AzureAD: Identity Governance with Access Requests and Entitlements

At Ignite, Mark Wahl and Joseph Dadzie showed a very exciting new feature that will be available in the near future to manage access with entitlements and approvals for B2B users and employees.

It will also be possible to manage a lifecycle for B2B accounts: they are auto-invited when a business user grants them access through an entitlement, and they are removed or disabled after that entitlement expires.

The key points are:

  • B2B and employee access requests via a new user-facing portal
  • B2B and employee approval workflows for access
  • Access reviews of guests
  • Entitlement management (to hand over access control to business users)

Watch their great session recording:


Ignite: Privileged Access Management for Office 365 generally available


Another great announcement from Ignite: Privileged Access Management in Office 365 is now generally available.

How it works

Privileged access management in Office 365 goes beyond traditional access control capabilities by enabling more granular access governance for specific tasks.

It is based on the principle of Zero Standing Access: users who need privileged access must request it, and once granted, the access is just-in-time and just-enough to perform the job at hand.

Therefore, Zero Standing Access, combined with access governance, can be an effective deterrent to misuse of privileged access by:

  • Requiring users to elevate permissions to execute tasks that may expose sensitive data.
  • Providing Just-Enough-Access (JEA) to specific tasks, coupled with Just-In-Time access so access is only allowed for a specific period of time.
  • Removing the dependency on having a set of privileged accounts with standing access.


Get Started Today!

Privileged access management in Office 365 is now generally available and rolling out to customers with Office 365 E5 and Advanced Compliance SKUs.

You can get started by reviewing the resources below:

Ignite: Staged (Pilot) migration of AAD authentication methods preview is coming


There was a great session at Ignite 2018 helping you find the right authentication method, whether it is ADFS, PTA/SSO or PHS/SSO.

There were two interesting announcements in that session:

  1. Seamless SSO will support the Edge browser shortly
    (currently only possible with hybrid join)
  2. Staged migration of authentication methods will be available in October as a public preview, so you can change the authentication method user by user.


Watch the video Choosing the right authentication method:

Ignite: How to get started with Azure MFA the right way


Most organizations have understood the need for securing cloud identities with a second factor of authentication like Azure Multi-Factor Authentication (MFA). Still, a lot of them are doing it wrong. It is not complicated to do Azure MFA the right way using Microsoft Intune and Conditional Access. Spend 20 minutes on this session and see how to protect all cloud apps and identities with a few simple steps.

Watch this short but informative 18-minute session from Ignite 2018 on how to get started with Azure MFA the right way:


Ignite: Azure AD is going password-less


As announced recently at Ignite, Microsoft, and therefore Azure AD, is going password-less. And you can start using it RIGHT NOW!

See Ignite Session: BRK3031 – Getting to a world without passwords

According to the session, there will be three possible options:

  1. Windows Hello for Business (available already)
  2. Authenticator App (public preview started at Ignite)
  3. Security Keys like Yubikey (Preview coming January 2019)


If you want to try the second option, it is quite easy to implement: a policy needs to be activated in your tenant, and users need to set up their app.

Get an overview:

The end of the password era

How to setup your tenant:

Passwordless phone sign-in with the Microsoft Authenticator app (public preview)

How users can enable their phone:

Sign in with your phone, not your password



Azure AD SSPR: Reset from the login screen available for Win 7 & 8 (preview)


Microsoft recently released the add-ins for Windows 7, 8 and 8.1 that provide the option to use Azure AD Self-Service Password Reset directly from the login screen.

A good point about this:

Unlike Windows 10 machines, Windows 7, 8, and 8.1 machines do not have an Azure AD domain-joined or Active Directory domain-joined requirement for password reset.

Here is what it looks like:


There are some requirements to meet before using it:

You can download the add-ins from here:

And don’t forget to check the complete documentation here:


MIM 2016 sync rules become orphaned (broken) after update to


After I upgraded my MIM 2016 test lab to hotfix build I recognized that the MIM portal sync rules became orphaned (broken) when I let them all recreate by setting the password on the MIMService MA again.

Some users also reported that in the following FIM/MIM TechNet Forum post:

I already answered there with some points that I found out while debugging the issue.

Like the guy in the forum, I also tried to update to the latest hotfix, but that does not solve the issue, and it might be possible that you also run into this issue when only applying

The error is as follows:
