Ignite: Privileged Access Management for Office 365 generally available


Another great announcement from Ignite: Privileged Access Management in Office 365 is now generally available.

How it works

Privileged access management in Office 365 goes beyond traditional access control capabilities by enabling more granular access governance for specific tasks.

It’s based on the principle of Zero Standing Access: users who need privileged access must request permissions for it, and once granted, the access is just-in-time and just-enough to perform the job at hand.

Therefore, Zero Standing Access, combined with access governance, can be an effective deterrent to misuse of privileged access by:

  • Requiring users to elevate permissions to execute tasks that may expose sensitive data.
  • Providing Just-Enough-Access (JEA) to specific tasks, coupled with Just-In-Time access so access is only allowed for a specific period of time.
  • Removing the dependency on having a set of privileged accounts with standing access.


Get Started Today!

Privileged access management in Office 365 is now generally available and rolling out to customers with Office 365 E5 and Advanced Compliance SKUs.

You can get started by reviewing the resources below:

Ignite: Staged (Pilot) migration of AAD authentication methods preview is coming


There was a great session at Ignite 2018 helping you to find the right authentication method, whether it is ADFS, PTA/SSO or PHS/SSO.

There were 2 interesting announcements in that session:

  1. Seamless SSO will support the Edge browser shortly
    (currently only possible with hybrid join)
  2. Staged migration of authentication methods will be available in October as a public preview, so you can change the authentication method user by user.


Watch the video Choosing the right authentication method:

Ignite: How to get started with Azure MFA the right way


Most organizations have understood the need for securing cloud identities with a second factor of authentication like Azure Multi-Factor Authentication (MFA). Still, a lot are doing it wrong. It is not complicated to do Azure MFA the right way using Microsoft Intune and conditional access. Spend 20 minutes on this session and see how to protect all cloud apps and identities with a few simple steps.

Watch this short but informative 18-minute session from Ignite 2018, How to get started with Azure MFA the right way:


Ignite: Azure AD is going passwordless


As announced recently at Ignite, Microsoft, and therefore Azure AD, is going passwordless. And you can start using it RIGHT NOW!

See Ignite Session: BRK3031 – Getting to a world without passwords

According to the session, there will be 3 possible options:

  1. Windows Hello for Business (available already)
  2. Authenticator App (public preview started at Ignite)
  3. Security Keys like Yubikey (Preview coming January 2019)


If you want to try the second option, it is quite easy to implement: a policy needs to be activated in your tenant, and users need to set up their app.

Get an overview:

The end of the password era

How to setup your tenant:

Passwordless phone sign-in with the Microsoft Authenticator app (public preview)

How users can enable their phone:

Sign in with your phone, not your password


Azure AD SSPR: Reset from the login screen available for Win 7 & 8 (preview)


Microsoft recently released the add-ins for Windows 7, 8 and 8.1 that provide the option to use Azure AD Self-Service Password Reset directly from the logon screen.

A good point on this:

Unlike Windows 10 machines, Windows 7, 8, and 8.1 machines do not have an Azure AD domain-joined or Active Directory domain-joined requirement for password reset.

Here is how it looks:

[Screenshot: Windows 7 logon screen with the password reset option]

There are some requirements to meet before using it:

You can download the add-ins from here: https://aka.ms/sspraddin

And don’t forget to check the complete documentation here: https://aka.ms/ssprforwindows78


MIM 2016 sync rules become orphaned (broken) after update to 4.5.26.0


After I upgraded my MIM 2016 test lab to hotfix build 4.5.26.0, I noticed that the MIM portal sync rules became orphaned (broken) when I let them all be recreated by setting the password on the MIMService MA again.

Some users also reported that in the following FIM/MIM TechNet Forum post: https://social.technet.microsoft.com/Forums/en-US/e0e6e2db-46e1-4638-bdfb-4436b8f53ae1/mim-portal-sync-rules-have-become-orphaned?forum=ilm2

I already answered there with some points that I found out while debugging the issue.

Like the guy in the forum I also tried to update to the latest hotfix 4.5.202.0 but that does not solve the issue, and it might be possible that you also run into this issue when only applying 4.5.202.0.

The error looks like the following:

Continue reading “MIM 2016 sync rules become orphaned (broken) after update to 4.5.26.0”

New Azure AD documentation homepage and identity blog home


Searching for the right documentation on topics related to Azure Active Directory?

Just check out the new Azure Active Directory Documentation Homepage


To stay up-to-date with new announcements related to identity management don’t forget that the Identity Blog has moved to a new location at TechCommunity.


Azure AD: Identity Secure Score (Preview) available

When you go to the Azure Portal (https://portal.azure.com) and navigate to Azure Active Directory you will see a new menu called “Identity Secure Score (preview)”.

You may already know the Office 365 secure score but the new Identity Score is scoped to identity related aspects only.


The Identity Score gives you an overview of your current identity security and makes suggestions on how to improve security for your Azure AD tenant, while showing the user impact and implementation cost of each suggestion.

Documentation is available here: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score

This is how it looks:

[Screenshot: Identity Secure Score (preview) blade in the Azure Portal]

In my tenant some of the improvements are shown in German, while my portal settings are English. I think that will be fixed shortly.

Azure AD: Disabled tenant self-removal by accident with conditional access


I recently worked on a project to secure access to Azure AD integrated applications for external identities using conditional access.

The main goal was to grant external users access to 2 applications but require Azure MFA, and to block access to all other applications (even new ones that may be integrated in the near future), for example the Office 365 services.

So I created 2 conditional access policies for that scenario:

  1. All Guest Users + Include the 2 apps to grant access for, Allow but require Azure MFA
  2. All Guest Users + All apps (except the 2 apps to grant access for), Block

All works as designed and required, but after testing with my guest account there, I tried to remove myself from the tenant via the Access Panel (https://myapps.microsoft.com).

[Screenshot: self-removal dialog in the Access Panel, prompting to sign in to the inviting organization]

But that failed due to a permission error (Don’t have access to that application).

But why?

As you can see from the screen above, you need to log in to the foreign company (the one you are invited to) again. Doing so leads you to the Access Panel of that foreign company, which of course is blocked by the conditional access policy.

Sadly there is currently no application entry for the Access Panel so we cannot exclude that app from conditional access.

Currently the only way around it is to not use “All apps” but instead select all registered apps in the include list, and to build a proper manual process to include new applications that may be registered in the future.
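To make the difference between the two policy designs concrete, here is a small added illustration. It is not Azure AD’s policy engine and not code from this post; it is a toy evaluator that models the two guest policies described above. The app names (app-a, app-b, office365, new-app) are constructed placeholders, and a resource that has no app registration of its own, such as the Access Panel, is modelled as app_id None: it cannot be named in an include or exclude list, but “All apps” still covers it.

```python
# Added illustration, not Azure AD's policy engine: a toy evaluator for the
# two guest-user conditional access policies described in this post.
# App names are constructed placeholders. A resource without its own app
# registration (the Access Panel) is modelled as app_id=None: it cannot be
# listed in include/exclude, but "All apps" still matches it.
from dataclasses import dataclass, field

ALL_APPS = "All"        # the portal's "All cloud apps" selection
ACCESS_PANEL = None     # no app entry exists, so it can never be excluded


@dataclass
class Policy:
    name: str
    include_apps: set                       # explicit app ids, or {ALL_APPS}
    exclude_apps: set = field(default_factory=set)
    grant: str = "block"                    # "block" or "require_mfa"


def policy_applies(policy, is_guest, app_id):
    """Both policies target guest users only; members are out of scope."""
    if not is_guest:
        return False
    if ALL_APPS in policy.include_apps:
        in_scope = True                     # every resource, registered or not
    else:
        in_scope = app_id is not None and app_id in policy.include_apps
    if app_id is not None and app_id in policy.exclude_apps:
        in_scope = False
    return in_scope


def evaluate(policies, is_guest, app_id):
    """Block wins over any grant control; otherwise the strictest grant applies."""
    applicable = [p for p in policies if policy_applies(p, is_guest, app_id)]
    if any(p.grant == "block" for p in applicable):
        return "block"
    if any(p.grant == "require_mfa" for p in applicable):
        return "require_mfa"
    return "allow"


GRANTED = {"app-a", "app-b"}                    # the 2 apps guests may use
REGISTERED = {"app-a", "app-b", "office365"}    # everything registered today

MFA_POLICY = Policy("Guests: granted apps require MFA", GRANTED, grant="require_mfa")

# Variant 1, as built in the post: "All apps" except the granted ones -> Block.
POLICIES_ALL_APPS = [
    MFA_POLICY,
    Policy("Guests: block everything else", {ALL_APPS}, exclude_apps=GRANTED),
]

# Variant 2, the workaround: block only the explicitly listed registered apps.
# A new registration is NOT covered until someone adds it (the manual process).
POLICIES_EXPLICIT = [
    MFA_POLICY,
    Policy("Guests: block listed apps", REGISTERED - GRANTED),
]


def guest_outcomes(policies):
    """Outcome for a guest user hitting each kind of resource."""
    return {
        "granted app": evaluate(policies, True, "app-a"),
        "office365": evaluate(policies, True, "office365"),
        "access panel (self-removal)": evaluate(policies, True, ACCESS_PANEL),
        "newly registered app": evaluate(policies, True, "new-app"),
    }


if __name__ == "__main__":
    for label, policies in (("All apps", POLICIES_ALL_APPS),
                            ("explicit list", POLICIES_EXPLICIT)):
        print(label, guest_outcomes(policies))
```

With the “All apps” variant the self-removal path through the Access Panel is blocked along with everything else, which is exactly the failure described above; with the explicit list it is allowed, but so is any newly registered app until it is added to the include list, which is why the manual onboarding process is part of the workaround.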

I already reported this to the product group as an issue: since this self-removal feature was also introduced because of GDPR, it should be available even if I block access to all apps.

5 years of blogging, and keep going on

I looked at my first post here and realized that tomorrow I will have my 5th anniversary of blogging. That’s a long time, man.

As a present to you (besides the hopefully helpful stuff I post) I changed the theme of the page to a more modern and readable one. Hope you enjoy!

Thanks to all followers, for all the comments, and to the people who shared the site. I will keep going to provide useful content to you.

So let’s start into the next 5 years (minimum) 🙂

/Peter