Tag Archives: mvp

#AzureAD Password Protection and Smart Lockout are now in Public Preview

One more cool feature related to Azure Active Directory, especially for those of you who care about security. Remember that the GDPR mandates a strict security baseline in order to protect personal data.

This new feature, announced in Public Preview, enforces or audits the passwords that Azure AD users choose: if a user tries to set an easily guessable password, the admin can either just audit the attempt or block it completely. We also have the option to specify a custom list of banned passwords.

In order to configure it, you need to log on to your Azure AD Portal and then navigate to Security –> Authentication Methods:


Let’s talk a bit about the different options that we see here.

  1. Set your custom smart lockout threshold (number of failures until the first lockout) and duration (how long the lockout period lasts)

  2. Enter the banned password strings for your organization in the textbox provided (one string per line) and turn on enforcement of your custom list

  3. Extend banned password protection to Windows Server Active Directory by enabling password protection in Active Directory. Start with the audit mode, which gives you the opportunity to evaluate the current state of your organization. Once an action plan is finalized, flip the mode to Enforced to start protecting users by preventing weak passwords from being used.

How does the banned password list work
The banned password list is matched by converting the candidate password to lowercase and comparing it against the known banned passwords with fuzzy matching, within an edit distance of 1.

Example: the word password is blocked for an organization

  • A user tries to set their password to "P@ssword"; it is converted to "password" and, because it is a variant of password, it is blocked.

  • An administrator attempts to set a user's password to "Password123!"; it is converted to "password123!" and, because it contains a variant of password, it is blocked.

Each time a user resets or changes their Azure AD password it flows through this process to confirm that it is not on the banned password list. This check is included in hybrid scenarios using self-service password reset, password hash sync, and pass-through authentication.
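As an added illustration (not Microsoft's implementation), here is a small Python approximation of the matching rule described above: lowercase the candidate, then look for any substring within edit distance 1 of a banned word, so that both "P@ssword" and "Password123!" are rejected. The banned list, the helper names and the sample passwords are constructed for this example.

```python
# Added example: approximation of the banned-password check described on the
# page (lowercase the candidate, fuzzy-match each banned word within edit
# distance 1). Illustrative code, not Microsoft's implementation.

BANNED_WORDS = ["password"]  # constructed custom banned list for the example


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between a and b (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def matched_banned_word(candidate: str, banned=BANNED_WORDS):
    """Return the banned word the candidate matches, or None.

    The candidate is lowercased and every substring whose length is within
    one of the banned word's length is compared with edit distance <= 1,
    so a banned word is caught anywhere inside a longer password.
    """
    text = candidate.lower()
    for word in banned:
        w = word.lower()
        for length in (len(w) - 1, len(w), len(w) + 1):
            if length <= 0:
                continue
            for start in range(max(len(text) - length, 0) + 1):
                window = text[start:start + length]
                if window and edit_distance(window, w) <= 1:
                    return word
    return None


def check_password(candidate: str, banned=BANNED_WORDS) -> bool:
    """True if the candidate is acceptable under the banned list."""
    return matched_banned_word(candidate, banned) is None


if __name__ == "__main__":
    for pw in ("P@ssword", "Password123!", "Tr0ub4dor&3"):  # constructed
        print(pw, "->", "blocked" if not check_password(pw) else "accepted")
```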

What do users see
When a user attempts to reset a password to something that would be banned, they see the following error message:

“Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.”

It’s not only for the cloud
That’s nice, because you can use it even to prevent weak passwords from being used in Windows Server Active Directory. And yes, we are talking about your on-premises environment!

In a single forest deployment, the preview of Azure AD password protection is deployed with the proxy service on up to two servers, and the DC agent service can be incrementally deployed to all domain controllers in the Active Directory forest.


Before doing anything, I strongly suggest that you take a look at the official documentation here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises

What kind of Azure AD licenses do you need for this?
The benefits of the global banned password list apply to all users of Azure Active Directory (Azure AD). The custom banned password list requires Azure AD Basic licenses.
Azure AD password protection for Windows Server Active Directory requires Azure AD Premium licenses.


Use Internal URLs to access apps from anywhere with My Apps Sign-in Extension and the #AzureAD Application Proxy

If you regularly follow this blog, you should already know a lot about Azure AD Application Proxy. I also recommend that you take a look at this presentation here: https://systemplus.gr/training/training-videos/azureadproxy/


Now we have the option to access internal resources using internal URLs, even when outside our corporate network, by using the My Apps Secure Sign-in Extension for Azure AD. When a user types in a familiar shorthand URL such as https://myinternalwebapp, they are redirected to the externally resolvable URL, https://www.myinternalwebapp.systemplus.gr. This works with any application that you have published using Azure AD Application Proxy, on any browser that also has the Access Panel browser extension installed.


You should get the latest version of the extension (supported on Edge, Chrome, and Firefox). Then, type the internal URL of the published application into the address bar. The extension will recognize that the URL has been published through Application Proxy and will redirect you to the external URL of the application.


Our users can download these extensions themselves, or admins can deploy the extension using the browser’s group policy settings. The URL redirection functionality is automatically enabled once a user logs into the extension.


To learn more about this new feature, you can read the documentation here.


Thanks for your time!

New #AzureAD B2C customization options

(Note: we have announced a webinar in Greek on Microsoft Azure, so that you can get trained from home. See more information here.)


The Azure AD product group recently announced some exciting new features. Here is a short list:

  • Enhanced flexibility for customizing login and registration experiences.
  • Update the portal experience so that features are more easily accessible.
  • New features that make it easy to use custom OpenID Connect (OIDC) identity providers in built-in policies.
  • New features for how custom OIDC providers work in custom policies to make configuration easier.
  • Azure AD B2C Language customization features are now Generally Available!

Let’s check them now.


What’s new in Public Preview and GA

Add custom OIDC identity providers in built-in policies: There is a new feature that enables you to use any OIDC identity provider right out of the box — a feature that used to be only available in custom policies. If you’re running a scenario in which you’re talking to multiple Azure AD tenants, you can now configure a single multi-tenant Azure AD provider with custom policies. This saves you from having a long list of identity providers and you no longer have to configure each tenant individually. This feature directs users to the right directory for authentication based on their email domain.

So you simply need to create a new identity provider and select the social identity provider that you want to use:




  • Create a policy using ROPC flow: With this feature, your application will be able to gather user credentials in the context of a native mobile app without needing the user to interact with a web browser. The app will authenticate the user with Azure AD B2C via API.
  • B2Clogin.com: To better allow you to customize your login experience, we now have the b2clogin.com feature. With this feature, you can remove the ‘Microsoft’ from your app URL and use <your tenant name>.b2clogin.com instead.
  • New policy portal experience: Now when you are creating and editing a policy (or as we refer to it now, a user flow), we have a new experience that will streamline your tasks and reduce friction in using our features.
  • Language customization: This feature is now generally available! Microsoft provides support for 36 languages and for custom languages when you provide the translations for all the strings.

Thanks for your time!

What is (usually) in my bag for the MVP Summit 2018 (and also when I travel for business)

As many of you know, I travel a lot for business. And obviously I need to carry some technology with me, that in many cases makes my life easier. During travels I also need to use some technology to spend my time during long-haul flights from Europe to the US for example. During conferences I need to get a lot of notes, but I also need to do some remote work, to remotely support my clients.

So this is what I usually bring with me:

1. Microsoft Surface Pro 4
Bought in the UK from Microsoft Store, it lets me do presentations, it’s light and small with an excellent battery life, a perfect travel companion. I use the keyboard, use it as a tablet, but I also use the Surface Pen to take notes. I also use it as a Kindle device to read my digital books during long flights.
2. Power adapters for many countries
I need this when I visit UK and USA, because you all know that they use a different plug there. (I should not forget to bring it with me for my trip to Malta…)
3. Microsoft Bluetooth Mobile Mouse 3600
It’s small, Bluetooth and has a long battery life, the perfect companion for my Surface.
4. Microsoft Microfiber mouse pad
When I use my Microsoft optical Bluetooth mouse, I need a light-weight pad. Bought from the Microsoft Company Store at the Microsoft campus, it lets me use my mouse even on glass surfaces, which many hotel rooms have today. It also works as a screen-cleaning cloth!
5. OnePlus 3T
It’s dual-sim, so I use a second SIM when travelling to non-European countries, just to avoid extra costs. The Dash charger can charge this phone from 0 to 60% in just 30 mins, if you forget to charge it overnight.
6. Surface adapters
I always carry a USB to Ethernet adapter and a “mini HDMI to everything” adapter, because you never know when you’ll need to project your screen.
7. Audio-Technica ATH-ANC1 QuietPoint noise cancelling headphones
They are not as expensive as the Bose ones, but they do an excellent job. I can listen to music or watch videos on my Surface without any external noise, completely isolated. The package includes the special headphone jack adapter that is used on some airlines.

Thanks for your time!

Microsoft MVP Summit March 2018: a review of our visit to Microsoft headquarters in Redmond


For yet another year I had the opportunity to visit Microsoft's headquarters in Redmond as an MVP, to attend training sessions from the Active Directory product group.

This is one of the most important benefits of being recognized as a Microsoft Most Valuable Professional by Microsoft itself: the chance to spend 4 days with the people who build the technologies that we use every day in our companies and for our customers.

You can imagine, of course, that a visit to the Microsoft Campus is a special experience in itself: it is a huge area, as large as the centre and some suburbs of Thessaloniki, with more than 100 office buildings and parks, football pitches and fields for other sports, so that emphasis is placed on a healthy working environment.

The trip starts somewhere in Europe, and the flight to Seattle lasts 10 hours.



Arriving in Seattle, you realise that it usually... rains. The city and its suburbs are very beautiful, but the weather...


From SeaTac airport we head to Bellevue, a suburb that in recent years has been chosen as the accommodation for the roughly 2000 MVPs because of its short distance from Redmond, where the Microsoft campus is located.


The atmosphere on campus is festive during those days: about 2000 MVPs from every country come to be trained and to exchange opinions and experiences with colleagues from all over the world.

An old friend of mine and fellow MVP, the author Mark Minasi, well known to many, was there this year for the last time, since, as he has announced, he is retiring from "active duty". So we met on the way to the campus and got talking. For me it is very important to have met people like Mark, whose books I was reading when I started working with Microsoft technologies about 20 years ago. So I thanked him for all the knowledge he has given us:


And so we begin with the presentations from the product groups, which, it should be noted, are protected by NDA, meaning that I cannot reveal to you technical details of what I saw and heard. You will see them arriving gradually over the coming months.


But I can tell you that a great deal of importance is placed on security. The conclusion from many presentations is that we must do everything possible to protect our data. There are plenty of technologies; we just have to implement them.


My "office" during those days there was Building 43, which houses part of the Identity Product Group (yes, you guessed right, Azure Active Directory).


The decoration on the Microsoft campus is generally pleasant, with various retro elements, like the one in the photo above.


The employees in such a pleasant environment decorate their offices accordingly, for example the pictures on the windows made of post-it notes in the photo above.

Of course, when it is not raining, as an employee you can take a walk on the campus, or even grab something to eat from the restaurants there, or even from the outdoor food stands for something quicker:


On this trip, jet lag takes its toll: with a 10-hour difference from Greece, you need a few days to adjust. But the knowledge and the overall experience are priceless.


It goes without saying that all the knowledge we gain is ultimately passed on to you who follow us and take part in the Microsoft technical training courses we organise. We have plenty of "inside" information and can point you in the right direction, since we have a picture of where the technology is heading.

So I suggest that you too take a look at the Identity Webinar that I announced some time ago, so that you can gain technical knowledge about Active Directory, whether it is in an on-premises environment or in Microsoft Azure.


See the Identity webinar here.


Thank you for your time!

#AzureAD and Hybrid MIM reporting is here

You can hear me talk a few times during the Windows Server 2016 Identity course about Microsoft Identity Management. It’s a great tool, giving you the ability to control your on-premises identities effectively.

But we all know that many customers use hybrid environments: on-premises Active Directory and Azure Active Directory. For those customers, user access to resources is controlled through security group memberships. Many customers today use MIM, but they would like to have better reporting.

Now we have the option to monitor user activity related to password resets (self-service) and to groups, without actually caring where it happens: on-premises or in the cloud, it really doesn’t matter.

The reports that we can create now can be found in the Azure portal, or better, you can use Power BI, or even export them to generate custom views.

If you use MIM and you want to enable this feature, please read the documentation here: Hybrid identity management audit reporting.


Thanks for your time!

#AzureAD Application Proxy and faster application deployment

Just before reading the great news about Azure AD Application Proxy, I suggest that you take a look at this training video: https://systemplus.gr/training/training-videos/azureadproxy/

So what’s the news? You can now use PowerShell to manage the deployment of your Azure AD Application Proxy. This can be handy for customers that need to deploy multiple applications and need an easy way to do it.

To use it, you need to install the new preview of the Azure AD PowerShell module. This module includes commands for:

  • Creating a new application
  • Changing SSO settings for an application
  • Assigning certificates to applications to enable custom domains
  • Assigning a different Connector to an application
  • Getting all the Connectors in a specific group
  • Most other administrative controls for Azure AD Application Proxy

To learn more about the PowerShell commands and Azure AD Application Proxy, see the documentation here.

And don’t forget to provide feedback here.