the Windows 10 Self-Service Password Reset (SSPR) feature to include support for machines that are hybrid Azure AD joined. This feature is available in Windows 10 RS4. Users who are enabled and registered for self-service password reset can utilize this feature to reset their password from the lock screen of a Windows 10 machine.

Posted on April 30, 2018 by Sander Berkouwer in Azure Active Directory, What's New

0  

I’m speaking at the 2018 Heliview IAM Congress

Heliview IAM

On May 17, 2017, Heliview Congresses and Training organizes an Identity and Access Management Congress. I’m delivering a 25-minute session on the password-less future, using Microsoft technologies.

 

About Heliview Congresses and Training

Heliview Congresses and Training Dutch offers managers and senior specialists a stage to share and consume knowledge in their field of expertise. Additionally, personal networking is highly encouraged during their events throughout the Netherlands and Belgium.

Heliview Congresses and Training also offers training. For 2018 they have several topics on their schedule, including cyber resilience, data quality, IT outsourcing, data privacy and security awareness.

Heliview Congresses and Training was founded in 1983.

    

About the IAM Congress

The Identity & Access Management Congress is a yearly congress on Enterprise Identity and Access Management. The 2018 IAM Congress is the 13th edition.

The Identity & Access Management Congress offers an up to date overview and the underlying developments on Identity & Access Management. Identity and Access Management (IAM) provides the right people with the right access at the right time. Good enterprise IAM solutions are user-friendly, compliant, safe and allow for cost savings.

Heliview Congresses and Training organizes the 2018 Identity & Access Management Congress on May 17, 2018 at NBC in Nieuwegein, the Netherlands.

 

About my presentation

I’m presenting a 25-minute session on:

Living a password-less life; dream or reality?

Break Out 2A, 11:20AM – 11:45AM

Passwords for authentication stem from the early days of IT, but we’re all concluding their use is out of date. Research shows us 81% of all digital breaches are related to weak and/or leaked credentials. 20% of the IT cost, made by organizations is spend on ways to help people with forgotten passwords.

At SCCT, we say:

End-users should not have to use passwords for their day to day work.

In this session, I show how we help organizations to get rid of passwords using open standards, Microsoft technologies and the Microsoft cloud.

 

Join us!

As an employee of an organization that contemplates the use of new Identity and Access Management (IAM) solutions, you can join the Heliview IAM Congress for free. Alternatively, you can buy a € 645 ticket, without 1 on 1 talks or questionnaire. This price tag also applies to advisors, consultants and students.

You can sign up here Dutch.

Posted on April 24, 2018 by Sander Berkouwer in Community, Microsoft MVP, Personal

0  

Pictures of WAZUG.nl Meetup 47

Yesterday, I presented on devices in the context of Azure Active Directory for the Dutch Azure User Group (WAZUG.nl) at Centric’s headquarters in Gouda, the Netherlands.

The Centric headquarters in Gouda (click for larger photo)Title Slide 'Devices and Azure AD: Who, what, where?' (click for original screenshot)

After working hours, we gathered at the dinner buffet, consisting of Chinese food from Restaurant Hong Kong. Straight after I arrived, I hooked up my device and showed the title slide on both screens.

After this meal and a short introduction by Centric, it was my task to share my knowledge on the five ways you can join devices and servers to Azure Active Directory, the impact of the (default) device settings in the Azure Portal, Windows Hello for Business as the first step towards a password-less future and my recommended practices.

Presenting the Title slide (click for larger photo, by Carlo Schaeffer)
Providing some backgrounf (picture by Carlo Schaeffer)Presenting for an audience (photo by Iwan Bel)

After a short break, Sebastiaan Brozius and Theo van Drimmelen from Solvinity presented on automatically deployed hybrid Dev/Test environments.

After that, we enjoyed drinks at the bar.

I had a lot of fun. Thumbs up 
Thank you!

Posted on April 20, 2018 by Sander Berkouwer in Azure Active Directory, Community, Microsoft MVP, Personal

0  

Windows Server 2016’s April 2018 Quality Update brings three Active Directory Domain Services fixes

Windows Server 2016

Windows Server 2016’s April 2018’s Cumulative Quality Update, bringing the OS version to 14393.2214, offers three fixes for issues you might be experiencing on Windows Server 2016-based Active Directory Domain Controllers.

 

About Windows Server 2016 Updates

Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016.  This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.

