Setting up Hybrid Identity with AD FS through Azure AD Connect

Hybrid Identity

When Active Directory on-premises and Azure AD work together, it’s called Hybrid Identity. Hybrid Identity is relatively easy to set up when you use the Express Settings for Azure AD Connect. However, setting up Hybrid Identity with Active Directory Federation Services (AD FS) is not that hard either.

I’ll show you how to achieve this goal in this blogpost.

 

Why choose AD FS?

Active Directory Federation Services (AD FS) used to be the only authentication method available, before password hash synchronization (PHS), pass-through authentication (PTA) and Azure AD Connect Cloud Sync became available.

Even today, AD FS offers a couple of advantages over the other authentication methods:

  • AD FS offers certificate authentication
  • AD FS offers Alternate Login ID functionality
  • AD FS offers the use of 3rd party multi-factor authentication for many of the popular multi-factor authentication providers.
  • Auditing AD FS is straight-forward and integrates with all major security incident and event management (SIEM) solutions.

The biggest reason organizations choose AD FS as the authentication method for Azure AD, of course, is that they already have AD FS running with a bazillion apps integrated with it. Today, however, I’ll focus on the scenario where an admin wants to set up an initial AD FS farm.

 

Requirements

To complete the steps below, you’ll need to meet the following requirements:

  • You’ll need an account with Global administrator or Hybrid Identity administrator privileges in your Azure AD tenant. Use an account that is not configured with a UPN
  • You’ll need an account with membership to the Enterprise Admins group in your Active Directory.
  • You’ll need local administrator credentials on each of the below mentioned servers.
  • You’ll need a Windows Server installation with Desktop Experience (so not a Server Core installation) that is domain-joined to your Active Directory domain. This will become the server on which we install Azure AD Connect.
  • One proposed AD FS server. This server may run Server Core. This server needs to be domain-joined.
  • One proposed Web Application Proxy server. This server may run Server Core. This server can be domain-joined, but does not need to be. Microsoft’s guidance is to place this server on a perimeter network. If the Web Application Proxy server is not to be domain-joined, perform these additional steps.
  • The server that will run Azure AD Connect and the AD FS server needs access to the Domain Controller(s) for your Active Directory domain. Their network connections need to meet the network port requirements for Active Directory. These connections may not be NATed.
  • The server that will run Azure AD Connect needs to be able to reach the Azure AD URLs. Configure Azure AD Connect to use a proxy, if needed.
  • The proposed AD FS server needs to be able to communicate to Azure AD to exchange metadata. Configure https://nexus.microsoftonline-p.com as an allowed URL.
  • The Web Application Proxy server will need to be accessible from the Internet on ports TCP80, TCP443 and TCP49443. This server needs to be able to access the AD FS server on port TCP443.
  • The Azure AD Connect server needs to be able to access the proposed AD FS server and the proposed Web Application Proxy using TCP5981.
  • You need to create an A or CNAME record in the internal DNS zone for your organization to point the AD FS farm name (for instance sts.domain.tld) to the proposed AD FS server.
  • You need to create an A or CNAME record in the external DNS zone for your organization to point the AD FS farm name to the external IP address of the proposed Web Application Proxy.
  • You need to have the DNS domain name that you want to federate with AD FS as a verified DNS domain name in Azure AD.
  • You need a valid TLS certificate with the DNS name of the AD FS farm (for instance sts.domain.tld), that includes the private key. The certificate needs to be saved as a *.pfx file.
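Most of the requirements above can be checked from the proposed Azure AD Connect server before the wizard is started. The following Windows PowerShell script is an added example, not part of the original post: it verifies the internal DNS record for the farm name, the secure channel to a Domain Controller, WinRM reachability of the AD FS and Web Application Proxy servers (the remoting the wizard relies on to configure them), outbound HTTPS to Azure AD, and whether the *.pfx file holds a private key, covers the farm name and is within its validity period. The farm name sts.domain.tld, the server names ADFS01 and WAP01, the certificate path and the use of login.microsoftonline.com as a representative Azure AD URL are assumptions to replace with your own values.

```powershell
# Added example: pre-flight check of the AD FS Hybrid Identity requirements.
# Run in an elevated Windows PowerShell session on the proposed Azure AD Connect server.
$FarmName   = 'sts.domain.tld'                # AD FS farm name (assumed)
$AdfsServer = 'ADFS01.domain.tld'             # proposed AD FS server (assumed)
$WapServer  = 'WAP01'                         # proposed Web Application Proxy (assumed)
$PfxPath    = 'C:\Certs\sts.domain.tld.pfx'   # copied *.pfx file (assumed path)
$AzureAdUrl = 'login.microsoftonline.com'     # one of the Azure AD URLs (assumed representative)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

# 1. Internal DNS: the farm name must resolve (A or CNAME) to the AD FS server, not to the WAP.
try {
    $farmRecords = Resolve-DnsName -Name $FarmName -ErrorAction Stop
    $farmIps = @($farmRecords | Where-Object { $_.Type -in @('A', 'AAAA') } | ForEach-Object { $_.IPAddress })
    $adfsIps = @((Resolve-DnsName -Name $AdfsServer -Type A -ErrorAction Stop).IPAddress)
    $pointsToAdfs = @($farmIps | Where-Object { $adfsIps -contains $_ }).Count -gt 0
    Add-Result 'Internal DNS for farm name' $pointsToAdfs ('{0} -> {1}' -f $FarmName, ($farmIps -join ', '))
} catch { Add-Result 'Internal DNS for farm name' $false $_.Exception.Message }

# 2. Domain Controller reachability: the secure channel of this domain-joined server must be healthy.
try {
    Add-Result 'Secure channel to a Domain Controller' (Test-ComputerSecureChannel -ErrorAction Stop) $env:USERDNSDOMAIN
} catch { Add-Result 'Secure channel to a Domain Controller' $false $_.Exception.Message }

# 3. WinRM: Azure AD Connect configures the AD FS and WAP servers through PowerShell remoting.
#    Test-WSMan sends an unauthenticated identify request, so it also works for a workgroup WAP.
foreach ($server in @($AdfsServer, $WapServer)) {
    try {
        $null = Test-WSMan -ComputerName $server -ErrorAction Stop
        Add-Result "WinRM to $server" $true 'Test-WSMan succeeded'
    } catch { Add-Result "WinRM to $server" $false $_.Exception.Message }
}

# 4. Outbound HTTPS to Azure AD. Behind an authenticating proxy this direct TCP test fails even
#    when the proxy works; in that case configure Azure AD Connect to use the proxy as the post says.
$tnc = Test-NetConnection -ComputerName $AzureAdUrl -Port 443 -WarningAction SilentlyContinue
Add-Result "HTTPS to $AzureAdUrl" $tnc.TcpTestSucceeded ('Remote {0}' -f $tnc.RemoteAddress)

# 5. The *.pfx: private key present, farm name in Subject or SAN, Server Authentication EKU, valid dates.
$pfxPassword = Read-Host -Prompt 'Password of the *.pfx file' -AsSecureString
try {
    $pfx  = Get-PfxData -FilePath $PfxPath -Password $pfxPassword -ErrorAction Stop
    $cert = $pfx.EndEntityCertificates[0]

    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    # A wildcard certificate (*.domain.tld) will not match here and needs a manual look.
    $coversFarm = ($cert.Subject -match [regex]::Escape("CN=$FarmName")) -or
                  ($sanText -match [regex]::Escape($FarmName))

    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = $ekuExt -and @($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }).Count -gt 0

    $now = Get-Date
    Add-Result 'PFX has private key'        $cert.HasPrivateKey $cert.Thumbprint
    Add-Result 'PFX covers farm name'       $coversFarm ('Subject: {0}; SAN: {1}' -f $cert.Subject, $sanText)
    Add-Result 'PFX has Server Auth EKU'    ([bool]$serverAuth) 'OID 1.3.6.1.5.5.7.3.1'
    Add-Result 'PFX within validity period' ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter) ('Expires {0:yyyy-MM-dd}' -f $cert.NotAfter)
} catch { Add-Result 'PFX readable' $false $_.Exception.Message }

$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Passed }).Count -gt 0) {
    Write-Warning 'Resolve the failed checks before running the Azure AD Connect wizard.'
}
```

The external DNS record and the Internet-facing ports on the Web Application Proxy (TCP80, TCP443 and TCP49443) cannot be judged from inside the network; check those from an external vantage point once the proxy is deployed.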

 

Preparing the Azure AD Connect server

Assuming the Windows Server installation is prepared with all required information security measures, we can prepare it further for its purpose as Azure AD Connect server.

Note:
The steps in this part of the manual are based on Windows Server 2019. Several steps may appear differently on older and newer versions of Windows Server.

Perform these steps on the Windows Server that will run Azure AD Connect:

Disable the Internet Explorer Enhanced Security Configuration (IE ESC)

Internet Explorer Enhanced Security Configuration (IE ESC) is one of the default security features on Windows Server. However, we need to disable this feature to be able to:

  • Download Azure AD Connect.
  • Sign in to the previously created Azure AD tenant.

Perform the following steps:

  • Sign into the Windows Server that is to run Azure AD Connect.
  • Close the Server Manager pop-up informing you about Windows Admin Center.
  • In the left navigation pane of Server Manager, click Local Server.
  • In the Properties field for the server, click the link labeled IE Enhanced Security Configuration. It is located in the right column of properties.
    The Internet Explorer Enhanced Security Configuration pop-up appears.
  • Turn the feature Off for Administrators.
  • Click OK.

Enable the Active Directory Recycle Bin

It is convenient to have the Active Directory administration tools, so we’ll install them and then use them to enable the Active Directory Recycle Bin:

  • While still in Server Manager, click on Manage in the top gray navigation bar.
  • From the Manage menu, click Add Roles and Features.
    The Add Roles and Features Wizard appears.
  • Click the Next > button on the Before you begin screen.
  • Click the Next > button on the Select installation type screen.
  • Click the Next > button on the Select destination server screen.
  • Click the Next > button on the Select server roles screen.
  • On the Select features screen, scroll down the list of available features, until you reach the Remote Server Administration Tools.
  • Expand the Remote Server Administration Tools node.
  • Expand the Role Administration Tools node.
  • Select the AD DS and AD LDS Tools.
  • Click the Next > button.
  • Click the Install button on the Confirm installation selections screen.
  • When installation is done, click the Close button.
  • While still in Server Manager, click on Tools in the top gray navigation bar.
  • Click the Active Directory Administrative Center from the Tools menu. It is at the top.
    The Active Directory Administrative Center window opens.
  • In the left navigation pane, click on your domain name.
  • In the right Tasks pane, click the Enable Recycle Bin… task.
    The Enable Recycle Bin Confirmation pop-up appears.
  • Click OK.
    Another pop-up appears.
  • Click OK.
  • Close the Active Directory Administrative Center window.

Download Azure AD Connect

Now, let’s download Azure AD Connect, so we can start creating some actual Hybrid Identity goodness:

  • Open Internet Explorer from the Start bar.
  • In the Internet Explorer 11 pop-up, click OK to use the recommended settings.
  • In the address bar of Internet Explorer, type download azure ad connect.
  • Press the Enter button. This will initiate a search with Bing.
  • Click the search result to the download link from Microsoft.
  • Click the Download link.
  • From the bottom of the Internet Explorer window, a blade appears with options for the download. Click Save.
    Azure AD Connect will now be downloaded.
  • Click Open Folder.
    A File Explorer window opens in the Downloads folder for the signed-in user.
  • Close Internet Explorer.

Copy the TLS certificate

The last requirement for the Azure AD Connect server is the TLS certificate. Copy its *.pfx file to a file location on the Windows Server that will run Azure AD Connect.

 

Configuring Azure AD Connect

The environment is now prepared. Let’s configure Hybrid Identity!

Note:
The steps in this part of the manual are based on Azure AD Connect version 1.5.45.0. Several steps may appear differently on newer versions of Azure AD Connect.

Perform these steps on the Windows Server that will run Azure AD Connect:

  • Double-click the AzureADConnect.msi file.
    The Microsoft Azure Active Directory Connect window appears:

Welcome to Azure AD Connect

  • On the Welcome to Azure AD Connect screen, select the I agree to the license terms and privacy notice. option.
  • Click the Continue button.
  • On the Express Settings screen, click the Customize button:

Express Settings

  • On the Install required components screen, click the Install button.
  • Wait while Azure AD Connect is installed. This may take several minutes.
  • On the User sign-in page, select Federation with AD FS as the sign-in method.
  • Click Next.
  • On the Connect to Azure AD screen, enter the Username and Password for the Azure AD account you created earlier. Type the complete username including the .onmicrosoft.com part:

Connect to Azure AD

  • Click the Next button.
    Perform multi-factor authentication when prompted.
  • On the Connect your directories page, click the Add Directory button to add your Active Directory forest to the scope of Azure AD Connect. The forest name is automatically gathered from the domain membership of the Windows Server installation, but we need to specify the settings for the service account.
    The AD forest account dialog appears:

AD forest account

  • Select the Create a new AD account option.
  • Specify the credentials of the Enterprise Admin account to allow Azure AD Connect to create the service account it needs to connect to Active Directory. The Enterprise Admin credentials are only used to create the account and are not cached or stored by Azure AD Connect.
  • Click OK.
  • The Active Directory Forest name now appears in the list of Configured directories.
  • Click Next.
  • On the Azure AD sign-in configuration screen, verify that the DNS domain name has the status Verified. Also accept the userPrincipalName attribute as the on-premises attribute to use as the Azure AD username.
  • Click the Next button.
  • Click the Next button on the Domain and OU filtering screen.
  • Click the Next button on the Uniquely identifying your users screen:

Uniquely identifying your users

  • Click Next on the Filter users and devices screen.
  • Click Next on the Optional features screen.
  • On the Domain Administrator credentials screen, enter the Username and Password of an Active Directory account with memberships in the Domain Admins or Enterprise Admins group.
  • Click the Next button.

AD FS farm

  • On the AD FS farm screen, choose the Configure a new AD FS Farm option.
  • Click the Browse button.
  • Navigate to the *.pfx file that you copied earlier.
  • Click Open.
    The Certificate password dialog appears.
  • Type the password for the *.pfx file.
  • Click OK.
  • Click Next.
  • On the AD FS server screen, click the Browse button.
    The Select Federation Server dialog window appears.
  • In the Select Federation Server dialog window, search for the AD FS server.
  • Select the proposed AD FS server from the search results.
  • Click OK.
  • On the AD FS server screen, click the Next button.
  • On the Web Application Proxy server screen, click the Browse button.
    The Select Web Application Proxy dialog window appears.
  • In the Select Web Application Proxy dialog window, search for the Web Application Proxy.
  • Select the proposed Web Application Proxy from the search results.
  • Click OK.
  • On the Web Application Proxy server screen, click the Next button.

AD FS service account

  • On the AD FS service account page, provide the credentials of an Enterprise Admin account in the following format.
  • Click the Next button.
  • On the Azure AD domain screen, use the pull down menu to select your AD domain.
  • Click Next.
  • On the Ready to configure screen, click the Install button:

Ready to configure

  • On the Configuration complete screen, click the Next button.
  • On the Verify federation connectivity screen, enable the I have created DNS A records that allow clients to resolve my federation service from the extranet. option, too.
  • Click the Verify button.
  • On the Verify federation connectivity screen examine the outcome of the verification check.
  • Click Exit.
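After the wizard has completed, the new farm can be inspected the same way Azure AD and every other relying party consume it: through its federation metadata document. The following Windows PowerShell script is an added example, not part of the original post. It fetches the metadata from the farm name, reads the entityID (the issuer Azure AD will see in tokens), the passive sign-in endpoint and the published token-signing certificates, flags a signing certificate that expires within 60 days, and, when run on the AD FS server itself, compares the published certificates with the farm’s own configuration. The farm name sts.domain.tld and the 60-day threshold are assumptions.

```powershell
# Added example: post-configuration check of the AD FS farm through its federation metadata.
$FarmName    = 'sts.domain.tld'   # AD FS farm name (assumed)
$MetadataUrl = "https://$FarmName/FederationMetadata/2007-06/FederationMetadata.xml"

function Get-FederationMetadataSummary {
    param([Parameter(Mandatory)][string]$Url)

    # The document is served over TLS by the farm's service communications certificate.
    $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
    [xml]$metadata = $response.Content

    $ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
    $ns.AddNamespace('md',  'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds',  'http://www.w3.org/2000/09/xmldsig#')
    $ns.AddNamespace('fed', 'http://docs.oasis-open.org/wsfed/federation/200706')
    $ns.AddNamespace('wsa', 'http://www.w3.org/2005/08/addressing')

    # Issuer identifier of the farm, e.g. http://sts.domain.tld/adfs/services/trust.
    $entityId = $metadata.DocumentElement.GetAttribute('entityID')

    # WS-Federation passive requestor endpoint (/adfs/ls/) that browsers are redirected to.
    $passive = $metadata.SelectSingleNode(
        '//md:RoleDescriptor/fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address', $ns)

    # Token-signing certificates published for relying parties, decoded from base64 DER.
    $signing = foreach ($node in $metadata.SelectNodes(
            '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)) {
        $der = [Convert]::FromBase64String($node.InnerText.Trim())
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }

    [pscustomobject]@{
        EntityId        = $entityId
        PassiveEndpoint = $(if ($passive) { $passive.InnerText } else { $null })
        SigningCerts    = @($signing | ForEach-Object {
            [pscustomobject]@{ Subject = $_.Subject; Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter }
        })
    }
}

$summary = Get-FederationMetadataSummary -Url $MetadataUrl
$summary | Select-Object EntityId, PassiveEndpoint | Format-List
$summary.SigningCerts | Format-Table -AutoSize

# An expiring token-signing certificate breaks federated sign-in; 60 days is an assumed warning threshold.
$summary.SigningCerts | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(60) } | ForEach-Object {
    Write-Warning ('Token-signing certificate {0} expires {1:yyyy-MM-dd}' -f $_.Thumbprint, $_.NotAfter)
}

# On the AD FS server itself, confirm that what is published matches what the farm holds.
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    $farmThumbprints = @((Get-AdfsCertificate -CertificateType Token-Signing).Thumbprint)
    foreach ($c in $summary.SigningCerts) {
        $state = if ($farmThumbprints -contains $c.Thumbprint) { 'OK     ' } else { 'UNKNOWN' }
        '{0} {1}' -f $state, $c.Thumbprint
    }
}
```

Running the script once from the internal network and once from an external client shows whether the intranet (AD FS server) and extranet (Web Application Proxy) paths both serve the same metadata.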

Concluding

With the above steps, after meeting the requirements, you can have an AD FS farm, allowing people in your organization to authenticate to Azure AD, running within half an hour.


Azure AD Connect version 1.6.2.4 defaults to the v2 endpoint and adds support for Selective Password Hash Synchronization

Azure AD Connect

It’s time for a new version of Azure AD Connect to incorporate Microsoft’s lessons learned and distribute the fixes Microsoft made to the larger public. Last Friday, Microsoft released the first version in the 1.6 branch of Azure AD Connect: v1.6.2.4

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

 

Highlights

The headlines for this release are:

  • This release will be made available for download only.
  • The upgrade to this release will require a full synchronization due to synchronization rule changes.
  • This release defaults Azure AD Connect to the new v2 endpoint.

Note:
The v2 endpoint is not supported in the German national cloud, the Chinese national cloud and the US government cloud. To deploy Azure AD Connect with these clouds, follow these instructions.

 

What’s New

Microsoft made the following improvements:

Updated default sync rules to limit membership in written back groups to 50k members

Microsoft added new default synchronization rules for limiting membership count in the following synchronization rules:

  • Out to AD – Group Writeback Member Limit
  • Out to AAD – Group Writeup Member Limit
  • Out to AD – Group SOAInAAD – Exchange

These rule changes limit members in groups synchronized to Azure AD and written back groups to 50,000 members. Microsoft has also made provisions to handle situations where admins have previously customized the Out to AD – Group SOAInAAD – Exchange synchronization rule.

Support for Selective Password Hash Synchronization

Azure AD Connect now supports Selective Password Hash Synchronization.
Formerly, Azure AD Connect would apply Password Hash Synchronization to all objects in scope for synchronization. In Azure AD Connect version 1.6 and up, a subset of users can be specifically included in or excluded from having their password hashes synchronized to Azure AD. This feature is known as selective password hash synchronization.

Invoke-ADSyncSingleObjectSync

Azure AD Connect version 1.6.2.4 introduces the Invoke-ADSyncSingleObjectSync Windows PowerShell cmdlet. Admins can use this single object sync Windows PowerShell cmdlet to troubleshoot Azure AD Connect sync configuration.

New version of the ADSyncTools PowerShell module

Azure AD Connect version 1.6.2.4 comes with a new version of the ADSyncTools PowerShell module. It offers several new and improved Windows PowerShell cmdlets:

  • Clear-ADSyncToolsMsDsConsistencyGuid
  • ConvertFrom-ADSyncToolsAadDistinguishedName
  • ConvertFrom-ADSyncToolsImmutableID
  • ConvertTo-ADSyncToolsAadDistinguishedName
  • ConvertTo-ADSyncToolsCloudAnchor
  • ConvertTo-ADSyncToolsImmutableID
  • Export-ADSyncToolsAadDisconnectors
  • Export-ADSyncToolsObjects
  • Export-ADSyncToolsRunHistory
  • Get-ADSyncToolsAadObject
  • Get-ADSyncToolsMsDsConsistencyGuid
  • Import-ADSyncToolsObjects
  • Import-ADSyncToolsRunHistory
  • Remove-ADSyncToolsAadObject
  • Search-ADSyncToolsADobject
  • Set-ADSyncToolsMsDsConsistencyGuid
  • Trace-ADSyncToolsADImport
  • Trace-ADSyncToolsLdapQuery

Updated error logging for token acquisition failures

When Azure AD Connect is unable to acquire tokens, it will now provide more information in its logs on the errors encountered. This helps admins troubleshoot these situations.

Updated 'Learn more' links

The Learn more links on Azure AD Connect’s configuration page now provide more detail on the linked information.

Removed Explicit column from CS Search page in the Old Sync UI

When you use the Metaverse Search feature in Azure AD Connect’s Synchronization Manager user interface, the explicit column is now removed.

Improved Group Writeback flow

Additional UI has been added to the Group Writeback flow to prompt admins for credentials or to configure their own permissions using the ADSyncConfig Windows PowerShell module, if credentials have not already been provided in an earlier step.

Auto-create MSA for the Service Account on a DC

A Managed Service Account (MSA) is now automatically created for the Azure AD Connect Synchronization service when you install Azure AD Connect on an Active Directory Domain Controller.

Group Writeback v2 can now be managed using Windows PowerShell

Microsoft has added the ability to set and get information for the Azure AD Connect’s Group Writeback feature with the version 2 endpoint in these existing cmdlets:

  • Set-ADSyncAADCompanyFeature
  • Get-ADSyncAADCompanyFeature

Added PowerShell cmdlets to query Azure AD Connect’s API version

Microsoft added two Windows PowerShell cmdlets to read the API version of the API used by Azure AD Connect (AWS):

  • Get-ADSyncAADConnectorImportApiVersion
  • Get-ADSyncAADConnectorExportApiVersion

Change tracking for synchronization rules

Changes made to Azure AD Connect’s synchronization rules are now tracked to assist admins in troubleshooting changes. The Get-ADSyncRuleAudit Windows PowerShell cmdlet can be used to retrieve tracked changes.

Improved password rotation for the AD Connector account

Microsoft updated the Add-ADSyncADDSConnectorAccount Windows PowerShell cmdlet in the ADSyncConfig PowerShell module to allow a user in the ADSyncAdmins group to make changes to Azure AD Connect’s AD Connector account.

Azure AD Connect Health Agent version 3.1.83.0

The Azure AD Connect Health Agent for Sync version that ships with Azure AD Connect is upgraded to version 3.1.83.0. Read the Azure AD Connect Health Version History to find out what’s new in this version of the Azure AD Connect Health Agent for Sync.

 

What’s Fixed

Microsoft announces the following bugfixes for this version of Azure AD Connect:

Accessibility updates

Microsoft made the following accessibility updates to Azure AD Connect:

  • Microsoft updated the disabled foreground color to satisfy luminosity requirements on a white background.
  • Microsoft added additional conditions for the navigation tree to set the foreground text color to white when a disabled page is selected to satisfy luminosity requirements.
  • The screen reader now describes the graphical element that holds the list of Active Directory forests as Forests list instead of Forest List list.
  • Microsoft updated the screen reader output for some items in the Azure AD Connect wizard:
    • Updated button hover color to satisfy contrast requirements.
    • Updated Synchronization Service Manager title color to satisfy contrast requirements.

Miscellaneous bugfixes

  • Microsoft increased the granularity for the Set-ADSyncPasswordHashSyncPermissions PHS permissions script by updating the Windows PowerShell cmdlet to include an optional ADobjectDN parameter.
  • Microsoft fixed an issue with installing Azure AD Connect from an exported configuration when the exported configuration contains custom extension attributes. Microsoft added a condition to skip checking for extension attributes in the target schema while applying the synchronization rule.
  • Appropriate permissions are added upon installation of Azure AD Connect if the Group Writeback feature is enabled.
  • Microsoft fixed a duplicate default synchronization rule precedence on import.
  • Microsoft fixed an issue that caused a staging error during delta imports with the v2 endpoints for a conflicting object that was repaired via the health portal.
  • Microsoft fixed an issue in the synchronization engine that caused objects in Connector Spaces to have an inconsistent link state.
  • Microsoft added import counters to the output of the Get-ADSyncConnectorStatistics Windows PowerShell cmdlet.
  • Microsoft fixed an unreachable domain de-selection issue in some corner cases when admins ran Azure AD Connect after initial configuration.
  • Microsoft modified the policy import and export to fail if custom synchronization rules have duplicate precedence values.
  • Microsoft fixed a bug in the domain selection logic.
  • Microsoft fixed an issue with build 1.5.18.0. This issue occurred if you use the mS-DS-ConsistencyGuid attribute as the source anchor attribute and have cloned the In from AD – Group Join rule.
  • Fresh Azure AD Connect installations will now use the Export Deletion Threshold stored in the cloud, if there is one available and there is not a different one passed in.
  • Microsoft fixed an issue where Azure AD Connect would not read displayName changes of hybrid-joined devices in Active Directory.

 

Version information

This is version 1.6.2.4 of Azure AD Connect.
The first release in the 1.6 branch for Azure AD Connect was made available for download on March 19, 2021.


New versions of ADFind and ADMod are now available

ADFind v01.55.00

Joe Richards has published new versions of his independent ADFind and ADMod tools. Long before Windows Server came with Windows PowerShell, Joe published the first versions of these tools. Now, the latest versions are here for you to enjoy.

About Joe Richards

Joe Richards currently works as Enterprise Technical Expert CyberSecurity InfoSec Identity and Directory at Walmart. Before he started at Walmart roughly four years ago, Joe worked at Hewlett Packard Enterprise (HPE) for twelve years as a consultant, and before as a technical specialist at Ford Motor Company.

Joe Richards is a former Directory Services Microsoft Most Valuable Professional (DS MVP). I know Joe as the most knowledgeable guy on Active Directory automation.

About ADFind 1.55.00

ADFind is a command-line Active Directory query tool. It is a mixture of ldapsearch, search.vbs, ldp, dsquery, and dsget tools with a ton of other cool features thrown in for good measure.

Running ADFind merely requires the privilege to run local script on the workstation used to query Active Directory, although some actions, like querying the Deleted Items container and the STATS control options, require specific privileges.

ADFind version 01.55.00 supersedes version 01.54.00 (released January 19th, 2021).
It includes many bugfixes and introduces 20 new switches. It is compiled using Visual Studio 2019.

About ADMod 1.22.00

ADMod is a command-line Active Directory modification tool. It is the natural extension to AdFind. It was written to provide functionality not provided by dsmod, dsmove and dsrm.exe.

ADMod version 01.22.00 supersedes version 01.21.00 (released January 15th, 2021).
It includes many bugfixes and introduces 28 new switches. It is compiled using Visual Studio 2019.

Warranty and license

There is no warranty on ADFind and ADMod. The utilities may work perfectly, they may do nothing, they may burn up your computer, they may scratch the paint on your car. Generally they work very well at the things they are supposed to do and they have done so for thousands if not hundreds of thousands of people around the world. But a utility working ten thousand times for one thousand other people doesn't mean it will work even once for you.

You are licensed the right to use the software on your own or your organization's computer systems. You are not licensed to distribute this software to other companies or users. The other users and companies can download it on their own just like you did. If you absolutely need the right to distribute joeware utilities please contact Joe directly to get information on possible distribution licensing costs and guidelines. There will not automatically be a cost; it depends on the specific details of the distribution but if you are a for-profit organization, seems only fair to pay Joe if you need to use his utilities for your product.

Further reading

AdFind (joeware.net) 
AdMod (joeware.net)  
AdFind and AdMod Production Releases   
AdFind command examples


How Hot Patch for Windows Server Azure Edition helps secure Domain Controllers

Windows Server

At Microsoft Ignite 2021 Spring Edition, Microsoft introduced the Public Preview of Hot Patching for Windows Server Azure Edition.

About hot patching for Windows Server Azure Edition

Microsoft announced new capabilities at Microsoft Ignite 2021 Spring edition for Azure Automanage to simplify operations for Windows Server-based virtual machines (VMs). Azure Automanage helps organizations to reduce day-to-day management tasks with automated operations across the entire lifecycle of VMs in Azure Infrastructure-as-a-Service.

One of these new capabilities, labeled Hot Patching helps organizations to enable rebootless security patching for new Windows Server VMs. These new enhancements allow for the deployment of security patches in seconds, helping protect servers against critical threats.

Hot Patching vs. Monthly Patching

Windows Server gets monthly cumulative updates. It’s our job as systems administrators to apply these updates as quickly as possible to prevent our systems from being compromised. At the same time we need to keep an ear to the ground to prevent installing rogue updates that negatively impact the availability of (the services on) our systems. This all stands in the way of predictable maintenance windows.

With hot patching, security updates are installed automatically to Windows Server 2019 Datacenter editions running as virtual machines in Azure Infrastructure-as-a-Service. The in-memory processes are patched. This is how the patches are installed without reboots. Updates are installed as soon as they arrive, to limit the time the system is exposed to the addressed vulnerabilities.

However, every three months, a hot-patched Windows Server installation needs to realign with the baseline. This is where a predictable quarterly maintenance window comes in.

Redundancy vs. downtime

Of course, when your organization has already deployed an active-active multi-region service, an admin can simply reboot systems without impacting the offered service. However, building an infrastructure with the spare capacity to patch adequately requires a significant additional investment and adds complexity, and thus costs.

To guard against rogue updates by patching half of the active-active capacity first and only then switching the service over to the other half sinks even more cost into unneeded capacity and complexity.

Hot patching for Domain Controllers

Active Directory is a peculiar service from many points of views. Multiple Domain Controllers offer an active-active service, but some things fall outside the multi-master model that enables all Domain Controllers to offer all their services.

Functionality like the Flexible Single Master Operations (FSMO) roles, DNS server addresses configured through DHCP and long-lived LDAP connections make the case for Hot Patching of Windows Servers acting as Domain Controllers.

As Active Directory is at the heart of every Microsoft-oriented networking infrastructure, patching the Windows Server installations running as Domain Controllers gets the highest priority during maintenance windows.

I feel hot patching for Domain Controllers is a good way to get Domain Controllers patched fast and adequately. It may not be beneficial to all organizations, all scenarios and all environments.

Further reading

Patching alone is not enough: Investigate your exposure windows  
Hotpatch for Windows Server Azure Edition (preview) 
Azure Automanage


Two alternative ways to get started with Azure Active Directory

Azure Active Directory

Microsoft offers a page that describes how to set up an Azure Active Directory tenant.
However, I feel this way isn’t always the most obvious way to start with Azure Active Directory.

In this blogpost, I’ll explain two alternative ways you can get started with your own Azure AD tenant, what you need per registration method and what the downsides are for each method.

  

Use a Microsoft Offer

Microsoft has several offers that you can take advantage of without needing to wave a credit card, be associated to a Microsoft Partner or even have a Microsoft account.

The below link is a good example of such a Microsoft offer:

https://signup.microsoft.com/create-account/signup?products=cfq7ttc0k59j:0009

Note:
This particular offer creates a brand new Azure AD tenant and includes 25 30-day Office 365 E3 licenses.

Requirements:

  • You need an email address.

What you need to know

  • After the  trial period, the Azure AD tenant remains fully functional.
  • You can add trials for Azure AD Premium P2 and/or EMS E5 to the tenant to extend the functionality of the Azure AD tenant, just as you can with any other tenant.

Use the above link to register your Azure AD tenant.

  

Use a Microsoft Demo Experience

Microsoft offers pre-provisioned environments for several purposes to IT professionals and developers that need an Azure AD tenant to run tests on through its Customer Transformation Experiences (CTX) initiative.

Requirements:

  • You need to be registered with a Microsoft Partner organization

What you need to know

  • You can create up to five 90-day experiences and one 1-year experience.
  • Experiences can last up to 1 year. Licenses that are part of the experience are valid for the same period as the experience.
  • Experiences last up to 1 year. After this time period, the environment is irrevocably removed. There are no extensions.

Use the following steps to register a Microsoft Demo environment:

  • Navigate your browser to the Modern Workplace Digital Experiences website.
  • At the sign-in screen, sign in with an account that is registered with a Microsoft Partner organization.
  • Accept the Microsoft Platform policies by selecting the option to agree to the policies and then click the Accept and Continue button.
  • In the top bar, select the My Environments tab.
  • In the My Environments page, click the Create Tenant button.

My Environments in the Modern Workplace Digital Experiences website

  • Select 1 year as the period for step 2.
  • Select the geographic location you want the environment provisioned in for step 3.
  • For step 4 choose the Microsoft 365 Enterprise Demo Content environment, by clicking the Create Tenant button in its area.
    The Terms of Use modal window appears.
  • Select the By proceeding you agree to the Microsoft Platform policies option and click the Accept and Continue button.

Your environment will be provisioned. After provisioning you will be redirected to the overview page for the experience you created. Here you will find the credentials for the admin account and all other information you might need to get started and keep going.

When you select the My Environments tab in the top bar, you now see your environment listed.


Ten things you should know about Azure AD Connect Cloud Sync

Roughly a year ago, I wrote a blogpost on the ten things you need to know about Azure AD Connect Cloud Provisioning. At that time, the agent was in public preview. Today, I want to talk about the renamed product: Azure AD Connect Cloud Sync, because I feel there’s a couple of things you should know, now that Microsoft announced the feature at Microsoft Ignite 2021 Spring Edition.

About Azure AD Connect Cloud Sync

Azure AD Connect Cloud Sync, previously known as Azure AD Connect Cloud Provisioning, is a new Microsoft service for synchronization of users, groups and contacts to Azure AD.

In contrast to Azure AD Connect, the database, rules and engine are not placed on a Windows Server installation on-premises, but within the Azure Active Directory infrastructure. An on-premises agent setup offers a lightweight, fast to deploy and easy to manage solution to connect Active Directory to Azure AD.

Ten things you need to know

Azure AD Connect Cloud Sync sounds like a nice solution, but in reality, there are a couple of things you’ll want to know before deploying it to address your organization’s needs:

Azure AD Connect Cloud Sync is generally available

Azure AD Connect Cloud Sync is generally available. You can deploy it in production and Microsoft supports issues you might have with this new service.

There shouldn’t be anything in your organization’s way to pursue adoption of the Azure AD Connect Cloud Sync model.

Azure AD Connect Cloud Sync offers Domain Controller priority

Azure AD Connect, the on-premises synchronization engine, integrates with Active Directory sites and services and uses DCLocator to decide on Domain Controllers to use.

Azure AD Connect Cloud Sync, on the other hand, offers Domain Controller priority. From the Azure AD Connect Cloud Sync interface, which is part of the Azure (AD) Portal, you can pick and prioritize the Domain Controllers to use.

Azure AD Connect Cloud Sync offers true group filtering

Azure AD Connect, the on-premises synchronization engine, offers a feature to pilot the use of Azure AD through its Group Filtering feature. Objects that have a direct membership to the single group specified on the Group Filtering page of the Azure AD Connect configuration wizard are the only objects in scope for synchronization.

Azure AD Connect Cloud Sync offers true Group Filtering. From the Azure AD Connect Cloud Sync interface, which is part of the Azure (AD) Portal, you can specify the groups whose members you want to be in scope for synchronization.

Granted, by customizing synchronization rules in Azure AD Connect, you can achieve filtering based on other attributes, like the userPrincipalName suffix. Both methods leave room for flexibility in deciding the object scope.

Azure AD Connect Cloud Sync doesn’t support on-premises LDAP directories

Azure AD Connect, the on-premises synchronization engine, offers support for LDAPv3-compatible directories. Azure AD Cloud Sync does not.

Azure AD Connect Cloud Sync doesn’t support device objects

You cannot synchronize device objects using Azure AD Connect Cloud Sync. This also means that you cannot use the Hybrid Azure AD Join feature with Azure AD Connect Cloud Sync.

If you want to configure devices for Hybrid Azure AD Join, deploy Azure AD Connect as an on-premises synchronization solution.

Azure AD Connect Cloud Sync doesn’t support password, device or group writeback and doesn’t support Exchange Hybrid

Azure AD Connect, the on-premises synchronization engine, offers many writeback features. It supports writeback of passwords, devices and groups from Azure AD to Active Directory.

Azure AD Connect Cloud Sync does not. It also doesn’t support the mS-DS-ConsistencyGUID as the source anchor. Instead, it currently defaults to the objectGUID attribute to relate objects end-to-end.

Without any of the writeback features from Azure AD Connect, you might also suspect that Azure AD Connect Cloud Sync doesn’t support Exchange Hybrid scenarios. You’d be right.

Azure AD Connect Cloud Sync doesn’t support directory extensions

Azure AD Connect offers synchronization of the contents of attributes that originate in 3rd-party schema extensions. You can configure this feature by enabling the Directory extension attribute sync feature on the Optional Features page of Azure AD Connect’s configuration wizard.

Azure AD Connect Cloud Sync doesn’t support directory extensions.

Azure AD Connect Cloud Sync doesn’t support Azure AD Connect Health

Azure AD Connect Health is a service that reports on the availability and configuration of Azure AD Connect installations, AD FS servers, Web Application Proxies and Domain Controllers.

Alas, just like pass-through authentication (PTA) agents, Azure AD Connect Cloud Sync agents lack integration with Azure AD Connect Health. The Azure AD Portal will show you perfect green checks when the agent is able to communicate with the Azure AD infrastructure. However, the green check you see doesn’t mean the agent is able to communicate with Domain Controllers…

Azure AD Connect Cloud Sync’s agent model offers high availability

Azure AD Connect, the on-premises synchronization engine, acts as a single point of failure for synchronization of objects. Staging Mode servers can alleviate some of the pain points, but ultimately, the Azure AD Connect model relies on a single synchronization engine for object and attribute integrity.

With Azure AD Connect Cloud Sync, the cloud-based engine takes care of all the object and attribute integrity issues, regardless of the number of Azure AD Connect Cloud Sync agents running or the number of locations you run these agents from.

You can enjoy high availability without deploying load balancers or any other fancy technology.

Azure AD Connect Cloud Sync agents don’t have a database

Azure AD Connect, the on-premises synchronization engine, uses a Microsoft SQL Server database to store its metaverse and connector spaces in.

Azure AD Connect Cloud Sync’s agents don’t have a database. This means you don’t need to give hosts running these agents any special consideration from a backup point of view. A simple crash-consistent backup will do.

Concluding

For all organizations that have deployed Azure AD Connect using the Use express settings button in Azure AD Connect’s configuration wizard, Azure AD Connect Cloud Sync is a model they might gain additional benefits from.

For organizations further on the Hybrid Identity path, who may or may not have embraced Exchange Hybrid, Hybrid Azure AD Join or are collapsing Active Directory forests using the mS-DS-ConsistencyGUID as their source anchor, this might not be the best time to convert to the Cloud Sync model, yet.


Two improvements in VMware vSphere 7.0 Update 2 are welcome news for Microsoft-oriented Identity-focused admins

This week, VMware released vSphere 7.0 Update 2 on its 6-month release schedule for its vSphere product. It is available to download right away, both through VMware Customer Connect and from within vSphere Lifecycle Manager itself.

What’s New

In case you missed it, the key focus areas in which VMware is making investments in vSphere 7.0 Update 2 are:

  • Deliver AI & Developer Ready Infrastructure
  • Boost Infrastructure and Data Security
  • Simplify Operations

The latest vSphere 7.0 Update 2 release further highlights vSphere as the industry’s leading compute virtualization platform that transforms bare metal server, CPU, and GPU-based hardware into virtual machines and containers. vSphere optimizes performance, increases availability, tightens security, and streamlines maintenance to create an agile, efficient, resilient, and intrinsically secure infrastructure platform to support existing workloads and next-gen applications.

The release blogpost on its vSphere Blog provides all the additional information you need.

What 7.0 Update 2 means to me

As a Microsoft-oriented Identity-focused admin managing virtualized Domain Controllers on top of VMware vSphere, two improvements really stand out to me:

It’s Easier to get up and running with VM Encryption and vTPM

I’ve shared how to protect virtual Domain Controllers on vSphere with VM Encryption earlier. To get this going requires a KMIP 1.1-compliant Key Management Server (KMS) like Hytrust’s KeyControl.

With vSphere 7.0 Update 2, VMware introduces the vSphere Native Key Provider. This mechanism exists fully within vSphere to enable data-at-rest protections like vSAN Encryption, VM Encryption, and vTPM out of the box, making it a lot easier to take advantage of these security features.

VMware Tools Enhancements

Ultimately, in Active Directory Domain Services, the hardware clock of Domain Controllers rules out replication conflicts. Previously, I’ve shared how to Manage Active Directory Time Synchronization on VMware vSphere and how to Configure Accurate Time in Active Directory.

VMware Tools enhancements in vSphere 7.0 Update 2 include Precision Clock drivers for the Windows Time Service, enabling easy use of the Precision Time Protocol for situations where you need even more precise time.

Get going with vSphere 7.0 Update 2

Download vSphere 7 Update 2 through VMware Customer Connect to get going or download it from within vSphere Lifecycle Manager itself.

Further reading

Protecting virtual Domain Controllers on vSphere with VM Encryption 
Managing Active Directory Time Synchronization on VMware vSphere 
HOWTO: Configure Accurate Time in Active Directory 
VMware vSphere 7.0 Update 1 introduces an interface for advanced time synchronization configuration


The March 2021 Cumulative Update addresses seven Windows Server DNS vulnerabilities

Windows Server

Today, for its March 2021 Patch Tuesday, Microsoft released a security update that addresses seven vulnerabilities in DNS Servers running Windows Server.

About the vulnerabilities

The vulnerabilities are described as follows:


CVE-2021-26877 Windows DNS Server Remote Code Execution Vulnerability Critical

A remote code execution vulnerability, identified as CVE-2021-26877, exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account over the network. To be vulnerable, the DNS server would need to have dynamic updates enabled. The vulnerability is rated with a CVSSv3 score of 9.8/8.5.

The vulnerability was discovered by Microsoft Platform Security & Vulnerability Research.

CVE-2021-26893 Windows DNS Server Remote Code Execution Vulnerability Critical

A remote code execution vulnerability, identified as CVE-2021-26893, exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account over the network. To be vulnerable, the DNS server would need to have dynamic updates enabled. The vulnerability is rated with a CVSSv3 score of 9.8/8.5.

The vulnerability was discovered by Nicolas Joly of Microsoft.


CVE-2021-26894 Windows DNS Server Remote Code Execution Vulnerability Critical

A remote code execution vulnerability, identified as CVE-2021-26894, exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account over the network. To be vulnerable, the DNS server would need to have dynamic updates enabled. The vulnerability is rated with a CVSSv3 score of 9.8/8.5.

The vulnerability was discovered by Nicolas Joly of Microsoft.

CVE-2021-26895 Windows DNS Server Remote Code Execution Vulnerability Critical

A remote code execution vulnerability, identified as CVE-2021-26895, exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account over the network. To be vulnerable, the DNS server would need to have dynamic updates enabled. The vulnerability is rated with a CVSSv3 score of 9.8/8.5.

The vulnerability was discovered by Nicolas Joly of Microsoft.


CVE-2021-26896 Windows DNS Server Denial of Service Vulnerability

A denial of service vulnerability, identified as CVE-2021-26896, exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could disrupt DNS services. To be vulnerable, the DNS server would need to have dynamic updates enabled. The vulnerability is rated with a CVSSv3 score of 7.5/6.5.

CVE-2021-26897 Windows DNS Server Remote Code Execution Vulnerability Critical

A remote code execution vulnerability, identified as CVE-2021-26897, exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account over the network. To be vulnerable, the DNS server would need to have dynamic updates enabled. The vulnerability is rated with a CVSSv3 score of 9.8/8.5.

CVE-2021-27063 Windows DNS Server Denial of Service Vulnerability

A denial of service vulnerability, identified as CVE-2021-27063, exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could disrupt DNS services. To be vulnerable, the DNS server would need to have dynamic updates enabled. The vulnerability is rated with a CVSSv3 score of 7.5/6.5.

Affected Operating Systems

Windows Server installations dating back to Windows Server 2008 that are configured as DNS servers with dynamic updates enabled are at risk from these vulnerabilities. Both Server Core and Full installations of Windows Server are affected. The recently released Windows Server version 20H2 is also vulnerable.

Mitigations

Enabling Secure Zone Updates constrains the potential sources of attacks on the above vulnerabilities, but does not completely prevent them. For example, a malicious insider could still attack a DNS server configured for secure zone updates from a domain-joined computer. Hence, enabling Secure Zone Updates provides only a partial mitigation.

These vulnerabilities impact any DNS server, both standalone primary authoritative DNS servers and DNS servers that are integrated with Active Directory. The surrounding configuration can limit the possible vectors and sources of an attack, but proper mitigation requires this month’s security update.
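Since all seven vulnerabilities require dynamic updates to be enabled and Secure-only updates are at best a partial mitigation, it helps to know exactly which zones accept which kind of update before the patch rolls out. The following PowerShell script is an added example, not part of the original post; it assumes the DnsServer module (installed with the DNS Server role or RSAT) and DNS administrator rights on the servers you pass in. Its default server list is a placeholder.

```powershell
# Added example: inventory the dynamic update setting of every primary zone on
# the given Windows DNS servers and, optionally, tighten AD-integrated zones
# that still accept unauthenticated updates. This narrows exposure to the
# March 2021 DNS vulnerabilities; it does not replace installing the update.
param(
    # Placeholder default: pass your own DNS server / Domain Controller names.
    [string[]]$DnsServers = @($env:COMPUTERNAME),
    # When set, AD-integrated zones on NonsecureAndSecure are switched to Secure.
    [switch]$Harden
)

$report = foreach ($server in $DnsServers) {
    # Primary zones are the ones that accept dynamic updates; secondary and
    # stub zones do not, and the auto-created zones (e.g. 0.in-addr.arpa) are noise.
    $zones = Get-DnsServerZone -ComputerName $server |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

    foreach ($zone in $zones) {
        $assessment = switch ($zone.DynamicUpdate) {
            'NonsecureAndSecure' { 'High: unauthenticated dynamic updates accepted' }
            'Secure'             { 'Medium: only authenticated domain members can update' }
            'None'               { 'Low: dynamic updates disabled' }
            default              { "Unknown setting: $($zone.DynamicUpdate)" }
        }

        if ($Harden -and $zone.DynamicUpdate -eq 'NonsecureAndSecure') {
            if ($zone.IsDsIntegrated) {
                # Secure dynamic updates are only available for AD-integrated zones.
                Set-DnsServerPrimaryZone -ComputerName $server -Name $zone.ZoneName -DynamicUpdate Secure
                $assessment = 'Changed to Secure (was NonsecureAndSecure)'
            } else {
                # File-backed zones cannot use Secure; the only alternative is None.
                $assessment += ' (file-backed zone: set DynamicUpdate to None if updates are not required)'
            }
        }

        [pscustomobject]@{
            Server        = $server
            Zone          = $zone.ZoneName
            DsIntegrated  = $zone.IsDsIntegrated
            DynamicUpdate = $zone.DynamicUpdate
            Assessment    = $assessment
        }
    }
}

$report | Sort-Object Server, Zone | Format-Table -AutoSize
```

Run it without -Harden first to get the inventory; every zone reported as High is reachable by any host that can send DNS update packets to that server, patched or not.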

Call to Action

I urge you to install the necessary security updates on Windows Server installations running as (Active Directory Domain Controllers and) DNS servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to the Windows Server installations running as (Active Directory Domain Controllers and) DNS servers in the production environment.

FURTHER READING

Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-24078) 
Windows DNS Server RCE Vulnerability (SIGred, Wormable, Critical, CVE-2020-1350)
DNS Server Heap Overflow Vulnerability could allow RCE (Critical, CVE-2018-8626)
Vulnerability in DNS Server could allow RCE (Critical, CVE-2016-3227)
Security Update for DNS Server to Address RCE (Critical, CVE-2015-6125)


A Recap of Identity-related Announcements from Microsoft Ignite 2021 Spring Edition

Microsoft Ignite 2020

Another Microsoft Ignite event comes to a close. Microsoft’s latest Ignite event was organized as a free digital event between Tuesday March 2nd and Thursday March 4th, 2021, labeled the 2021 Spring Edition.

During Microsoft Ignite 2021 Spring Edition, Microsoft made the following Identity-related announcements, next to the announcements on their monthly recurring release notes for Azure AD:

Passwordless Authentication General Availability

Passwordless authentication in Azure AD is now generally available. People at organizations that activate passwordless authentication will no longer need to use passwords to sign into the network. Instead, they can sign in with a look or tap using Windows Hello for Business, Microsoft Authenticator app or compatible FIDO2 security keys.

Azure AD also now enables configuration of policies for different users, groups and types of credentials, and provides reporting and APIs.

Header-based authentication in Azure AD Application Proxy General Availability

General availability of support for header-based authentication in Azure AD Application Proxy enables organizations to move header-based authentication apps from systems like SiteMinder and Oracle Access Manager and natively connect them to Azure AD. This enables organizations to apply consistent Conditional Access policies to all apps, allowing remote workers to connect more securely.

AWS Single Sign-on in the App Gallery General Availability

AWS Single Sign-On (SSO), a cloud-based service that simplifies SSO access across multiple Amazon Web Services (AWS) accounts and resources, is now pre-integrated in the Azure Active Directory (Azure AD) app gallery.

Organizations can now quickly configure single sign-on and user provisioning to AWS SSO using the Azure AD App Gallery. People in the organization can then sign into AWS SSO using their Azure AD credentials to access all their assigned AWS resources.

Azure AD External Identities Coming Soon

Azure AD External Identities is a set of capabilities that enable organizations to secure and manage access for customers and partners. Azure AD External Identities will be generally available beginning this month.

Organizations can protect their business to business (B2B) and business to consumer (B2C) apps and users with adaptive, machine learning-driven security with Azure AD Identity Protection, plus flexible low-code/no-code customization and controls over the user experience.

Application Template API Coming Soon

The Application Template API will be generally available this month. The Application Template API in Microsoft Graph allows admins and developers to programmatically manage applications in the Azure AD app gallery. This API allows admins and developers to list, search, update or create applications in the Azure AD app gallery via an API.

Admin Consent Workflow Coming Soon

The Admin Consent Workflow will be generally available this month. The Admin Consent Workflow gives admins a secure way to grant access to applications for users who require approval. When users try to access an application that requires admin consent, they can now send a request to admins during the sign-in flow.

AD Federation Services (AD FS) activity and insights report Coming Soon

The AD Federation Services (AD FS) activity and insights report, available in the Azure portal, lets admins quickly identify which applications are capable of being upgraded to Azure AD. It assesses all AD FS applications for compatibility with Azure AD, checks for any issues and provides guidance on preparing individual applications for migration to Azure AD.

New secure hybrid access integrations Coming Soon

Several new secure hybrid access integrations enable admins to connect and protect their legacy applications, such as non-HTTP, LDAP and SSH apps, to Azure AD. Expanded partnerships include Silverfort, Datawiza, Perimeter 81 and Strata.

These integrations help organizations to unify their identity management with Azure Active Directory (Azure AD), which can reduce costs of managing multiple identity providers, strengthen security and provide people with seamless access to all apps.

Temporary Access Pass Public Preview

Temporary Access Pass, a time-limited code used for setup and recovery of a passwordless credential, has been released to public preview. With Temporary Access Pass, new people in your organization receive a one-time password to log in and register their account and then register a passwordless credential, such as the Authenticator app, to use going forward. Temporary Access Pass can also be used to replace a lost credential or recover an account.

Azure AD App Proxy Geo Routing Public Preview

Azure AD App Proxy Geo Routing is now available in public preview. This feature allows organizations to designate which region their Azure AD App Proxy service connector group should use so that they can choose the same region their application is in with the service connector, improving performance and reducing the latency to the App Proxy service.

Azure Key Vault Managed HSM Public Preview

Azure Key Vault Managed Hardware Security Module (HSM) offers a fully managed, highly available, single-tenant key management service with FIPS 140-2 Level 3 validated hardware security modules (HSMs).

Cosmos DB Role-based Access Control Public Preview

Role-based Access Control (RBAC) for Cosmos DB provides organizations with enhanced security for data in Azure. The introduction of RBAC to Cosmos DB with Azure Active Directory (Azure AD) integration enables organizations to assign roles to users and applications, which provides a granular, well-defined way to control data access from users and applications. Organizations can determine the identity used to perform a database operation by retrieving the information in diagnostic logs.

Azure AD verifiable credentials Coming Soon

Azure AD verifiable credentials will be available in public preview in April 2021. This capability enables organizations to issue digital claims about identity attributes based on open standards. Individuals can manage credentials in the Microsoft Authenticator app and developers will be able to request and verify credentials via an application software development kit (SDK).

Conditional Access authentication context Coming Soon

Azure AD Conditional Access Authentication Context is coming soon to public preview. Azure AD Conditional Access enables organizations to configure and fine-tune their access policies with factors such as user, device, location and real-time risk information to control what a specific user can access, as well as when and how they can access it.

By enabling more granular security at the app level, authentication context lets organizations move away from one-size-fits-all controls and adopt more balanced policies that appropriately protect important information without unduly restricting access to less-sensitive content.


What's New in Azure Active Directory for February 2021

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for February 2021:

What’s Planned

Email one-time passcode authentication on by default

Service category: B2B
Product capability: B2B/B2C

Starting October 31, 2021, Azure AD email one-time passcode authentication will become the default method for inviting accounts and tenants for B2B collaboration scenarios. At this time, Microsoft will no longer allow the redemption of invitations using unmanaged Azure Active Directory accounts.

Unrequested but consented permissions will no longer be added to tokens if they would trigger Conditional Access

Service category: Authentications (Logins)
Product capability: Platform

Currently, applications using dynamic permissions are given all of the permissions they're consented to access. This includes permissions that were not requested, even when those permissions trigger Conditional Access. For example, this can cause an app requesting only user.read, but that also has consent for files.read, to be forced to pass the Conditional Access policy assigned for the files.read permission.

To reduce the number of unnecessary Conditional Access prompts, Azure AD is changing the way that unrequested scopes are provided to applications. Apps will only trigger Conditional Access for the permissions they explicitly request.

What’s New

Authentication Policy Administrator built-in role General availability

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

People with this privileged Azure AD role can configure the authentication methods policy, tenant-wide MFA settings, and password protection policy. This role grants permission to manage Password Protection settings: smart lockout configurations and updating the custom banned passwords list.

Domain Name Administrator built-in role General availability

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

People with this privileged Azure AD role can manage (read, add, verify, update, and delete) domain names. They can also read directory information about users, groups, and applications, as these objects have domain dependencies.

For on-premises environments, people with this role can configure domain names for federation so that associated users are always authenticated on-premises. These users can then sign into Azure AD-based services with their on-premises passwords via single sign-on. Because federation settings need to be synchronized via Azure AD Connect, people with this role also have permission to manage Azure AD Connect.

User collections on My Apps General availability

Service category: My Apps
Product capability: End User Experiences

People can now create their own groupings of apps on the My Apps app launcher. They can also reorder and hide collections shared with them by their administrator.

Autofill in Authenticator General availability

Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

Microsoft Authenticator provides multi-factor authentication (MFA) and account management capabilities, and now also will autofill passwords on sites and apps people visit on their mobile devices running iOS or Android.

To use autofill on Authenticator, people need to add their personal Microsoft account to Authenticator and use it to synchronize their passwords. Work or school accounts cannot be used to synchronize passwords at this time.

Invite internal users to B2B collaboration General availability

Service category: B2B
Product capability: B2B/B2C

Organizations can now invite internal guests to use B2B collaboration instead of sending an invitation to an existing internal account. This allows organizations to keep that user's object ID, userPrincipalName, group memberships, and app assignments.

Use a Temporary Access Pass to register Passwordless credentials Public Preview

Service category: Multi-factor authentication (MFA)
Product capability: Identity Security & Protection

Temporary Access Pass is a time-limited passcode that serves as strong credentials and allows onboarding of passwordless credentials and recovery when a person has lost or forgotten their strong authentication factor (for example, FIDO2 security key or Microsoft Authenticator app) and needs to sign in to register new strong authentication methods.

Keep me signed in (KMSI) in next generation of user flows Public Preview

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

The next generation of B2C user flows now supports the keep me signed in (KMSI) functionality that allows customers to extend the session lifetime for the people of their web and native applications by using a persistent cookie. This feature keeps the session active even when the person closes and reopens the browser, and is revoked when the person signs out.

External Identities Self-Service Sign-up in AAD using Microsoft accounts Public Preview

Service category: B2B
Product capability: B2B/B2C

External people will now be able to use Microsoft Accounts (MSAs) to sign in to Azure AD first party and line of business (LOB) apps.

Reset redemption status for a guest user Public Preview

Service category: B2B
Product capability: B2B/B2C

Organizations can now reinvite existing external guests to reset their redemption status, which allows the guest user account to remain without them losing any access.

/synchronization (provisioning) APIs now support application permissions Public Preview

Service category: App Provisioning
Product capability: Identity Lifecycle Management

Customers can now use application.readwrite.ownedby as an application permission to call the synchronization APIs. This is only supported for provisioning from Azure AD out into third-party applications (for example, AWS, Data Bricks, etc.). It is currently not supported for HR-provisioning (Workday / Successfactors) or Azure AD Connect Cloud Sync.

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In February 2021, Microsoft added the following new applications to the Azure AD App gallery with Federation support:

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:

What’s Changed

10 Azure Active Directory roles now renamed

Ten Azure AD built-in roles have been renamed so that they're aligned across the Microsoft 365 admin center, Azure AD portal, and Microsoft Graph.

New Company Branding in MFA/SSPR Combined Registration

Service category: User Experience and Management
Product capability: End User Experiences

In the past, company logos weren't used on Azure Active Directory sign-in pages. Company branding is now located to the top left of MFA/SSPR Combined Registration. Company branding is also included on My Sign-Ins and the Security Info page.

Second level manager can be set as alternate approver

Service category: User Access Management
Product capability: Entitlement Management

An extra option when admins select approvers is now available in Entitlement Management. If you select Manager as approver for the First Approver field, they will have another option, Second level manager as alternate approver, available to choose in the alternate approver field. If admins select this option, they need to add a fallback approver to forward the request to in case the system can't find the second level manager.

Authentication Methods Activity Dashboard

Service category: Reporting
Product capability: Monitoring & Reporting

The refreshed Authentication Methods Activity dashboard gives admins an overview of authentication method registration and usage activity in their tenant(s). The report summarizes the number of users registered for each method, and also which methods are used during sign-in and password reset.

What’s Deprecated

Refresh and session token lifetimes configurability in Configurable Token Lifetime (CTL) are retired

Service category: Other
Product capability: User Authentication

Refresh and session token lifetimes configurability in CTL are retired. Azure AD no longer honors refresh and session token configuration in existing policies.
