
I’m speaking at the 2019 Heliview IAM Congress


On May 9, 2019, Heliview Congresses and Training organizes an Identity and Access Management Congress. I’m delivering a 25-minute session on distributed identities, using Microsoft technologies.

               

About Heliview Congresses and Training

Heliview Congresses and Training offers managers and senior specialists a stage to share and consume knowledge in their field of expertise. Additionally, personal networking is highly encouraged during their events throughout the Netherlands and Belgium.

Heliview Congresses and Training also offers training. For 2019 they have several topics on their schedule, including cyber resilience, data quality, IT outsourcing, data privacy and security awareness.

Heliview Congresses and Training was founded in 1983.

       

About the IAM Congress

The Identity & Access Management Congress is a yearly congress on Enterprise Identity and Access Management. The 2019 IAM Congress is the 14th edition.

The Identity & Access Management Congress offers an up-to-date overview of Identity & Access Management and its underlying developments. Identity and Access Management (IAM) provides the right people with the right access at the right time. Good enterprise IAM solutions are user-friendly, compliant, secure and allow for cost savings.

Heliview Congresses and Training organizes the 2019 Identity & Access Management Congress on May 9, 2019 at NBC in Nieuwegein, the Netherlands.

      

About my presentation

I’m presenting a 25-minute session on:

The Future of IAM according to Microsoft? Decentralized IDs

Break-out 1B, 11AM – 11:25AM

Microsoft is no longer the evil corporation bent on world domination. Its current open source and cloud strategies, but also its recent legal battles, have earned Microsoft the title of European example of privacy and transparency.

As part of the ID2020 foundation, Microsoft aims to build open standards that allow for identity that is secure by default: Decentralized Identities.

Decentralized Identities, from Microsoft’s point of view, empower people with complete control over their identities based on blockchain technology, the way they interact and what specific parts of their identities and verifiable claims they share. Of course, with complete control comes complete responsibility…

I’ll discuss the ins and outs of decentralized identities. As a Microsoft Partner, SCCT has information on and access to this new technology, and offers organizations a glimpse of the future of IAM, based on these new standards.

    

Join us!

As an employee of an organization that is considering new Identity and Access Management (IAM) solutions, you can attend the Heliview IAM Congress for free. Alternatively, you can buy a €645 ticket, which does not include the 1-on-1 talks or the questionnaire. This price also applies to advisors, consultants and students.

You can sign up here (Dutch).

Further reading

Pictures of Heliview’s 2018 People-centric IT event  
I’m speaking at the 2018 Heliview People-centric IT Event  
Pictures of Heliview’s 2018 IAM Congress    
I’m speaking at the 2018 Heliview IAM Congress

The post I’m speaking at the 2019 Heliview IAM Congress appeared first on The things that are better left unspoken.


Azure AD Connect v1.3.20.0 offers the next level of identity synchronization


Last week, Microsoft published the long-awaited Azure AD Connect version 1.3.20.0 on the Azure AD Connect Version Release History page. Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

        

Highlights

The highlights for this release are two new Generally Available features: Exchange Mail Public Folders and the Unified Groups Writeback feature.

This release is not yet available through Auto Upgrade of Azure AD Connect, but new installations and manual upgrades can be performed using the 1.3.20.0 release.

       

What’s New

  • Add support for Domain Refresh
  • Exchange Mail Public Folders feature goes GA
  • Improve wizard error handling for service failures
  • Added warning link for old UI on connector properties page.
  • The Unified Groups Writeback feature is now GA
  • Improved SSPR error message when the DC is missing an LDAP control
  • Added diagnostics for DCOM registry errors during install
  • Improved tracing of PHS RPC errors
  • Allow EA creds from a child domain
  • Allow database name to be entered during install (default name ADSync)
  • Upgrade to ADAL 3.19.8 to pick up a WS-Trust fix for Ping and add support for new Azure instances
  • Modify Group Sync Rules to flow samAccountName, DomainNetbios and DomainFQDN to cloud – needed for claims
  • Modified Default Sync Rule Handling – read more here.
  • Added a new agent running as a windows service. This agent, named “Admin Agent”, enables deeper remote diagnostics of the Azure AD Connect server to help Microsoft Engineers troubleshoot when you open a support case. This agent is not installed and enabled by default. For more information on how to install and enable the agent see What is the Azure AD Connect Admin Agent?.
  • Updated the End User License Agreement (EULA)
  • Added auto upgrade support for deployments that use AD FS as their login type. This also removed the requirement of updating the AD FS Azure AD Relying Party Trust as part of the upgrade process.
  • Added an Azure AD trust management task that provides two options: analyze/update trust and reset trust.
  • Changed the AD FS Azure AD Relying Party trust behavior so that it always uses the -SupportMultipleDomain switch (includes trust and Azure AD domain updates).
  • Changed the install new AD FS farm behavior so that it requires a .pfx certificate by removing the option of using a pre-installed certificate.
  • Updated the install new AD FS farm workflow so that it only allows deploying 1 AD FS and 1 WAP server. All additional servers will be done after initial installation.

       

What’s Fixed

  • Fixed the SQL reconnect logic for ADSync service
  • Fixed to allow clean Install using an empty database in a SQL Server Always On Availability group
  • Fixed PowerShell Permissions script to refine Group Writeback permissions
  • Fixed VSS Errors with LocalDB
  • Fixed misleading error message when object type is not in scope
  • Corrected an issue where installation of Azure AD PowerShell on a server could potentially cause an assembly conflict with Azure AD Connect
  • Fixed PHS bug on Staging Server when Connector Credentials are updated in the old UI
  • Fixed some memory leaks
  • Miscellaneous Autoupgrade fixes
  • Miscellaneous fixes to Export and Unconfirmed Import Processing
  • Fixed a bug with handling a backslash in Domain and OU filtering
  • Fixed an issue where ADSync service takes more than 2 minutes to stop and causes a problem at upgrade time.

       

Version information

This is version 1.3.20.0 of Azure AD Connect.
The first release in the 1.3 branch of Azure AD Connect was signed off on March 25th, 2019. It was made available for download on April 24th, 2019.

        

Download

You can download Azure AD Connect here.
The download weighs 90.1 MB.


What’s New in Azure Active Directory for April 2019


Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for April 2019:

             

What’s New

Azure Active Directory (Azure AD) entitlement management is now available Public preview

Service category: Identity Governance
Product capability: Identity Governance

Azure AD entitlement management, now in public preview, helps customers to delegate management of access packages, which defines how employees and business partners can request access, who must approve, and how long they have access. Access packages can manage membership in Azure AD and Office 365 groups, role assignments in enterprise applications, and role assignments for SharePoint Online sites. Entitlement management requires Azure AD Premium P2 licenses.

        

Configure a naming policy for Office 365 groups in Azure AD portal Public preview

Service category: Group Management
Product capability: Collaboration

Administrators can now configure a naming policy for Office 365 groups, using the Azure AD portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization.

You can configure naming policy for Office 365 groups in two different ways:

  1. Define prefixes or suffixes, which are automatically added to a group name.
  2. Upload a customized set of blocked words for your organization, which are not allowed in group names (for example, “CEO, Payroll, HR”).

        

Azure AD Activity logs are now available in Azure Monitor General availability

Service category: Reporting
Product capability: Monitoring & Reporting

To help address feedback about visualizations with the Azure AD Activity logs, Microsoft introduces a new Insights feature in Log Analytics. This feature helps administrators gain insights about Azure AD resources by using interactive templates, called Workbooks. These pre-built Workbooks can provide details for apps or users, and include:

  • Sign-ins. Provides details for apps and users, including sign-in location, the in-use operating system or browser client and version, and the number of successful or failed sign-ins.
  • Legacy authentication and conditional access. Provides details for apps and users using legacy authentication, including Multi-Factor Authentication usage triggered by conditional access policies, apps using conditional access policies, and so on.
  • Sign-in failure analysis. Helps you to determine if sign-in errors are occurring due to a user action, policy issues, or your infrastructure.
  • Custom reports. Admins can create new, or edit existing Workbooks to help customize the Insights feature for their organization.

        

New Federated Apps available in Azure AD app gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In April 2019, Microsoft added 21 new apps with Federation support to the app gallery:

      

New access reviews frequency option and multiple role selection

Service category: Access Reviews
Product capability: Identity Governance

New updates in Azure AD access reviews allow you to:

  • Change the frequency of your access reviews to semi-annually, in addition to the previously existing options of weekly, monthly, quarterly, and annually.
  • Select multiple Azure AD and Azure resource roles when creating a single access review. In this situation, all roles are set up with the same settings and all reviewers are notified at the same time.

        

Increased security using the app protection-based conditional access policy in Azure AD Public preview

Service category: Conditional Access
Product capability: Identity Security & Protection

App protection-based conditional access is now available by using the Require app protection policy. This new policy helps to increase your organization’s security by helping to prevent:

  • Users gaining access to apps without a Microsoft Intune license.
  • Users being unable to get a Microsoft Intune app protection policy.
  • Users gaining access to apps without a configured Microsoft Intune app protection policy.

      

New support for Azure AD single sign-on and conditional access in Microsoft Edge Public preview

Service category: Conditional Access
Product capability: Identity Security & Protection

Microsoft has enhanced the Azure AD support for Microsoft Edge, including providing new support for Azure AD single sign-on and conditional access. If you’ve previously used Microsoft Intune Managed Browser, you can now use Microsoft Edge instead.

         

What’s Changed

Azure AD Connect email alert system(s) are transitioning, sending new email sender information for some customers

Service category: AD Sync
Product capability: Platform

Azure AD Connect is in the process of transitioning its email alert system(s), so some customers will see a new email sender. To address this, administrators must add azure-noreply@microsoft.com to their organization’s allow list, or they won’t continue to receive important alerts from Office 365, Azure, or their Sync services.

      

UPN suffix changes are now successful between Federated domains in Azure AD Connect

Service category: AD Sync
Product capability: Platform

Administrators can now successfully change a user’s userPrincipalName suffix from one federated domain to another federated domain in Azure AD Connect. This fix means they should no longer experience the following error message during the synchronization cycle or receive a notification email stating:

FederatedDomainChangeError

Unable to update this object in Azure Active Directory, because the attribute [FederatedUser.UserPrincipalName], is not valid. Update the value in your local directory services.


Get your copy of the Active Directory Administration Cookbook today


Celebrating the release of the Active Directory Administration Cookbook!

The new Active Directory Administration Cookbook is now available.
[ Packt ] [ Amazon ] [ Tomlinsons ] [ Fnac ] [ Lehmanns ]

For the last seven months, I worked with Packt Publishing to write the fourteen chapters in this 620-page book, containing all the essential how-tos and their gotchas for managing both on-premises Active Directory and Azure AD.

It has been an honor to work with them.

 

About Packt Publishing

Founded in 2004, Packt Publishing is a print-on-demand publishing company based in Birmingham, UK and Mumbai, India. Many of its book offerings concern information technology or software. It offers print books as well as e-books in several formats.

 

It takes a village…

Writing a book is something that requires a lot of time and patience. I could not have pulled this off without the help of my family, my colleagues and the people at Packt Publishing. Brian Svidergol, who you might know as the author of the previous Active Directory cookbook, was a tremendous help throughout the process and a great technical reviewer. Without the help from all these great people, this book would never have taken place.

 

Further steps

My long-term goal of people being able to be effective with Active Directory without breaking the bank inches closer with the release of this book. I feel beginning AD admins may benefit the most from it, so I’m in talks to get copies of the book in their hands.

Enjoy!


I’m speaking at NT Konferenca 2019


I’m proud to announce that I’ll be presenting two sessions at this year’s NT Konferenca in Slovenia.

 

About NT Konferenca

NT Konferenca is the biggest Slovenian technology conference. Last year the event was visited by over 2,200 attendees and the organizers are not expecting any fewer this year!

The 24th NT Konferenca event takes place from May 21st to May 23rd 2019 in Grand Hotel Bernardin in Portorož, Slovenia.

NT Konferenca is not just about IT trends and solutions. It is also about how to include them in everyday business processes and how to use them effectively for business challenges, in order to reach objectives in a more rapid, time-efficient and affordable way.

 

About my sessions

I’ll be presenting two sessions on Tuesday May 21st, 2019:

Your Identity Roadmap to 2022

No-one wants to admit they made a costly mistake when they chose the wrong technology. Now, for identity, you don’t have to worry about that. In this session, we’ll tell you all about the products that are available, the strategies you can follow and the smart actions you can take. Today.

AD FS on Windows Server 2012 R2, MFA Server, Relying Party Trusts on your AD FS environment and implementations of Hybrid Identity based on Azure AD Connect…
If you have any of these or are in the planning stages, then this is a session for you!

The Identity team at Microsoft is shaking up their product portfolio and it’s time to pay attention! On the outside it looks like IT Pros only gain choices, but the team will kill off some of these roads going forward. It’s time to make the right choices to avoid disappointments. From all the hints by the teams, all the marketing buzz and proper announcements, my team and I have distilled the bottom line. So, join this session to gain an overview of your organizations’ identity roadmaps for 2022.

 

From the trenches: Eight common mistakes with Hybrid Identity

Do you wish a seasoned expert would tell you all the mistakes to avoid before you begin your Hybrid Identity journey? Or do you need substantial, real-world proven tips for your current setup of Active Directory and Azure AD? Then this session is for you!

When you link your on-premises Active Directory Domain Services (AD DS) environment to Azure AD, you create Hybrid Identity. Colleagues depend on a reliable, yet cost effective deployment of the technologies and trustworthy processes… it’s our jobs as IT Pros to make it happen.

This session covers the eight most common mistakes I see in the field in organizations that have deployed Hybrid Identity. Learn from their mistakes, whether you’ve already deployed Hybrid Identity and want to make your implementation more robust, or are holding off on deploying Hybrid Identity to avoid stepping into these pitfalls.

 

Join us!

Tickets are still available for NT Konferenca.
Register here and join me for these sessions.


I’m speaking at Techorama Belgium 2019


Techorama - Deep knowledge IT conference - Antwerp, Belgium

I’m proud to share that I’ve been accepted as a speaker for Techorama Belgium 2019, my third year in a row presenting at Techorama Belgium.

 

About Techorama

Techorama Belgium is a yearly international technology conference that takes place at Kinepolis Metropolis Antwerp. Techorama welcomes 1700 attendees, a healthy mix between developers, IT Professionals, Data Professionals and SharePoint professionals. Techorama’s commitment is to create a unique conference experience with quality content and the best speaker line-up.

Techorama Belgium 2019 is held from May 20, 2019 to May 22, 2019.

 

About my session

I’m presenting a 60-minute session as part of the Modern Workplace track:

Going Password-less on-premises, how hard can it be?

Wednesday May 22, 2019 4:30PM-5:30PM, Room 10

Password-less… Microsoft’s marketing machine makes a bold case for it… when you’re with your head in the clouds. But what’s the real story for hybrid scenarios? What’s the deal for pure on-premises environments?

Find out in this session how far you can take your password-less journey!

Microsoft has spun up its latest Identity-related marketing vehicle: password-less. With Azure AD, we’re seeing high adoption of features like Windows Hello for Business, Single Sign-On and even some FIDO2 adoption. However, when Hybrid Azure AD Join rears its ugly head, things get a bit more complicated… and don’t even get us started on going password-less on-premises!

Let’s take a closer look at Windows Hello for Business, authentication assurance, trust types and all the on-premises requirements to fulfil to get to this promise of a world with fewer passwords.

 

Join us!

Techorama Belgium 2019 has almost sold out. You can still buy one of the last tickets here. When you’re among the lucky people to have grabbed a ticket, join me for this session.

We’ll have a lot of fun!

 

Further reading

Pictures of Techorama Belgium 2018
I’m speaking at Techorama Belgium 2018
Pictures of Techorama 2017
I’m speaking at Techorama Belgium 2017


Pictures of the 2019 Heliview IAM Congress


Last week, Heliview organized its annual Identity and Access Management (IAM) congress at the Nieuwegein Business Center.

Booth Materials (photo by Carlo Schaeffer)
SCCT Booth (photo by Carlo Schaeffer)
ChupaChups at the SCCT Booth
Empty Room - Quiet before the storm
Goody bags for all attendees (photo by Carlo Schaeffer)

To set up our booth, Carlo and I arrived early. We swiftly set it up and then enjoyed a cup of tea to start our day. This also allowed for some time to canvass the room.

Full Room :-) (photo by Carlo Schaeffer)

At 11AM, I presented a 25-minute session on Decentralized Identities. I took questions after the session, while the next speaker set up. We also received a lot of positive feedback after the session.

During the day we had a lot of interesting conversations with both existing and potential customers. It strengthened their belief in the Microsoft cloud solution for providing and governing identity and access control leveraging Azure Active Directory.

Closing Keynote Audience (photo by Heliview)
Meeting Tables
Let the drinks flow!
Expo (photo by Heliview)

After the closing keynote by Maria Genova, drinks were served. After 6PM, we tore down our booth and headed home. Content.

   

Thank you!

Thank you to Heliview for organizing yet another successful IAM congress and inviting me as a speaker once again, and to all the people attending, sitting in on my session and, of course, the people with whom we had interesting discussions.


HOWTO: Install Azure Multi-Factor Authentication (MFA) Server 8.0.1.1


This blogpost details how to set up and configure Microsoft’s on-premises Azure Multi-factor Authentication (MFA) Server product in an existing environment.

It details how to install and configure the base components: the MFA Server, the Web Service SDK and the User Portal.

   

Before you begin

Before you begin, you should have access to the following information:

  • The DNS domain name of your organization’s Active Directory Domain Services (AD DS) environment
  • Credentials for an account that is a member of the Domain Admins group in Active Directory
  • Credentials for an account that has the Global administrator role assigned in Azure AD

Of course, it’s a good idea to make a back-up of your Domain Controllers and test one of the backups in a separate networking environment to make sure you’re able to restore.

Overview

The implementation performed here resembles the Stretched deployment among the supported Azure MFA Server deployment scenarios discussed earlier:

MFA Stretched Deployment Scenario

Requirements

For this scenario, two Windows Server installations are needed:

  1. MFA1 – This server becomes the Azure MFA Back-end Server (Master)
  2. WEB1 – This server becomes the Azure MFA Web Server

These servers must have .NET Framework 4 installed and be members of an existing Active Directory environment. For the purpose of this blogpost, two Windows Server 2016-based installations will be deployed.

Microsoft disabled the ability to create MFA Providers in Azure AD as of September 1st, 2018. If you haven’t registered an MFA Provider before this date, all user accounts in scope for MFA Server need to be synchronized from Active Directory to Azure AD. The easiest way to do this is using Azure AD Connect with Express Settings. Afterward, Azure AD Premium P1 licenses need to be assigned to them (or an overarching license that includes this license, like Azure AD Premium P2 or Microsoft 365 E3).

As part of basic information security, traffic to the MFA User Portal and to the MFA Web Service SDK is encrypted. For this purpose, we need valid TLS certificates that cover the DNS names under which the User Portal (on WEB1) and the Web Service SDK (on MFA1) will be reached. Install these TLS certificates, with their private keys, in the Personal store of the Local Machine on both MFA1 and WEB1.

Download MultiFactorAuthenticationServerSetup.exe from the MFA Server download page and place it on the disk of server MFA1.
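Before starting the installer, it pays to verify the three requirements above on each server. The following PowerShell script is an added example and not part of the original post; the host names in $ExpectedDnsNames are assumptions for this example and must be replaced with the names your User Portal and Web Service SDK will be reached under. Run it in an elevated PowerShell window on MFA1 and on WEB1.

```powershell
# Added example (not from the original post): pre-flight checks for an MFA Server host.
# Assumption: the DNS names below are placeholders; pass the names on your certificates.
param(
    [string[]]$ExpectedDnsNames = @('mfa1.corp.example.com', 'web1.corp.example.com')
)

# 1. Domain membership: both MFA1 and WEB1 must be members of the AD DS environment.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "$($cs.Name) is not domain-joined; join it to Active Directory first."
}
"Domain membership : $($cs.Name) is a member of $($cs.Domain)"

# 2. .NET Framework 4.x: the v4\Full key exists only when a 4.x Full profile is installed;
#    the Release value is present from 4.5 onward.
$ndpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$net4 = Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue
if (-not $net4) {
    throw '.NET Framework 4 is not installed.'
}
".NET Framework 4   : version $($net4.Version) (Release $($net4.Release))"

# 3. TLS certificates in Cert:\LocalMachine\My (the Personal store of the Local Machine):
#    a usable certificate has a private key, is valid right now, and covers the DNS name
#    either in its Subject CN or in a Subject Alternative Name (DnsNameList holds both).
$now = Get-Date
$usable = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
}

foreach ($name in $ExpectedDnsNames) {
    $match = @($usable | Where-Object { $_.DnsNameList.Unicode -contains $name })
    if ($match.Count -gt 0) {
        "TLS certificate    : OK for $name -> thumbprint $($match[0].Thumbprint), expires $($match[0].NotAfter)"
    } else {
        Write-Warning "No valid certificate with a private key covers $name in Cert:\LocalMachine\My"
    }
}
```

A certificate without a private key (for example one imported from a .cer instead of a .pfx) shows up in the store but fails the HasPrivateKey test; that is the most common reason the IIS binding later offers no certificate to select.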

            

Step 1: Install and configure MFA Server on MFA1

The Central MFA Server component communicates with the cloud-based MFA Point of Presence (PoP) to perform authentications and with on-premises systems like RADIUS clients and Domain Controllers.

Perform the following steps to install and configure Microsoft’s on-premises Azure Multi-factor Authentication (MFA) Server product on Windows Server MFA1:

  1. Sign into Windows Server MFA1, using an account that is a member of the Domain Admins group and assigned local administrative privileges on the server.
  2. Open File Explorer.
  3. Navigate to the folder where you’ve placed the Azure MFA Server installation files:
                   
    MFA Setup files in the Downloads folder
                   
  4. Double-click MultiFactorAuthenticationServerSetup.exe.
  5. In the Open File – Security Warning pop-up window, click Run.
                   
    Install the Visual C++ Runtime
                   
  6. In the Multi-Factor Authentication Server pop-up window (depicted above), click Install to install the Visual C++ “14” Runtime Libraries.
  7. For Microsoft Visual C++ 2017 Redistributable (x86), select the I agree to the license terms and conditions option and click Install afterward. Click Close when setup is successful.
  8. Repeat the above step for the x64 package.
    The Multi-factor Authentication Server screen will appear.
    (This may take a while…)
  9. On the License Agreement page, select the I Agree option.
  10. Click Next >.
                   
    Select Installation Folder for Azure MFA Server
                   
  11. On the Select Installation Folder page (see above), click Next >.
  12. On the Installation Complete page, click Finish.
                   
    Activate MFA Server
                   
    The Multi-Factor Authentication Server management user interface appears, as depicted above.
  13. The first thing to configure is the activation of the MFA Server, as the Activate screen is shown. Here, we have to enter activation credentials. On server MFA1, or on an Internet-connected workstation, perform the following actions to create the activation credentials:
    1. Open a web browser and navigate to the Azure Portal.
    2. Sign in with an account that has the Global administrator role assigned.
      Perform Azure-based multi-factor authentication, when prompted.
    3. In the left navigation menu, click Azure Active Directory.
    4. In the Azure AD navigation menu, scroll down to the Security section.
    5. Click MFA.
    6. In the scenario where an MFA Provider is present:
      1. In the Multi-Factor Authentication navigation menu, click Providers.
      2. Select a provider in the list of MFA providers to open its settings.
      3. In the navigation menu for the MFA Provider, click Server Settings.
      4. In the MFA Provider’s Server Settings, follow the Generate link.
    7. In the scenario of Hybrid Identity:
      1. In the Multi-Factor Authentication navigation menu, click Server settings.
      2. Follow the Generate link.
  14. Copy the generated activation credentials into the Multi-Factor Authentication Server management user interface.
  15. Click Activate within 10 minutes of generating the credentials, as the credentials automatically expire after this time period.
              
    Configure MFA Server
                
  16. In the Multi-Factor Authentication Server pop-up window (depicted above), click Yes to enable and configure replication by running the Multi-Server Configuration Wizard.
                  
    Azure MFA Server's Multi-Server Configuration Wizard
                     
    The Multi-Server Configuration Wizard appears (see the above screenshot).
  17. On the Enable Replication Between Servers, click Next >.
  18. On the Secure Communication page, unselect the Certificates option.
  19. Click Next >.
                  
    Configuring Active Directory for MFA Server
                     
  20. On the Active Directory page, click Next >.
                          
    MFA Server's Multi-Server Configuration Complete
                          
  21. On the Multi-Server Configuration Complete page, click Finish.

The server will reboot.

      

Step 2: Configure AD Sync on MFA1

The central MFA Server component uses its own database to store information on user objects. The best approach in a Microsoft-oriented environment is to configure automatic synchronization of user objects from Active Directory to MFA Server’s phonefactor.pfdata database.

After installation and reboot, perform these steps on Windows Server MFA1 to configure Active Directory synchronization:

  1. Sign into Windows Server MFA1, using an account that is a member of the Domain Admins group and assigned local administrative privileges on the server.
  2. Open the Multi-Factor Authentication Server management user interface from the Start Menu.
  3. In the left icon pane, select Directory Integration.
  4. Navigate to the Synchronization tab:
                
    Configure MFA Server's AD Sync
                 
  5. On the Synchronization tab, enable the Enable synchronization with Active Directory option. Additionally, enable the Remove users no longer in Active Directory option.

              

Step 3: Configure the Web Service SDK on MFA1

To allow other MFA Server components, like the MFA User Portal and the MFA AD FS Adapter, to communicate with the central MFA Server component, install and configure Internet Information Services (IIS) and the Web Service Software Development Kit (SDK) on Windows Server MFA1:

  1. Open an elevated PowerShell window, and execute the following line of PowerShell:
                          
    Install-WindowsFeature Web-WebServer,Web-Http-Redirect,
    Web-Basic-Auth,Web-Asp-Net45,Web-Metabase -IncludeManagementTools

                            
  2. Close the PowerShell window.
  3. Open the Multi-Factor Authentication Server management user interface from the Start Menu.
  4. In the left icon pane, select Web Service SDK.
                   
    Install Web Service SDK...
                
  5. Click the Install Web Service SDK… button.
                        
Select Installation Address for MFA Server's Web Service SDK
                    
    The Multi-Factor Authentication Web Service SDK window appears (see above).
  6. On the Select Installation Address page, click Next >.
  7. On the Installation Complete page, click Close.
  8. Close the Multi-Factor Authentication Server management user interface.

                                       

Step 4: Create the Web Service SDK service account and configure the service

To authenticate to the Web Service SDK, a service account is needed that is a member of the PhoneFactor Admins group. Then, the Web Service SDK Application Pool needs to be configured to run as this service account.

Perform these steps on a Domain Controller, a domain-joined Windows Server with the Active Directory Domain Services Remote Server Administration Tools (RSAT) or a domain-joined Windows installation with the Remote Server Administration Tools (RSAT) installed:

  1. Use an account that is a member of the Domain Admins group, or has delegated permissions to create user objects in Active Directory.
  2. Open the Active Directory Administrative Center from the Start Menu.
  3. At the top of the left navigation menu, switch to Tree view.
  4. Navigate to the Users container.
  5. In an empty space, right-click and select New, then User from the context menu.
                     
    Create User
                       
    The Create User: window appears, as depicted above.
  6. Type a Full name: and User SamAccountName: for the service account.
  7. Type the password for the service account twice.
  8. Select the Other password options option, and select Password never expires.
  9. Select the Protect from accidental deletion option.
  10. Scroll down to the Member Of section.
  11. Click the Add… button.
              
    Add User to Group
                   
    The Select Groups pop-up window appears (see above).
  12. Type the PhoneFactor Admins group.
  13. Click Check Names.
  14. Click OK.
  15. Click OK to create the service account.
  16. Sign out.

Perform the following steps on Windows Server MFA1:

  1. Sign into Windows Server MFA1, using an account that is a member of the local administrators group.
  2. Open the Internet Information Services (IIS) Manager from the Start Menu.
  3. In the left navigation menu of IIS Manager, expand the Sites node.
  4. Select the Default Web Site.
  5. In the Actions pane to the right, click Bindings….
                     
    Internet Information Services (IIS) Manager
                                 
  6. In the Site Bindings pop-up window, click Add…
                     
    Add a site binding
                     
  7. In the Add Site Binding window, add a binding for https. Select the appropriate TLS certificate and click OK.
  8. Back in the Site Bindings window, click Close.
  9. In the left navigation menu of IIS Manager, expand the Application Pools node.
  10. In the main pane, select the MultiFactorAuthWebServiceSDK application pool.
  11. In the Actions pane on the right, click Advanced Settings…
  12. From the list of settings, under Process Model, select Identity.
  13. Click the button with the three dots to the right of ApplicationPoolIdentity.

    The Application Pool Identity window appears.
  14. Select Custom account.

    Click Set….
               
    Set credentials for an IIS Application Pool
                 
    The Set Credentials pop-up window appears (see above).
  15. Enter the User name: of the Web Service SDK service account in the format DOMAIN\ServiceAccount.
  16. Enter the password for the service account twice.
  17. Click OK.
  18. Click OK.
  19. Click OK.
  20. Close Internet Information Services (IIS) Manager.

The Web Service SDK is now available via the following url: https://mfa1.domain.tld/multifactorauthwebservicesdk/
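Step 4 as a script, added here as an example and not taken from the original post. Part 1 runs wherever the ActiveDirectory RSAT module is installed, Part 2 on MFA1; the account name svc_mfasdk, the NetBIOS domain DOMAIN, the certificate thumbprint and the assumption that the SDK accepts Windows or Basic authentication for the smoke test are all assumptions, while the PhoneFactor Admins group, the application pool name and the URL come from the post.

```powershell
# Added example, not from the original post: Step 4 as a script.
# Part 1 runs where the ActiveDirectory RSAT module is available (as a Domain Admin
# or a delegated account); Part 2 runs on MFA1 as a local administrator.
$ServiceAccountName = 'svc_mfasdk'                       # assumed account name
$NetBiosDomain      = 'DOMAIN'                           # assumed NetBIOS domain
$CertThumbprint     = 'REPLACE-WITH-TLS-CERT-THUMBPRINT' # placeholder
$AppPoolName        = 'MultiFactorAuthWebServiceSDK'     # name from the post
$SdkUrl             = 'https://mfa1.domain.tld/multifactorauthwebservicesdk/PfWsSdk.asmx'

# ---------- Part 1: the service account (RSAT host) ----------
Import-Module ActiveDirectory
$Password = Read-Host -AsSecureString -Prompt "Password for $ServiceAccountName"

if (-not (Get-ADUser -Filter "SamAccountName -eq '$ServiceAccountName'")) {
    New-ADUser -Name $ServiceAccountName `
               -SamAccountName $ServiceAccountName `
               -AccountPassword $Password `
               -Enabled $true `
               -PasswordNeverExpires $true `
               -ChangePasswordAtLogon $false
}
$User = Get-ADUser -Identity $ServiceAccountName
# Same protection the post switches on in the Active Directory Administrative Center.
Set-ADObject -Identity $User.DistinguishedName -ProtectedFromAccidentalDeletion $true
# Membership of PhoneFactor Admins is what the Web Service SDK authorizes against.
Add-ADGroupMember -Identity 'PhoneFactor Admins' -Members $User

# ---------- Part 2: IIS on MFA1 ----------
Import-Module WebAdministration
$Cred = Get-Credential -UserName "$NetBiosDomain\$ServiceAccountName" `
                       -Message 'Password of the Web Service SDK service account'

# HTTPS binding on the Default Web Site, tied to the chosen TLS certificate.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
$Cert = Get-Item "Cert:\LocalMachine\My\$CertThumbprint"   # fails loudly if absent
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $Cert | Out-Null
}

# Run the SDK application pool as the service account (identityType 3 = SpecificUser).
Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel -Value @{
    identityType = 3
    userName     = $Cred.UserName
    password     = $Cred.GetNetworkCredential().Password
}
Restart-WebAppPool -Name $AppPoolName

# Smoke test: an authenticated request to the SDK endpoint should answer HTTP 200.
$Response = Invoke-WebRequest -Uri $SdkUrl -Credential $Cred -UseBasicParsing
"Web Service SDK at $SdkUrl answered HTTP $($Response.StatusCode)"
```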

Step 5: Install the User Portal on WEB1

The MFA Server User Portal allows administrators, delegated service desk personnel and end-users to modify MFA settings and preferences. The User Portal will be installed on a separate Windows Server-based web server: WEB1.

Perform the following steps on Windows Server MFA1 to get the Multi-Factor Authentication Server User Portal Installer to Windows Server WEB1:

  1. Open File Explorer.
  2. Navigate to the installation folder of MFA Server. By default, this location is:
    C:\Program Files\Multi-Factor Authentication Server\
                
    MFA Server's User Portal Installer in the MFA Server Installation Folder
                 
  3. Copy MultiFactorAuthenticationUserPortalSetup64.msi.
  4. Paste the Multi-Factor Authentication Server User Portal Installer on the disk of Windows Server WEB1.
  5. Close File Explorer.
  6. Sign out.

Perform these steps to install MFA Server’s User Portal on Windows Server WEB1:

  1. Sign into Windows Server WEB1, using an account that is a member of the local administrators group.
  2. Open an elevated PowerShell window, and execute the following line of PowerShell:
                          
    Install-WindowsFeature Web-WebServer,Web-Asp-Net45,Web-Metabase -IncludeManagementTools
                            
  3. Close the PowerShell window.
  4. Open File Explorer.
  5. Navigate to the folder where you’ve placed the Multi-Factor Authentication Server User Portal Installer file:
                     
    MFA Server's User Portal Installer in Downloads
                        
  6. Double-click MultiFactorAuthenticationUserPortalSetup64.msi.
                 
    Select Installation Address for MFA User Portal
                     
    The Multi-Factor Authentication User Portal appears (see above).
  7. On the Select Installation Address page, click Next >.
  8. On the Installation Complete page, click Close.
  9. Open the Internet Information Services (IIS) Manager from the Start Menu.
  10. In the left navigation menu of IIS Manager, expand the Sites node.
  11. Select the Default Web Site.
  12. In the Actions pane to the right, click Bindings….
  13. In the Site Bindings pop-up window, click Add…
  14. In the Add Site Binding window, add a binding for https. Select the appropriate TLS certificate and click OK.
  15. Back in the Site Bindings window, click Close.
  16. Close Internet Information Services (IIS) Manager.
  17. Switch to the File Explorer window.
  18. Navigate to the file location with the User Portal files. By default, this location is:
    C:\inetpub\wwwroot\MultiFactorAuth
     
                   
    Web.Config file in MFA User Portal Folder
                      
  19. Open Web.Config in Notepad.
                   
    Web.Config
                     
  20. In the appSettings section, make four changes:
    1. On line 9, change the value for USE_WEB_SERVICE_SDK from "false" to "true".
    2. On line 10, add the domain name and username of the service account that runs the application pool of the Web Service SDK, e.g. DOMAIN\Svc_MFASDK.
    3. On line 11, add the password of that service account.
    4. On line 60, in the ApplicationSettings section, change https://www.contoso.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx to the URL of the Web Service SDK, e.g. https://mfa1.domain.tld/multifactorauthwebservicesdk/PfWsSDK.asmx
  21. From Notepad’s File menu, select Save.
  22. From Notepad’s File menu, select Exit.
  23. Close File Explorer.
  24. Sign out.

The MFA User Portal is now available via the following url:
https://web1.domain.tld/multifactorauth
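Step 20 (the Web.Config edits on WEB1) as a script, added here as an example and not taken from the original post. The post identifies the settings by line number only; the key names WEB_SERVICE_SDK_AUTHENTICATION_USERNAME and WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD and the applicationSettings name pfup_pfwssdk_PfWsSdk are assumed here, as are the service account name and the SDK URL.

```powershell
# Added example, not from the original post: the Web.Config edits of step 20 as a
# script, run on WEB1 as a local administrator. Key and setting names are assumed
# (the post refers to them by line number); account and URL are placeholders.
$WebConfigPath = 'C:\inetpub\wwwroot\MultiFactorAuth\Web.Config'
$SdkUser       = 'DOMAIN\svc_mfasdk'                                         # assumed
$SdkUrl        = 'https://mfa1.domain.tld/multifactorauthwebservicesdk/PfWsSdk.asmx'
$SdkPassword   = Read-Host -Prompt "Password for $SdkUser"   # the portal stores it in clear text

function Set-AppSettingValue {
    param([xml]$Config, [string]$Key, [string]$Value)
    # appSettings holds <add key="..." value="..."/> elements; locate the one we need.
    $node = @($Config.configuration.appSettings.add) | Where-Object { $_.key -eq $Key }
    if (-not $node) { throw "appSettings key '$Key' not found in $WebConfigPath" }
    $node.value = $Value
}

# Keep a fallback copy before touching the file.
Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force

[xml]$config = Get-Content -Path $WebConfigPath -Raw
Set-AppSettingValue -Config $config -Key 'USE_WEB_SERVICE_SDK'                     -Value 'true'
Set-AppSettingValue -Config $config -Key 'WEB_SERVICE_SDK_AUTHENTICATION_USERNAME' -Value $SdkUser
Set-AppSettingValue -Config $config -Key 'WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD' -Value $SdkPassword

# The SDK URL lives under applicationSettings as
# <setting name="pfup_pfwssdk_PfWsSdk"><value>...</value></setting>, not in appSettings.
$setting = $config.SelectSingleNode("//applicationSettings//setting[@name='pfup_pfwssdk_PfWsSdk']")
if (-not $setting) { throw "applicationSettings entry pfup_pfwssdk_PfWsSdk not found" }
$setting.value = $SdkUrl

$config.Save($WebConfigPath)

# Verify what was written (password deliberately left out of the listing) and
# check that the portal still answers after the change.
[xml]$check = Get-Content -Path $WebConfigPath -Raw
@($check.configuration.appSettings.add) |
    Where-Object { $_.key -like '*WEB_SERVICE_SDK*' -and $_.key -notlike '*PASSWORD*' } |
    Format-Table key, value -AutoSize
$portal = Invoke-WebRequest -Uri 'https://web1.domain.tld/multifactorauth' -UseBasicParsing
"User Portal answered HTTP $($portal.StatusCode)"
```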

    

Concluding

Having written how to install and configure MFA Server 6.3 on 4Sysops.com four years ago, I’m amazed how much easier it is today to install Microsoft’s on-premises Azure Multi-Factor Authentication (MFA) Server.

Related blogposts

Supported Azure MFA Server Deployment Scenarios and their pros and cons 
Connecting to Azure MFA Server’s Web Service SDK using certificate authentication  
Choosing the right Azure MFA authentication methods    
Azure Multi-Factor Authentication Server 8.0.1.1 was released

The post HOWTO: Install Azure Multi-Factor Authentication (MFA) Server 8.0.1.1 appeared first on The things that are better left unspoken.


Experiences with Being Published, Part 1: Accusations of Plagiarism

plagiarism

As a published technical writer, I’ve had my share of experiences working with a publisher and its editors for a period of seven months. For my own sanity, I’ll post some of my experiences in this series of blogposts on Experiences with Being Published. I feel these stories can be quite entertaining, and I might even get a smile on my face when I look back at these stories in a couple of years’ time…

Today, let’s talk about plagiarism, because throughout the process of creating content for my book I was heavily accused of this…

 

The situation

Let me first point out, why my publisher decided to contact me to write the Active Directory Administration Cookbook. This blog, and my thirteen-year tenure, provided the publishing board with sufficient confidence that I could write a book on Active Directory and Azure AD.

Indeed, this blog contains a lot of information and HowTo’s on how to perform certain tasks in the worlds of Active Directory and Azure Active Directory…

 

The definition of plagiarism

Here’s the definition of plagiarism from dictionary.com:

noun

  1. an act or instance of using or closely imitating the language and thoughts of another author without authorization and the representation of that author’s work as one’s own, as by not crediting the original author: It is said that he plagiarized Thoreau’s plagiarism of a line written by Montaigne.
  2. a piece of writing or other work reflecting such unauthorized use or imitation: “These two manuscripts are clearly plagiarisms,” the editor said, tossing them angrily on the floor.

 

Imagine my surprise

I was happily writing chapters for my book and meeting my deadlines. In the meantime, my content editor would go through the content I produced and provide feedback.

One of the pieces of feedback I received for Chapter 1, literally, was:

I just ran the plagiarism tool to check the originality of the chapter. Around 20% content of the chapter has been found to be taken from your blog: https://dirteam.com/sander/

 

Please note that we cannot include any content in the book that’s freely available online even when it’s from the author’s own blog or website. There’s a number of problems here, the main issues being:

  • Original content: If our content appears elsewhere for free, many customers would be disinclined to spend money on our products.
  • Value: For those who do buy the book, they could feel that they’re not getting adequate value for money once they discover they could have already found this content elsewhere. This might drive them to leave poor reviews, and they might even interpret the unoriginal content as malicious plagiarism.

There are two solutions to this:

  1. Take down the blog post
  2. Rewrite the content from scratch

The easiest solution would be the former, though either is acceptable. Please refer to the attached plagiarism report for your reference.

This person actually wanted me to choose between two evils; take down the blogposts that are available for free here, while not even remotely resembling the type of content in the book, or adopt a different writing style and keep that up throughout the book so to distinguish my previous writing from the writing in the book…

 

In the end…

Of course, I didn’t delete blog posts.

Editors will use ‘plagiarism’ tools to check content. According to the definition, what I did wasn’t plagiarism. I adopted an improved writing style that is more clear and concise than the one I used here. You may have noticed elements of the new style in recent blogposts, already. With a growth mindset, I embraced the feedback and tried to apply it in a constructive manner.

In the end, the entire Chapter 1 is available for you to read on the website of the publisher, if you use the Preview Online button on their website.

 

Picture by Twitter trends 2019, used under CC BY 2.0 license. Adjusted in size.


Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.


Azure AD Connect version 1.3.21.0 fixes an elevation of privilege vulnerability (CVE-2019-1000)

Hot on the heels of Azure AD Connect version 1.3.20.0, Microsoft released version 1.3.21.0 earlier this week to address an elevation of privilege vulnerability.

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

    

About the vulnerability  

The vulnerability, known as CVE-2019-1000, could allow an attacker to execute two Windows PowerShell cmdlets in the context of a privileged account, and perform privileged actions.

To exploit this, an attacker would need to authenticate to the Azure AD Connect server. The two cmdlets can be executed remotely only if remote access is enabled on the Azure AD Connect server.

This security update addresses the issue by disabling these cmdlets.

   

About the fix

The vulnerability is fixed in version 1.3.21.0 of Azure AD Connect.
This release of Azure AD Connect was signed off on May 14th, 2019 and made available for download on that same date.

    

Download

You can download version 1.3.21.0 of Azure AD Connect here.
The download weighs 90,1 MB.


Pictures of Techorama Belgium 2019

Techorama Belgium 2019

Last week, on Wednesday May 22, I delivered a 60-minute presentation at Techorama Belgium 2019.

After a day of travel and, luckily, lunch at home, I arrived at the Antwerpen Kinepolis at 3PM. As the presentation was scheduled for 4:30PM, I was right on track to begin creating the slide deck for one of my favorite topics in Identity.

Up in the Air (click for larger photo)
Kinepolis (click for larger photo)
2019 Speaker Gift, awesome! (click for larger photo, by Christina Wheeler)

As I made my way to the speaker room, I ran into several people I know. I spoke to Vittorio Bertocci, Michael van Horenbeeck and Aleksandar Nikolic while getting the ready-made slides into the Techorama PowerPoint template.

Techorama Posters (click for larger photo by Aleksandar Nikolic)
In the Techorama Tunnel with Aleksandar (click for larger photo by Michael Van Hybrid)
Robots on Display in the Techorama Speaker Room (click for larger photo)

I started my session at 4:30PM and made the conscious decision, together with the audience, to stop 5 minutes prior to the end time, so people would have a chance to get a nice seat for the Closing Keynote with astronaut André Kuipers. As we had ample time to discuss going password-less on-premises, there was even time for a little Q&A during the session.

Windows Hello vs. Windows Hello for Business (click for original photo by Mathijs Hofkens)

After the session, I headed straight home to enjoy a meal with my family. The upside of an event just across the Dutch border is that it’s only a 90-minute drive back home.

  

Thank you!

Thank you to the Techorama organization for organizing yet another successful event and inviting me as a speaker once again, and to all the people attending, sitting in on my session and, of course, the people with whom I had interesting discussions.


KnowledgeBase: Azure AD Connect upgrade is not reflected in the Office 365 Portal

Microsoft’s Azure AD Connect version 1.3.20 was quickly superseded by version 1.3.21.0 to fix an elevation of privilege vulnerability, but it appears to exhibit unexpected behavior for some organizations running it.

      

The situation

You have an Active Directory Domain Services (AD DS) environment, and you synchronize objects to an Azure AD tenant, leveraging Azure AD Connect, Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory. You have licensed Azure AD Premium and leverage Azure AD Connect Health to manage the Hybrid Identity implementation.

You have recently upgraded Azure AD Connect to version 1.3.21.0.

You determine the version of Azure AD Connect in the Office 365 Portal:

  1. You navigate a browser to the Office 365 Portal.
  2. You sign in with an account that has administrative privileges. You perform multi-factor authentication, when prompted.
  3. In the top left menu, you click on the waffle menu and select Admin from the menu.
  4. In the left navigation menu of the Microsoft 365 admin center, you click on Azure Active Directory in the Admin centers section.
    The Azure Active Directory admin center opens in a new tab or window.
  5. In the left navigation menu, click on Azure Active Directory.
  6. In Azure Active Directory’s secondary navigation menu, click Azure AD Connect.
  7. In Azure AD Connect’s main window follow the link to Azure AD Connect Health.
  8. In Azure AD Connect’s secondary navigation menu, click Sync services.
  9. In the main window, click the Azure AD tenant name to drill into its properties.
  10. In the tenant’s Azure AD Connect Health pane, click Azure Active Directory Connect Servers.
  11. In the Server List pane, click the name of the Windows Server on which you recently upgraded Azure AD Connect.
  12. In the server’s blade, click the Properties tile.

            

The issue

The Office 365 portal does not reflect the updated version, even though Azure AD Connect upgraded successfully.

                

The solution

This behavior is unexpected.

To resolve this, you need to import the ADSync module and then run the Set-ADSyncDirSyncConfiguration Windows PowerShell cmdlet on the Windows Server running Azure AD Connect.

Perform these steps to resolve the issue on each of the Azure AD Connect installations in use:

  1. Sign into the Windows Server running Azure AD Connect.
  2. Open an elevated Windows PowerShell window.
  3. Run the following line of Windows PowerShell:
           
    Import-Module ADSync
          
  4. Next, run the following line of Windows PowerShell:
             
    Set-ADSyncDirSyncConfiguration -AnchorAttribute ""
                
  5. Close the Windows PowerShell window.
  6. Sign out.

Perform the above steps on each Windows Server running Azure AD Connect in your environment, when one or more Staging Mode Azure AD Connect installations are present.
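The same fix applied to every Azure AD Connect server (active and staging) in one go, added here as an example and not taken from the original post. The server names are placeholders, PowerShell Remoting is assumed to be enabled with the caller a local administrator on each server, and the installed version is assumed to be readable from the Programs and Features registry entry named Microsoft Azure AD Connect.

```powershell
# Added example, not from the original post: re-send the DirSync configuration from
# every Azure AD Connect server and report version and staging mode per server.
# Assumptions: placeholder server names, PowerShell Remoting enabled, the caller is a
# local administrator on each server, and the Programs and Features entry is named
# 'Microsoft Azure AD Connect'.
$AadConnectServers = @('AADC1.domain.tld', 'AADC2.domain.tld')   # assumed names

$Results = Invoke-Command -ComputerName $AadConnectServers -ScriptBlock {
    try {
        Import-Module ADSync -ErrorAction Stop
        # Installed version as shown in Programs and Features (assumed location).
        $installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
            Where-Object DisplayName -eq 'Microsoft Azure AD Connect' |
            Select-Object -First 1 -ExpandProperty DisplayVersion
        # StagingModeEnabled tells the active server from the staging ones.
        $staging = (Get-ADSyncScheduler).StagingModeEnabled
        # The cmdlet from the post; remoting runs it with a full administrator token.
        Set-ADSyncDirSyncConfiguration -AnchorAttribute ""
        [pscustomobject]@{
            Server           = $env:COMPUTERNAME
            InstalledVersion = $installed
            StagingMode      = $staging
            Result           = 'configuration re-sent'
        }
    } catch {
        [pscustomobject]@{
            Server           = $env:COMPUTERNAME
            InstalledVersion = $null
            StagingMode      = $null
            Result           = "failed: $($_.Exception.Message)"
        }
    }
}

$Results | Sort-Object Server |
    Format-Table Server, InstalledVersion, StagingMode, Result -AutoSize
```

Any server reporting "failed" still needs the manual steps above; the version column lets you confirm the portal's value against what is actually installed.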

                 

Concluding

While the above issue is a cosmetic issue for most organizations, it might be an important issue for organizations that monitor the health of their Azure AD Connect installations through the Office 365 and Azure AD portal. In the latter case, it’s nice to know how to fix it.

Further reading

Azure AD Connect 1.3.21.0 fixes an elevation of privilege vulnerability (CVE-2019-1000) 
Azure AD Connect 1.3.20.0 offers the next level of identity synchronization  
Azure AD Connect 1.2.70.0 updates the non-standard connectors 
Azure AD Connect 1.2.69.0 fixes an issue with Device Write-Back 
Azure AD Connect 1.2.68.0 fixes an issue with the MSOnline PowerShell Module 
Azure AD Connect 1.2.67.0 fixes an issue with Password Writeback
Azure AD Connect moves to TLS 1.2-only with version 1.2.65.0


Experiences with Being Published, Part 2: Tools, Tools, Tools

tools

As a published technical writer, I’ve had my share of experiences working with a publisher and its editors for a period of seven months. For my own sanity, I’ll post some of my experiences in this series of blogposts on Experiences with Being Published. I feel these stories can be quite entertaining, and I might even get a smile on my face when I look back at these stories in a couple of years’ time…

Let’s talk about the tool I had to use and you, when you work together with a publisher, might need to use, too.

 

TypeCloud

My publisher uses a WordPress-based, web-based solution, called TypeCloud. My deadlines required me to provide my content in this tool. From the start, I worried about my productivity, but I was in for a bigger surprise.

At the start of the project, I thought I had ample time to meet my deadlines, as I was scheduled to spend roughly 35 hours on planes in a couple of weeks. However, an online platform to work with means you can’t access it when you don’t have an Internet connection… Resolving comments: impossible.

Dell Ultrasharp U3818DW Monitor

As this tool is WordPress-based, it uses WordPress’ one page lay-out with the classic editor. When writing chapters of 50 pages, this lay-out is extremely tiresome. When comparing this experience with Microsoft Word, where I would have five pages open side by side on a 38-inch widescreen monitor, it made no sense at all.

So, I decided to write my chapters offline in Microsoft Word and copy the contents over to TypeCloud, when done.

 

Not so fast…

The first thing I figured out was that TypeCloud doesn’t really like Edge, Internet Explorer, Chrome or Firefox. Google’s Chrome seemed the only browser that kinda worked… However, even when using Chrome, when copying over text from Word to TypeCloud, lay-out got lost and heading levels 1 and 2 got converted to paragraphs. Several formatting options were only available in TypeCloud and needed to be adjusted manually. Screenshots needed to be uploaded manually and then linked to from TypeCloud. Also, I would better not mess with tables, because the browser would just freeze up.

Each chapter, next to creating the content, I struggled with TypeCloud for another six hours to get the content into the tool my publisher uses.

 

If it worked at all…

If it worked, I could meet my deadlines with a lot of frustration. But of course… there were outages and periods of time where the tool didn’t work 100%. I couldn’t meet one of my deadlines, because TypeCloud was down one weekend. Another weekend, I had trouble uploading screenshots, leading to remarks from the editor complaining about the lack of screenshots…

 

We’re all struggling

The publisher’s aim is to have one system where every letter for every book is stored with absolute integrity. That’s why their employees have to work with it, too. Some of them have even created enhancements to get sufficiently productive to meet their deadlines.

As there was no mention of TypeCloud in the contract, prospective writers should ask about tooling to use, before signing. It could just prevent wrecking fourteen Sunday nights.

 

Picture by Kunkelstein, used under CC BY-NC 2.0 license. Adjusted in size.

 




I’m speaking at Experts Live Netherlands 2019

Advertised as the biggest Microsoft IT Pro event in the Netherlands, Experts Live Netherlands will take place Tuesday June 6th, 2018 at Conference Center 1931 in Den Bosch. It’s a privilege to share the stage again with my buddy Raymond.

   

About Experts Live

Experts Live

Experts Live is an independent platform for IT Professionals on Microsoft solutions. A platform for and by the community. Almost every year, Experts Live organizes its knowledge event in the Netherlands. Started as an idea from a small group of Dutch Microsoft MVPs, Experts Live has become the largest Microsoft community event in the Netherlands, with over a thousand visitors.

Both national and international speakers update the visitors in one day on the latest Microsoft technologies. Subsequently, through the years, many famous and notorious speakers delivered sessions on the Experts Live events.

This year, for the first time Experts Live is hosted at Conference Center 1931 in Den Bosch, and scheduled for Thursday June 6th, 2019. The event offers over 40 break-out sessions, an opening panel discussion and drinks afterward.

   

About my session

I’ll deliver a 60-minute session in the Microsoft 365 track, together with Raymond Comvalius:

Going password-less on-premises, how hard can it be?

11:30AM – 12:30PM, Room Limousin 2, level 400

Password-less… Microsoft’s marketing machine makes a bold case for it. When you’re with your head in the clouds. What’s the real story for hybrid scenarios? What’s the deal for pure on-premises environments?

Find out in this session how far you can take your password-less journey!
Microsoft has spun up its latest Identity-related marketing vehicle: password-less. With Azure AD, we’re seeing high adoption of features like Windows Hello for Business, Single Sign-On and even some FIDO2 adoption.

However, when Hybrid Azure AD Join rears its ugly head, things get a bit more complicated… and don’t even get us started on going password-less on-premises!
Let’s get a closer look at Windows Hello for Business, authentication assurance, trust types and all the on-premises requirements to fulfil to get to this promise of a world with lesser passwords.

Join us!

Experts Live Netherlands hasn’t sold out yet, but there’s only a handful of tickets left. Snag yours before it’s too late and join us!


Pictures of NT Konferenca 2019

NT Konference 2019

Two weeks ago, I travelled to Portorož in Slovenia to deliver two 60-minute sessions at NT Konferenca.

I started early at one of my regular customers at 06:45 on Monday morning. After eight hours of work, I decided to drive to Schiphol airport. As I already saw notices of delays, I decided to take it easy and check in to KLM’s Crown Lounge for dinner.

With 90 minutes delay, we arrived at Paris Charles de Gaulle airport, where I promptly missed my connecting flight to Ljubljana. No worries, because Air France had no trouble booking me into a flight to Venice instead. After arriving there and a 2-hour cab ride, I arrived at the Grand Hotel in Portorož at 01:30. With nothing to see, I decided to go to bed.

The next morning I decided to go for a walk around the premises. Although the sun wasn’t out, Portorož showed its beautiful potential and history.

A lonely olive tree at Hotel Vile Park in Portoroz (click for larger photo)
An overview of the St Bernardin Resort with Croatia on the horizon (click for larger photo)
The 15th-century St. Bernardin Church (click for larger photo)
Portoroz (click for larger photo, by the NTK organization)

After my walk, I checked out the entrance and decided to register.

GrandHotel St Bernardin Entrance (click for larger photo by NTK Organization)
GrandHotel St Bernardin Entrance (click for larger photo by NTK Organization)
NTK 19 Speaker Badge (click for larger photo)

At 11:30, it was time for me to deliver my first presentation. In room Adria 2, we discussed the way organizations may transition from on-premises identity to cloud-only identity and how some choices are not the brightest choices to make. That was fun.

Introduction Slide for 'Your Identity Roadmap to 2022'

After the presentation, I met up with the other speakers for lunch and for some coffee on the patio of the Grand Hotel.

Coffee Moment with the Community (click for larger photo)

At 16:30, I presented my second session on the eight common mistakes organizations make with Hybrid Identity, Active Directory Federation Services (AD FS) and Azure AD Connect. Good fun!

After the session, everyone gathered in front of the Grand Hotel to enjoy beer and network with other attendees, for NTK’s Beer 2 Beer event.

Taking it easy at the NTK Party with water. Vladimir approves. (Click for larger photo)

In the evening, we went for the ‘Hot and Heavy by St. Louis Band’ down the road in Portorož. We enjoyed food and drinks. I decided to take it easy, drink water and go to bed early.

At 03:00 my alarm went off to alert me of the cab ride that was scheduled for me at 03:30 to Ljubljana airport and back to the Netherlands…

             

Thank you!

Thank you to the NT Konferenca organization for organizing yet another successful event and inviting me as a speaker, to all my Balkan community friends and, of course, to all the people attending, sitting in on my sessions and the people with whom I had interesting discussions.



Creating the ‘Microsoft Office 365 Identity Platform’ Relying Party Trust manually

Cloud

There are several methods to create the Relying Party Trust (RPT) between Active Directory Federation Services (AD FS) and Azure Active Directory automatically:

  • Using Azure AD Connect with the Use an existing AD FS farm option or the Configure a new AD FS farm option, when configuring Federation with AD FS as the authentication method.
  • Using the Convert-MsolDomainToFederated Windows PowerShell cmdlet from the MSOnline PowerShell Module.

However, sometimes you can’t use the above methods. In this case, the only logical conclusion is to create the Relying Party Trust manually. But how do you then create the exact same functionality as when you use the above methods… or, in the case of the Convert-MsolDomainToFederated cmdlet method, the full functionality?

I wrote this blogpost, after I’ve successfully switched the custom DNS domain name in Azure Active Directory to AD FS on a remote workstation, but wasn’t privileged to install the MSOnline PowerShell Module on an AD FS server, connect remotely to it, or create Relying Party Trusts. I had to provide the changes I needed to a more privileged person. I have full confidence you can come up with your own reasons…

This blogpost details the steps, relying solely on cmdlets from the ADFS PowerShell module. It’s a four-step procedure:

  1. Creating the Relying Party Trust
  2. Configuring the Relying Party Trust beyond defaults
  3. Setting the claims issuance authorization rule
  4. Setting the claims issuance transformation rules

                 

Important!
The settings for the Relying Party Trust that is created with the below steps are an identical copy of the Relying Party Trust created with Azure AD Connect version 1.3.21.0. These settings may change over time. While all effort was aimed at providing the best information, it may no longer be accurate.

                      

Creating the Relying Party Trust

Perform these steps to create the Relying Party Trust (RPT):

  1. Sign in to an AD FS Server with local administrator privileges. When the AD FS farm leverages the Windows Internal Database (WID) replication method, sign in to the primary AD FS server, as it is the only AD FS server that has read/write access to the ADFSConfiguration database.
  2. Open an elevated Windows PowerShell screen.
  3. Enter the following lines of PowerShell:

Import-Module ADFS

Add-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform" -MetadataUrl "https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml"

            

Configuring the Relying Party Trust beyond defaults

With the above steps, many of the settings are configured perfectly for the Relying Party Trust. However, we need to set three more settings to make it perfect.

The first setting defines the additional WS-Fed Endpoints for the RPT. The other two settings enable monitoring of the RPT and automatic updating.

Enter the following lines of PowerShell, below the earlier ones to configure the settings:

$AdditionalWSFedEndpoint = @(
  "https://ccs.login.microsoftonline.com/ccs/login.srf",
  "https://ccs-sdf.login.microsoftonline.com/ccs/login.srf",
  "https://stamp2.login.microsoftonline.com/login.srf"
)

Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -AdditionalWSFedEndpoint $AdditionalWSFedEndpoint -AutoUpdateEnabled $true -MonitoringEnabled $true


Setting the claims issuance authorization rule

One of the other features of the Microsoft Office 365 Identity Platform RPT, is the default claims issuance authorization rule.

Let’s add it to the RPT by entering the following lines of PowerShell, below the earlier ones:

Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'


Setting the claims issuance transformation rules

Now, all that’s left is to configure the claims issuance transformation rules. As these rules are the core of the magic of the Relying Party Trust, change more often than any other RPT characteristic and require custom rules in multi-domain scenarios, I’m opting to create them using the Claims Generator on adfshelp.microsoft.com.

Perform these steps on any Internet-connected system:

  1. Open a browser.
  2. Navigate to adfshelp.microsoft.com.
  3. On the main page, click Online Tools.
  4. On the Online Tools Overview page, click the Azure AD RPT Claim Rules tile.
  5. Follow the steps to generate the claims issuance transformation rules applicable to your organization.
  6. After you’ve completed all the steps, the claims issuance transformation rules are presented as a PowerShell script, and as raw text.
  7. Copy the contents of the PowerShell script into a file.
  8. Transfer the file to the AD FS server.

Next, run the PowerShell script on the AD FS server. When it’s done, it has created a backup of the previously configured claims issuance transformation rules. This backup file is empty, as no claims issuance rules were configured before. Close Windows PowerShell and log off when done.
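The four steps above, combined into one re-runnable script, as an added example that is not part of the original post or of Azure AD Connect. It assumes the claims issuance transformation rules generated on adfshelp.microsoft.com were saved as raw text to the placeholder path in $ClaimRulesFile (the generator's own PowerShell script applies the rules itself; this script reads the raw rules from a file instead), and that it runs in an elevated window on the primary AD FS server:

```powershell
# Added example, not code from the original post. Creates and configures the
# "Microsoft Office 365 Identity Platform" Relying Party Trust in one pass and
# checks for an existing trust first, so the script is safe to run more than once.
Import-Module ADFS

$RptName        = 'Microsoft Office 365 Identity Platform'
$MetadataUrl    = 'https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml'
$ClaimRulesFile = 'C:\Temp\O365-IssuanceTransformRules.txt'   # placeholder path (assumption)

# Additional WS-Fed endpoints, as set by Azure AD Connect 1.3.21.0 according to the post
$AdditionalWSFedEndpoint = @(
    'https://ccs.login.microsoftonline.com/ccs/login.srf',
    'https://ccs-sdf.login.microsoftonline.com/ccs/login.srf',
    'https://stamp2.login.microsoftonline.com/login.srf'
)

# Default permit-all authorization rule of the Office 365 RPT
$AuthorizationRule = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 1: create the trust from federation metadata, only when it does not exist yet.
# On a WID farm this must run on the primary server, the only one with write access.
$Rpt = Get-AdfsRelyingPartyTrust -Name $RptName -ErrorAction SilentlyContinue
if (-not $Rpt) {
    Add-AdfsRelyingPartyTrust -Name $RptName -MetadataUrl $MetadataUrl
}

# Steps 2 and 3: extra WS-Fed endpoints, monitoring with auto-update, authorization rule
Set-AdfsRelyingPartyTrust -TargetName $RptName `
    -AdditionalWSFedEndpoint $AdditionalWSFedEndpoint `
    -AutoUpdateEnabled $true `
    -MonitoringEnabled $true `
    -IssuanceAuthorizationRules $AuthorizationRule

# Step 4: apply the generated transformation rules when the file is present,
# otherwise leave the existing rules untouched and say so.
if (Test-Path -Path $ClaimRulesFile) {
    $TransformRules = Get-Content -Path $ClaimRulesFile -Raw
    Set-AdfsRelyingPartyTrust -TargetName $RptName -IssuanceTransformRules $TransformRules
}
else {
    Write-Warning "Claim rules file '$ClaimRulesFile' not found; issuance transform rules were not changed."
}

# Verify the result against the settings described in the post
$Rpt = Get-AdfsRelyingPartyTrust -Name $RptName
$Rpt | Select-Object Name, Enabled, MonitoringEnabled, AutoUpdateEnabled, MetadataUrl, AdditionalWSFedEndpoint
$Rpt.IssuanceAuthorizationRules
$Rpt.IssuanceTransformRules
```

The final Get-AdfsRelyingPartyTrust call is the check worth keeping in any change record: it shows the endpoints, the monitoring flags and both rule sets as AD FS actually stored them, which is what a more privileged colleague will want to compare against the Azure AD Connect defaults before trusting the hand-made RPT.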


Concluding

It’s surprising how default the Microsoft Office 365 Identity Platform Relying Party Trust is, when you think about it…

Also, the documentation on the Add-AdfsRelyingPartyTrust PowerShell cmdlet is wrong in stating that the -Identifier parameter is required; when using either the -MetadataFile or -MetadataUrl parameter, it certainly isn’t.


Hat Tip

My colleague Barbara Forbes helped me with the Windows PowerShell antics for this blog post. I asked her help, because she uttered the immortal words ‘Surely someone has figured this out already…’

The post Creating the ‘Microsoft Office 365 Identity Platform’ Relying Party Trust manually appeared first on The things that are better left unspoken.

Join the Active Directory Administration Cookbook Launch Party at SCCT


Last month, my Active Directory Administration Cookbook was released by Packt. To celebrate, my employer is hosting a Launch Party at our office in Leidschendam, near The Hague in the Netherlands.

The Launch Party offers the opportunity to Dutch people to get their copy of the Active Directory Administration Cookbook and have it signed.


About SCCT

SCCT is a cloud-first Microsoft-oriented systems integrator from the Netherlands. Our aim is to help organizations embrace Microsoft cloud solutions. SCCT was founded in 2014 by Harro Borghardt and Carlo Schaeffer. In 2017, Sander Berkouwer was named CTO at SCCT, completing the management team.


Join us!

We have created a Microsoft Excel Online Form, where you can provide information. Its purpose is to collect the necessary information for SCCT to successfully organize the Launch Party. It tells us how many people will attend the event and how many books we’ll need.

Please fill out the form (in Dutch) if you would like to attend the Active Directory Administration Cookbook Launch Party.

The post Join the Active Directory Administration Cookbook Launch Party at SCCT appeared first on The things that are better left unspoken.

Two keynotes and Top 7 sessions of VeeamON are now available online


I missed out on VeeamON this year in Miami, FL…

I had other engagements with customers, with NT Konferenca in Slovenia and, as a repeat speaker, Techorama in Belgium in the week of May 20th. I had lots of fun, but I would have really liked to have visited the event and would have loved to have seen Rick Vanover dump the laptop in water, in real life.

The next best thing is now available though: Two keynotes and Top 7 sessions of VeeamON are now available online, for free!


Available videos

The following sessions are now available to view online, for free:

  • The Vision keynote with Ratmir Timashev, Veeam Co-Founder and Executive Vice President Sales and Marketing
  • The Technology keynote with Danny Allan, Veeam Vice President Product Strategy
  • Top 7 Worst Practices when using Veeam Backup & Replication with Edwin Weijdema, Veeam Solution Architect North East EMEA
  • Veeam Agents: Tips, Tricks and What Not To Do with Tom Sightler, Veeam Vice President Product Management
  • Ransomware Resiliency Tips for Veeam and the Veeam Vanguards with Rick Vanover, Veeam Senior Director Product Strategy
  • Architecture, Installation and Design for Veeam Backup for Microsoft Office 365 with Niels Engelen, Veeam Global Technologist and Timothy Dewin, Veeam Enterprise Systems Engineer
  • From the Architect’s Desk: Sizing with Tim Smith, Veeam Solutions Architect
  • Cumulonimbus Cloud Tier Deep Dive and Best Practices with Dustin Albertson, Veeam Senior Cloud Architect Global Cloud Group and Anthony Spiteri, Veeam Senior Global Technologist Product Strategy
  • Let’s Manage Agents with Dmitry Popov, Veeam Product Management


About VeeamON

VeeamON is the premier conference for Cloud Data Management. It allows attendees to gain valuable insights, training and connections with industry experts, learn how to capitalize on their existing virtualization, networking, storage and Veeam investments and discover the latest cloud technologies and how you can leverage your existing assets as part of a comprehensive availability strategy.


VeeamON 2019

VeeamON 2019 took place at the Fontainebleau Miami Beach Conference Center. Veeam announced Veeam Availability Orchestrator (VAO) version 2, its new With Veeam partner program and its achievement of $1 billion in annual bookings.


Hungry for more?

Save the date for VeeamON 2020. Mark your calendar for VeeamON 2020 at the Aria Hotel in Las Vegas, May 4-6, 2020.

The post Two keynotes and Top 7 sessions of VeeamON are now available online appeared first on The things that are better left unspoken.

HOWTO: Disable account enumeration in Azure Active Directory


To celebrate the availability of the Active Directory Administration Cookbook, I decided to write a blogpost in the typical structure of a recipe in this book:


Disabling account enumeration

Use this recipe to disable account enumeration for an Azure Active Directory tenant. After completing this recipe, people with user accounts in the tenant will no longer be able to list the other accounts.


Getting ready

To complete this recipe, you’ll need to sign into the Azure AD tenant with an account that has the Global administrator role assigned to it.

This recipe does not require any additional licenses. The functionality described in this recipe is included in all Azure AD tenants, including those configured as Azure AD Free.

This recipe requires the MSOnline Windows PowerShell Module. To install it, run the following line of Windows PowerShell in an elevated Windows PowerShell window on a Windows or Windows Server system that runs Windows PowerShell 5.0 or higher and has Internet connectivity:

Install-Module MSOnline

Press Yes twice.

When the MSOnline Windows PowerShell Module is already installed, run the above line of Windows PowerShell to update it before continuing with the recipe.


How to do it

Perform these steps:

  1. Open a Windows PowerShell window on the device or server where you have installed the MSOnline PowerShell module.
  2. Execute the following line of PowerShell to import the MSOnline Windows PowerShell Module:

     Import-Module MSOnline

  3. Execute the following line of PowerShell to sign into the Azure AD tenant:

     Connect-MsolService

  4. The Sign in to Azure AD Connect Health Agent window appears.
  5. Sign in with an account in Azure Active Directory that has the Global administrator role assigned.
  6. Perform multi-factor authentication, when prompted.
  7. Execute the following line of PowerShell to configure the Azure AD tenant:

     Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

  8. Close Windows PowerShell.

How it works

This recipe uses the MSOnline Windows PowerShell module.

Microsoft recommends using the newer AzureAD Windows PowerShell Module. However, as of the current version of that module, the functionality to perform the steps in this recipe is not (yet) available.

By importing the Windows PowerShell module before issuing cmdlets from the module, tab completion is available under all circumstances.

The Connect-MsolService cmdlet instructs PowerShell to connect to the Azure AD tenant. As no credentials are supplied in the above example, a prompt appears to ask for credentials. When multi-factor authentication, Azure AD Privileged Identity Management (PIM) or other information security measures are enabled, perform the required steps to successfully authenticate.

When successfully authenticated, the Set-MsolCompanySettings cmdlet configures the Azure AD tenant with the required settings.
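The recipe as a script that reports the tenant setting before and after the change, as an added example that is not part of the original post. It assumes the MSOnline module is installed, that the interactive sign-in is completed with a Global administrator account, and that the UsersPermissionToReadOtherUsersEnabled property returned by Get-MsolCompanyInformation reflects the value set with Set-MsolCompanySettings:

```powershell
# Added example, not code from the original post. Reads the tenant-wide flag
# that controls whether users may read other users' accounts, disables it only
# when it is still on, and confirms the result.
Import-Module MSOnline
Connect-MsolService    # interactive sign-in; MFA or PIM steps happen in the prompt

function Get-AccountEnumerationState {
    # Get-MsolCompanyInformation exposes the flag that
    # Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled changes
    $Company = Get-MsolCompanyInformation
    [pscustomobject]@{
        Tenant                                 = $Company.DisplayName
        UsersPermissionToReadOtherUsersEnabled = $Company.UsersPermissionToReadOtherUsersEnabled
    }
}

$Before = Get-AccountEnumerationState
Write-Host "Before: users may read other users = $($Before.UsersPermissionToReadOtherUsersEnabled)"

if ($Before.UsersPermissionToReadOtherUsersEnabled) {
    # The single setting the recipe changes
    Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

    # Read the value back instead of trusting that the cmdlet succeeded silently
    $After = Get-AccountEnumerationState
    if ($After.UsersPermissionToReadOtherUsersEnabled) {
        Write-Warning "Setting did not apply; check that the signed-in account holds the Global administrator role."
    }
    else {
        Write-Host "After: account enumeration disabled for tenant '$($After.Tenant)'"
    }
}
else {
    Write-Host "Account enumeration was already disabled for tenant '$($Before.Tenant)'; no change made."
}
```

Reading the value back matters because Set-MsolCompanySettings produces no output on success; the before/after pair is also the evidence a change record or audit will ask for.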


There’s more!

To find the differences between the MSOnline and AzureAD Windows PowerShell modules and their history, look at the state of Azure AD PowerShell today.


There’s even more!

Account enumeration is labeled Account Discovery in the MITRE ATT&CK knowledge base and tagged with ID T1087. Find out more about this adversary tactic and its impact by visiting the MITRE ATT&CK knowledge base.

The post HOWTO: Disable account enumeration in Azure Active Directory appeared first on The things that are better left unspoken.

Experiences with Being Published, Part 3: Deadlines


As a published technical writer, I’ve had my share of experiences working with a publisher and its editors for a period of seven months. For my own sanity, I’ll post some of my experiences in this series of blogposts on Experiences with Being Published. I feel these stories can be quite entertaining, and I might even get a smile on my face when I look back at these stories in a couple of years’ time…


On deadlines and the typical process

When a publisher targets you as a new writer, you are typically asked to create an outline for the book they want you to write. A publishing board then decides if the right topics are present in the book, before providing a ‘Go!’ for the book.

When you write a book, a schedule is determined based on the outline, so all people know what is expected of them. Typically for every writer, their schedule features deadlines; points in time when content (usually defined per chapter for a technical book) is due.

There’s a perfectly valid reason for these deadlines: After first delivery, the content is then reviewed by an independent technical reviewer, then edited for readability, spelling and grammar by a team of content editors from your publisher and then reviewed by a technical person at the publisher to make sure everything checks out. Throughout the process, time is allocated for the writer to address the comments and changes made by everyone.


Stakes and tools

Just like every other situation in life, in the process, people have different stakes. The publishing board has a clear vision of the book in terms of the maximum total amount of pages, the topics and the search engine research that governs their choices.

The content editing team has clear expectations as well. For cookbooks at Packt, the chapters must not exceed 50 pages and should have twelve recipes per chapter. These are not ‘pages’ like you write them in Microsoft Word. No, Packt has its own portal where they require you to meet your deadlines in. This platform features a button labeled ‘View in PDF’, that will tell you how many pages a chapter would have (including its ToC, but you can deduct these)…


Changes to the schedule

I was happily writing a chapter every two weeks. Imagine my surprise when after having met ten of my deadlines, I got a call from my publisher, asking me to speed up content delivery…

Uhm, no. We have an agreement on a schedule.

Their proposal was to deliver a chapter every four days, for the last couple of chapters, resulting in a deadline for April 12th instead of May 18th, without additional compensation or a clear reason why. Also, the five days per chapter for reviews was condensed into a mere five days in total, adding to the amount of work that needed to be delivered.

I proposed an April 22nd deadline, allowing for one weekend per chapter. Given the Easter weekend with a couple of additional days off from work, April 29th would be my deadline for everything.


That was quick…

This proposal was quickly accepted. Too quickly, perhaps…

After this decision, the entire process started to come tumbling down. Instead of working on a chapter each weekend, I now also was pushed into resolving comments from the reviewers, the editors and everyone involved with the book during weekdays. Now, I was dealing with four persons at a time with different roles and different stakes.

I learned a great deal about my creative process when creating the Active Directory Administration Cookbook. Looking back, I realize that the schedule change robbed me from the one luxury I had to improve on the quality of the book: the ability to write something and then take another look at it afresh a week later.

Even when self-publishing, the above pitfall exists. The Project management triangle applies to books, too.

Picture by Georgie Pauwels, used under CC BY 2.0 license. Adjusted in size.


Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.

The post Experiences with Being Published, Part 3: Deadlines appeared first on The things that are better left unspoken.
