Azure AD B2B invitation / redemption updates

I was again quite busy at work and did not have much time to blog, which means I will lose my MVP status at the end of June.

Hopefully I will find the time to blog more from now on, again.

I also got comments, including from a customer, that starting at the end of May the approach from my blog post
“How to bulk invite B2B users” stopped working.

Investigating this, it seems Microsoft has made some changes to be compliant with GDPR.
However, there was no notice before this change, so one customer ran into issues in the middle of a larger migration project.

What I can say for sure is that the approach described in my blog post no longer works: Azure AD B2B bulk invite without redemption is gone.

But good news:
The new implementation is quite a bit easier, with some challenges, as you can see in the
Updated Azure AD B2B redemption documentation

So here are the changes compared to the old solution:

  • You don’t need an account in the tenant you are about to invite users from (source tenant)
  • You just need at least the Guest Inviter role in your tenant, like before
  • You don’t need to send out the invitation mail with the redemption link; users can go directly to the resource and accept the new consent screen (GDPR)
  • You can still invite MSA accounts, and now also Google accounts
  • If you invite a user who does not have an Azure AD (work/school) account, the user is forced to create an MSA
  • This means NO viral/unmanaged tenant is created anymore (great news)

So, in conclusion: just bulk invite (via PowerShell or the Graph API) as many guests as you need without sending the invitation mail, and users simply accept the consent screen, which performs the redemption automatically.
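As an added example (not the script from the original post), this is how the bulk invite without invitation mail looks with the AzureAD PowerShell module. It assumes a constructed CSV file with the columns Mail and DisplayName, and an assumed landing URL in the inviting tenant; the signed-in account needs at least the Guest Inviter role.

```powershell
# Added example, not the post's own script.
# Bulk-invite guests without sending the invitation mail; the guests redeem the
# invitation through the consent screen the first time they open the resource.
Connect-AzureAD   # sign in with an account holding at least the Guest Inviter role

$csvPath  = '.\guests.csv'                  # assumed CSV: Mail,DisplayName
$redirect = 'https://myapps.microsoft.com'  # assumed URL the guest lands on after consent

$results = foreach ($row in Import-Csv -Path $csvPath) {
    try {
        $inv = New-AzureADMSInvitation `
            -InvitedUserEmailAddress $row.Mail `
            -InvitedUserDisplayName  $row.DisplayName `
            -InviteRedirectUrl       $redirect `
            -SendInvitationMessage   $false   # no mail: consent screen does the redemption

        # Status is PendingAcceptance until the guest accepts the consent screen
        [pscustomobject]@{
            Mail     = $row.Mail
            Status   = $inv.Status
            ObjectId = $inv.InvitedUser.Id
        }
    }
    catch {
        # keep going for the rest of the list and record the failure per user
        [pscustomobject]@{
            Mail     = $row.Mail
            Status   = "Failed: $($_.Exception.Message)"
            ObjectId = $null
        }
    }
}

# Keep a record of which guests were created (useful if a guest later has to be
# deleted and re-invited with a new work/school account)
$results | Export-Csv -Path '.\invite-results.csv' -NoTypeInformation
$results | Format-Table -AutoSize
```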

However, I find the current behavior has some not-so-nice side effects:

  • If you invite a user without a tenant, the user needs to create an MSA
  • If that user’s company decides to use Azure AD in the future, those users will have an MSA with the same mail address as their work/school account.
    This is currently not possible to create and is also not recommended; in fact, most of us created a mail alias to keep the MSA separate from the work account.
  • If the user wants to use their new work/school account, you currently need to delete the guest and invite the user again with the work/school account.

I hope there will be an update that addresses this issue in the near future, and that the above information cleared up some things for you.

Global Azure Bootcamp: Speaking at Let’s talk Azure in Saarbruecken

On Saturday, 22.04.2017, the next Global Azure Bootcamp takes place.

I will speak at the meetup “Let’s talk Azure” in Saarbruecken, Germany. There are still some seats free, so come and join us.

My topic will be Microsoft Identity Manager 2016 (MIM) as an extended tool for Hybrid Identity.
My presentation and demos will cover the following points:

  • Manage Azure AD and PIM roles with on-premises groups
  • Customized group write-back for static and dynamic security groups
  • Manage licenses and group membership of cloud-only and B2B users
  • B2B user write-back to on-premises Active Directory

New Azure Group Based Licensing (V2) available as public preview

I just saw in my demo tenant today that the new Azure Group Based Licensing (V2) is now available in the new Azure portal (http://portal.azure.com) under the Active Directory node.

Until today, as all of you know, you could only assign EMS licenses via groups created in Azure or synchronized from an on-premises directory. In addition, you could only assign the whole license/suite in one piece, without the ability to disable sub plans such as RMS.

With the new group based licensing, you can now also assign licenses for other services, such as Office 365, and you are able to disable specific sub plans.

Here is what it looks like:

Navigate to the new portal (the artist formerly known as “the island”): http://portal.azure.com

Go to the Azure Active Directory Management (Preview):

You will see an overview of all your licenses and the currently assigned users and groups via the “All products” option:

Let us assign the Office 365 license by a group and disable some of the features:

Click “Licensed Group” and then “+ Assign”

Select a group created in Azure or synchronized from your On-Premises directory.

Click “assignment option (optional)”

Done. License assignment changes are now scheduled, and you can check whether the state is pending or active (it should be active within one minute).

You can have multiple groups with different sub plans disabled to reflect the licenses needed for different user types (Power Users, Limited Users or Guests).

There is also an audit log for all license assignments, but in my early tests nothing was logged; I assume the necessary categories are missing until the preview rollout is complete.

Offering: BYOK as a Service

OK, this is not a regular blog post; instead, allow me a little advertising for the company I’m currently working for.

At ExpertCircle GmbH we have made BYOK available as a service for customers who want to use Azure Key Vault and encrypt their data with their own keys.

So if you need to use BYOK in Azure and don’t want to purchase your own HSM and train people to use it correctly, you can find more information here:

BYOK as a Service Workshop

Since we are located in Germany and this service requires meeting in person, the offering is in German, but it may also be interesting for the countries around us.

Assign Azure/O365 licenses based on AD group membership

Hello,

just a short post today.

I thought it might be a good idea to share more scripts in the future, so here is the first one: assigning Azure/O365 licenses based on AD group membership.
EMS/AADP and RMS licenses can also be assigned directly in Azure using group membership, but you still have to handle O365 licenses on your own with scripts.

At some customers I have the requirement to also manage O365 licenses after synchronizing objects with AADConnect, so I decided to manage all licenses by script.

This script still needs some improvements in security (the password is stored in a file), but you can modify that as you like.
Also, I do not cover license options for O365 licenses; instead, the complete set of O365 features is assigned.

AADConnect: Updated build (1.0.8667) available

If you look at the current download page of Azure AD Connect (AADC), you will see there is a new build (version 1.0.8667) available since 8/20/2015.

Azure AD Connect Download Page

You can get a list of improvements and fixes here:

Azure AD Connect: Version Release History

Using AADConnect to merge users originating in AzureAD

I recently came into a situation with a customer who needs on-premises IT infrastructure for the first time. As a start-up, they began with BYOD and some SaaS applications, including a hosted Exchange.

Since they are growing heavily and will continue to over the next few years, they decided to plan and implement an on-premises IT infrastructure with only a few components for security and client deployment, including Active Directory, and to combine that with Office 365 and Azure AD for mail and SaaS application management.

The migration from hosted Exchange to O365 is already done, which means there are user accounts in Azure AD for all 250 users. I’ve implemented Active Directory for them and now want to synchronize on-prem AD users with Azure AD.

But since all accounts are in Azure AD, I have to do an initial import of those accounts from Azure AD to on-prem. And that’s where the issues began.