 

Active Directory Domain Services fixes

Authentication Policy Auditing Mode blocks NTLM

The first fix addresses an issue that blocks failed NTLM authentications instead of only logging them when using an authentication policy with audit mode turned on. Netlogon.log may show the following:

SamLogon: Transitive Network logon of <domain>\<user> from <machine2> (via <machine1>) Returns 0xC0000413

SamLogon: Transitive Network logon of <domain>\<user> from <machine2> (via <machine1>) Entered

NlpVerifyAllowedToAuthenticate: AuthzAccessCheck failed for A2ATo 0x5. This can be due to the lack of claims and compound support in NTLM

 

Restoring invalid backlink attribute logic

The second fix addresses an issue that prevents you from modifying or restoring Active Directory objects that have invalid backlink attributes populated in their class. The error you receive is:

Error 0x207D An attempt was made to modify an object to include an attribute that is not legal for its class.

 

Running the Administrative Center with PowerShell Transcripting enabled

The third fix addresses an issue that prevents the Active Directory Administrative Center (dsac.exe) from running on a client that has PowerShell Transcripting enabled. The following error appears:

Cannot connect to any domain. Refresh or try again when connection is available.

The PowerShell transcript feature is an effective way to log, audit and trace back malicious code run through PowerShell on Domain Controllers. System-wide PowerShell Transcripting can be enabled through Group Policy, Desired State Configuration and through the Start-Transcript PowerShell Cmdlet.

 

Call to action

When you experience any one of these issues, you are invited to install Windows Server 2016’s April 2018’s Cumulative Quality Update (KB4093120) on your Active Directory Domain Controllers to resolve them.

Known Issues

There are no known issues with this update, to date.

Posted on April 18, 2018 by Sander Berkouwer in Active Directory, Security Updates

0  

Azure AD Connect version 1.1.751.0 was released as a hotfix last week

Azure AD Connect Splash Screen

Last week, Microsoft released Azure AD Connect version 1.1.751.0. This release of Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments to Azure Active Directory is a HotFix release.

This means it is not offered to organization running Azure AD Connect using the Automatic Upgrade functionality. Instead, it is available for download, only.

 

What’s Fixed

Azure AD Sync

An issue was corrected where automatic Azure instance discovery for China tenants was occasionally failing.

AD FS Management

There was a problem in the configuration retry logic that would result in an ArgumentException stating:

an item with the same key has already been added.

This would cause all retry operations to fail.

 

Version information

This is version 1.1.751.0 of Azure AD Connect.
It was signed off on on April 12, 2018.

 

Concluding

At first sight, making a version of Azure AD Connect available for download only would not make much sense. However, the two fixes apply to the initial configuration part of Azure AD Connect and, thus,  do not affect organizations currently running Azure AD Connect without problems (after configuration).

Surely, these fixes flow into next versions of Azure AD Connect that will be made available for automatic upgrades. There’s no hurry, though.

Posted on April 16, 2018 by Sander Berkouwer in Active Directory, Azure Active Directory, Tools I Use, What's New

0  

Azure Multi-Factor Authentication Server 8.0.0.3 is here

Microsoft Azure Multi-Factor Authentication

When looking back, I realized we’ve been working with Microsoft’s on-premises Azure Multi-Factor Authentication (MFA) Server version  7.3.0.3 for a year. This week, Microsoft released a new version of it’s on-premises authentication security product: version 8.0.0.3.

 

What’s New

Registration experience improvements on mobile

Using MFA Server’s mobile portal, end-users may register the authenticator app on their mobile device using a QR-code. This experience has been improved.

Improved interaction with AD Sync

Azure MFA Server leverages MFA Providers in Azure Active Directory. Azure AD Connect offers synchronization of user objects (and, in some scenarios, password hashes) from Active Directory to Azure Active Directory. To allow both products to work optimally together, several changes have been made to MFA Server.

Support for TLS 1.2 for LDAP, User Portal to Web Service SDK, and SChannel replication

As MFA Server communicates to back-end systems and allows communication to its Web Service SDK, it’s imperative to allow the strongest available encryption for data in transit. MFA Server 8 now offers TLS 1.2 support for:

  • Communication from MFA Server to LDAP stores
  • Communication to MFA Server’s User Portal and Web Service SDK
  • Communication with Active Directory Domain Controllers

Compliance with General Data Protection Regulation

MFA Server is now in compliance with Europe’s General Data Protection Regulation (GDPR). The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union.

