New Azure Group Based Licensing (V2) available as public preview

Just saw it in my demo tenant today that the new Azure Group Based Licensing (V2) is now available within the new Azure portal http://portal.azure.com under the Active Directory Node.

Until today, since all of you know, you could only assign EMS licenses by groups created in Azure or synchronized from an On-Premises directory. In addition, you could only assign the whole license/suite in one piece without the ability to disable sub plans, like RMS for example.

With the new group based licensing, you now can also assign other services license like Office 365 for example and are also be able to disable specific sub plans.

Here is how it looks like:

Navigate to the new portal (the artist formerly known as “the island”): http://portal.azure.com

Go to the Azure Active Directory Management (Preview):

01

You will see an overview of all your licenses and current assigned users and groups via the “All products” option:

02

03

Let us assign the Office 365 license by a group and disable some of the features:

Click “Licensed Group” and then “+ Assign”

04

Select a group created in Azure or synchronized from your On-Premises directory.

Click “assignment option (optional)”

05

Done, license assignment changes will now be scheduled and you can check the state of pending or active (should be active within one minute.)

06

You can have multiple groups with different sub plans disabled to reflect the licenses needed for different user type (Power Users, Limited Users or Guests)

There is also an audit log for all license assignment but with by early tests there is nothing logged, I assume because the necessary categories are missing until rollout of preview is complete.

 

Advertisements

Authorize MIM Portal user image upload with Microsoft Cognitive Services

I saw these great videos from //build keynote some weeks ago about the Microsoft Cognitive Services and I was really impressed. I know these APIs like face, emotion, speech are designed for other purposes but I was thinking to myself on who to benefit from them for identity management.

So I remembered some time ago when talking about MIM Portal as a user self-service portal for personal data some customers find it is sometimes not a good idea if users can upload their own photos. The arguments where that photos cannot be validated in that way that it really belongs to that person. So people could upload for example funny pictures and avatars or even more bad images.

Sure, you can handle this by organizational policies, but I was thinking of a technical solution. At this point when thinking about Microsoft Cognitive Services the Face API came to my mind.

If you check the Face API it has methods for face detection in images and also face identification or verifying. You can also create person groups and persons with multiple faces saved in Azure if you want.

But for my little demo I only need the face detect and verify methods.

So here is how this demo works:

If people upload new images to MIM Portal, I trigger an authorization workflow and get the current and new photo with an MIMWAL update resource activity and pass that data to a PowerShell script which then calls the Face API.

The PowerShell Script uploads both images to Azure to do a face detection within the image and then returns a faceId for each of the pictures. Images are saved 24 hours Azure.
Read more of this post

AADConnect 1.1 SyncScheduler Issue: DateTime Error and Scheduler not working

I recently installed Azure AD Connect 1.1 (Build 1.1.105.0) in my demolab.
I installed on a fresh Windows Server 2012 R2 with latest hotfixes and done the following:

  • Install AADC in Custom Setting Mode
  • Done all settings (which are not relevant to that issue)
  • Disabled direct start of Scheduler to modify sync rules
  • Re-Run AADC Wizard and activated the now internal Scheduler

But when checking SyncCycle within the Sync Service Manager I cloud not see any syncs.

Read more of this post

Offering: BYOK as a Service

Ok, this is not a regular blog post, instead allow me a little advertising for the company I’m currently working for.

At ExpertCircle GmbH we have made BYOK available as a service for customers who wants to use Azure Key Vault and encrypt their data with their own keys.

So if you are need to use BYOK in Azure and don’t want to purchase your own HSM module and train people in how to use it correctly you can find more information here:

BYOK as a Service Workshop

Since we are located in Germany and this service will bring the need to meet in person the offering is in german language but will maybe also be interesting for other countries around us.

 

Azure AD Connect (AADConnect) now generally available (GA)

Today I saw the announcement of GA of AADConnect on the Microsoft Directory blog:

You can download the binaries from here.

AADConnect is a complete replacement and enhancement to DirSync and also AADSync.
With the release of this RTM both older tools should be in your mind as deprecated.

Here are some features provides by AADConnect:

  • Enable your users to perform self-service password reset in the cloud with write-back to on premises AD
  • Enable provisioning from the cloud with user write back to on premises AD
  • Enable write back of “Groups in Office 365” to on premises distribution groups in a forest with Exchange
  • Enable device write back so that your on-premises access control policies enforced by ADFS can recognize devices that registered with Azure AD. This includes the recently announced support for Azure AD Join in Windows 10.
  • Sync custom directory attributes to your Azure Active Directory tenant and consume it from your cloud applications
  • Multi Forest Support
  • Wizard for setting up ADFS and WAP Server directly from the main wizard via Remote PowerShell
  • Staging Mode for testing or other purposes

Keep in mind even this is a RTM you will eventually face some issues because some of the features like user writeback are still in preview in Azure AD.

In addition Azure AD Connect health has also reached GA.

 

AADConnect: User Writeback: Filtering user objects from the cloud

I recently installed the Preview #2 of Azure Active Directory Connect (AADConnect) in on my testlab with user write-back feature enabled.

Sadly there is currently no possibility to filtering objects that are created in the cloud, so they get not provisioned to the on-premise directory.

I already provided that as a feedback to connect and I assume there will be some filtering OOB in future/final release.

As a workaround you can do the following to modify the sync rules on your own:

Read more of this post

Preview 2 of Azure AD Connect (AADConnect) is available

Yesterday (on March 20. 2015) Microsoft released the next preview of the cloud (bridge) synchronization tool AADConnect (called Public Preview March 2015).

You can download and test the “fresh” release via the Microsoft Connect site for AADConnect.

Beside the features of the last preview like multi-forest support, password write-back you can now also test group and user write-back from the cloud to on-prem AD.

AADConnect can also setup your ADFS and WAP servers directly from the AADConnect wizard for using SSO with ADFS.
Some of the features (like write-back’s) require a Azure AD Premium license.

The new Preview of AADConnect also provides a very new “neat” feature, beside filter on-premise objects to be synchronized to the cloud by organizationalUnit and attribute values, you are now able to filter objects based on on-premise (AD) group membership. (See screenshots below).

Also the hint for not using this in production has gone, so if you need to implement this right now, contact product group for more information and joining a TAP program.

I’ve done a fast install and configuration in advanced mode:

Read more of this post

%d bloggers like this: