Channel: The things that are better left unspoken

What’s New in Azure Active Directory for December 2018


Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new and changed functionality for Azure Active Directory for December 2018:


What’s New

Administrators can require users to accept a Terms of use on each device

Service category: Terms of Use
Product capability: Governance

Administrators can now turn on the Require users to consent on every device option to require their users to accept the Terms of use on every device they’re using on the Azure AD tenant.


Administrators can configure a Terms of use to expire based on a recurring schedule

Service category: Terms of Use
Product capability: Governance

Administrators can now turn on the Expire consents option to make a Terms of use expire for all users, based on the specified recurring schedule. The schedule can be annually, bi-annually, quarterly, or monthly. After the Terms of use expires, users must reaccept.


Administrators can configure a Terms of use to expire based on each user’s schedule

Service category: Terms of Use
Product capability: Governance

Administrators can now specify a duration after which users must reaccept a Terms of use. For example, administrators can specify that users must reaccept a Terms of use every 90 days.


What’s Fixed

Users removed from synchronization scope no longer switch to cloud-only accounts

Service category: User Management
Product capability: Directory

The team has fixed a bug in which the DirSyncEnabled flag of a user would be erroneously switched to False when the Active Directory Domain Services (AD DS) object was excluded from synchronization scope and then moved to the Recycle Bin in Azure AD on the following sync cycle. As a result of this fix, if the user is excluded from sync scope and afterwards restored from Azure AD Recycle Bin, the user account remains as synchronized from on-premises AD, as expected, and cannot be managed in the cloud since its source of authority (SoA) remains on-premises AD.

Prior to this fix, there was an issue when the DirSyncEnabled flag was switched to False. It gave the wrong impression that these accounts were converted to cloud-only objects and that the accounts could be managed in the cloud. However, the accounts still retained their source of authority (SoA) as on-premises and all synchronized properties (shadow attributes) coming from on-premises AD. This condition caused multiple issues in Azure AD and other cloud workloads (like Exchange Online) that expected to treat these accounts as synchronized from AD but were now behaving like cloud-only accounts.

At this time, the only way to truly convert a synchronized-from-AD account to cloud-only account is by disabling DirSync at the tenant level, which triggers a backend operation to transfer the source of authority (SoA). This type of SoA change requires (but is not limited to) cleaning all the on-premises related attributes (such as LastDirSyncTime and shadow attributes) and sending a signal to other cloud workloads to have its respective object converted to a cloud-only account too.
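The inconsistent state described above (DirSyncEnabled switched to False while the on-premises shadow attributes remain) can be located with a simple filter. This is an added example, not code from the original post or from Microsoft; it assumes the property names of the MSOnline module's user object (Get-MsolUser) and uses constructed sample accounts under a placeholder tenant domain.

```powershell
# Added example: find accounts whose DirSyncEnabled flag says "cloud-only" while
# they still carry synchronization attributes from on-premises AD.
function Find-InconsistentDirSyncState {
    param(
        # Any object exposing UserPrincipalName, DirSyncEnabled, LastDirSyncTime
        # and ImmutableId, e.g. the output of Get-MsolUser (MSOnline module).
        [Parameter(Mandatory, ValueFromPipeline)] $User
    )
    process {
        # A genuinely cloud-only account has neither a LastDirSyncTime nor an
        # ImmutableId (the on-premises source anchor). An account that is not
        # flagged as synchronized but still has either one is the state the
        # fix above is about: its source of authority is still on-premises AD.
        $looksSynced = ($null -ne $User.LastDirSyncTime) -or
                       (-not [string]::IsNullOrEmpty($User.ImmutableId))
        if ((-not $User.DirSyncEnabled) -and $looksSynced) {
            [pscustomobject]@{
                UserPrincipalName = $User.UserPrincipalName
                DirSyncEnabled    = $User.DirSyncEnabled
                LastDirSyncTime   = $User.LastDirSyncTime
                ImmutableId       = $User.ImmutableId
                Assessment        = 'Flag says cloud-only, attributes say synchronized'
            }
        }
    }
}

# Constructed sample users (placeholder tenant domain, not a real tenant).
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'synced@example.onmicrosoft.com';   DirSyncEnabled = $true
                       LastDirSyncTime = (Get-Date).AddHours(-1);               ImmutableId = 'c29tZUd1aWQ=' }
    [pscustomobject]@{ UserPrincipalName = 'cloudonly@example.onmicrosoft.com'; DirSyncEnabled = $null
                       LastDirSyncTime = $null;                                  ImmutableId = $null }
    [pscustomobject]@{ UserPrincipalName = 'affected@example.onmicrosoft.com';  DirSyncEnabled = $false
                       LastDirSyncTime = (Get-Date).AddDays(-3);                ImmutableId = 'YW5vdGhlcklk' }
)

# Only the third account is reported.
$sampleUsers | Find-InconsistentDirSyncState | Format-Table -AutoSize

# Against a real tenant, after Connect-MsolService:
#   Get-MsolUser -All | Find-InconsistentDirSyncState
```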


What’s Changed

Updates to the audit and sign-in logs schema through Azure Monitor (Breaking change)

Service category: Reporting
Product capability: Monitoring & Reporting

The team is currently publishing both the Audit and Sign-in log streams through Azure Monitor, so admins can seamlessly integrate the log files with Security Incident and Event Monitoring (SIEM) tools or with Log Analytics.

Based on feedback, and in preparation for this feature’s general availability (GA) announcement, the team is making changes to the schema. These schema changes and their related documentation updates will happen by the first week of January.


Identity Protection improvements to the supervised machine learning model and the risk score engine

Service category: Identity Protection
Product capability: Risk Scores

Improvements to the Identity Protection-related user and sign-in risk assessment engine can help to improve user risk accuracy and coverage. Administrators may notice that user risk level is no longer directly linked to the risk level of specific detections, and that there’s an increase in the number and level of risky sign-in events.

Risk detections are now evaluated by the supervised machine learning model, which calculates user risk by using additional features of the user’s sign-ins and a pattern of detections. Based on this model, administrators might find users with high risk scores, even if detections associated with that user are of low or medium risk. 


Administrators can reset their own password using the Microsoft Authenticator app (Public preview)

Service category: Self Service Password Reset
Product capability: User Authentication

Azure AD administrators can now reset their own password using the Microsoft Authenticator app notifications or a code from any mobile authenticator app or hardware token. To reset their own password, administrators will now be able to use two of the following methods:

  • Microsoft Authenticator app notification
  • Other mobile authenticator app / Hardware token code
  • Email
  • Phone call
  • Text message

The post What’s New in Azure Active Directory for December 2018 appeared first on The things that are better left unspoken.


KnowledgeBase: The Windows Server 2019 Active Directory DFL and FFL do not exist


Windows Server 2019

There is no Windows Server 2019 Forest Functional Level (FFL) or Windows Server 2019 Domain Functional Level (DFL) in Microsoft Windows Server’s Active Directory Domain Services (AD DS).


Impact

The unavailability of the Windows Server 2019 Forest Functional Level (FFL) and Windows Server 2019 Domain Functional Level (DFL) has the following impact:

  • There are, apparently, no new features in Active Directory Domain Services in Windows Server 2019 that require a new Domain Functional Level.
  • There are, apparently, no new features in Active Directory Domain Services in Windows Server 2019 that require a new Forest Functional Level.
  • When upgrading or transitioning Active Directory from Windows Server 2016 to Windows Server 2019, the Domain Functional Level (DFL) and Forest Functional Level (FFL) do not have to be raised. This eliminates two steps of the process.
  • When upgrading or transitioning Active Directory from Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2 to Windows Server 2019, the Domain Functional Level (DFL) and Forest Functional Level (FFL) only need to be raised to Windows Server 2016.
  • There is no way to limit the ability for Active Directory admins (for domains in an Active Directory forest) to install Windows Server 2016-based Domain Controllers in an environment with Windows Server 2019-based Domain Controllers. However, since Windows Server 2012, there is a way to limit promotions of Domain Controllers altogether.

The unavailability of the Windows Server 2019 Forest Functional Level (FFL) and Windows Server 2019 Domain Functional Level (DFL) does not eliminate the step of updating the Active Directory schema to version 88 using adprep.exe before Windows Server 2019-based Domain Controllers can be installed. However, since Windows Server 2012, this step may be part of the promotion process of the first Domain Controller.


About Active Directory Functional Levels

In previous versions of Active Directory, each Windows Server version was accompanied by a corresponding Forest Functional Level (FFL) and Domain Functional Level (DFL).

When upgrading Domain Controllers to newer versions of Windows Server or transitioning to Domain Controllers running newer versions of Windows Server, the functional levels would unlock new functionality on either the Active Directory forest or Active Directory domain level.

Raising functional levels

Only when all Domain Controllers for an Active Directory domain would run the newer version of Windows Server, could an Active Directory admin raise the Domain Functional Level (DFL) to the version corresponding with the version of Windows Server.

Only when all domains for an Active Directory forest would run the newer Domain Functional Level (DFL), could an Active Directory admin raise the Forest Functional Level (FFL) to the version corresponding with the version of the domains.

Lowering functional levels

Starting with the Windows Server 2008 levels, you can revert to lower Domain Functional Levels and Forest Functional Levels.

Note:
The lowest levels you can return to are the Windows Server 2008 Forest Functional Level (FFL) and the Windows Server 2008 Domain Functional Level (DFL).

Note:
The Active Directory Domain Functional Level (DFL) of a domain can only be lowered after the Active Directory Forest Functional Level (FFL) has been lowered to a lower version.

Note:
The Active Directory Forest Functional Level (FFL) can only be lowered from the Windows Server 2008 R2 to the Windows Server 2008 Forest Functional Level (FFL) when the Active Directory Recycle Bin optional feature is not enabled.

This paints the following picture:

[Figure: Domain and Forest Functional Levels with Windows Server 2019]
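The facts above (schema version 88, no level beyond Windows Server 2016, and the Recycle Bin blocking a lowering of the FFL) can be read from the directory in one go. This is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine and that the Recycle Bin optional feature is named 'Recycle Bin Feature' in the directory.

```powershell
# Added example: report what an admin checks before introducing Windows Server 2019
# Domain Controllers into an existing forest.
Import-Module ActiveDirectory

function Get-Ad2019Readiness {
    $rootDse = Get-ADRootDSE
    # objectVersion on the schema partition head: 88 is the Windows Server 2019 schema.
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $forest  = Get-ADForest
    $domain  = Get-ADDomain
    # EnabledScopes is empty while the Recycle Bin optional feature is not enabled.
    $recycle = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

    $ffl = $forest.ForestMode.ToString()
    $dfl = $domain.DomainMode.ToString()

    [pscustomobject]@{
        SchemaVersion         = $schema.objectVersion
        SchemaReadyFor2019    = ($schema.objectVersion -ge 88)
        ForestFunctionalLevel = $ffl
        DomainFunctionalLevel = $dfl
        # There is no 2019 level, so the 2016 levels are the target: coming from
        # 2008 .. 2012 R2 they still need raising, coming from 2016 they do not.
        LevelsNeedRaising     = ($ffl -ne 'Windows2016Forest') -or ($dfl -ne 'Windows2016Domain')
        # An enabled Recycle Bin prevents lowering the FFL below Windows Server 2008 R2.
        RecycleBinEnabled     = ($recycle.EnabledScopes.Count -gt 0)
    }
}

Get-Ad2019Readiness | Format-List
```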

Further reading

Preventing Domain Controller promotions, cloning and demotions
New features in AD DS in Windows Server 2012, Part 3: New Upgrade Process
How to Revert Back or Lower the Active Directory Forest and Domain Functional Levels
Forest and Domain Functional Levels

The post KnowledgeBase: The Windows Server 2019 Active Directory DFL and FFL do not exist appeared first on The things that are better left unspoken.

HOWTO: Install CensorNet’s SMS PASSCODE AD FS Agent


HowTo

Today, I had the pleasure of installing and configuring the AD FS Agent that is part of CensorNet’s SMS PASSCODE product, version 2018 (version 10). Here’s how to perform this task yourself.


About the Extensible Authentication Framework

Active Directory Federation Services (AD FS) offers the Extensible Authentication Framework (EAF). Leveraging this functionality, multi-factor authentication providers can hook their products into the authentication funnel.

Through an AD FS Agent, the authentication gets routed to the multi-factor authentication software, when an MFA claim is needed. Only when the multi-factor authentication software signals back that the multi-factor authentication was successful, will AD FS be able to successfully send a federation claim to the user.


About CensorNet and SMS PASSCODE

SMS PASSCODE is one of the oldest multi-factor authentication solutions in the market. Their solution currently offers one-time passwords (OTPs) in SMS text messages and through their SMS PASSCODE mobile app.

The architecture of the product is to use a centralized authentication server, hosting the information for authenticating. Users can be imported into this server from Active Directory and other sources. Fail-over servers can be implemented to reduce the dependency on one server. Agents, called Client Authentication Protections, offer functionality like RADIUS connectivity and, as I’ll point out in this blogpost, AD FS connectivity through the Extensible Authentication Framework (EAF).


Prerequisites

Before following the below steps, make sure you meet the following prerequisites:

  • Implement the central CensorNet SMS PASSCODE server. Copy the installation file for the server component to a file location that is accessible to the AD FS Server(s). Make sure user accounts are configured with appropriate authentication information.
  • Log on to the AD FS Server(s) with an account that has privileges to manage Active Directory Federation Services. Make sure you run the last steps of this HowTo on the AD FS Server that is the primary server, when the AD FS Farm leverages the Windows Internal Database (WID) as the AD FS configuration database.
  • Make sure the AD FS Servers are able to communicate with the centralized CensorNet SMS PASSCODE server over TCP port 8988. Web Application Proxies don’t need a connection to the server, though.
  • After installation and configuration of the SMS PASSCODE Client Authentication Protection for AD FS, the AD FS Servers need to be restarted. Make sure to plan these actions outside working hours, or have a fully redundant AD FS implementation.


How to install and configure the agent

Follow these steps to install and configure the CensorNet SMS PASSCODE Client Authentication Protection for AD FS:

  • Log on to the AD FS server.
  • Locate the CensorNet SMS PASSCODE installation file.

    [Screenshot: The SMS PASSCODE Installer in File Explorer]

  • Double-click the SmsPasscode-2018-x64.exe installation file to start installing.

    [Screenshot: Welcome to the InstallShield Wizard for SMS PASSCODE 2018]

  • In the Welcome to the InstallShield Wizard for SMS PASSCODE screen of the SMS PASSCODE 2018 installer, click Next >.
  • In the License Agreement screen, select the option I accept the terms in the license agreement. Click Next >.

    [Screenshot: Installation Scope]

  • In the Installation Scope screen, only select the option to Install Authentication Client Protection and click Next >. The other option installs the central server component.
  • In the Destination Folder screen, click Next > to accept the default installation location: C:\Program Files\SMS PASSCODE\.

    [Screenshot: Authentication Clients]

  • In the Authentication Clients screen, only select the AD FS Protection option. Click Next >.
  • In the Configuration Tool pop-up, click OK to acknowledge that all settings need to be checked and that installation continues after the configuration tool is closed.

    [Screenshot: Network tab]

  • In the SMS PASSCODE – Configuration Tool, on the Network tab, specify the shared secret to communicate with the central server, twice. Click Save.
  • Navigate to the Backend Hosts tab.

    [Screenshot: Backend Hosts tab]

  • On the Backend Hosts tab, remove the hostname of the AD FS Server (the default) and enter the hostname of the central CensorNet server. Click Save when done.
  • Click Test Connection. Click Close in the resulting screen.
  • Click Close to close the SMS PASSCODE – Configuration Tool.
  • Back in the SMS PASSCODE 2018 installation screen, wait for the installer to complete.

    [Screenshot: InstallShield Wizard Completed]

  • In the InstallShield Wizard Completed screen, click Finish.

Perform the above steps on every AD FS Server in the AD FS Farm, before continuing with the steps below.


How to enable Multi-factor Authentication through SMS PASSCODE

Follow these steps to enable Multi-factor Authentication through SMS PASSCODE:

  • Log on to the (primary) AD FS server.
  • Open the AD FS Management tool.
  • In the left navigation pane, select Authentication Policies.
  • In the right task pane, click on Edit Global Multi-factor Authentication… link.
  • Select the SMS PASSCODE Authentication as additional authentication method.
  • To enable authentication for all external authentication, also select Extranet. Alternatively, specify multi-factor authentication per Relying Party Trust (RPT).
  • Click OK.

There is no need to configure additional settings, when the centralized CensorNet SMS PASSCODE server is configured with the default authentication policy, to allow Any.
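The console steps above have a PowerShell equivalent, which is handy when the same change has to be repeated or documented. This is an added example, not part of the original post or of CensorNet's product: the provider name 'SmsPasscodeProvider', the server name 'smspasscode.example.local' and the Relying Party Trust name 'Contoso Web App' are placeholders; take the real provider name from the Get-AdfsAuthenticationProvider output on your farm.

```powershell
# Added example: enable the EAF-registered SMS PASSCODE provider as additional
# authentication method for extranet access, with the prerequisite checks from the post.

# Prerequisite: the AD FS server must reach the central server on TCP port 8988.
$central = 'smspasscode.example.local'           # placeholder hostname
$reach   = Test-NetConnection -ComputerName $central -Port 8988
if (-not $reach.TcpTestSucceeded) { throw "No TCP 8988 connectivity to $central" }

# Prerequisite: with a WID-based farm, configuration changes go to the primary server.
if ((Get-AdfsSyncProperties).Role -ne 'PrimaryComputer') {
    throw 'Run this on the primary AD FS server of the farm'
}

# The agent registers itself with the Extensible Authentication Framework;
# list the providers to find its Name.
Get-AdfsAuthenticationProvider | Select-Object Name, DisplayName
$provider = 'SmsPasscodeProvider'                # placeholder: use the Name listed above

# Equivalent of ticking the provider under "Edit Global Multi-factor Authentication".
$policy  = Get-AdfsGlobalAuthenticationPolicy
$current = @($policy.AdditionalAuthenticationProvider)
if ($current -notcontains $provider) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($current + $provider)
}

# Equivalent of selecting "Extranet": require MFA only when the request does not
# carry insidecorporatenetwork = true, i.e. it arrived through the Web Application Proxy.
$extranetRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $extranetRule

# Alternative named in the post: scope MFA to one Relying Party Trust instead of globally.
# Set-AdfsRelyingPartyTrust -TargetName 'Contoso Web App' -AdditionalAuthenticationRules $extranetRule
```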


Concluding

Using the Extensible Authentication Framework (EAF) in Active Directory Federation Services (AD FS) makes enabling multi-factor authentication a breeze.

The post HOWTO: Install CensorNet’s SMS PASSCODE AD FS Agent appeared first on The things that are better left unspoken.

Windows Server 2019’s January 2019 Quality Update fixes the issue with Domain Controller Promotions for new domains


Windows Server

Windows Server 2019’s January 2019 Cumulative Quality Update, bringing the OS version to 17763.292, offers a fix for the issue you might be experiencing on your Windows Server 2016 and Windows Server 2019-based Domain Controllers.


About Windows Server 2019 Updates

Microsoft issues two major updates each month for Windows Server 2019, as outlined in the Patching with Windows Server 2016 blogpost.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2019. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2019.  This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.


The issue

We first encountered and reported this issue, and then covered it here, so we have all the details on it.

The issue occurs with Windows Server 2016 and Windows Server 2019-based installations that you want to promote for a new domain in an existing forest that has the Active Directory Recycle Bin enabled.

In this situation, creation of the domain fails.

Active Directory Domain Services Configuration Wizard

When you use the Active Directory Domain Services Configuration Wizard, it offers the following information:

An error occurred while trying to configure this machine as a Domain Controller

The operation failed because:
Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration, DC=domain,DC=tld from the remote Active Directory Domain Controller FullyQualifiedDCName.

“The replication operation encountered a database error.”

PowerShell

When you use the Install-ADDSDomain PowerShell cmdlet, you receive the following error:

Install-ADDSDomain : The operation failed because:
Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration, DC=domain,DC=tld from the remote Active Directory Domain Controller FullyQualifiedDCName.

“The replication operation encountered a database error.”

DCPromo Log

In dcpromo.log on the failed Domain Controller you find the following lines, indicating the error:

[INFO] DsRolepInstallDs returned 1356


The cause

This issue is caused by the Active Directory Recycle Bin optional feature being enabled and having update KB4464330 for Windows Server 2019 installed.

If the Active Directory Recycle Bin optional feature is not enabled yet, the Active Directory Domain Services Configuration Wizard and Install-ADDSDomain are successful, as you’d expect.


The solution

Back in October, when Windows Server 2019 wasn’t released yet, our advice was to uninstall KB4464330 for Windows Server 2019. Now, the solution is to install KB4476976.

When you experience the above issue, you are invited to install Windows Server 2019’s January 2019 Cumulative Quality Update (KB4476976) on your Active Directory Domain Controllers to resolve it. Test the update before deploying it to avoid any issues with this update.

Note:
Interestingly, the issue in Windows Server 2016 was resolved in Windows Server 2016’s November 2018 Cumulative Quality Update. Two months ago…
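Before promoting a Windows Server 2019 machine for a new domain, the three facts this post ties together (OS build, presence of the fix, and the Recycle Bin state of the existing forest) can be checked in one function. This is an added example, not code from the original post; it assumes the ActiveDirectory module on the machine being promoted and the default dcpromo.log location under the Windows debug folder.

```powershell
# Added example: pre-flight check for promoting a Windows Server 2019 machine as
# the first Domain Controller of a new domain in an existing forest.
function Get-NewDomainPromotionReadiness {
    param(
        [string]$DcPromoLog = "$env:SystemRoot\debug\dcpromo.log"
    )
    # OS build, e.g. 17763.292: the January 2019 Cumulative Quality Update level.
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [version]"$($ver.CurrentBuild).$($ver.UBR)"
    $fixedBuild = [version]'17763.292'

    # The update may also be found by its KB number; absent means no hotfix object.
    $kb = Get-HotFix -Id KB4476976 -ErrorAction SilentlyContinue
    $hasFix = ($build -ge $fixedBuild) -or ($null -ne $kb)

    # The condition is on the forest the new domain joins, not on the local machine.
    $recycle   = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -ErrorAction SilentlyContinue
    $recycleOn = ($null -ne $recycle) -and ($recycle.EnabledScopes.Count -gt 0)

    # A previous failed attempt leaves "DsRolepInstallDs returned 1356" in dcpromo.log.
    $priorFailure = (Test-Path $DcPromoLog) -and
                    (Select-String -Path $DcPromoLog -Pattern 'DsRolepInstallDs returned 1356' -Quiet)

    [pscustomobject]@{
        OsBuild             = $build
        HasJanuary2019Fix   = $hasFix
        RecycleBinEnabled   = $recycleOn
        PriorPromotionError = [bool]$priorFailure
        # Recycle Bin enabled without the fix is exactly the failing combination.
        PromotionAtRisk     = $recycleOn -and (-not $hasFix)
    }
}

Get-NewDomainPromotionReadiness | Format-List
```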

The post Windows Server 2019’s January 2019 Quality Update fixes the issue with Domain Controller Promotions for new domains appeared first on The things that are better left unspoken.

Veeam Availability Suite 9.5 Update 4 is now available. Here’s how cool it is.


Veeam Availability Suite 9.5 Update 3a

Veeam has made its Availability Suite 9.5 Update 4 available, after it was released to manufacturers (RTM) on December 28th, 2018.

This update addresses several minor issues. However, it also adds support for the latest and greatest that Veeam Vanguards and Veeam admins work with… and that’s cool!


Veeam Backup & Replication

Veeam Backup & Replication 9.5 Update 4 offers many new functions, including effectively unlimited scale-out backup repositories (SOBRs) and a new archive tier.

Platform support

Veeam Backup & Replication 9.5 Update 4 brings support for:

  • Microsoft Windows Server 2019
  • Microsoft Hyper-V Server 2019
  • Microsoft Windows Server, version 1809
  • Microsoft Windows 10, version 1809 “October Update”
  • Microsoft Windows Server Core installations (via Managed by Backup Server jobs)
  • Microsoft Exchange Server Database Availability Groups (DAGs, via Managed by Backup Server jobs)
  • Microsoft Exchange Server 2019
  • Microsoft SharePoint Server 2019
  • VMware vSphere 6.7 Update 1
  • VMware vCloud Director 9.5

Secure Restore

Veeam Backup & Replication 9.5 Update 4 introduces Secure Restore. This feature allows organizations to perform an anti-malware scan on the backups they wish to restore, through 3rd party anti-virus integrations.

Microsoft’s Windows Defender, ESET and Symantec Protection Engine are supported out of the box, but any anti-malware solution can be used, when it supports command-line triggering.

Staged Restore

Veeam Backup & Replication 9.5 Update 4 introduces Staged Restore. This feature runs a restored machine directly from the backup file in an isolated data lab environment for pre-processing, such as removing personal data from an application’s database or masking data using solutions such as Ekobit BizDataX, before moving the post-processed machine state into the production environment.

Support for Write-Once Media (WORM)

Many enterprise organizations require the use of write-once media. Veeam Backup & Replication 9.5 Update 4 now offers support for this scenario by offering dedicated WORM media pools.

Cloud Tier

Veeam Cloud Tier is a new storage tier within the scale-out backup repository (SOBR) — the Capacity Tier — with unlimited capacity for long-term data retention by using native, cost-effective object storage integrations with Amazon S3, Azure Blob Storage, IBM Cloud Object Storage, as well as numerous S3-compatible service providers and on-premises storage solutions.

Here’s the full story on what’s cool in Veeam Backup & Replication 9.5 Update 4.


Veeam Agents

All new versions of the Veeam Agents now offer health checks and deleted agent retention. In addition to that, Veeam Agents now offer two backup job types:

  1. Managed by Agent
  2. Managed by Backup Server

Veeam Agent for Windows 3.0

The Veeam Agent for Windows version 3 adds support for:

  • Microsoft Windows Server 2019
  • Microsoft Windows Server, version 1809
  • Microsoft Windows 10, version 1809 “October Update”
  • Microsoft Windows Server Core installations
  • Microsoft Exchange Server Database Availability Groups (DAGs)
  • Microsoft Exchange Server 2019
  • Microsoft SharePoint Server 2019

Note:
Server Core installations and Exchange Server Database Availability Groups are only available through Managed by Backup Server jobs.

In addition to the extended platform support, version 3 of the Veeam Agent for Windows also now supports multiple jobs, network throttling, file level restore enhancements, and integration with Windows’ Action Center.

Click here for everything that’s cool in Veeam Agent for Microsoft Windows 3.0.

Veeam Agent for Linux 3.0

Version 2 of Veeam’s Agent for Linux was the first version of the product to be manageable through Veeam Availability Suite. This allows you to streamline the discovery, deployment and centralized management of these agents.

Now, with version 3 of the Veeam Agent for Linux, support is added for the following distributions:

  • Red Hat Enterprise Linux 7.6 and 6.10
  • Oracle Linux (RHCK) 7.6 and 6.10
  • SUSE Linux Enterprise Edition (SLES) 15
  • SUSE Linux Enterprise Edition (SLES) 12 Service Pack 4
  • CentOS 7.6 and 6.10
  • Debian 8.11
  • Debian 9.5
  • Debian 9.6
  • Ubuntu 18.10
  • openSUSE Leap 15
  • Fedora 29

Click here for everything that’s cool in Veeam Agent for Linux 3.0.


Veeam Backup for Office 365

Veeam Backup for Microsoft Office 365 v2 has been updated with Cumulative Patch KB2809, which updates the build version to 2.0.0.814. Next to optimizations in SharePoint Online and OneDrive for Business, this update offers:

  • Compatibility support for Backup and Replication 9.5 Update 4, including the new versions of Veeam Explorer for Microsoft Exchange and Veeam Explorer for Microsoft SharePoint
  • Compatibility support for Veeam Cloud Connect 9.5 Update 4


Veeam Availability for AWS

Veeam Availability for AWS is a separate solution within the Veeam Availability Platform, but it is enabled by multiple components, one of which is being delivered in the Veeam Availability Suite 9.5 Update 4 release: the External Repository feature in Veeam Backup & Replication 9.5 Update 4. This feature allows moving backup data from the cloud to on-premises. However, this feature can only be leveraged when Veeam Availability for AWS is purchased.

With Veeam Availability for AWS, Veeam leverages the AWS-purpose-built functionality of N2WS Cloud Protection Manager as part of the platform to:

  • Protect both AWS-based workloads and on-premises workloads
  • Consolidate all backup data in a single repository with consistent auditing, reporting and alerting
  • Enable Veeam Backup & Replication to be used to back up and restore both workloads and create cloud mobility from a single user interface.


Veeam Cloud Connect

Veeam Cloud Connect has been revamped. Veeam Cloud Service Providers (VCSPs) can now align better with VMware vCloud Director on top of the functionality for VMware vCenter and Microsoft Hyper-V.

Tenant to tape

Veeam Cloud Connect now offers Tenant to Tape. This way, Veeam Cloud Connect Service Providers can offer Tape-as-a-Service to their customers to provide an additional tier of protection.

This feature requires backups made with Veeam Backup & Replication 9.5 Update 4 or later; it does not work with older backup files.


Veeam Availability Orchestrator

Version 2 of the Veeam Availability Orchestrator expands on the functionality of Version 1, by offering Restore Plans, enhanced reporting and RTO/RPO tracking in localized languages, Site Scopes for roles and permissions, and Virtual Machine Console Access right from the Orchestrator Web User Interface.


Veeam ONE

Veeam ONE version 9.5 Update 4 offers a new Business View, Veeam Intelligent Diagnostics (VID), Remediation Actions and App-level Monitoring.

Additionally, monitoring of Veeam Agents is dramatically improved in this version of Veeam ONE, offering more direct views on the status and backup locations of agents.

Click here to see all of What’s New in Veeam ONE 9.5 Update 4.


Concluding

Veeam Availability Suite 9.5 Update 4 offers new features for admins of networking infrastructure to cope with the high demands organizations face in terms of regulatory compliance and data.

Veeam Availability Suite 9.5 Update 4 should be on your update list, even though Veeam has announced Veeam Availability Suite 10 for next year.

The post Veeam Availability Suite 9.5 Update 4 is now available. Here’s how cool it is. appeared first on The things that are better left unspoken.

What’s New in Azure Active Directory for January 2019


Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new and changed functionality for Azure Active Directory for January 2019:


What’s New

New Azure AD Application Proxy cookie settings

Service category: App Proxy
Product capability: Access Control

The identity team at Microsoft introduced three new cookie settings, available for apps that are published through Application Proxy:

  • Use HTTP-Only cookie.
    Sets the HTTPOnly flag on your Application Proxy access and session cookies. Turning on this setting provides additional security benefits, such as helping to prevent copying or modifying of cookies through client-side scripting. Microsoft recommends you turn on this flag (choose Yes) for the added benefits.
  • Use secure cookie.
    Sets the Secure flag on your Application Proxy access and session cookies. Turning on this setting provides additional security benefits, by making sure cookies are only transmitted over TLS secure channels, such as HTTPS. Microsoft recommends you turn on this flag (choose Yes) for the added benefits.
  • Use persistent cookie.
    Prevents access cookies from expiring when the web browser is closed. These cookies last for the lifetime of the access token. However, the cookies are reset if the expiration time is reached or if the user manually deletes the cookie. Microsoft recommends you keep the default setting No, only turning on the setting for older apps that don’t share cookies between processes.

For more information about the new cookies, see Cookie settings for accessing on-premises applications in Azure Active Directory.
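Whether a published app actually gets the three settings above can be verified on the Set-Cookie headers it returns. This is an added example, not code from the original post or from Microsoft's documentation; the header strings and cookie names below are constructed samples, not captured from a real tenant.

```powershell
# Added example: audit Set-Cookie headers for the HttpOnly, Secure and
# persistence settings described above.
function Test-AppProxyCookie {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$SetCookieHeader)
    process {
        # "name=value; Attr; Attr=value; ..." -> cookie name plus lower-cased attributes.
        $parts = ($SetCookieHeader -split ';') | ForEach-Object { $_.Trim() }
        $name  = ($parts[0] -split '=', 2)[0]
        $attrs = $parts | Select-Object -Skip 1 | ForEach-Object { $_.ToLowerInvariant() }

        $httpOnly = $attrs -contains 'httponly'
        $secure   = $attrs -contains 'secure'
        # Expires or Max-Age makes the cookie survive a browser close (persistent);
        # without either it is a session cookie, the recommended default.
        $persistent = [bool]($attrs | Where-Object { $_ -like 'expires=*' -or $_ -like 'max-age=*' })

        $issues = @()
        if (-not $httpOnly) { $issues += 'missing HttpOnly: readable by client-side script' }
        if (-not $secure)   { $issues += 'missing Secure: may be sent over plain HTTP' }
        if ($persistent)    { $issues += 'persistent: outlives the browser session' }

        [pscustomobject]@{
            Cookie     = $name
            HttpOnly   = $httpOnly
            Secure     = $secure
            Persistent = $persistent
            Issues     = if ($issues) { $issues -join '; ' } else { 'OK (matches the recommended settings)' }
        }
    }
}

# Constructed sample headers with placeholder cookie names; only the first one
# matches the recommended settings.
@(
    'AppProxyAccess_sample=abc123; Path=/; Secure; HttpOnly',
    'AppProxySession_sample=def456; Path=/',
    'AppProxyAccess_sample=ghi789; Path=/; Expires=Thu, 31 Jan 2019 12:00:00 GMT; Secure; HttpOnly'
) | Test-AppProxyCookie | Format-Table -AutoSize

# Against a published app (placeholder URL), feed it the live headers:
#   (Invoke-WebRequest -Uri 'https://app.example.com/').Headers['Set-Cookie'] | Test-AppProxyCookie
```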


New Federated Apps available in Azure AD app gallery

In January 2019, Microsoft has added these new apps with Federation support to the app gallery:


App Lock feature for the Microsoft Authenticator app on iOS and Android devices

Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

To keep your one-time passcodes, app information, and app settings more secure, you can turn on the App Lock feature in the Microsoft Authenticator app. Turning on App Lock means you’ll be asked to authenticate using your PIN or biometric every time you open the Microsoft Authenticator app.

For more information, see the Microsoft Authenticator app FAQ.


Enhanced Azure AD Privileged Identity Management (PIM) export capabilities

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Privileged Identity Management (PIM) administrators can now export all active and eligible role assignments for a specific resource, which includes role assignments for all child resources. Previously, it was difficult for administrators to get a complete list of role assignments for a subscription and they had to export role assignments for each specific resource.

For more information, see View activity and audit history for Azure resource roles in PIM.


What’s Changed

New Azure AD Identity Protection enhancements (Public preview)

Service category: Identity Protection
Product capability: Identity Security & Protection

Microsoft is excited to announce that it has added the following enhancements to the Azure AD Identity Protection public preview offering, including:

  • An updated and more integrated user interface
  • Additional APIs
  • Improved risk assessment through machine learning
  • Product-wide alignment across risky users and risky sign-ins

For more information about the enhancements, see What is Azure Active Directory Identity Protection (refreshed)? to learn more and to share your thoughts through the in-product prompts.


Users removed from synchronization scope no longer switch to cloud-only accounts

Service category: User Management
Product capability: Directory

Microsoft has heard and understood our frustration about this fix. Therefore, Microsoft has reverted this change until such time that they can make the fix easier for admins to implement in organizations.

The post What’s New in Azure Active Directory for January 2019 appeared first on The things that are better left unspoken.

I am a 2019 Veeam Vanguard


Yesterday, I received an e-mail from Rick Vanover from Veeam congratulating me on being selected for the 2019 Veeam Vanguard Program by the Veeam Vanguard team.

For me, it means I successfully renewed my previous three Veeam Vanguard Awards, dating back to 2016. I still remain one of the three Dutch Veeam Vanguards.

I feel honored.

About Veeam Vanguards

The Vanguard program is led by the Veeam Technical Product Marketing & Evangelism team and supported by the entire company. It’s a program around the community of Veeam experts that truly get Veeam’s message, understand Veeam’s products and are Veeam’s closest peers in IT.

Veeam Vanguards represent Veeam’s brand to the highest level in many of the different technology communities. These individuals are chosen for their acumen, engagement and style in their activities on and offline.

The full list of Veeam Vanguards will be available shortly here.

Further reading

I am a 2018 Veeam Vanguard 
I am a 2017 Veeam Vanguard 
I am a 2016 Veeam Vanguard 
Veeam Availability Suite 9.5 Update 4 is now available. Here’s how cool it is. 
Veeam Availability Suite adds support for the latest technology

The post I am a 2019 Veeam Vanguard appeared first on The things that are better left unspoken.

Windows Server 2016’s February 2019 Quality Update fixes two Hybrid Identity issues


Windows Server 2016’s February 2019 Cumulative Quality Update, bringing the OS version to 14393.2828, offers a fix for two authentication issues.

      

About Windows Server 2016 Updates

Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016. This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.

     

Fixed issues

RPT Updates fail with error MSIS7615

KB4487006 addresses an issue that causes updates to a Relying Party Trust (RPT) to fail when using PowerShell or the Active Directory Federation Services (AD FS) Management Tools. This issue occurs if you configure an RPT to use an online federation metadata URL that publishes more than one PassiveRequestorEndpoint.

The error is:

MSIS7615: The trusted endpoints specified in a relying party trust must be unique for that relying party trust.

    

Azure Password Protection Error

KB4487006 addresses an issue that displays a specific error message for external complexity password changes, because of Azure Password Protection policies.

Azure AD Password Protection for Windows Server Active Directory is used to prevent weak passwords from being used in organizations that run Active Directory Domain Services.

     

Call to Action

When you experience the above issues, you are invited to install Windows Server 2016’s February 2019 Cumulative Quality Update (KB4487006) on your Active Directory Federation Services (AD FS) servers and Windows-based endpoints to resolve them. Test the update to avoid any issues with this update.

Known issues

For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update.

The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.

Internet Explorer 11 may have authentication issues.

The post Windows Server 2016’s February 2019 Quality Update fixes two Hybrid Identity issues appeared first on The things that are better left unspoken.


Windows Server 2019’s February 2019 Quality Update fixes two authentication issues


Windows Server 2019’s February 2019 Cumulative Quality Update, bringing the OS version to 17763.316, offers a fix for two authentication issues.

      

About Windows Server 2019 Updates

Microsoft issues two major updates each month for Windows Server 2019, as outlined in the Patching with Windows Server 2016 blogpost.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2019. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2019. This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.

     

Fixed issues

LMCompatibilityLevel

KB4487044 addresses an issue that fails to set the LmCompatibilityLevel value correctly. LmCompatibilityLevel specifies the authentication mode and session security.

     

Windows Hello for Business

KB4487044 addresses an issue that causes the Windows Hello for Business Hybrid Key Trust deployment sign-in to fail if Windows Server 2019-based Domain Controllers are used for authentication.

The error is:

That option is temporarily unavailable. For now, please use a different method to sign in.

This issue is caused when Active Directory Domain Services (AD DS) activity tracing is enabled. In this scenario, a Local Security Authority Subsystem Service (LSASS) exception may occur in the Windows 2019-based Domain Controller when processing a user’s sign in.

     

Call to Action

When you experience the above issues, you are invited to install Windows Server 2019’s February 2019 Cumulative Quality Update (KB4487044) on your Active Directory Domain Controllers to resolve them. Test the update to avoid any issues with this update.

Known issues

After installing this update, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

After installing this update, Internet Explorer may fail to load images with a backslash (\) in their relative source path and may have authentication issues.

Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

The post Windows Server 2019’s February 2019 Quality Update fixes two authentication issues appeared first on The things that are better left unspoken.

Security Thoughts: Veeam Backup & Replication leaks Azure Password in log


In Veeam Backup and Replication 9.5 versions prior to Update 4, the password for the Microsoft Azure account used by the Direct Restore to Azure functionality can be found in the log in plain text.

Veeam Backup and Replication is used by a lot of organizations worldwide to create and restore backups of systems, applications and services. Its Direct Restore to Azure functionality absolutely rocks for both backups and migrations to Azure Infrastructure as a Service (IaaS). Alas, there is a security issue that might diminish your fantastic experience with this feature…

  

The situation

You want to assign the user account in Microsoft Azure Infrastructure as a Service (IaaS) for Veeam Backup & Replication’s Direct Restore to Azure functionality with the minimum of privileges in the Azure tenant.

You follow the steps outlined in Veeam KnowledgeBase article 2702:

  1. You first create a user object in Microsoft Azure Active Directory.
  2. You run the below Windows PowerShell script to create a custom role in Microsoft Azure with minimal privileges:

     # Build a custom RBAC role definition for Direct Restore to Azure
     $role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
     $role.Name = 'Veeam Restore Operator'
     $role.Description = 'Permissions for Veeam Direct Restore to Microsoft Azure'
     $role.IsCustom = $true

     # The minimal set of resource provider operations a restore to Azure needs
     $permissions = @(
     'Microsoft.Storage/storageAccounts/listkeys/action',
     'Microsoft.Storage/storageAccounts/read',
     'Microsoft.Network/locations/checkDnsNameAvailability/read',
     'Microsoft.Network/virtualNetworks/read',
     'Microsoft.Network/virtualNetworks/subnets/join/action',
     'Microsoft.Network/publicIPAddresses/read',
     'Microsoft.Network/publicIPAddresses/write',
     'Microsoft.Network/publicIPAddresses/delete',
     'Microsoft.Network/publicIPAddresses/join/action',
     'Microsoft.Network/networkInterfaces/read',
     'Microsoft.Network/networkInterfaces/write',
     'Microsoft.Network/networkInterfaces/delete',
     'Microsoft.Network/networkInterfaces/join/action',
     'Microsoft.Network/networkSecurityGroups/read',
     'Microsoft.Network/networkSecurityGroups/write',
     'Microsoft.Network/networkSecurityGroups/delete',
     'Microsoft.Network/networkSecurityGroups/join/action',
     'Microsoft.Compute/locations/vmSizes/read',
     'Microsoft.Compute/locations/usages/read',
     'Microsoft.Compute/virtualMachines/read',
     'Microsoft.Compute/virtualMachines/write',
     'Microsoft.Compute/virtualMachines/delete',
     'Microsoft.Compute/virtualMachines/start/action',
     'Microsoft.Compute/virtualMachines/deallocate/action',
     'Microsoft.Compute/virtualMachines/instanceView/read',
     'Microsoft.Compute/virtualMachines/extensions/read',
     'Microsoft.Compute/virtualMachines/extensions/write',
     'Microsoft.Resources/checkResourceName/action',
     'Microsoft.Resources/subscriptions/resourceGroups/read',
     'Microsoft.Resources/subscriptions/resourceGroups/write',
     'Microsoft.Resources/subscriptions/locations/read'
     )

     $role.Actions = $permissions
     # Reuse the exclusions of the built-in Virtual Machine Contributor role
     $role.NotActions = (Get-AzureRmRoleDefinition -Name 'Virtual Machine Contributor').NotActions

     # Replace the zeros with the Id of the subscription that holds the restore targets
     $subs = '/subscriptions/00000000-0000-0000-0000-000000000000'
     $role.AssignableScopes = $subs

     New-AzureRmRoleDefinition -Role $role

  3. Then, you register the newly created user object and role in Veeam Backup & Replication using the following commands in an elevated Command Prompt window on the Windows Server installation running Veeam Backup & Replication:

     cd C:\Program Files\Veeam\Backup and Replication\Backup
     Veeam.backup.manager.exe REGISTERAZUREACCOUNT

The account is then ready for use.

  

The issue

When you assign the user account in Microsoft Azure Infrastructure as a Service (IaaS) for Veeam Backup & Replication’s Direct Restore to Azure functionality with the minimum of privileges in the Azure tenant, using the steps outlined in Veeam KnowledgeBase article 2702, the password for the Microsoft Azure account can be found in the C:\ProgramData\Veeam\Backup\VeeamBackupManager.log file in plain text.

This issue affects Veeam Backup & Replication 9.5 versions prior to Update 4.
The issue is described in Veeam KnowledgeBase article 2886.

    

The solution

The issue was addressed in Veeam Backup & Replication 9.5 Update 4.

Veeam Backup & Replication 9.5 Update 4 was released in January 2019. The Direct Restore to Azure functionality was made available in March 2016. The guidance to assign the user account in Microsoft Azure Infrastructure as a Service (IaaS) for Veeam Backup & Replication’s Direct Restore to Azure functionality with the minimum of privileges in the Azure tenant was first released in August 2018.

  

Call to Action

Please upgrade to Veeam Backup & Replication 9.5 Update 4.

If your organization has configured the account for Direct Restore using the guidance in Veeam KnowledgeBase article 2702, or intends to do so on Veeam Backup & Replication 9.5 versions prior to Update 4, apply the necessary security measures for the log file.

If your organization’s security principles allow you to edit or remove the log file, do so.
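The check and hardening step the Call to Action asks for, as an added example (not Veeam’s code or the author’s): it looks for the Azure account password in VeeamBackupManager.log without echoing it, reports only line numbers, and then limits the log’s ACL. It assumes the log path from KB 2886, that the Veeam services run as LocalSystem (so SYSTEM must keep access), and that an admin types the password at the prompt.

```powershell
# Added example (not Veeam's code): detect the plain-text password in the
# Veeam Backup Manager log and restrict who can read the file afterwards.
# Assumptions: log path from Veeam KB 2886; Veeam services run as LocalSystem.
$LogPath = 'C:\ProgramData\Veeam\Backup\VeeamBackupManager.log'

function Find-SecretInLog {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Secret
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Log file not found: $Path"
    }
    # Decrypt the SecureString only for the duration of the scan
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try {
        $plain   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $pattern = [regex]::Escape($plain)
        # Emit only file name and line number, never the matching line text
        Select-String -LiteralPath $Path -Pattern $pattern |
            ForEach-Object {
                [pscustomobject]@{ Path = $_.Path; LineNumber = $_.LineNumber }
            }
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

function Protect-LogFile {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting the permissive ProgramData ACL and drop inherited rules
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) {
        [void]$acl.RemoveAccessRule($rule)
    }
    # Only the Veeam service (LocalSystem) and local Administrators keep access
    foreach ($identity in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $identity, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$secret = Read-Host -Prompt 'Password of the Azure account used for Direct Restore' -AsSecureString
$hits = @(Find-SecretInLog -Path $LogPath -Secret $secret)
if ($hits.Count -gt 0) {
    Write-Warning ("Password found in plain text on {0} line(s) of {1}" -f $hits.Count, $LogPath)
    $hits | Format-Table -AutoSize
    Protect-LogFile -Path $LogPath
}
else {
    Write-Host "No plain-text occurrence found in $LogPath"
}
```

Changing the Azure account’s password after the scan is still needed, because restricting the ACL does not undo anyone having read the log before.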

Further reading

Veeam “Direct Restore to Azure” Walk-Through 
Veeam Availability Suite 9.5 Update 4 is now available. Here’s how cool it is. 
Release Information for Veeam Backup & Replication 9.5 Update 4

The post Security Thoughts: Veeam Backup & Replication leaks Azure Password in log appeared first on The things that are better left unspoken.

Ten things you need to know about Pass-through Authentication


For Azure AD, Microsoft offers and recommends using Pass-through Authentication (PTA) as the authentication method. This method is then used to authenticate to applications, services and systems connected to Azure AD, like Office 365, Intune and Power BI.

However, there are a couple of things you should know:

   

Only outbound connections

When using Pass-through Authentication (PTA), the servers in your datacenter(s) will not have to be opened up from the Internet through firewalls. Each PTA Agent sets up an outbound connection to the Azure Service Bus and doesn’t even need to be placed in a perimeter network.

However, based on ISO/IEC 17799, some organizations have seen reasons to implement standards that don’t allow systems to set up outbound connections to insecure networks, like the Internet. For these organizations, the way PTA works might be problematic.

While on the subject of legal compliance… ISO/IEC 17799 requires session time-outs as part of section 11.5.6. As the documentation states that PTA Agents make persistent outbound HTTPS connections, this control might also prove bothersome.

 

Minimum three PTA Agents

Of course, Pass-through Authentication (PTA) is the alternative to Active Directory Federation Services (AD FS).

That’s great, because any serious AD FS deployment would require five servers in the datacenter: 2 AD FS Servers, 2 Web Application Proxies and an Azure AD Connect installation. Ideally, the AD FS Servers are placed in different datacenters with an accompanying Web Application Proxy. This may be scoped down by placing AD FS on Domain Controllers, only requiring three new boxes.

Microsoft recommends a minimum of three PTA Agents in your environment. The Azure AD Connect installation that is used to configure PTA, by default, becomes the first PTA Agent. That’s 3 servers for AD FS vs. 3 servers for PTA? Well, PTA Agents can also be placed on Domain Controllers, so it’s 1 server vs. 3 servers, actually.

There is such a thing as oversizing your PTA deployment too. As authentication requests are placed on the Azure Service Bus with encryption destined for each PTA Agent, having more PTA Agents equals more encryption overhead and a busy service bus…

 

Authentication may be highly available… synchronization not so much

When an organization deploys multiple PTA Agents, authentication requests are distributed amongst the PTA Agents. Each PTA Agent is capable of authenticating users independently of the other PTA Agents, as long as it has a connection to a functioning Domain Controller and to the Azure Service Bus.

However, Azure AD Connect still is a single point of failure to the solution. When Azure AD Connect doesn’t function (properly):

  • objects are not synchronized
  • attributes are not synchronized
  • the Authentication Method cannot be changed to PTA or Password Hash Sync (PHS) or to include Seamless Single Sign-on (S3O)
    (but it can be changed to AD FS through Windows PowerShell)

This may result in authentication and authorization failures.

   

Azure AD Premium licenses are required for Azure AD Smart Lock-out

Active Directory Federation Services (AD FS) offers Extranet Lock-out. In recent versions of Windows Server, it even offers Extranet Smart Lock-out. However, Pass-through Authentication (PTA) doesn’t offer lock-outs natively. Yes, Microsoft’s Machine Learning (ML) might detect malicious authentication attempts and block them, but by that time accounts in Active Directory Domain Services may already be locked out, when organizations use strict settings in (fine-grained) password and account lock-out policies.

When the Azure AD Smart Lock-out feature is to be used, each account that is used with Pass-through Authentication requires an Azure AD Premium license. These licenses may be acquired separately, or as part of the EMS E3 license or Microsoft 365 E3 license.

There is no Azure AD Connect Health for PTA Agents

When contemplating Azure AD Premium, Azure AD Connect Health might also be of interest. Azure AD Connect Health offers integrated monitoring of Microsoft’s Hybrid Identity stack. We install the Azure AD Connect Health agents for monitoring on the following systems:

  • Azure AD Connect installations;
  • AD FS Servers;
  • Web Application Proxies, and;
  • Domain Controllers.

Alas, PTA Agents cannot be monitored with Azure AD Connect Health. This means notifications are not sent when PTA Agents are in trouble and root cause analyses are manual and require access to logs and local tools on the Windows Server installations running PTA Agents.

However, the PTA Agents are visible in the Azure AD Portal with their external IP addresses:

  1. Sign in to the Azure Portal with an account that has the Global Admin role.
    Perform multi-factor authentication and Privileged Identity Management (PIM), when required.
  2. In the Azure Portal, select Azure Active Directory in the left navigation pane.
  3. Select Azure AD Connect in Azure AD’s navigation pane.
  4. On the Azure AD Connect pane, click the text Pass-through Authentication.
  5. Review the PTA Agents and their external IP addresses in the Pass-through Authentication pane.

  

Monitoring the connections to Domain Controllers

When checking PTA Agents in the Azure Portal, you might think that authentication to Azure AD is working flawlessly for your organization, when you see nothing but green check marks.

However, these checkmarks merely indicate that a PTA Agent is authenticated and connected to the Azure Service Bus. It does not mean that it is actually capable of authenticating users. When its connection to a Domain Controller is lost, for some reason, the check mark is there in the Azure Portal, but authentications won’t be possible.

The solution might be to implement Azure AD Connect Health for Active Directory Domain Services (AD DS) and monitor the Domain Controllers that way. Please note that this requires 25 Azure AD Premium licenses in the tenant per Domain Controller, on top of the single license needed for Azure AD Connect Health for the Azure AD Connect installation itself.

No certificate-based authentication

Pass-through Authentication (PTA) offers many features. Combined with Seamless Single Sign-on (S3O), it allows for authenticating end-users towards Azure AD-integrated resources.

However, several features that organizations might need are not offered with PTA and S3O. The most glaring feature that is missing has to be certificate-based authentication. If an organization requires certificate-based authentication, AD FS should be on their to-do list.

Forget about self-managed third-party MFA

Many organizations have already deployed multi-factor authentication (MFA) solutions on-premises in the past few years. The previously mentioned ISO/IEC 17799 standard plays a role in that for some organizations. These investments may become technical debt when Pass-through Authentication (PTA) is deployed. End-users require the organization-managed MFA solution to access on-premises resources, but require one of the four Azure AD-managed MFA solutions (Azure MFA, Trusona, DUO and/or RSA) to access cloud resources. From their point of view, this means that when their mobile number and/or their mobile device changes, they have to change settings and/or register twice. With kids these days switching phones and numbers each year, this becomes a force to recognize.

Roll-over the password for AzureADSSOAcc

We rarely see a Pass-through Authentication (PTA) implementation without Seamless Single Sign-On (S3O) enabled as an authentication method, too. When you enable S3O, a computer account is created: AzureADSSOAcc. It is created in the Computers container, by default.

It is important to frequently roll over the Kerberos decryption key of this computer account (which represents Azure AD) created in your on-premises AD forest. Azure AD Connect does not notify you of this caveat. Doing so is complicated and cannot be automated without adding the credentials of an account with the Global Admin role, configured without MFA, to the script.
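Because Azure AD Connect does not warn about a stale key, the age check itself is easy to automate even if the roll-over is not. Below is an added example (not Microsoft’s or the author’s code) that reads the key age from the computer object’s pwdLastSet and flags it against the 30-day interval Microsoft recommends; it assumes the ActiveDirectory module is installed and the account keeps its default name.

```powershell
# Added example (not Microsoft's code): report how old the AzureADSSOAcc
# Kerberos decryption key is, so a scheduled task or monitoring job can raise
# the flag that Azure AD Connect itself never raises.
# Assumptions: RSAT ActiveDirectory module present; account name unchanged.
Import-Module ActiveDirectory

function Get-AzureAdSsoKeyAge {
    param(
        [string]$Name = 'AzureADSSOAcc',
        [int]$MaxAgeDays = 30   # Microsoft's recommended roll-over interval
    )
    # PasswordLastSet is the friendly view of the pwdLastSet attribute; the
    # computer account's password is the key Azure AD uses to decrypt tickets
    $acct = Get-ADComputer -Identity $Name -Properties PasswordLastSet, Enabled
    $age  = (Get-Date) - $acct.PasswordLastSet
    [pscustomobject]@{
        Name              = $acct.Name
        DistinguishedName = $acct.DistinguishedName
        Enabled           = $acct.Enabled
        PasswordLastSet   = $acct.PasswordLastSet
        AgeDays           = [int][math]::Floor($age.TotalDays)
        RolloverDue       = ($age.TotalDays -gt $MaxAgeDays)
    }
}

$status = Get-AzureAdSsoKeyAge
$status | Format-List
if ($status.RolloverDue) {
    Write-Warning ("The {0} key is {1} days old; roll it over using the AzureADSSO module that ships with Azure AD Connect." -f $status.Name, $status.AgeDays)
}
```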

  

Don’t disable TLS 1.0 (yet)

Since version 1.2.65 of Azure AD Connect (October 25th, 2018), it supports all other protocols being disabled and only TLS 1.2 being enabled on the machine where Azure AD Connect is installed.

However, when PTA is used as the authentication method and the PTA Agent is installed on the same Windows Server installation as Azure AD Connect, by default, the PTA Agent will not be able to communicate with Azure, when TLS 1.0 is disabled.

It appears the PTA Agent still requires TLS 1.0, for now.

The post Ten things you need to know about Pass-through Authentication appeared first on The things that are better left unspoken.

What’s New in Azure Active Directory for February 2019


Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new and changed functionality for Azure Active Directory for February 2019:

  

What’s New

Configurable Azure AD SAML token encryption Public preview

Service category: Enterprise Apps
Product capability: SSO

Admins can now configure any supported Security Assertion Markup Language (SAML)-based app to receive encrypted tokens. When configured and used with an app, Azure AD encrypts the emitted SAML assertions using a public key obtained from a certificate stored in Azure AD.

 

Create an access review for groups or apps

Service category: Access Reviews
Product capability: Governance

Admins can now include multiple groups or apps in a single Azure AD access review for group membership or app assignment. Access reviews with multiple groups or apps are set up using the same settings and all included reviewers are notified at the same time.

        

New Federated Apps available in Azure AD app gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2019, Microsoft added these 27 new apps with federation support to the app gallery:

        

Choose specific page element versions provided by Azure AD B2C

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Admins can now choose a specific version of the page elements provided by Azure AD B2C. By selecting a specific version, admins can test their updates before they appear on a page and can get predictable behavior. Additionally, admins can now opt in to enforce specific page versions to allow JavaScript customizations. To turn this feature on, go to the Properties page in the user flows (previously known as: built-in policies).

        

Configurable end-user password requirements for B2C

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Admins can now specifically set up their organization’s password complexity for end-users, instead of having to use the native Azure AD password policy. From the Properties blade of the user flows (previously known as: built-in policies), admins can choose a password complexity of Simple or Strong, or create a Custom set of requirements.

        

New default templates for custom branded authentication experiences

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Admins can use the new default templates, located on the Page layouts blade of the user flows (previously known as: built-in policies), to create a custom branded authentication experience for users.

    

What’s Changed

Enhanced combined MFA/SSPR registration

Service category: Self-service Password Reset
Product capability: User Authentication

In response to customer feedback, Microsoft has enhanced the combined Multi-factor Authentication (MFA) and Self-service Password Reset (SSPR) registration preview experience, helping users to more quickly register their security info for both MFA and SSPR.

Over the next few weeks, Microsoft will be removing the ability for admins to turn on the old combined MFA/SSPR registration preview experience for tenants that don’t already have it turned on.

Regardless of whether admins have previously turned on the old combined MFA/SSPR registration preview experience for users or not, the old experience will be turned off at a future date. Because of that, Microsoft strongly suggests that admins move to the new, enhanced experience as soon as possible.

      

Updated policy management experience for user flows

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Microsoft has made the policy creation and management process for user flows (previously known as: built-in policies) easier. This new experience is now the default for all Azure AD tenants.

Admins can provide additional feedback and suggestions by using the smile or frown icons in the Send us feedback area at the top of the portal screen.

The post What’s New in Azure Active Directory for February 2019 appeared first on The things that are better left unspoken.

I’m a 2019 VMware vExpert


I’m proud to announce I am a 2019 VMware vExpert.

Deji Akomolafe’s invitation to join the stage with him for VMworld early last year sparked my interest in VMware’s product. After presenting several sessions at both 2018 VMworld events with Matt Liebowitz and Deji, I walked away with much more knowledge of how Active Directory Domain Services (AD DS) and VMware vSphere interact. This was a huge benefit to me… but it didn’t stop there.

Deji invited me into the vSphere (pun intended), but it was Matt who encouraged me to apply for the vExpert Program. Today, I received an e-mail from the vExpert Program telling me I made the cut as a 2019 VMware vExpert.

Thank you!

  

About the VMware vExpert Program

The VMware vExpert Program is VMware’s global evangelism and advocacy program. The program is designed to put VMware’s marketing resources towards advocacy efforts.

The vExpert award is for individuals, not companies, and lasts for one year. Employees of both customers and partners can receive the vExpert award. View a list of all VMware vExperts in the vExpert Directory, including mine.

Further reading

Pictures of VMware VMworld Europe 2018 
I’m speaking at VMware VMworld Europe 2018  
VIDEO: ‘Virtualizing Active Directory the Right Way’ from VMware’s VMworld 2018 US
Pictures of VMware VMworld US 2018 
I’m speaking at VMware VMworld US 2018

The post I’m a 2019 VMware vExpert appeared first on The things that are better left unspoken.

I’m speaking at WinDays 19


This April, I’m returning to Croatia to speak at WinDays 19 at the Šibenik Convention Center, part of Amadria Park. It’s been almost 2 years since I delivered a presentation in Croatia and it feels great to appear on the schedule for WinDays 19 Technology, again.

       

About WinDays

WinDays is the leading Croatian business and technology conference, celebrating its 19th anniversary this year. The conference brings together more than 2,000 attendees from Croatia and the region, as well as the most prestigious international and regional speakers and lecturers from the world of business and technology.


WinDays 19 is held from 2nd till 5th April 2019 in Šibenik and is divided into two sections: WinDays19 Business Conference, held on 2nd and 3rd April, and WinDays19 Technology Conference, which will be held from 3rd till 5th April 2019.

     

About my session

I will be delivering one 45-minute session as part of WinDays 19 Technology:

Hardening Hybrid Identity in the real world

Thursday April 4 2019 4PM – 4:45PM, Room Sibenik 5, level 400

As organizations rely heavily on Active Directory and embrace Azure AD, proper configurations of their setups becomes more important: as Azure AD is often built upon Active Directory, you need a solid base. As Azure AD offers more functionality, it too should be tuned.

To avoid the tyranny of the default settings, in some situations, we’ll look at properly securing on-premises Active Directory Domain Services environments and hardening Azure AD tenants to match their levels of security.

  

Will I see you there?

 

Related blogposts

Pictures of WinDays 17 
Pictures of WinDays 16 in Porec, Croatia  
Pictures of WinDays XV

The post I’m speaking at WinDays 19 appeared first on The things that are better left unspoken.

The state of Azure AD PowerShell today


Currently, there are four Windows PowerShell modules to manage settings and objects in Microsoft’s Azure Active Directory:

  1. MSOnline
  2. AzureAD
  3. AzureADPreview
  4. AzureAD.Standard.Preview

         

MSOnline

The MSOnline Module, with its *-MSOL* cmdlets, was the first Windows PowerShell Module for Azure Active Directory. It started life as a PowerShell Module to manage all Microsoft Online Services, hence the name. Microsoft refers to this module as version 1.0.

The cmdlets in the MSOnline PowerShell module use their own API, which is not publicly callable. Currently, the MSOnline module is the most complete module for CRUD operations on common objects in the directory.

          

AzureAD

The AzureAD Module, with its *-AzureAD* cmdlets, was introduced on November 17th, 2016. Its full name is Azure Active Directory PowerShell for Graph, which gives away the reasoning behind the existence of this PowerShell module next to the MSOnline module: The AzureAD PowerShell module started life as a result of the vision that all the CRUD functionality should be available through public APIs. The Graph API was the API chosen. Microsoft refers to this module as version 2.0. Its current version is version 2.0.2.4.

The AzureAD module, and its dependencies, can be installed and updated using PowerShellGet from the PowerShell Gallery. It requires PowerShell 3.0 or above.

To install the AzureAD Module run Install-Module AzureAD

In comparison to other PowerShell modules, the AzureAD module is updated by running Install-Module again; other PowerShell modules use Update-Module.

Starting in 2017, Microsoft has been offering new Azure AD-oriented cmdlets for functionality in the AzureAD module only. Cmdlets to manage the Azure AD App Proxy, for instance, are not available in the MSOnline module.

For all intents and purposes, the AzureAD module can be seen as the Generally Available (GA) module. It is the module admins should use for management in production environments. However, some functionality is only available in the MSOnline module and Microsoft Support might ask to run Get-MSOL* cmdlets in certain scenarios. Luckily, the MSOnline and AzureAD modules can be installed side-by-side.

          

AzureADPreview

The AzureADPreview module is offered as an installable module, and is the module offered in the Azure Cloud Shell. Microsoft refers to it as version 2.0-preview. Its version, today, is version 2.0.2.5, published October 3, 2018.

The AzureADPreview module, and its dependencies, can be installed and updated using PowerShellGet from the PowerShell Gallery. It requires PowerShell 3.0 or above.

To install the AzureADPreview Module run Install-Module AzureADPreview

The AzureADPreview module, today, differs from the AzureAD module in that it references the beta Graph API.

On one system, the AzureAD and AzureADPreview modules cannot be installed side-by-side, but both modules can individually co-exist with the MSOnline module.

          

AzureAD.Standard.Preview

The AzureAD.Standard.Preview module, or in full the Azure Active Directory .Net Standard Preview Module, is a Private Preview release of the Azure Active Directory .NetStandard Module, available in PSGallery Internal only.

Its current version is version 0.1.599.7, published on August 30th, 2018.

The post The state of Azure AD PowerShell today appeared first on The things that are better left unspoken.


Veeam Backup for Office 365 now offers support for the Baseline Policy ‘Require MFA for Admins’


Veeam Backup for Microsoft Office 365

Today’s release of version 3.0.0.422 of Veeam Backup for Office 365 (VBO) offers many new features and benefits, but none as significant as the ability to use multi-factor authentication for the admin account when configuring and reconfiguring VBO.

Let me explain why.  

    

Azure AD Privileged access, today

Microsoft is working hard to further harden Azure Active Directory tenants, so the roughly 18 million organizations depending on it don’t get disappointed by Azure AD-based security breaches and don’t have to worry about attacks on their infrastructure.

One of the newest technologies Microsoft is developing is Baseline Policies. Using baseline policies, common areas of concern are addressed automatically and continually. The first baseline policy, which is now in public preview, is the Baseline Policy: Require MFA for admins.

Currently, this baseline policy is in public preview and non-enforced. However, Microsoft is planning to turn this baseline policy on, automatically, in the near future.

       

About the Baseline Policy: Require MFA for admins (Preview)

The Baseline Policy: Require MFA for admins (Preview) in Azure AD requires multi-factor authentication for the following directory roles:

  • Global administrators (also known as Company administrators)
    This role permits access to all administrative features across Azure AD and Office 365. This is the most powerful role.
  • SharePoint administrators
    This role permits access to the SharePoint online admin center. This includes the ability to create, delete, and assign permissions to site collections and manage OneDrive for Business.
  • Exchange administrators
    This role permits management of Exchange Online. This includes the ability to grant Send As and Send on Behalf permissions to users for other user’s mailboxes.
  • Conditional Access administrators
    This role grants the ability to manage Azure Active Directory conditional access settings. To deploy Exchange ActiveSync conditional access policy in Azure, the user must also be a Global Administrator.
  • Security administrators
    This role grants the ability to read security and audit information, and to manage the Privileged Identity Management service and the Identity Protection Center (requires Azure AD Premium P2).

These roles have a high potential to be misused. To verify the authentication for users with these roles within your tenant, additional authentication is required in the form of Azure Multi-Factor Authentication (Azure MFA).
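An added example of assessing which accounts the baseline policy affects (this is not the author's assessment script, nor Veeam's or Microsoft's code): it lists the members of the five roles above and whether each has MFA methods registered, so a service account that the policy would block stands out. It assumes the AzureAD and MSOnline modules are installed and Connect-AzureAD and Connect-MsolService have already been run; the role display names are the ones the AzureAD module reports, with both older and newer spellings matched as an assumption.

```powershell
# Added example; not the author's script and not Veeam's or Microsoft's code.
# Lists members of the directory roles covered by "Baseline Policy: Require MFA for admins"
# and shows whether each user member has any strong authentication method registered.
# Assumptions: AzureAD and MSOnline modules installed; Connect-AzureAD and
# Connect-MsolService already run with an account that can read roles and users.

# Role display names as returned by Get-AzureADDirectoryRole. Older tenants report
# Global Administrator as "Company Administrator" and the SharePoint/Exchange roles with
# "Service" in the name, so both spellings are matched (assumption).
$CoveredRoles = @(
    'Company Administrator',          'Global Administrator',
    'SharePoint Service Administrator','SharePoint Administrator',
    'Exchange Service Administrator', 'Exchange Administrator',
    'Conditional Access Administrator',
    'Security Administrator'
)

function Get-BaselineMfaImpact {
    # Get-AzureADDirectoryRole only returns roles that have been activated in the tenant,
    # which is exactly the set that can have members
    $roles = Get-AzureADDirectoryRole | Where-Object { $CoveredRoles -contains $_.DisplayName }

    foreach ($role in $roles) {
        foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            # Groups and service principals can hold roles too; the baseline policy targets users
            if ($member.ObjectType -ne 'User') {
                [pscustomobject]@{
                    Role = $role.DisplayName; Member = $member.DisplayName
                    Type = $member.ObjectType; MfaMethods = 'n/a'; AtRisk = $false
                }
                continue
            }

            # Registered strong authentication methods live on the MSOnline user object
            $msolUser = Get-MsolUser -ObjectId $member.ObjectId
            $methods  = @($msolUser.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })

            [pscustomobject]@{
                Role       = $role.DisplayName
                Member     = $member.UserPrincipalName
                Type       = 'User'
                MfaMethods = if ($methods.Count) { $methods -join ',' } else { 'none' }
                # No registered method: an interactive admin is forced to register at next sign-in;
                # a non-interactive service account (such as a backup account) simply fails once enforced
                AtRisk     = ($methods.Count -eq 0)
            }
        }
    }
}

Get-BaselineMfaImpact | Sort-Object AtRisk -Descending | Format-Table -AutoSize
```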

    

Veeam Backup for Office 365 and the Baseline Policy

Veeam Backup for Office 365 version 2 requires a service account with the SharePoint administrators role. This service account is impacted by the Baseline Policy: Require MFA for admins (Preview) and the service account keeps popping up at organizations that use VBO and use my script to assess the impact that the new Baseline Policy for Admins in Azure AD might have. Up till today, they had no other option than to disable the Baseline Policy, or to exclude the VBO service account.

That stops today.

     

Call to action

If your organization uses Veeam Backup for Office 365, please upgrade to version 3. Lightning speed backups, data protection reports and flexible retention options are also thrown in the mix, but in my opinion the multi-factor authentication support, and the fact that Veeam Backup for Microsoft Office 365 v3.0.0.422 now connects to Office 365 securely by leveraging a custom application in Azure AD along with an MFA-enabled service account and its app password to create secure backups, is the best reason to upgrade.

Security first!

   

Known issues when upgrading

Please be aware of the following upgrade notes:

  • Upgrade from the beta version of the application is not supported.
  • After upgrading from version 1.5 or 2.0 to 3.0, the nearest scheduled job run is displayed in the console as performing a Full sync, though actually it performs Incremental sync. The amount of transferred data, however, will show that only changes are being synchronized during that job session.
  • If you have edited the Config.xml file for Veeam Backup for Microsoft Office 365 manually, these modifications will not be preserved after the upgrade. You may need to make new custom settings (if necessary).

   

Further reading

  • What’s new in v3 of Veeam’s Office 365 backup
  • NEW Veeam Backup for Microsoft Office 365 v3
  • Veeam Backup for Office 365 v3 Product overview
  • Veeam Backup for Office 365 v3 User guide
  • Veeam Backup for Office 365 v3.0.0.422 Release notes


What’s New in Azure Active Directory for March 2019


Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for March 2019:

        

What’s Planned

Updates to condition evaluation by Exchange ActiveSync (EAS) Breaking change

Service category: Conditional Access
Product capability: Access Control

Microsoft is in the process of updating how Exchange ActiveSync (EAS) evaluates the following conditions:

  • User location, based on country, region, or IP address
  • Sign-in risk
  • Device platform

If, as an admin, you’ve previously used these conditions in your Conditional Access policies, be aware that the condition behavior might change. For example, if you previously used the user location condition in a policy, you might find the policy now being skipped based on the location of your end-users.

            

What’s New

Identity Experience Framework and custom policy support in Azure Active Directory B2C Generally Available

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Admins can now create custom policies in Azure AD B2C, including the following tasks, which are supported at-scale and under Microsoft’s Azure Service Level Agreement (SLA):

  • Create and upload custom authentication user journeys by using custom policies.
  • Describe user journeys step-by-step as exchanges between claims providers.
  • Define conditional branching in user journeys.
  • Transform and map claims for use in real-time decisions and communications.
  • Use REST API-enabled services in custom authentication user journeys. For example, with email providers, CRMs, and proprietary authorization systems.
  • Federate with identity providers who are compliant with the OpenIDConnect protocol. For example, with multi-tenant Azure AD, social account providers, or two-factor verification providers.

   

New Federated Apps available in Azure AD app gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In March 2019, Microsoft has added these 14 new apps with Federation support to the Azure AD App Gallery:

        

New Zscaler and Atlassian provisioning connectors in the Azure AD gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Automate creating, updating, and deleting user accounts for the following apps with the new provisioning connectors from the Azure AD Gallery:

       

Restore and manage deleted Office 365 groups in the Azure AD portal

Service category: Group Management
Product capability: Collaboration

Admins can now view and manage deleted Office 365 groups from the Azure AD portal. This change helps them to see which groups are available to restore, along with letting them permanently delete any groups that aren’t needed by the organization.

        

Single sign-on for Azure AD SAML-secured on-premises apps through the Azure AD Application Proxy public preview

Service category: App Proxy
Product capability: Access Control

Admins can now provide a single sign-on (SSO) experience for on-premises, SAML-authenticated apps, along with remote access to these apps through the Azure AD Application Proxy.

       

Client apps in request loops will be interrupted to improve reliability and user experience

Service category: Authentications (Logins)
Product capability: User Authentication

Client apps can incorrectly issue hundreds of the same login requests over a short period of time. These requests, whether they’re successful or not, all contribute to a poor user experience and heightened workloads for the Identity Provider (IdP), increasing latency for all users and reducing the availability of the IdP.

     

What’s Changed

New Audit Logs user experience now available

Service category: Reporting
Product capability: Monitoring & Reporting

Microsoft has created a new Azure AD Audit logs page to help improve both readability and how admins search for information. To see the new Audit logs page, select Audit logs in the Activity section of Azure AD.

      

New warnings and guidance to help prevent accidental administrator lockout from misconfigured Conditional Access policies

Service category: Conditional Access
Product capability: Identity Security & Protection

To help prevent administrators from accidentally locking themselves out of their own tenants through misconfigured Conditional Access policies, Microsoft has created new warnings and updated guidance in the Azure portal.

Improved end-user Terms of use experiences on mobile devices

Service category: Terms of Use
Product capability: Governance

Microsoft has updated their existing Terms of Use (ToU) experiences to help improve how end-users review and consent to Terms of Use on a mobile device. End-users can now zoom in and out, go back, download the information, and select hyperlinks.

  

New Azure AD Activity logs download experience available

Service category: Reporting
Product capability: Monitoring & Reporting

Admins can now download large amounts of activity logs directly from the Azure portal. This update lets them:

  • Download up to 250,000 rows.
  • Get notified after the download completes.
  • Customize the file name.
  • Determine the output format, either JSON or CSV.


Knowledgebase: In-place Upgrading Domain Controllers to Windows Server 2019 while still using NTFRS breaks SYSVOL Replication and DSLocator


Windows Server

In a domain that is configured to use the File Replication Service, the SYSVOL folder is not shared after you in-place upgrade a Windows Server 2019-based Domain Controller from an earlier version of Windows. Until this directory is shared, Domain Controllers do not respond to DCLOCATOR requests for LDAP, Kerberos, and other Domain Controller workloads.

   

The situation

In a domain that uses the legacy File Replication Service (NTFRS) for the Active Directory System Volume (SYSVOL), you in-place upgrade a Domain Controller to Windows Server 2019.

    

The issue

When you try to migrate the domain to Distributed File System (DFS) Replication, the following issues occur:

  • All Windows Server 2019-based Domain Controllers in the domain stop sharing the SYSVOL folder and stop responding to DCLOCATOR requests.
  • All Windows Server 2019-based Domain Controllers in the domain have the following event log errors:
    • Event ID 8013 with source DFS Replication
    • Event ID 8028 with source DFS Replication

When you run dfsrmig.exe /GetMigrationState, this command generates the following output for all Windows Server 2019 Domain Controllers:

    The following domain controllers have not reached Global state ('Prepared'):

    Domain Controller (Local Migration State) - DC Type
    ===================================================
    <Computer name> ('Start') - Writable DC

    Migration has not yet reached a consistent state on all domain controllers.
    State information might be stale due to Active Directory Domain Services latency.

    

The cause

The File Replication Service (FRS) was deprecated in Windows Server 2008 R2 and is included in later operating system releases for backwards compatibility only.

Starting in Windows Server 2019, promoting new Domain Controllers requires DFS Replication (DFSR) to replicate the contents of the SYSVOL share. If you try to promote a Windows Server 2019-based computer in a domain that is still using FRS for SYSVOL replication, the following error occurs:

Verification of prerequisites for Domain Controller promotion failed. The specified domain domain.tld is still using the File Replication Service (FRS) to replicate the SYSVOL share. FRS is deprecated. The server being promoted does not support FRS and cannot be promoted as a replica into the specified domain. You MUST migrate the specified domain to use DFS Replication using the DFSRMIG command before continuing. For more information, see https://go.microsoft.com/fwlink/?linkid=849270

However, in-place upgrading a Windows Server 2012 R2 or Windows Server 2016-based Domain Controller to Windows Server 2019 does not enforce this block.

When you then run dfsrmig.exe /SetGlobalState to migrate SYSVOL replication to DFSR, all upgraded Windows Server 2019 Domain Controllers are stuck in the Start phase and cannot complete the transition to the Prepared or later phases. Therefore, the SYSVOL and NETLOGON folders for the Domain Controllers are no longer shared, and the Domain Controllers stop responding to DCLOCATOR requests from clients in the domain.
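A state check for this situation, as an added example (not code from the original post or from Microsoft's KB article): run elevated on a Domain Controller, it reads the domain-wide migration state from msDFSR-Flags on CN=DFSR-GlobalSettings and the DC's own Local State registry value, and reports whether the DC is safe to upgrade, stuck in Start, or already on DFSR. It assumes the object and registry value named in this article, the msDFSR-Flags phase values from the SYSVOL Replication Migration Guide, and build 17763 as Windows Server 2019.

```powershell
# Added example; not from the original post or from Microsoft's KB article.
# Compares the domain-wide SYSVOL migration state (msDFSR-Flags on CN=DFSR-GlobalSettings)
# with this DC's local state ("Local State" under the DFSR migration registry key) and
# checks whether SYSVOL and NETLOGON are still shared, i.e. the symptoms this article describes.
# Assumptions: run elevated on a Domain Controller; phase values follow the SYSVOL
# Replication Migration Guide; build 17763 is Windows Server 2019.

$GlobalPhases = @{ 0 = 'Start'; 16 = 'Prepared'; 32 = 'Redirected'; 48 = 'Eliminated' }
$LocalPhases  = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated';
                   4 = 'Preparing'; 5 = 'Waiting for initial sync'; 6 = 'Redirecting';
                   7 = 'Eliminating'; 8 = 'Undo redirecting'; 9 = 'Undo preparing' }

function Get-SysvolMigrationState {
    $domainDn = "$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"

    # Global state: the object Option 2 of the article edits with AdsiEdit
    $global = $null
    try {
        $settings = [ADSI]"LDAP://CN=DFSR-GlobalSettings,CN=System,$domainDn"
        $global   = [int]$settings.psbase.Properties['msDFSR-Flags'].Value   # absent attribute -> 0
    } catch { }   # object missing: no migration has ever been started

    # Local state: the DWORD the article sets back to 0 on stuck Windows Server 2019 DCs
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols'
    $local   = (Get-ItemProperty -Path $regPath -Name 'Local State' -ErrorAction SilentlyContinue).'Local State'

    [pscustomobject]@{
        Domain         = $domainDn
        OsBuild        = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
        GlobalPhase    = if ($null -eq $global) { 'Start' } else { $GlobalPhases[$global] }
        LocalPhase     = if ($null -eq $local)  { 'Start' } else { $LocalPhases[[int]$local] }
        SysvolShared   = [bool](Get-SmbShare -Name 'SYSVOL'   -ErrorAction SilentlyContinue)
        NetlogonShared = [bool](Get-SmbShare -Name 'NETLOGON' -ErrorAction SilentlyContinue)
    }
}

function Test-SysvolUpgradeReadiness {
    $s      = Get-SysvolMigrationState
    $is2019 = $s.OsBuild -ge 17763

    if ($s.GlobalPhase -eq 'Eliminated') {
        'OK: SYSVOL is replicated by DFSR; Windows Server 2019 promotion and in-place upgrade are supported.'
    }
    elseif (-not $is2019) {
        "ACTION: SYSVOL still depends on FRS (global state '$($s.GlobalPhase)'). " +
        'Complete the dfsrmig.exe migration to Eliminated before upgrading this DC to Windows Server 2019.'
    }
    elseif ($s.LocalPhase -eq 'Start' -and $s.GlobalPhase -ne 'Start') {
        "STUCK: this Windows Server 2019 DC is in Start while the domain is '$($s.GlobalPhase)'; " +
        "SYSVOL shared: $($s.SysvolShared), NETLOGON shared: $($s.NetlogonShared). " +
        "Apply the workaround for the $($s.GlobalPhase) phase from the article."
    }
    else {
        "WARNING: Windows Server 2019 DC in a domain still on FRS (global '$($s.GlobalPhase)', " +
        "local '$($s.LocalPhase)'). Keep a downlevel DC available before running dfsrmig.exe /SetGlobalState."
    }
}

Get-SysvolMigrationState | Format-List
Test-SysvolUpgradeReadiness
```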

   

The solution

There are several workarounds for this issue, depending on which migration global state you specified earlier.

Issue occurs in the Preparing or Redirecting phase

  1. If you have already run dfsrmig.exe /SetGlobalState 1 or dfsrmig.exe /SetGlobalState 2 previously, run the following command as a Domain Admin:

    dfsrmig.exe /SetGlobalState 0

  2. Wait for Active Directory replication to propagate throughout the domain, and for the state of Windows Server 2019 Domain Controllers to revert to the Start phase.
  3. Verify that SYSVOL is shared on those Domain Controllers and that SYSVOL is replicating as usual again by using NTFRS.
  4. Make sure that at least one Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016-based Domain Controller exists in that domain. Verify all Active Directory partitions and the files in the SYSVOL are fully sourced from one or more source Domain Controllers and that they are replicating Active Directory as usual before you demote all of your Windows Server 2019 Domain Controllers in the next step. For more information, see Troubleshooting Active Directory Replication Problems.
  5. Demote all Windows Server 2019-based Domain Controllers to member servers.
    This is a temporary step.
  6. Migrate SYSVOL to DFSR normally on the remaining Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016 Domain Controllers.
  7. Re-promote the Windows Server 2019-based member servers to Domain Controllers.

Issue occurs in the Eliminating phase

The FRS elimination phase cannot be rolled back by using dfsrmig.exe. If you have already specified FRS elimination, you can use either of the following workarounds.

Option 1

If you still have one or more Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016-based Domain Controllers in that domain, verify all Active Directory partitions and the files in the SYSVOL are fully sourced from one or more source Domain Controllers and that they are replicating Active Directory as usual before you demote all of your Windows Server 2019 Domain Controllers in the next step. For more information, see Troubleshooting Active Directory Replication Problems.

  1. Demote all Windows Server 2019-based Domain Controllers. 
    This is a temporary step.
  2. Migrate SYSVOL to DFSR as usual on the remaining Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016 Domain Controllers.
  3. Re-promote the Windows Server 2019-based member servers to Domain Controllers.

Option 2

If all Domain Controllers in the domain are running Windows Server 2019, perform these steps:

  1. Open AdsiEdit (AdsiEdit.msc).
  2. In the AdsiEdit tool, change the following attribute on the object with the following distinguished name on the PDC Emulator:

    CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=tld
    msDFSR-Flags = 0

  3. Wait for Active Directory replication to propagate throughout the domain.
  4. On all Windows Server 2019 DCs, change the DWORD type registry value Local State to 0:

    Registry Setting: Local State
    Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols
    Registry Value: 0
    Data Type: REG_DWORD

  5. On all Windows Server 2019 Domain Controllers, restart the following services by running the following lines of Windows PowerShell:

    Restart-Service NetLogon
    Restart-Service DFSR

  6. Verify that SYSVOL has shared on those Domain Controllers and that SYSVOL is replicating as usual again by using FRS.
  7. Promote one or more Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016-based Domain Controllers in that domain. Verify all Active Directory partitions and the files in the SYSVOL are fully sourced from one or more source Domain Controllers and that they are replicating Active Directory as usual before you demote all of your Windows Server 2019 Domain Controllers in the next step. For more information, see Troubleshooting Active Directory Replication Problems.
  8. Demote all Windows Server 2019-based Domain Controllers to member servers.
    This is a temporary step.
  9. Migrate SYSVOL to DFSR as usual on the remaining Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016-based Domain Controllers.
  10. Re-promote the Windows Server 2019-based member servers to Domain Controllers.
  11. Optional: Demote the Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016-based Domain Controllers that you added in step 7.

     

Concluding

NTFRS is an old technology, but many organizations still seem to cling onto it. It’s not hard to migrate, but it just needs to be done. We’ve been putting this task on the agendas of Active Directory admins for a while now, but regret to see that this slight code defect means admins who haven’t performed this migration yet may now start experiencing trouble.

Troubleshooting NTFRS without burflags? Wow.

Further reading

  • 4493934 SYSVOL DFSR Migration fails after you in-place upgrade a Domain Controller to Windows Server 2019
  • SYSVOL Replication Migration Guide: FRS to DFS Replication
  • SYSVOL Replication Migration Guide: FRS to DFS Replication (downloadable)
  • Streamlined Migration of FRS to DFSR SYSVOL


I’m presenting my Active Directory 101 course with Netwrix again


Netwrix Active Directory 101

Whether you are an Active Directory novice or an experienced IT professional, enroll in my upcoming free online course for step-by-step instructions and industry best practices for Active Directory management.

These sessions are also a great way to get ready for Exam 70-742.

Note:
These webinars cover only 3 out of 5 topics for Microsoft exam 70-742: the Active Directory Domain Services (AD DS) ones. You will need to find a source for Active Directory Federation Services (AD FS), AD LDS and AD RMS to fully prepare for the exam.

       

Three webinars

1. Active Directory 101: Install and Configure AD Domain Services

Tuesday April 23 2019 1PM EDT / 7PM CEST

This webinar covers the first section of the Exam 70-742. We’re focusing on effective installation and administration of Active Directory. Apart from step-by-step training, the session also explores the potential pitfalls of AD configuration and the ways to ensure reinforced security of your IT environment.

Watch this webinar to explore:

  • How to install and configure domain controllers
  • Best practices in creation of AD users and computers
  • How to effectively approach AD groups and Organizational Unit (OU) management
  • Netwrix Auditor’s reporting functionality to help you mitigate cyber risks and enforce good IT hygiene

2. Active Directory 101: Manage and maintain AD Domain Services

Thursday April 25 2019 1PM EDT / 7PM CEST

Once the Active Directory Domain Controllers are configured and groups are set in place, it’s time to explore the options you have for monitoring AD changes. Watch this webinar to prepare for the second section of Exam 70-742, dedicated to continuous management of Active Directory.

During this session, you will learn:

  • Main techniques to configure service authentication and account policies
  • Top methods to maintain Active Directory
  • How to configure Active Directory in a complex enterprise environment
  • How to determine which changes in your environment merit inspection with Netwrix Auditor

3. Active Directory 101: Create and Manage Group Policy

Tuesday April 30 2019 1PM EDT / 7PM CEST

Proper Group Policy setup and management can ensure continuous uninterrupted functionality of any organization. This session covers the third section of Exam 70-742 about Group Policy management and explains how Group Policy auditing can mitigate the risk of security breaches and compliance failures.

By the end of this session, you will know:

  • How to create and manage Group Policy Objects
  • Top methods to configure Group Policy processing, settings and preferences
  • How to deliver complete visibility into all security and configuration changes in Group Policy

     

Join me!

Advance your career as a systems administrator: plan to attend the live sessions, or get access to the recordings if you cannot join online.

Register here.

Note:
These webinars are offered free of charge, thanks to the sponsoring by Netwrix. By signing up for these webinars you agree to their privacy policy.

     

About Netwrix

Netwrix is a private IT security software company. They offer IT auditing solutions for systems and applications across your IT infrastructure. Netwrix specializes in change, configuration and access auditing software with its Netwrix Auditor solution. Netwrix is a partner of Microsoft, VMware, EMC, NetApp and HP ArcSight.

If you’ve worked in highly-secure highly-regulated IT environments, you’re probably familiar with the Netwrix brand, because their Active Directory auditing solution is one of the best out there.


Pictures of WinDays 19


WinDays

In the first week of April, I traveled to Šibenik to deliver a session at WinDays 19 Technology.

My trip started with a flight from Amsterdam Schiphol Airport to Zagreb’s new Franjo Tuđman Airport. I had reserved a car and drove it to Amadria Park in Šibenik, where I arrived around 8PM.

[Photos: My Hertz Rental Car; Croatia's A1 highway near Zadar; Amadria Park's Hotel Jakov at night]

I ran into Sasa Kranjac, Goran Žarinac, Catalin Gheorghiu, Rastko Đorđević and André Melancia on my way in, but decided to get a meal before going to the WinDays party. We eventually arrived at the party, but left after one drink… Well, at least I did.

[Photos: Convention Center Šibenik; Entrance to WinDays 19]

The next morning, I went to pick up the bag, explore the rooms and just mingle with the attendees of the WinDays Conference. I sat down in a quiet corner and prepared my slides and demos, while doing some work for a customer.

[Photos: Umbrellas on the beach; More beach; Relaxing at the Pool; Getting some Work done]

Before my session, I decided to clear my head. I walked around the resort for an hour, and saw Marin Frankovic with a couple of his former colleagues. I joined them for a couple of minutes, before heading off to room Šibenik 5 at the Convention Center.

[Photos: Heading back to the Convention Center; Quiet before the Storm; Presenting at WinDays]

After my presentation, we went for dinner. I met with Adis Jugo and some other speakers and we had great conversations. I went to bed early, because I needed to leave early on Friday morning for Zagreb Airport.

I left at 4 AM. I got to Zagreb Airport at 8 AM and got on the plane to Paris Charles de Gaulle Airport. After breakfast in Paris, another plane took me to Amsterdam. I did some more work for a customer before I had dinner with my family and closed off the week.

Thank you!

Thank you for inviting me as a WinDays speaker once again, and to all the people attending, sitting in on my session and, of course, the people who stuck around after these sessions for the interesting discussions.