The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU. GDPR is implemented per EU country and has different names in some of them

Accessibility improvements to User Portal, MFA Server management, and installation

To allow people with disabilities, like impairments, activity limitations, and participation restrictions, to use MFA Server, Microsoft has made several improvements to the User Portal, Management Console and Installation Wizard.

As Microsoft believes 25% of people live with disabilities, not just limited to speech, hearing or eyesight, but also autism and ADHD. these improvements are welcome, even though they might break your current branding strategy.

Miscellaneous bug fixes and improvements

Several more bug fixes and improvements have been made to MFA Server 8.

 

Known Issues

Windows Authentication for Remote Desktop Services (RDS) is not supported for Windows Server 2012 R2.

 

Upgrade considerations

You must upgrade MFA Server and Web Service SDK before upgrading the User Portal, Mobile Portal or AD FS adapter.
Read the guidance in the How to Upgrade section in this blogpost for more information.

 

Download

You can download Azure Multi-Factor Authentication Server 8.0.0 here.
The download weighs 182.2 MB.

 

Version information

This is version 8.0.0 of Azure Multi-Factor Authentication Server.
It was signed off on April 10, 2018.

Posted on April 12, 2018 by Sander Berkouwer in Azure, Multi-Factor Authentication, What's New

0  

I’m speaking at WAZUG.nl 47

Speaking at User Groups (picture by Rick van den Bosch)

On Thursday evening April 19, 2018 I’ll deliver a 55-minute presentation for the Dutch Windows Azure User Group (WAZUG) on Azure Active Directory device management.

About WAZUG.nl

WAZUG logo (cloud only)The Dutch Windows Azure User Group (WAZUG) was founded in 2010 by a group of enthusiasts to inform and inspire developers, architects and consultants for Microsoft’s cloud application platform: Azure.

WAZUG organizes events roughly every month. They invite speakers to talk about technology, but also about reference cases. It’s also an ideal way to meet like-minded people and network. Meetings, food and drinks are always free to attendees.

WAZUG, these days, is run by Iwan Bel, Erwyn van der Meer, Edward Bakker and Sjoerd van Roessel.

 

About WAZUG.nl 47

Meeting 47 is organized with the help of Centric, a Dutch IT services provider in terms of managed ICT services, IT solutions and software engineering. They invited us over at their headquarters in Gouda, the Netherlands.

In contrast to earlier WAZUG.nl meetings, WAZUG.nl 47 has an IT Pro focus.

The evening kicks off at 6PM with dinner. After a short welcoming ceremony, I’ll present for 55 minutes. After a short break, a second session is presented. After the second session, there’s room and time for drinks up until 9:15PM.

About my presentation

Between 6:35PM and 7:30PM, I’ll deliver a 55-minute session on Azure AD Devices:

Devices and Azure AD: who, what, where?

For a long time, device management within on-premises Active Directory was Microsoft’s strong point. Lately, Microsoft has been building out their possibilities in Azure Active Directory in terms of devices. Think about Single Sign-On (SSO), device join/registration and the ability to grant or deny access based on the device’s status and location.

In this session I’ll tell you everything there is to know about devices in Azure AD. I’ll discuss Azure AD Join, Conditional Access, Azure Multi-Factor Authentication, Azure Identity Protection and Windows Hello. Of course, I’ll share my recommended practices for all these technologies.

 

Join us!

Join us for free.
If you haven’t yet, sign up to the Dutch Windows Azure User Group using a Microsoft account, and then register for this WAZUG event.

Posted on April 11, 2018 by Sander Berkouwer in Community, Microsoft MVP, Personal

0  

Pictures of the 2018 Amsterdam Microsoft Tech Summit last week

Last Wednesday and Thursday, Microsoft organized a Tech Summit event in the Amsterdam RAI. I was invited as a booth expert and a speaker.

As one of the last Tech Summit events in a long row of events, my experience with the organization for the Tech Summit was top notch. It started on Tuesday already.

On Tuesday, Microsoft arranged for a speaker check-in between 4 PM and 6 PM. We were all invited to the speaker room, check out our rooms, the booth, the theater, discuss slides and pick up our badges and T-shirts.

The Tech Summit Billboard at Entrance C of the Amsterdam RAI (picture by Microsoft Netlerlands)Tech Summit flags marking the way to Entrance C (photo by Microsoft Netherlands)

Wednesday morning I arrived at the Amsterdam RAI at around 7:30 AM. It was a cloudy day. The perfect weather for an indoor event…

Smile and wave boys. Smile and wave.

