Tag Archives: active directory

Why I love the Microsoft Authenticator App: because now it sends security notifications!

I cannot hide how much I use and love the Microsoft Authenticator App. If you enable MFA logins for all your cloud services, it’s like magic: even without any internet connection, the app generates a code that you can use as an additional factor of authentication.

So how do these additional security notifications work? When important events, such as a password change, happen on your personal Microsoft account, Microsoft Authenticator will send you a notification. You can then view your account activity and take action to protect your account if needed. The goal of these notifications is to increase awareness and help you react quickly if there is unexpected activity. They give you a powerful tool to understand and keep control of your account, covering events such as a login from a new device or an unusual location, or even a password change:

[Screenshot: Microsoft Authenticator security notification]

If you receive an unusual notification, you can immediately check and view your account activity and take necessary actions to protect it.

[Screenshot: Microsoft Authenticator account activity view]

 

Thanks for your time!

#AzureAD new feature in preview: Roles and Administrators

One more cool feature in Azure Active Directory that makes managing and controlling user assignments easier than ever. It provides you with a complete list and description of the built-in directory roles, in case you need to know all the details related to a specific role.

It can also point you to the documentation that you need to read in order to better understand and utilize the roles. For example, you may need to know how many Global Admins you have, or what a specific role does and whether you’ve assigned that role to any users.

So let’s see how it works.

In the Azure AD portal, start by clicking Roles and administrators to display the complete list and a brief description of all the built-in directory roles. You can also see your active Azure AD role assignment (if you have one) and click Your role to access the list of your active assigned roles:


Just click on a role to see the users assigned to that role:


and then click Description to see details about that specific role:


You can also open the details of an Azure AD user, check the roles assigned to them, and assign additional roles to that user:


Support for Azure AD PIM

If you use Azure AD Privileged Identity Management (PIM) to limit standing admin access, there is a dedicated link to a brand-new experience in those blades as well.

If your organization hasn’t enabled PIM, click the Manage in PIM button for information on what PIM can do to protect your administrators and sign up for a trial.

 

And remember, we offer a list of Azure online courses, so you can get the proper training and get certified on Microsoft Azure. You can see the courses offered here.

 

Thanks for your time!

Use Internal URLs to access apps from anywhere with My Apps Sign-in Extension and the #AzureAD Application Proxy

If you regularly follow this blog, you should already know a lot about Azure AD Application Proxy. I also recommend that you take a look at this presentation here: https://systemplus.gr/training/training-videos/azureadproxy/

 

Now we have the option to access internal resources using internal URLs even when outside our corporate network, by using the My Apps Secure Sign-in Extension for Azure AD. When a user types in a familiar shorthand URL such as https://myinternalwebapp, they can be redirected to the externally resolvable URL, https://www.myinternalwebapp.systemplus.gr. This works with any application that you have published using Azure AD Application Proxy, on any browser that also has the Access Panel browser extension installed.

 

You should get the latest version of the extension (supported on Edge, Chrome, and Firefox). Then, type the internal URL of the published application into the address bar. The extension will recognize that the URL has been published through Application Proxy and will redirect you to the external URL of the application.

 

Our users can download these extensions themselves, or admins can deploy the extension using the browser’s group policy settings. The URL redirection functionality is automatically enabled once a user logs into the extension.

 

To learn more about this new feature, you can read the documentation here.

 

Thanks for your time!

Better login user experience and the new “Keep me signed in” experience for #AzureAD

 

[Screenshot: the new “Keep me signed in” prompt]

How can you reduce how often a user is asked to sign in again to Office 365 and Azure AD? The answer used to be the “Keep me signed in” checkbox, although Microsoft says that usage of this checkbox is low. Users should still be happy, and that is why the Azure AD team is trying to improve the whole process.

So we have a new feature in preview, and this is how it works: the usual checkbox has been replaced with a prompt that asks the user whether they’d like to remain signed in. If the user answers “Yes” to this prompt, the service issues them a persistent refresh token.

(By the way, this process is related to the change in the token lifetime that was announced a few days ago, take a look at this article.)

Just take a look at the picture above to understand how it will work. If you have a federation trust with Azure AD, you’ll get this prompt just after the proper authentication against your local federation identity service (ADFS).

As soon as you type your password, you’ll be asked if you want to remain signed in. And if you care about security, there is a lot of machine learning and intelligence built in for the case where you sign in from a shared device.

The updated prompt will only show when you use the new sign-in experience. Admins can choose to hide this new prompt for users by using the “Show option to remain signed in” setting in company branding:


Remember the changes in the token lifetime we discussed before? This change won’t affect any token lifetime settings you have configured.

Thanks for your time!

Microsoft Official Courses at special prices to get certified

 

Do you want to attend a Microsoft Official Course and get certified at a special price? Now you have the option to do it.

If you live in Europe and you want to get a Microsoft certification, but you cannot afford the high course prices in your country, you should consider attending a course at our training center in Greece.

A typical Microsoft course in Greece costs a fraction of the price that you would pay in most European countries. This is mainly because of the cost of living in Greece. For example, an official Microsoft course in Germany could cost around 2500 euros (exam not included), while in Greece the exact same course costs around 1000 euros.

Our offer: We can arrange your accommodation during your stay in Greece, we can also arrange transfers to/from the airport at no additional fee and we can arrange your flights if you need to.

The courses are delivered in English by our instructors, we provide you with the official Microsoft Learning material (books, labs) and you have the option to go for the exam as soon as you finish the course! So practically you go back home certified!

Now let’s calculate the costs:

  • Microsoft course including lecture and training material = 1000 euros
  • Microsoft Exam = 120 euros
  • Accommodation 6 nights at a 4-star hotel, including breakfast = 500 euros
  • Flight to/from Greece = 250 euros (or even less, some airlines can offer tickets as low as 100 euros)
  • Total cost = 1720 to 1870 euros

Teaching Microsoft courses around Europe for 17 years now allows us to offer you the exact same content at a special price. Do not hesitate to contact us, and take a look for more details here: https://systemplus.gr

Announcing the GA of #AzureAD PowerShell V2.0

 

Last October the Azure AD Product Group announced Azure AD PowerShell v2.0 as a public preview; you should check this blog post, and also this one, which shows what you can do with it and how to use it to create dynamic groups.

So there are more cmdlets that you can use today in your production environment. As the PG says, they tried to give us the same functionality no matter which tool you use, the Graph API or the PowerShell cmdlets. For this reason, all these new cmdlets are built on top of the Graph API.

Just remember that the new Azure AD PowerShell v2.0 module doesn’t provide full functional parity with the older MSOL module yet (this will come over the next months). Please also note that there will be no new functionality in the MSOL PowerShell module.

And a few changes:
1. The Revoke-AzureADSignedInUserAllRefreshTokens and Revoke-AzureADUserAllRefreshTokens cmdlets were renamed to Revoke-AzureADSignedInUserAllRefreshToken and Revoke-AzureADUserAllRefreshToken respectively, to follow the Verb-SingularNoun naming convention.
2. This GA only includes cmdlets that call into a production endpoint of the Graph API. If you want to use cmdlets that call a Beta endpoint, these are available in the public preview release of the Azure AD v2.0 PowerShell cmdlets. The cmdlets excluded from this release include those used to manage Administrative Units, Domain settings, Policy settings, and Directory settings.

How to install it: Go to the PowerShell Gallery and follow the steps. If you’re using Windows 10, you just need to open a PowerShell window as an administrator and type “Install-Module AzureAD”. If you use any other OS, you can take a look here: https://msdn.microsoft.com/powershell/gallery/readme


After installation, just make sure that you have the latest version 2.0.0.33 installed:


Don’t forget that you can always use the Get-Help cmdlet to find information about any cmdlet that is included in this version:
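As an added example (not from the original post or from the module’s own documentation), here is a short script that checks the installed module against the 2.0.0.33 version mentioned above, warns if scripts still rely on the old plural cmdlet names, and then uses the renamed Revoke-AzureADUserAllRefreshToken to invalidate a user’s refresh tokens, which is what you do when an account is suspected compromised. The UPN is a placeholder, and reading RefreshTokensValidFromDateTime back from the user object to confirm the revocation is an assumption about that object’s properties.

```powershell
# Added example, not code from the original post.
$RequiredVersion = [version]'2.0.0.33'   # the GA version quoted in the post

# 1. Make sure the GA module (not the preview) is present and recent enough.
$installed = Get-Module -ListAvailable -Name AzureAD |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $installed) {
    throw "AzureAD module not found. Run 'Install-Module AzureAD' from an elevated PowerShell window."
}
if ($installed.Version -lt $RequiredVersion) {
    throw "AzureAD $($installed.Version) is older than $RequiredVersion. Run 'Update-Module AzureAD'."
}
Import-Module AzureAD

# 2. The preview's plural names were renamed at GA; flag any that still resolve
#    (for example from a leftover AzureADPreview install) so scripts get updated.
foreach ($old in 'Revoke-AzureADUserAllRefreshTokens', 'Revoke-AzureADSignedInUserAllRefreshTokens') {
    if (Get-Command $old -ErrorAction SilentlyContinue) {
        Write-Warning "$old still resolves on this machine; use the singular-noun GA name instead."
    }
}

Connect-AzureAD | Out-Null

# 3. Incident response step: invalidate every refresh token the account holds.
#    Access tokens already issued stay valid until they expire on their own.
$upn  = 'user@example.com'   # placeholder, not a real account
$user = Get-AzureADUser -ObjectId $upn
$before = $user.RefreshTokensValidFromDateTime   # assumed property of the user object

Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

$after = (Get-AzureADUser -ObjectId $user.ObjectId).RefreshTokensValidFromDateTime
if ($after -gt $before) {
    Write-Output "Refresh tokens for $upn issued before $after are now invalid."
} else {
    Write-Warning "RefreshTokensValidFromDateTime has not moved forward yet; re-read it in a few seconds."
}
```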


Enjoy!

Download my FREE blog reader app from Windows Store

 

Just a quick reminder, in case you don’t know it.

There is a FREE blog reader app in the Windows Store, that gives you access to all the articles that you can read here, related to #AzureAD and other technologies. It has been published in the store for some time now, so you should give it a try!

#AzureAD PowerShell v2.0 is now in public preview

 

If you have ever used PowerShell, you already know that it is a cool tool. And if you follow this blog regularly, you should remember that I wrote an article back in January this year about Azure AD PowerShell and how to use it. You can check that article here: https://spanougakis.com/2016/01/18/azure-ad-powershell-and-how-to-use-it/

And some time ago I presented how to automate your day-to-day administration tasks in your on-premises AD environment using PowerShell; the recording of the presentation (in Greek) can be found here: https://systemplus.gr/adauto.html

But why do we need a new version of Azure AD PowerShell? Because the new version brings a lot of updates to existing cmdlets, mainly because they have to align with the new features and capabilities that Azure AD has to offer. These new capabilities are included in the new Azure AD PowerShell module. The good news is that the module is available today, so you can start testing!

Azure AD PowerShell v2.0 installation

If you are looking for a download link, don’t bother, because there is an easier way to download and install it. Just open a normal PowerShell window as an administrator and type:

Install-Module -Name AzureADPreview


The next step should be to import the new module and then check the version that you’ve just installed, running the following commands:

import-module azureadpreview

get-module azureadpreview


Now let’s connect to Azure AD using the following commands:

$azureadcred=get-credential

connect-azuread -credential $azureadcred

The first command prompts for credentials and stores them as $azureadcred. The next command uses those credentials as $azureadcred to connect to the service.


You probably already noticed that there is a change in the names of all cmdlets: instead of typing “connect-msolservice”, we now have to type “connect-azuread”, so practically the entire MSOL module was renamed to AzureAD. If an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser”.

For a full list of all available cmdlets and how to use them, please read the AzureAD PowerShell reference documentation here: https://msdn.microsoft.com/en-us/library/azure/mt757189.aspx

So let’s examine now some of the new functionality we get:

-SearchString parameter

We can now search for data in our directory based on a string we specify:


Or you could search for the string “Athens” to find the users located in that city, based on the information we specified on their user accounts:


Note that the SearchString search scope for users currently covers the attributes “City”, “Country”, “Department”, “DisplayName”, “JobTitle”, “Mail”, “mailNickName”, “State”, and “UserPrincipalName”.

Configurable Token Lifetimes, which are also included in this version, are covered in detail here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-configurable-token-lifetimes/ and this will probably be something we’ll discuss in a future blog post.

Manage Certificate Authority using PowerShell for Azure AD

  • New-AzureADTrustedCertificateAuthority – Adds a new certificate authority for the tenant
  • Get-AzureADTrustedCertificateAuthorities – Retrieves the list of certificate authorities for the tenant
  • Remove-AzureADTrustedCertificateAuthority – Removes a certificate authority for the tenant
  • Set-AzureADTrustedCertificateAuthority – Modifies a certificate authority for the tenant

… and a good idea for another blog post; meanwhile you can find details here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-certificate-based-authentication-ios/#getting-started%20/

Managing Applications using PowerShell for Azure AD

  • New-AzureADApplication
  • Remove-AzureADApplication
  • Set-AzureADApplication

Manage Directory Extensions in PowerShell

  • Get-AzureADApplicationExtensionProperty
  • New-AzureADApplicationExtensionProperty
  • Remove-AzureADApplicationExtensionProperty

Manage Owners for an Application

  • Add-AzureADApplicationOwner
  • Get-AzureADApplicationOwner
  • Remove-AzureADApplicationOwner

Manage credentials for Applications in PowerShell

  • Get-AzureADApplicationKeyCredential
  • New-AzureADApplicationKeyCredential
  • Remove-AzureADApplicationKeyCredential
  • Get-AzureADApplicationPasswordCredential
  • New-AzureADApplicationPasswordCredential
  • Remove-AzureADApplicationPasswordCredential
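As an added example (written for this page, not code from the original post or from the AzureAD team), the script below exercises two of the things described above: the -SearchString lookup, using the “Athens” search from the post, and the application credential cmdlets just listed, which it uses to inventory every application’s certificates and passwords and flag the ones that are expired, expire soon, or were issued with a very long lifetime. The 30-day warning window and the two-year lifetime limit are assumptions.

```powershell
# Added example, not code from the original post.
Import-Module AzureADPreview
$azureadcred = Get-Credential
Connect-AzureAD -Credential $azureadcred | Out-Null

# 1. SearchString matches on City, Country, Department, DisplayName, JobTitle,
#    Mail, mailNickName, State and UserPrincipalName (the scope listed above).
Get-AzureADUser -SearchString 'Athens' |
    Select-Object DisplayName, UserPrincipalName, City, Department |
    Format-Table -AutoSize

# 2. Credential inventory across all applications in the directory.
$now        = Get-Date
$warnWithin = New-TimeSpan -Days 30    # assumption: warn 30 days before expiry
$maxLife    = New-TimeSpan -Days 730   # assumption: flag lifetimes over two years

$findings = foreach ($app in Get-AzureADApplication -All $true) {
    # Normalise certificate and password credentials into one shape.
    $creds = @()
    $creds += @(Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId |
        ForEach-Object { [pscustomobject]@{ Type = 'Certificate'; KeyId = $_.KeyId; Start = $_.StartDate; End = $_.EndDate } })
    $creds += @(Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId |
        ForEach-Object { [pscustomobject]@{ Type = 'Password'; KeyId = $_.KeyId; Start = $_.StartDate; End = $_.EndDate } })

    foreach ($c in $creds) {
        $status = if (-not $c.End)                             { 'NO EXPIRY' }
                  elseif ($c.End -lt $now)                     { 'EXPIRED' }
                  elseif (($c.End - $now) -lt $warnWithin)     { 'EXPIRES SOON' }
                  elseif (($c.End - $c.Start) -gt $maxLife)    { 'LONG-LIVED' }
                  else                                         { 'OK' }
        [pscustomobject]@{
            Application = $app.DisplayName
            AppId       = $app.AppId
            Type        = $c.Type
            KeyId       = $c.KeyId
            Expires     = $c.End
            Status      = $status
        }
    }
}

# Expired credentials are dead weight to remove, soon-to-expire ones cause
# outages, and long-lived or non-expiring ones widen the exposure window.
$findings | Where-Object { $_.Status -ne 'OK' } | Sort-Object Expires | Format-Table -AutoSize
```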

Take a look at this video by Nasos Kladakis, where you can see how you can use the new Azure AD PowerShell module to configure an application in your directory and assign users to roles for the new application.

Thanks for your time! 

#AzureAD Domain Services is now available, so let’s take a look

 


Back in October 2015, the Microsoft Identity division announced the Azure AD Domain Services Preview, and I wrote a blog post about this new feature here: https://spanougakis.com/2015/10/15/azure-active-directory-domain-services-your-domain-controller-as-a-service/

So the time has come and this feature is available globally today. In the meantime, they had already announced a cool set of enhancements in May this year:

  • Secure LDAP access
  • Custom OU support
  • Administer DNS for your managed domain
  • Domain join for Linux VMs

Following yesterday’s announcement of the GA, these enhancements became even better:

  • Secure LDAP access to your managed domain, including over the internet (even from Amazon Web Services)
  • Enable “AAD DC Administrators” to configure DNS on their managed domain.
  • Enable “AAD DC Administrators” to create custom organizational units (OUs).

So let’s take a look at these new features, as they are described in the original announcement of the AzureAD team here: https://blogs.technet.microsoft.com/enterprisemobility/2016/10/12/azuread-domain-services-is-now-ga-lift-and-shift-to-the-cloud-just-got-way-easier/

For your convenience, I’ve copied the original text here, because it contains a lot of useful articles and guides that you should check.

  • Support for secure LDAP: You can access your managed domain using LDAPS (secure LDAP), including over the internet.
  • Custom OU support: Users in the ‘AAD DC Administrators’ delegated group can create and administer a custom organizational unit on your managed domain.
  • Configure managed DNS for your domain: Users in the ‘AAD DC Administrators’ delegated group can administer DNS on your managed domain using Windows Server DNS administration tools.
  • Domain join for Linux: The AzureAD team has co-operated with RedHat to document how you can join a RedHat Linux VM to your managed domain.
  • New and improved synchronization with your Azure AD tenant: Re-design of the synchronization between your Azure AD tenant and your managed domain. For existing domains, this new improved synchronization has been rolled out automatically in a phased manner.
  • The ‘password does not expire’ attribute: Some accounts had the ‘password-does-not-expire’ attribute set on them, for example, service accounts. The password policy was being enforced for these accounts in managed domains, resulting in their passwords expiring. Passwords for such accounts will not expire.
  • Incorrect group display name for accounts created in Azure AD: The samAccountName attribute for groups created in Azure AD was not being set correctly in the managed domain. These were being set to GUIDs instead of valid samAccountNames.
  • SID history sync: The on-premises primary user and group SIDs will now be synchronized to your managed domain and set as the SidHistory attribute on corresponding users and groups. This cool feature helps you move your workloads to Azure without having to worry about re-ACLing them.
  • Virtual network peering: The Azure networking team recently announced GA for virtual network peering. This awesome feature makes it easy to connect Domain Services to other virtual networks. You can connect a classic virtual network in which your managed domain is available to workloads deployed in resource manager virtual networks using network peering.

Well, I can guarantee that you’ll spend some hours exploring all these new features, as I did.

One of the best enhancements (personal opinion) is the ability to create custom OUs. If you really want to test it, please follow the guide here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-admin-guide-create-ou/

From the official announcement of the GA, we also have some idea of what is on the way:

  • Support for Azure Resource Manager, including the ability to enable the service in Resource Manager based virtual networks.
  • A new management UI experience in the modern Azure portal (portal.azure.com).

So I strongly suggest that you take a look at the official announcement, and we’ll explore all these exciting new features together on this blog:

https://blogs.technet.microsoft.com/enterprisemobility/2016/10/12/azuread-domain-services-is-now-ga-lift-and-shift-to-the-cloud-just-got-way-easier/

Thanks for your time!

#AzureAD Conditional Access: Per app MFA and Network Location based policies are now available

This is a really cool feature in case you use Multifactor Authentication on Azure AD (and you should use it, trust me). In the past, MFA was available for all the apps and services that are based on Azure AD, like Office365, CRM Online, etc., and it was more or less mandatory, regardless of the application and the location you were connecting from.

Well, I’m really excited because now we have the ability to require MFA only for specific apps and network locations: when you connect from your company computer you can skip it entirely, because this computer is trusted and protected. But when you connect from a public computer, you should use it, because you probably want the extra protection that MFA has to offer.

So this is how it’s configured.

1. Log on to the Azure management portal.

2. Select your directory and then select the Applications tab.

3. In this example I’ll configure MFA only for the CRM Online app, so I have to select the app and click Configure.

4. Here we are: we have the option to configure how MFA will work by enabling access rules and specifying the required settings. Cool, don’t you think?

Thanks for your time!