Category Archives: Office 365

#AzureAD Password Protection and Smart Lockout are now in Public Preview

One more cool feature related to Azure Active Directory, especially for those of you who care about security. Remember that the GDPR mandates a strict security baseline in order to protect personal data, and a sane password policy is part of that baseline.

This new feature, announced in Public Preview, audits or enforces the passwords that Azure AD users choose: if a user tries to set an easily guessable password, the admin can either just audit the attempt or block it completely. On top of Microsoft's global banned password list, we also get the option to specify a custom list of banned passwords for our organization.

In order to configure it, you need to log on to your Azure AD Portal and then navigate to Security –> Authentication Methods:


Let’s talk a bit about the different options that we see here.

  1. Set your custom smart lockout threshold (number of failures until the first lockout) and duration (how long the lockout period lasts)

  2. Enter the banned password strings for your organization in the textbox provided (one string per line) and turn on enforcement of your custom list

  3. Extend banned password protection to Windows Server Active Directory by enabling password protection in Active Directory. Start with the audit mode, which gives you the opportunity to evaluate the current state in your organization. Once an action plan is finalized, flip the mode to Enforced to start protecting users by preventing any weak passwords being used.

How does the banned password list work?
The banned password list matches passwords by normalizing the candidate (converting it to lowercase and undoing common character substitutions, such as «@» for «a») and then comparing it to the banned words with fuzzy matching, within an edit distance of 1. The banned word does not have to be the whole password; it is also caught when it is only a part of it, as the examples below show.

Example: the word «password» is on an organization's banned list.

  • A user tries to set their password to «P@ssword». It is normalized to «password», which is a banned word, so the change is blocked.

  • An administrator attempts to set a user's password to «Password123!». It is normalized to «password123!» and, because it contains a variant of «password», it is blocked.

Each time a user resets or changes their Azure AD password it flows through this process to confirm that it is not on the banned password list. This check is included in hybrid scenarios using self-service password reset, password hash sync, and pass-through authentication.

What do users see
When a user attempts to reset a password to something that would be banned, they see the following error message:

“Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.”
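To make the matching rules concrete, here is a small Python model of the check described above. It was written for this article and is not Microsoft's code, only a reconstruction of the documented behaviour: lowercase the candidate, undo look-alike substitutions («@» for «a» is the one shown in the example; «$» for «s» and «0» for «o» are added assumptions), then look for any banned word within an edit distance of 1, also when the word is just part of the password. It also models the Audit versus Enforced modes mentioned for the on-premises deployment; the sample passwords and the custom list are constructed for the demonstration.

```python
"""Simplified model of Azure AD Password Protection's banned-password check.

Added example for this article; it is not Microsoft's implementation, only a
model of the documented behaviour: lowercase the candidate, undo look-alike
substitutions, then fuzzy-match (edit distance <= 1) against every banned
word, also when the banned word is only part of the password.
"""
from typing import Iterable, Optional

# Substitutions undone before matching. '@' -> 'a' is the one shown in the
# docs ("P@ssword" -> "password"); '$' and '0' are assumptions for illustration.
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o"})

# Message shown to the user when a reset is rejected (quoted in the article).
USER_MESSAGE = (
    "Unfortunately, your password contains a word, phrase, or pattern that "
    "makes your password easily guessable. Please try again with a different "
    "password."
)


def normalize(candidate: str) -> str:
    """Lowercase the candidate and undo common character substitutions."""
    return candidate.lower().translate(SUBSTITUTIONS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute / keep
        prev = cur
    return prev[-1]


def find_banned_match(candidate: str, banned_words: Iterable[str]) -> Optional[str]:
    """Return the banned word the candidate is a variant of, or None.

    A banned word of length n matches when any window of the normalized
    candidate with length n-1, n or n+1 is within edit distance 1 of it, so
    "Password123!" matches "password" although extra characters follow it.
    """
    text = normalize(candidate)
    for word in banned_words:
        w = normalize(word)
        n = len(w)
        for length in (n - 1, n, n + 1):
            if length <= 0 or length > len(text):
                continue
            for start in range(len(text) - length + 1):
                if edit_distance(text[start:start + length], w) <= 1:
                    return word
    return None


def evaluate(candidate: str, banned_words: Iterable[str], mode: str = "Enforced") -> str:
    """Apply the list in the two modes the article describes.

    "Allowed"   - no banned word found
    "Blocked"   - banned word found, Enforced mode: the change is rejected
    "AuditOnly" - banned word found, Audit mode: the weak password is accepted
                  but the event would be logged for review
    """
    if find_banned_match(candidate, banned_words) is None:
        return "Allowed"
    return "Blocked" if mode == "Enforced" else "AuditOnly"


if __name__ == "__main__":
    # Constructed sample inputs: the two examples from the docs plus a few more.
    custom_list = ["password", "contoso"]
    for pw in ["P@ssword", "Password123!", "pasword1", "C0ntoso-Spring",
               "Tr0ub4dor&3", "correct-horse-battery-staple"]:
        match = find_banned_match(pw, custom_list)
        print(f"{pw:30} {evaluate(pw, custom_list):9} matched={match!r}")
        if match is not None:
            print("    ->", USER_MESSAGE)
```

Run it directly to see the two examples from the docs rejected and an unrelated passphrase accepted. Note the trade-off the windowed comparison makes visible: a very short or very generic banned word would match a lot of legitimate passwords, which is why the custom list is best kept to words specific to your organization (company and product names, local teams, office locations) rather than dictionary words that the global list already covers.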

It’s not only for the cloud
That’s nice, because you can even use it to prevent weak passwords from being used in an organization running Windows Server Active Directory. And yes, we are talking about your on-premises environment!

In a single forest deployment, the preview of Azure AD password protection is deployed with the proxy service on up to two servers, and the DC agent service can be incrementally deployed to all domain controllers in the Active Directory forest.


Before doing anything, I strongly suggest that you take a look at the official documentation here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises

What kind of Azure AD licenses do you need for this?
The benefits of the global banned password list apply to all users of Azure Active Directory (Azure AD). The custom banned password list requires Azure AD Basic licenses.
Azure AD password protection for Windows Server Active Directory requires Azure AD Premium licenses.

Print to corporate printers from #AzureAD joined Windows 10 devices

During my trainings, you’ll often hear me saying that it doesn’t make sense anymore to join your company’s portable devices to your on-premises Active Directory. In fact, these devices are usually used outside of the company’s network, so they never or rarely contact your Domain Controllers.

A common good practice is to join them to Azure AD and control them using MDM and Conditional Access policies. But what happens when a user needs to print to an on-premises printer?

This is now possible with the Hybrid Cloud Print feature: people in your organization can use Azure AD-joined devices to discover on-premises printers and print from work, from home or from anywhere else they can reach the internet.

Hybrid Cloud Print is built on top of the Windows Print Server role, so it supports traditional domain-joined devices in addition to Azure AD joined devices. Best of all, your existing printer management scripts, tools, reports, and procedures will continue to work as is. And it’s secured by Azure Active Directory, so you and your users still benefit from features like multi-factor authentication, identity protection and single sign-on (SSO).

Once deployed, the print discovery and installation experience will be familiar to your users.

 

Hybrid Cloud Print consists of two new IIS service endpoints:

  • Printer Discovery service
  • Windows Print service

There are also six new MDM policies to configure and manage Hybrid Cloud Print. These enable the client device to know where the IIS service endpoints are and which Azure tenant information to authorize against.

To get started, take a look at the Hybrid Cloud Print overview and follow the deployment guide.

I also suggest taking a look at this video, an Ignite presentation on this topic:

Thanks for your time!

“What If” tool in Public Preview for #AzureAD Conditional Access Policies

In case you don’t remember what Azure AD Conditional Access is all about, I suggest that you click here to take a look at the previous articles in my blog that deal with it.

Let’s talk about a new feature that was announced to be in Public Preview, the so-called “What If” tool for Conditional Access. This tool lets you understand the impact of your Conditional Access policies on a user sign-in, under conditions that you specify. Do you remember the on-premises Group Policy Modeling console? Well, it gives you similar results: you can see how the policies will be applied to a user, rather than waiting for the user to tell you (and complain, in some cases…).

So let’s see how it works:

Go to the Azure Portal, and select Azure AD Conditional Access, then click on What If:


Select the user you want to test and optionally select app, IP address, device platforms, client app, sign-in risk, and then click on the blue What If button:


And these are the results that you get:


Which policies WILL NOT apply? This tab is also helpful when you want to know the reason why a policy is not applied.


Want to learn more about the What If tool? Click here to go to the related Microsoft Docs article.

 

Enjoy!

#AzureAD administration experience in Azure classic portal to be retired January 8, 2018

 

Just for your convenience, I’ll copy here the latest Azure AD announcement about the retirement of the old admin portal:

 

Use the new Azure portal to manage Azure Active Directory

Action required

By January 8, 2018, you should plan to rely fully on the new administration experience for portal-based administration of Azure Active Directory.

The Azure AD experience in the classic Azure portal, and the Azure classic portal itself (https://manage.windowsazure.com), will be retired on January 8, 2018. You are receiving this email because you or another user in your organization recently used that experience.

Resources

Here are some resources to help you transition to using our new admin experience:

Azure AD admin center

Azure AD documentation

Getting started with the new administration experience

Provide feedback on the Azure AD admin experience

File a support ticket

Feedback

To give feedback, submit a feature request, or vote on existing feature requests from others, go to the admin portal section of our Feedback Forum.

Thank you,
Azure AD Team

All the news about #AzureAD @Ignite2017

MS Ignite 2017 is over, but if you need to know all the news about Azure Active Directory, you should definitely take a look at this article:

https://blogs.technet.microsoft.com/enterprisemobility/2017/09/27/whats-new-with-azure-active-directory-ignite-2017/

MS Ignite 2017: Shut the door to cybercrime with Azure Active Directory risk-based identity protection

Azure AD Identity Protection and Privileged Identity Management take secure identity and access management to the next level. These new Azure AD features put the power of conditional access and advanced risk analytics, just-in-time administration and security reviews in your hands to stop cyber criminals from gaining entry to your systems by compromising identities. Azure AD Identity Protection is built on Microsoft’s experience protecting consumer identities, and gains tremendous accuracy from the signal of over 13B logins a day. In this session, we demonstrate the detection capabilities, real-time prevention using conditional access, the end-user experiences, just-in-time administration and SIEM/analytics extensibility.

Video: #AzureAD Pass-through Authentication and Seamless Single Sign-on

Watch Swaroop Krishnamurthy, Senior Program Manager, Microsoft Identity Services, show you a new way to harness the power of cloud authentication while still keeping your passwords on-premises, using Azure Active Directory pass-through authentication and seamless single sign-on. You’ll see how Azure AD can now securely validate your passwords against on-premises Active Directory without the need for expensive on-premises infrastructure, and automatically sign your users in while they’re at work.

#AzureAD: The Top 5 Tips for Information Protection

Information security expert, Dan Plastina from the Azure security team shares the top 5 tips for successfully accelerating information protection inside of your organization. Watch too as Dan also highlights key technology updates for Azure Information Protection, including: ‘scoped policies’ for scaling up and personalizing default information classification labels for specialized teams and next generation RMS-protected secure email.

Learn how Microsoft Enterprise Mobility + Security supports your GDPR compliance journey

In this session, we will provide an overview of the GDPR and its potential impact on your organization, an approach for you to consider to prepare for the GDPR, and how Microsoft Enterprise Mobility + Security (EMS) can assist you on your journey to GDPR compliance. You will find specific use case scenarios Microsoft EMS can help you address and how you can obtain these capabilities today.

Presenting at #Collab365 Conference: #AzureAD, 5 reasons to implement it today


Join me for a session about Azure Active Directory during the Collab365 Conference on the 1st November 2017.

During my session we’ll discover together the top 5 features of Azure Active Directory that you can use today.

More details and schedule here.

See you there!