I joined the other experts at the booth around 8 AM, until the keynote started at around 9:30 AM. By then, we had answered a handful of questions on Exchange, Azure Active Directory, Teams and Skype for Business already! I met with one of this blog’s biggest fans and spent most of my day at the Experts booth on Wednesday, before heading home at 7 PM.

Thursday morning, I arrived at 7 AM. This was the day I was to present a 60-minute session on GDPR (AVG) in terms of Microsoft 365 from 10:45 and 11:45. I studied the slides and demos Microsoft provided me. It was a really nice slide deck that began with explaining the background for GDPR, then to introduce Microsoft Compliance Manager, followed by explaining some of the more difficult moving parts of Microsoft 365, including Conditional Access, Azure AD Identity Protection, Azure Information Protection and Office 365 Advanced Threat Protection. Alas, the slide deck didn’t include eDiscovery, for which I apologized to the audience beforehand.

Accerating your GDPR Compliance with Microsoft 365 (picture by Ralph Eckhard)An almost full room for GDPR (picture by Censom)
Introducing Compliance Manager (picture by Daan Verheij)Presenting on GDPR (picture by Tony Thijs)

Room Elicium 2 was packed with people, mostly technical people I recognized, although the session was advertised as a session for decision makers.

After a short break for lunch, I was scheduled for a second presentation. This time I was in for even more fun with one of my own favorite presentations in a nice informal setting; Talking for 15 minutes on the silly stuff people do when it comes to AD FS and Hybrid Identity.

Title slide for the 'Four most common mistakes with AD FS and Hybrid Identity' theater session (shared by Anna Chu)Presenting my experiences with AD FS and Hybrid Identity (picture by Jeffrey Vermeulen)
Quite a crowd for the theater session (picture by Michel de Rooij)

The feedback I received from the people that were actually able to follow the presentation in the busy expo area was overwhelmingly positive:

Thank you, John van Zetten!

It’s always nice to hear when people enjoyed learning things I present on.

After the session I joined Jeff Woolsey again at the Experts Booth, where we discussed GDPR and baselines with one of the Netherlands’ largest healthcare insurers. Another interesting question came from an organization that would currently create user administrator accounts in Azure AD for partner admins, so they could create user objects for their partner users to access the app. They figured this saved them a lot of money on user administration. Apparently, no-one had introduced them to Azure AD B2B, yet.

 

Thank you!

A big ‘Thank You!’ to all Microsoft Tech Summit attendees, sponsors, speakers and staff for making the past week such an enjoyable experience!

I had a lot of fun and I hope you did, too!

Posted on April 3, 2018 by Sander Berkouwer in Community, Microsoft MVP, Personal

1  

What’s New in Azure Active Directory for March 2018

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for March 2018:

 

What’s New

Twitter and GitHub identity providers in Azure AD B2C

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

You can now add Twitter or GitHub as an identity provider in Azure AD B2C. Twitter is moving from public preview to General Availability (GA). GitHub is being released in public preview.

 

Restrict browser access using Intune Managed Browser with Azure AD application-based conditional access for iOS and Android

Service category: Conditional Access
Product capability: Identity Security & Protection

The Intune Managed Browser SSO is now in preview. Employees can use single sign-on across native clients (like Microsoft Outlook) and the Intune Managed Browser for all Azure AD-connected apps.

Intune Managed Browser Conditional Access Support is now in preview. Admins can now require employees to use the Intune Managed browser using application-based conditional access policies.

 

App Proxy Cmdlets in Powershell GA Module

Service category: App Proxy
Product capability: Access Control

The Application Proxy PowerShell Cmdlets are now part of the generally available (GA) Azure Active Directory Powershell Module.

  

Office 365 native clients are supported by Seamless SSO using a non-interactive protocol

Service category: Authentications (Logins)
Product capability: User Authentication

People using Office 365 native clients get a silent sign-on experience using Seamless SSO. This support is provided by the addition of WS-Trust (a non-interactive protocol) to Azure Active Directory.

This applies to Office installation versions 16.0.8730.xxxx and above, so basically people in organizations using the targeted Semi-Annual Channel since January 17, 2018 or Monthly Channel releases of Office since March 13, 2018.

