Note-to-self: New deployment guides for AAD authentication

I was quite busy the last weeks and month to migrate a lot of customers from ADFS to mostly Password Hash Sync (PHS) combined with Seamless SSO for Azure AD authentication.

While documenting all that projects on my own, I recently find pre-written deployment guides for authentication from the Deployment Plan Team at Microsoft.

The new deployment guides covering the following scenarios: Read more of this post

Advertisements

Azure AD Connect high (100%) CPU usage after update

Today I updated my demo lab VMs with the latest patches from July 2018.

Some time after the reboot the machine starts to use 100% CPU ending in slow responses to nearly become unusable.

From the task manager (takes 30-60 seconds to start) I could see one process consuming all the CPU power:

Microsoft.Online.Reporting.MonitoringAgent.Startup

Read more of this post

Where Azure AD stores identity data (European related)

Customers often asks me where their identity data is stored exactly.

So in general you know that most identity data stays in the region where your tenant is created but some attribute are synchronized anyway to the US regions.
“Some” ? But which one exactly ?

There is a document from Microsoft that clears up that:
Where does Microsoft Azure Active Directory (Azure AD) store identity data for European customers

The following identity-related attributes will be replicated to the United States:

Read more of this post

Azure AD Connect: New version 1.1.561.0 available

A new version of Azure AD Connect is available since yesterday.

This release expands the scope of automatic upgrade to a wider scope, so there is an action needed if you don’t want that:

The scope expansion of the Automatic Upgrade feature affects customers with Azure AD Connect build 1.1.105.0 and after. If you do not want your Azure AD Connect server to be automatically upgraded, you must run following cmdlet on your Azure AD Connect server: 

Set-ADSyncAutoUpgrade -AutoUpgradeState disabled.

 

You can download the new version from HERE.

Read more of this post

Azure AD Connect: New version 1.1.557.0 available

Yesterday a new smaller version update was made available for download. It contains one fix and two improvements/features:

New build number is: 1.1.557.0

See Azure AD Connect: Version release history and download the bits from here.

Fixed issue

  • Fixed an issue with the Initialize-ADSyncDomainJoinedComputerSync cmdlet that caused the verified domain configured on the existing service connection point object to be changed even if it is still a valid domain. This issue occurs when your Azure AD tenant has more than one verified domains that can be used for configuring the service connection point.

New features and improvements

  • Password writeback is now available for preview with Microsoft Azure Government cloud and Microsoft Cloud Germany. For more information about Azure AD Connect support for the different service instances, refer to article Azure AD Connect: Special considerations for instances.
  • The Initialize-ADSyncDomainJoinedComputerSync cmdlet now has a new optional parameter named AzureADDomain. This parameter lets you specify which verified domain to be used for configuring the service connection point.

Global Azure Bootcamp: Speaking at Let’s talk Azure in Saarbruecken

On Saturday, 22.04.2017 there will be the next Global Azure Bootcamp.

I will speak at the meetup “Let’s talk Azure” in Germany, Saarbruecken. There are still some seats free, so come an join us.

My topic will be Microsoft Identity Manager 2016 (MIM) as an extented tool for Hybrid Identity.
The following points will be covered by my presentation and demos:

  • Manage Azure AD and PIM Role with on-Premises groups
  • Customized group write-back for static and dynamic security groups
  • Manage licenses and group membership of cloud-only and B2B users
  • B2B user write-back to on-Premises Active Directory

 

 

New Azure Group Based Licensing (V2) available as public preview

Just saw it in my demo tenant today that the new Azure Group Based Licensing (V2) is now available within the new Azure portal http://portal.azure.com under the Active Directory Node.

Until today, since all of you know, you could only assign EMS licenses by groups created in Azure or synchronized from an On-Premises directory. In addition, you could only assign the whole license/suite in one piece without the ability to disable sub plans, like RMS for example.

With the new group based licensing, you now can also assign other services license like Office 365 for example and are also be able to disable specific sub plans.

Here is how it looks like:

Navigate to the new portal (the artist formerly known as “the island”): http://portal.azure.com

Go to the Azure Active Directory Management (Preview):

01

You will see an overview of all your licenses and current assigned users and groups via the “All products” option:

02

03

Let us assign the Office 365 license by a group and disable some of the features:

Click “Licensed Group” and then “+ Assign”

04

Select a group created in Azure or synchronized from your On-Premises directory.

Click “assignment option (optional)”

05

Done, license assignment changes will now be scheduled and you can check the state of pending or active (should be active within one minute.)

06

You can have multiple groups with different sub plans disabled to reflect the licenses needed for different user type (Power Users, Limited Users or Guests)

There is also an audit log for all license assignment but with by early tests there is nothing logged, I assume because the necessary categories are missing until rollout of preview is complete.

 

%d bloggers like this: