Tag Archives: training

Azure AD B2C custom policies to build-your-own identity methods is in general availability

A few days ago the Azure AD product group announced the general availability of the Identity Experience Framework and custom policy support in Azure Active Directory B2C. In practice this means you can build your own identity journeys, use the identity technology of your choice and interoperate with multiple identity providers.

With the release of custom policies in Azure Active Directory B2C you can now customize your identity experience for clients and partners. Do not forget to take a look at this article here: Get started with custom policies in Azure Active Directory B2C

There is also an upcoming webinar that you should not miss. Sign up for the webinar on April 18th: Connect more effectively with customers using Azure Active Directory B2C.

Many customers and partners already use Azure AD B2C today, and one of them is Subway, a leading restaurant chain in the US and elsewhere. They migrated their customers seamlessly, without changing passwords, from an older identity solution into Azure Active Directory B2C. With customer identity upgraded, Subway customers can connect through the native mobile application and take better advantage of the loyalty program:

[Image: Subway mobile app]

 

The underlying technology is a Microsoft-patented technology called the Identity Experience Framework. Some of the features it includes are:

  • Author and upload your own user identity journey using custom policies.
  • Federate with OpenID Connect providers (e.g. Azure Active Directory multitenant, social account providers, two-factor authentication providers).
  • Federate with SAML 2.0 providers (e.g. ADFS, Salesforce, Shibboleth).

[Image: Identity Experience Framework]

The best way to get familiar with it is to take a look at the Solutions and Training for Azure Active Directory B2C page and start using it today.

 

Thanks for your time!

Azure AD Naming Policy for Office 365 Groups is now available

Another cool Azure AD feature was announced these days: we now have the ability to enforce a Naming Policy for Office 365 Groups. The new Naming Policy feature lets admins define prefix or suffix conventions that are automatically added to group names, and create a list of words that are blocked from use in group names. Keep in mind that you’ll need Azure AD Premium P1 licenses for the users that will belong to these groups, for the group creator and for the Naming Policy administrator.

One obvious use of a Naming Policy is to block specific words from being used in group names and aliases. Another is to produce group names that declare the function of the group, its membership, or the geographic region it belongs to.

How it works

You can enforce naming policy for Office 365 groups in two different ways:

  • Prefix-suffix naming policy: you define prefixes or suffixes that are then added automatically to enforce a naming convention on your groups (for example, in the group name “GRP_Athens_Accounting”, GRP_Athens_ is the prefix and _Accounting is the suffix).

  • Custom blocked words: you upload a set of words specific to your organization that are blocked in groups created by users (for example, “CEO, Payroll, HR”).

 

Install PowerShell cmdlets to configure a naming policy

Make sure to uninstall any older version of the Azure Active Directory PowerShell for Graph module for Windows PowerShell and install Azure Active Directory PowerShell for Graph – Public Preview Release 2.0.0.137.

Then:

  • Open the Windows PowerShell app as an administrator.
  • Uninstall any previous version of AzureADPreview by running: Uninstall-Module AzureADPreview
  • Install the latest version of AzureADPreview by running: Install-Module AzureADPreview
  • Answer Y to the prompt and wait a few minutes for the installation to finish.

 

How to configure the group naming policy for a tenant using Azure AD PowerShell

 

This is an example of how you can import, from a text file, the blocked words that you don’t want to be used in group names:

# Requires the AzureADPreview module; sign in first with Connect-AzureAD.
# Read the blocked words (one per line) and join them into the comma-separated string the setting expects.
$BadWords = Get-Content "C:\work\currentblockedwordslist.txt"
$BadWords = [string]::Join(",", $BadWords)

# Fetch the tenant-wide Group.Unified settings object, if it already exists.
$Settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}

if ($Settings.Count -eq 0)
{
    # No settings object yet: create one from the Group.Unified template, then read it back.
    $Template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
    $Settings = $Template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $Settings
    $Settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
}

# Apply the custom list and also turn on Microsoft's standard blocked-word list.
$Settings["CustomBlockedWordsList"] = $BadWords
$Settings["EnableMSStandardBlockedWords"] = $True
Set-AzureADDirectorySetting -Id $Settings.Id -DirectorySetting $Settings
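The post only shows the blocked-word half of the policy. Here is an added example (my own, not from the original post or Microsoft's docs) that sets the prefix-suffix requirement described above alongside a blocked-word list and then reads the effective values back to verify them; it assumes the AzureADPreview module is installed, Connect-AzureAD has already been run, and that the sample prefix/suffix values and word list are illustrative.

```powershell
# Added example (not from the original post): configure both halves of the
# naming policy on the Group.Unified settings object and verify the result.
# Assumes: AzureADPreview installed and Connect-AzureAD already executed.
$SettingName = "Group.Unified"

# Fetch the tenant-wide settings object, creating it from the template if it does not exist yet.
$Settings = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq $SettingName }
if (-not $Settings) {
    $Template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq $SettingName }
    New-AzureADDirectorySetting -DirectorySetting $Template.CreateDirectorySetting() | Out-Null
    $Settings = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq $SettingName }
}

# Prefix-suffix policy. [GroupName] is replaced by the name the user types;
# [Office] and [Department] are filled from the creating user's attributes.
# Sample value (assumed): a user in the Athens office and Accounting department
# who names a group "Sales" ends up with GRP_Athens_Sales_Accounting.
$Settings["PrefixSuffixNamingRequirement"] = "GRP_[Office]_[GroupName]_[Department]"

# Blocked words as a comma-separated string (constructed sample list),
# plus Microsoft's standard blocked-word list.
$Settings["CustomBlockedWordsList"] = "CEO,Payroll,HR"
$Settings["EnableMSStandardBlockedWords"] = "True"

Set-AzureADDirectorySetting -Id $Settings.Id -DirectorySetting $Settings

# Verify: read the settings back from the tenant rather than trusting the local object.
$Check = @("PrefixSuffixNamingRequirement", "CustomBlockedWordsList", "EnableMSStandardBlockedWords")
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq $SettingName }).Values |
    Where-Object { $_.Name -in $Check } |
    Format-Table Name, Value -AutoSize
```

The final Format-Table output is what to compare against your intended policy before telling users the convention is live.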

 

For the full documentation please take a look here: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-naming-policy

 

Thanks for your time!

You can now collaborate using Azure AD and login with any account

Azure AD B2B Collaboration gives you the ability to collaborate with other organizations and people, even if they do not use Azure AD. The Azure AD Team recently improved the way an external company can authenticate to your Azure AD using Google IDs. So even if your external partners use Gmail accounts, you can share apps and resources with them without asking them to use Microsoft accounts. Google is, in fact, the first such identity provider that Azure AD supports.

If you want to read more about how Gmail accounts are supported, take a look at this article.

Today there is another announcement: the ability to use OTPs (one-time passwords) for your external partners, which makes B2B collaboration really easy with anyone who has an email account.

With email OTP, anyone who doesn’t have a Microsoft or Google account can access shared resources without creating a new account just for this. They keep using their existing email address to log in to Azure AD and receive an OTP code by email, which they enter during the authentication process. And if you really need it, you can integrate Conditional Access and MFA on top.

Let’s take a look at how it works:


Because the whole process needs to stay secure, remember that each authenticated session lasts 24 hours; after that you have to re-authenticate with a new OTP code. This means that external users must verify again that they still have access to the email address they used the first time.

This is what your external users will get when they authenticate:


As soon as they receive the OTP code via email, they have to use it:


Do you need to know more? Take a look at the official documentation here.

 

Thanks for your time!

New enhancements for Azure AD MFA and Self-Service Password Reset (SSPR)

Good news today! If you like the increased level of security that Multi-Factor Authentication offers when you use Azure services, it is now easier than ever to enable MFA and SSPR. Self-service password reset is another great tool that lets end users reset their password easily, without contacting an admin. In practice, the end user now registers for both features through a single step-by-step process.

The Azure AD Team received a lot of feedback from customers after the release of the combined registration public preview, and many customers asked for the whole process to be even easier for end users. Let’s see how it works today.

 

As soon as users are required to register while signing in, they’ll see the following dialog box:

[Image: registration experience]

When users complete registration, they see a summary of all the options they selected:


 

But wait, there is more: When you enable the enhanced security info registration experience for your users, they’ll also get the new My Profile experience, now in public preview, which looks like this:

[Image: new profile experience]

This new experience is great, because from the Security info page, users can easily change their phone number or choose a different default method for MFA:


 

But how can you enable these new settings?

  • Sign into the Azure portal as a global administrator or user administrator.
  • Browse to Azure Active Directory > User settings > Manage settings for access panel preview features
  • Under the setting “Users can use the preview features for registering and managing security info – refresh”, choose either a selected group of users or All users:

[Image: enhanced security info registration experience]

 

And do not forget to check the official documentation of these features here:

https://docs.microsoft.com/en-us/azure/active-directory/user-help/myprofile-portal-overview

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined

https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-security-info-overview

 

Thanks for your time!

Azure AD B2C now has JavaScript customization and some cool new features!

Today the Azure AD Team officially announced that customizing user flows with Azure AD B2C is now easier than ever, with more features including the general availability of a new portal experience and a custom password complexity option. There are also some new features in public preview that you should try today, such as:

  • User templates—Create beautiful authentication experiences using default templates as a starting point for your branded UI.
  • JavaScript and page layout versions—Add more functionality to all your Azure AD B2C pages with your own custom JavaScript.
  • Identity provider access token passthrough—Send the access token from social identity providers back to the application.

 

So let’s take a look at them.

 

New portal experience

Now it’s really easy to create a user flow in Azure AD B2C. If you want to try the new UI, go to the Azure Portal and open the Azure AD B2C extension. Ensure you’re in your B2C directory and select User flows from the left-hand menu:


 

Custom Password Complexity (really a nice one!)

You can use this feature to lower password requirements or increase the password complexity required to meet your compliance guidelines. Whatever requirement you enforce, you can help your users by having error messages that dynamically change as requirements are met. By default, password complexity is set to Strong for all newly created user flows.


 

New user templates

You can easily customize what users see when they sign in, by creating beautiful sign-in and sign-up experiences.


 

JavaScript and Page Layout Versions in Public Preview

Do you want to customize your sign-in and sign-up experiences using your own JavaScript? It’s now possible!


 

Identity Provider Access Token Passthrough in Public Preview

When a user signs in using an identity provider, like Facebook, your application can get the identity provider’s access token passed through as part of the Azure AD B2C token. You will be able to use this access token to call the identity provider’s API, such as the Facebook Graph API.


 

There is a lot of documentation that can be found here:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-password-complexity

https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-javascript-overview

https://docs.microsoft.com/en-us/azure/active-directory-b2c/idp-pass-through-user-flow

 

Thanks for your time!

Why I love the Microsoft Authenticator App: because now it sends security notifications!

I cannot hide how much I use and love the Microsoft Authenticator App. If you enable MFA logins for all your cloud services, it’s like magic: even without any internet connection, the app generates a code that you can use as an additional factor of authentication.

So how does it work with these additional security notifications? When important events, such as a password change, happen on your personal Microsoft account, Microsoft Authenticator sends you a notification. You can then view your account activity and take action to protect your account if needed. The goal of these notifications is to increase awareness and help you react quickly if there is unexpected activity. They give you a powerful tool to understand and keep control of your account when something like a login from a new device, an unusual location, or a password change occurs:


If you receive an unusual notification, you can immediately check and view your account activity and take necessary actions to protect it.


 

Thanks for your time!

Four major Azure AD Identity Protection enhancements are now in public preview

More and more enhancements related to Identity Protection have been announced today! So let’s see all of them:

  • Improved user interface that now includes security insights and the ability to filter and create reports
  • New APIs that let you feed all this monitoring data into your own ticketing systems
  • Improved risk assessment, giving you a better risk analysis
  • Service-wide alignment around risky users and risky sign-ins, because we know that very often it’s the user that causes the problem.

All these new features are available to customers with an Azure AD Premium P2 subscription.

 

New user interface

Security Overview

This new view provides user and sign-in risk trends, in order to get a better idea of possible attacks. Take a look at the tiles on the right side, they give you valuable information telling you what to do:


 

Risky User Report

A really great tool, because it immediately gives you all the information you need about your users so you can take corrective action. What I really liked is the Risk events not linked to a sign-in tab: it shows you detections that are not tied to a sign-in. For instance, the user may have reused their credentials at another site that was compromised.


 


 

And let’s see something new: The Risky sign-ins report gives you a single, integrated view to see basic sign-in info, risk, device, Multi-Factor Authentication (MFA), and policy information.


 

Smart feedback lets you protect your users by acting on the risk assessment. If you conclude that sign-ins were compromised, you can select those sign-ins and click Confirm compromised. Alternatively, you can click Confirm safe.


Powerful APIs

All the data you access through the new UX is available to you via the MS-Graph APIs. You can programmatically route Identity Protection data into your SIEM, storage, ticketing, or alerting system through the following APIs.

Now let’s talk about the improved risk assessment feature, which has two parts. The aggregate sign-in risk, which is new, considers all the malicious activity detected on a sign-in. It includes real-time detections (detections that trigger during the sign-in), non-real-time detections (detections that trigger minutes after the sign-in), detections made by partner security products, and other features of a sign-in.

The other part is the improved user-risk detection, which uses advanced machine-learning technology to automatically deal with risky users.

Risky sign-ins and risky users are clearly the most important parts of Identity Protection, so the service has been redesigned around these two entities.
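As an added example of the API routing described under Powerful APIs and of the real-time versus non-real-time split described above (my own code, not the post's and not a Microsoft sample), the script below pulls the last 24 hours of Identity Protection risk detections from Microsoft Graph and groups them the way a SIEM or ticketing feed would need. It assumes you already hold a bearer token in $AccessToken for an identity granted IdentityRiskEvent.Read.All; the endpoint and property names are those of the Graph v1.0 identityProtection API, which the post itself does not list.

```powershell
# Added example (not from the original post): fetch Identity Protection risk
# detections from Microsoft Graph and summarise them for a SIEM/ticketing feed.
# Assumes $AccessToken is a valid bearer token with IdentityRiskEvent.Read.All.
$AccessToken = "<paste token here>"   # placeholder: obtain via your usual auth flow
$Headers = @{ Authorization = "Bearer $AccessToken" }

# Only detections from the last 24 hours (detectedDateTime is when Identity Protection raised it).
$Since = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")
$Uri = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections" +
       "?`$filter=detectedDateTime ge $Since"

# Follow @odata.nextLink so large tenants get every page, not just the first.
$Detections = @()
while ($Uri) {
    $Page = Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get
    $Detections += $Page.value
    $Uri = $Page.'@odata.nextLink'
}

# detectionTimingType is 'realtime', 'nearRealtime' or 'offline': the same
# distinction the aggregate sign-in risk makes between detections that fire
# during the sign-in and those that arrive minutes later.
$Detections |
    Group-Object riskEventType, detectionTimingType, riskLevel |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Leaked-credential detections are not tied to any sign-in, so there is no
# sign-in to block; list the still-at-risk users for the risky-user workflow.
$Detections |
    Where-Object { $_.riskEventType -eq "leakedCredentials" -and $_.riskState -eq "atRisk" } |
    Select-Object userPrincipalName, detectedDateTime, riskLevel -Unique |
    Format-Table -AutoSize
```

Replace the two Format-Table calls with ConvertTo-Json or a webhook call to push the same objects into your alerting system.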


 

Thanks for your time!