   

Users get a silent sign-on experience, with Seamless SSO, if an application sends sign-in requests to Azure AD’s tenanted endpoints

Service category: Authentications (Logins)
Product capability: User Authentication

People get a silent sign-on experience, with Seamless SSO, if an application (for example, https://contoso.sharepoint.com) sends sign-in requests to Azure AD’s tenanted endpoints – that is, https://login.microsoftonline.com/contoso.com/ or https://login.microsoftonline.com/<tenant_ID>/ – instead of Azure AD’s common endpoint (https://login.microsoftonline.com/common/).

 

Adding Optional Claims to your apps tokens (public preview)

Service category: Authentications (Logins)
Product capability: User Authentication

Your Azure AD app can now request custom or optional claims in JWTs or SAML tokens. These are claims about the user or tenant that are not included by default in the token, due to size or applicability constraints. This is currently in public preview for Azure AD apps on the v1.0 and v2.0 endpoints. See the documentation for information on what claims can be added and how to edit your application manifest to request them.

 

Azure AD supports PKCE for more secure OAuth flow

Service category: Authentications (Logins)
Product capability: User Authentication

Azure AD docs have been updated to note support for Proof Key for Code Exchange (PKCE) as described in RFC7636, which allows for more secure communication during the OAuth 2.0 Authorization Code grant flow. Both S256 and plaintext code_challenges are supported on the v1.0 and v2.0 endpoints.

 

New Federated Apps available in Azure AD App gallery

In March 2018, the Active Directory team has added following 15 new apps in the Azure Active Directory App gallery with Federation support:

 

PIM for Azure Resources is generally available (GA)

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

If you are using Azure AD Privileged Identity Management (PIM) for directory roles, you can now use PIM’s time-bound access and assignment capabilities for Azure Resource roles such as Subscriptions, Resource Groups, Virtual Machines, and any other resource supported by Azure Resource Manager. Enforce Multi-Factor Authentication when activating roles Just-In-Time, and schedule activations in coordination with approved change windows.

In addition, this release adds enhancements not available during public preview including an updated UI, approval workflows, and the ability to extend roles expiring soon and renew expired roles.

 

Support for provisioning all user attribute values available in the Workday Get_Workers API

Service category: App Provisioning
Product capability: 3rd Party Integration

The public preview of inbound provisioning from Workday to Active Directory and Azure AD now supports the ability to extract and provisioning of all attribute values available in the Workday Get_Workers API. This adds supports for hundreds of additional standard and custom attributes beyond the ones shipped with the initial version of the Workday inbound provisioning connector.

  

Changing group membership from dynamic to static, and vice versa

Service category: Group Management
Product capability: Collaboration

It is now possible to change how membership is managed in a group. This is useful when you want to keep the same group name and ID in the system, so any existing references to the group are still valid; creating a new group would require updating those references. We’ve updated the Azure AD Admin center to add support for this functionality. Now, customers can convert existing groups from dynamic membership to assigned membership and vice-versa. The existing PowerShell Cmdlets are also still available.

What’s Changed

Improved sign-out behavior with Seamless SSO

Service category: Authentications (Logins)
Product capability: User Authentication

Previously, even if users explicitly signed out of an application secured by Azure AD, they would be automatically signed back in using Seamless SSO if they were trying to access an Azure AD application again within their corpnet from their domain joined devices. With this change, sign out is supported. This allows users to choose the same or different Azure AD account to sign back in with, instead of being automatically signed in using Seamless SSO.

   

Application Proxy Connector Version 1.5.402.0

Service category: App Proxy
Product capability: Identity Security & Protection

Application Proxy Connector Version 1.5.402.0 is gradually being rolled out. This new connector version includes the following changes:

  • The connector now sets domain level cookies instead of cookies on the sub-domain level. This ensures a smoother SSO experience and avoids redundant authentication prompts.
  • Support for chunked encoding requests
  • Improved connector health monitoring
  • Several bug fixes and stability improvements

   

What’s Fixed

Certificate expire notification

Service category: Enterprise Apps
Product capability: SSO

Azure Active Directory sends a notification when a certificate for a gallery or non-gallery application is about to expire.

Some organizations did not receive notifications for enterprise applications, configured for SAML-based single sign-on. This issue was resolved. Azure Active Directory sends notification for certificates expiring in 7, 30 and 60 days. You are able to see this event in the audit logs.

Posted on April 2, 2018 by Sander Berkouwer in Azure Active Directory, What's New

1