Note-to-self: New deployment guides for AAD authentication

I was quite busy the last weeks and month to migrate a lot of customers from ADFS to mostly Password Hash Sync (PHS) combined with Seamless SSO for Azure AD authentication.

While documenting all that projects on my own, I recently find pre-written deployment guides for authentication from the Deployment Plan Team at Microsoft.

The new deployment guides covering the following scenarios: Read more of this post

Advertisements

Azure AD: New roles and administrator blade

Finally, 2 or 3 weeks ago (I think) Microsoft has implemented a new Azure AD blade most admins awaited a long time. It’s the “Roles and Administrator” overview with some additional information on what permissions those roles are given.

You don’t need to leverage PowerShell any more to get a list of all your Azure AD admins and which roles they are in. Privileged Identity Management has that listing since a long time but requires an AAD P2 license. The new feature is available for all customers incl. AAD Free.

Go to the Azure AD blade and you find the new experience called “Roles and Administrators

Read more of this post

Azure AD B2B invitation / redemption updates

I was again quite busy at work so had not that time to blog, which will result that I will loose my MVP at the end of June.

Hopefully I will find the time to blog more from now on, again.

I got some comments also from a customer that starting at end of may my blog post about
How to bulk invite B2B user” stops working.

Investigating this it seems Microsoft has done some updates to be compliant with GDPR.
However there was no notice before this change so one customer ran into issues while in a larger migration project.

What I can say for sure is, the described way I wrote about in my blog post will no longer work, Azure AD B2B bulk invite without redemption has gone.

But good news:
The new implementation in quite easier with some challenges as you can see in the
Updated Azure AD B2B redemption documentation

So here are the changes compared to the old solution:

  • You don’t need an account in the tenant you are about to invite users from (source tenant)
  • You just need at least guest inviter role in your tenant, like before
  • You don’t need to send out the invitation mail with the redemption link, users can directly go to the resource and accept the new consent screen (GDPR)
  • You can still invite MSA account and also now google accounts.
  • If you invite a user who does not have an Azure AD (work/school account) the user is forced to create a MSA account
  • This means NO viral/unmanaged tenant is created any more (great news)

So as a conclusion, just bulk invite (PowerShell or Graph API) as many guests as you need without sending the invitation mail and users can just accept the consent screen which does the redemption automatically.

However, I find that this current behavior has some not so nice side effects:

  • If you invite a user without a tenant, the user need to create a MSA
  • If the company of that user decide to use Azure AD in the future, those users will have an MSA with the same mail address at the work/school account.
    Which in fact is not possible currently to create and also not recommended. In fact most of us created a mail alias to get the MSA away from the work account.
  • If the user wants to use their new work/school account you currently need to delete and invite the user again with his work/school account.

Hope there will be an update that addresses this issue in the near future and that the above information cleared up some things for you guys.

 

 

Azure AD Connect: New version 1.1.561.0 available

A new version of Azure AD Connect is available since yesterday.

This release expands the scope of automatic upgrade to a wider scope, so there is an action needed if you don’t want that:

The scope expansion of the Automatic Upgrade feature affects customers with Azure AD Connect build 1.1.105.0 and after. If you do not want your Azure AD Connect server to be automatically upgraded, you must run following cmdlet on your Azure AD Connect server: 

Set-ADSyncAutoUpgrade -AutoUpgradeState disabled.

 

You can download the new version from HERE.

Read more of this post

MIM2016: Configuration best practices with MIMCheck

My fellow MVP Jeff Ingalls released a new cool tool to check your MIM solution against well known best practices. There was a FIM 2010 R2 BPA (Best practice analyzer) in the past but that tool has not get updates for a long time.

So Jeff decided to create his own tool putting in all the know best practices spread over the internet.

These are the bullet points of MIMCheck:

A read-only, stand-alone, remote, command-line tool that performs Microsoft Identity Manager best practice analysis checks.

Version 1.0 features include:

  • 38 best practice task checks including data integrity checks of the synchronization service database
  • Run an entire category of tasks: syncserver, portalserver, syncdb, portaldb
  • Manually specify synchronization or portal server names, ports, instance names, and database names
  • Export all tasks, description, and references to output without performing any action
  • Verbose output which includes task names, which can be used to run the task individually, requirements to run the task, reference(s) for further reading, a description of the task, number of errors, and a task result.
  • Redirection of output to a datetime name stamped file for periodic automation
  • Digitally signed
  • Licensing options available for consultants and consulting companies who which to use the product as a service and/or charge for the use of the software.

You can download the tool from here: http://www.ingallsdesigns.com/downloads.html

You can drop Jeff a mail for feedback or feature requests.

He did also a small presentation of the tool at the MIM Team User Group meeting yesterday, so you can wait for the recording of that presentation available on the Unify Solutions youtube channel within a few days.

 

MIM Configuration Documenter released on GitHub

The Identity community project team has recently released the MIM Configuration Documenter on GitHub as an open source project.

Its a very cool and easy tool to document your MIM solution (Sync and Service).
It also supports MIMWAL.

The main intend of that tool is:

  • Document deployment configuration details for the MIM / FIM solution!
  • Track any configuration changes you have made since a specific baseline!!
  • Build confidence in getting things right when making changes to the deployed solution!!

Current Version 1.17.0522.0 is the public beta which has limitation one some Management Agents but I’m sure there is more to come.

You can download precompiled binaries and source code from the Microsoft Repo:

https://github.com/Microsoft/MIMConfigDocumenter

 

Global Azure Bootcamp: Speaking at Let’s talk Azure in Saarbruecken

On Saturday, 22.04.2017 there will be the next Global Azure Bootcamp.

I will speak at the meetup “Let’s talk Azure” in Germany, Saarbruecken. There are still some seats free, so come an join us.

My topic will be Microsoft Identity Manager 2016 (MIM) as an extented tool for Hybrid Identity.
The following points will be covered by my presentation and demos:

  • Manage Azure AD and PIM Role with on-Premises groups
  • Customized group write-back for static and dynamic security groups
  • Manage licenses and group membership of cloud-only and B2B users
  • B2B user write-back to on-Premises Active Directory

 

 

%d bloggers like this: