Azure AD Connect high (100%) CPU usage after update

Today I updated my demo lab VMs with the latest patches from July 2018.

Some time after the reboot the machine started using 100% CPU, with responses becoming so slow that it was nearly unusable.

In Task Manager (which took 30-60 seconds to open) I could see one process consuming all the CPU:

Microsoft.Online.Reporting.MonitoringAgent.Startup


Azure AD: New roles and administrator blade

Finally, 2 or 3 weeks ago (I think), Microsoft implemented a new Azure AD blade that most admins have awaited for a long time. It’s the “Roles and Administrators” overview, with additional information on which permissions each role grants.

You no longer need PowerShell to get a list of all your Azure AD admins and the roles they hold. Privileged Identity Management has offered that listing for a long time, but it requires an AAD P2 license. The new feature is available to all customers, including AAD Free.

Go to the Azure AD blade and you will find the new experience called “Roles and Administrators”.

Where Azure AD stores identity data (European related)

Customers often ask me where exactly their identity data is stored.

In general, most identity data stays in the region where your tenant was created, but some attributes are synchronized to the US regions anyway.
“Some”? But which ones exactly?

There is a document from Microsoft that clears this up:
Where does Microsoft Azure Active Directory (Azure AD) store identity data for European customers

The following identity-related attributes will be replicated to the United States:


Azure AD B2B invitation / redemption updates

I was again quite busy at work, so I did not have much time to blog, which means I will lose my MVP at the end of June.

Hopefully I will find the time to blog more again from now on.

I also got comments from a customer that, starting at the end of May, the approach from my blog post
“How to bulk invite B2B user” stopped working.

Investigating this, it seems Microsoft has made some updates to be compliant with GDPR.
However, there was no notice before this change, so one customer ran into issues in the middle of a larger migration project.

What I can say for sure is that the approach I described in my blog post will no longer work: Azure AD B2B bulk invite without redemption is gone.

But good news:
The new implementation is quite a bit easier, with some challenges, as you can see in the
Updated Azure AD B2B redemption documentation

So here are the changes compared to the old solution:

  • You don’t need an account in the tenant you are about to invite users from (the source tenant)
  • You just need at least the Guest Inviter role in your tenant, as before
  • You don’t need to send out the invitation mail with the redemption link; users can go directly to the resource and accept the new consent screen (GDPR)
  • You can still invite MSA accounts, and now also Google accounts.
  • If you invite a user who does not have an Azure AD (work/school) account, the user is forced to create an MSA
  • This means NO viral/unmanaged tenant is created any more (great news)

So, as a conclusion: just bulk invite (PowerShell or Graph API) as many guests as you need without sending the invitation mail, and users can simply accept the consent screen, which performs the redemption automatically.
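A scripted bulk invite of the kind described above, as an added example that is not part of the original post: it uses the AzureAD PowerShell module cmdlet New-AzureADMSInvitation with -SendInvitationMessage $false so no mail is sent, reads the guests from an assumed guests.csv (columns Email, DisplayName), and uses a placeholder redirect URL.

```powershell
# Added example, not the original post's code. Assumes the AzureAD module is
# installed and the signed-in account holds at least the Guest Inviter role.
Connect-AzureAD

# Constructed input: a CSV with the columns Email and DisplayName
$guests = Import-Csv -Path .\guests.csv

# Placeholder: the resource users land on after accepting the consent screen
$resourceUrl = 'https://myapps.microsoft.com'

$results = foreach ($g in $guests) {
    try {
        # No invitation mail: redemption happens when the user accepts the consent screen
        $inv = New-AzureADMSInvitation `
            -InvitedUserEmailAddress $g.Email `
            -InvitedUserDisplayName  $g.DisplayName `
            -InviteRedirectUrl       $resourceUrl `
            -SendInvitationMessage   $false

        [pscustomobject]@{
            Email  = $g.Email
            Status = $inv.Status            # PendingAcceptance until the user consents
            UserId = $inv.InvitedUser.Id    # the guest object created in your tenant
        }
    }
    catch {
        # Keep going for the remaining rows and record the failure for review
        [pscustomobject]@{
            Email  = $g.Email
            Status = "Failed: $($_.Exception.Message)"
            UserId = $null
        }
    }
}

# Keep a record of what was created (useful for cleanup if a user later needs re-inviting)
$results | Export-Csv -Path .\invite-results.csv -NoTypeInformation
$results | Format-Table -AutoSize
```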

However, I find that this current behavior has some not so nice side effects:

  • If you invite a user without a tenant, the user needs to create an MSA
  • If that user’s company decides to use Azure AD in the future, those users will have an MSA with the same mail address as the work/school account.
    That is currently not possible to create and is also not recommended. In fact, most of us created a mail alias to keep the MSA separate from the work account.
  • If the user wants to use their new work/school account, you currently need to delete the user and invite them again with their work/school account.

I hope there will be an update that addresses this issue in the near future, and that the above information cleared up some things for you.

MIM Portal: regular user access and unable to process your request

Getting the error “Unable to process your request” is a common issue a lot of people face when accessing the FIM/MIM portal as a regular user.

There are a lot of forum discussions and blog posts about that issue and how to solve it.

However, I think I found another reason why that issue can occur. It will not be a common scenario for most people, but in my opinion it is still worth writing about.

New Azure Group Based Licensing (V2) available as public preview

I just saw in my demo tenant today that the new Azure Group Based Licensing (V2) is now available within the new Azure portal http://portal.azure.com under the Active Directory node.

Until today, as all of you know, you could only assign EMS licenses via groups created in Azure or synchronized from an on-premises directory. In addition, you could only assign the whole license/suite in one piece, without the ability to disable sub plans, like RMS for example.

With the new group-based licensing, you can now also assign other service licenses, like Office 365, and you are also able to disable specific sub plans.

Here is how it looks:

Navigate to the new portal (the artist formerly known as “the island”): http://portal.azure.com

Go to the Azure Active Directory Management (Preview):

You will see an overview of all your licenses and the currently assigned users and groups via the “All products” option:

Let us assign the Office 365 license by a group and disable some of the features:

Click “Licensed Group” and then “+ Assign”

Select a group created in Azure or synchronized from your on-premises directory.

Click “assignment option (optional)”

Done. License assignment changes will now be scheduled, and you can check whether the state is pending or active (it should be active within one minute).

You can have multiple groups with different sub plans disabled to reflect the licenses needed for different user types (Power Users, Limited Users or Guests).

There is also an audit log for all license assignments, but in my early tests nothing was logged; I assume this is because the necessary categories are missing until the rollout of the preview is complete.

MIM: Strange issue with Oracle DB when changing connection parameters and creating a new MA

I’m currently in the middle of migrating an IDM solution from FIM 2010 R2 to MIM 2016.

For that, I set up a new server with 2012 R2 (the old server was 2008 R2) and also switched to the newest Oracle Client, 12.1.0.2.
I also copied over the tnsnames.ora, and everything seemed to be working so far.

Then one of the Oracle DBs was switched to an Oracle 12 server by the application owner.
So I modified tnsnames.ora to match the new server name.

I just wanted to check that everything was working properly on the MA, and re-entered the password of the DB user in the MA properties.

But that is where the trouble started, and it took me around 2 hours to find out what was wrong.