ADFS in multi forest environments

Published by:

ADFS in multi forest environments is still a very hot topic based on my day to day experience. Even if I’m concentrating more on cloud application development projects for more than 8 months, I still get a lot of questions from partners, colleagues, customers, IT admins from all around the world regarding this specific scenario. To put this in a little bit more perspective, the questions are usually asked in the context of Azure Active Directory, so the already renowned federated identity scenario. So that’s why I decided to blog about it, hoping to complement the scarce existing documentation.

Before we get started I would like to clarify one thing. Even though I will reference Azure AD a lot, nothing I describe here is restricted to Azure AD as a relying party. In fact, the last time I worked on such a scenario, the relying party was AWS. So let’s get started.

The basic scenario is the following: a company has two or more Active Directory forests and one Azure AD. Using Azure AD Connect we can synchronize several forests to the same Azure AD. The question arises on the ADFS design. How many ADFS farms would we need? How would this work? Is this supported?

#Build 2017 – some exciting things

I just finished watching the #Build 2017 keynote and I am really excited by all the new things that were announced on this occasion. There were so many cool things that by the end I started to forget those mentioned at the beginning. That’s why I thought of writing a //build 2017 keynote summary, mainly to help me remember all the things I need to keep up with during the next year.

One of the coolest things is the new Azure Cosmos DB offering. Azure Cosmos DB is Microsoft’s globally distributed, multi-model database. With the click of a button, Azure Cosmos DB enables you to elastically and independently scale throughput and storage across any number of Azure’s geographic regions. It offers throughput, latency, availability, and consistency guarantees with comprehensive service level agreements (SLAs), something no other database service can offer. What this means is that you have a database where you can store documents, tables, graph data and much more in the same place and use practically any DB API to access all the data in nearly real time.

Just to stay in the same database area, the announcement of Azure Database for MySQL was also a nice surprise. Basically, you get a MySQL database as a service, without the need to take care of patching the infrastructure and so on.

Further, Microsoft announced at //build 2017 the new Azure IoT Edge, a technology that’s meant to extend “the intelligence — and other benefits — of cloud computing to edge devices.” It’s a cross-platform runtime that runs on both Windows and Linux, and it will work on devices that are smaller than a Raspberry Pi. This will solve a lot of problems in IoT scenarios with really small devices, since this new feature enables more straightforward communication between Azure and devices.

Next, the announcement of the new Azure Portal app for iOS and Android, together with the built-in full-featured Bash shell in the Azure Portal, was also very intriguing. First, the mobile app is not available on Windows 10 Mobile devices (I know, there are few of them out there, but still….) and second, the first integrated shell is a Bash shell, not PowerShell (PowerShell will come “some time” in the future). On the other side, this underlines once more the heavy open source approach that Microsoft has been showing in recent years.

The remote debugging of production web apps using Visual Studio 2017 without any downtime was also a great thing to watch.

Let’s go to the AI part. I was already fairly familiar with Microsoft Cognitive Services, but the announcement of the Custom Vision API was really exciting. This enables developers to easily train their own vision machine learning models by providing the necessary training data. This really starts to look more and more like democratized AI, which should enable developers to build more and more intelligent applications.

The PowerPoint Translator was also a fairly cool demo, but for me it was not necessarily something new, since exactly the same thing was showcased two years ago at the Build conference; back then it was a Skype extension called Skype Translator. The two are fairly similar.

A final observation: almost all demos were made from MacOS laptops and iPhones.

Watching the //Build 2017 keynote was a very good time investment. I still dream to attend this conference in person at some time 🙂

Testing Azure AD per app MFA and conditional access based on network location

Azure AD conditional access and per-app MFA are globally available starting today, as announced by Alex Simons. This feature was in preview for some time, but now that it is globally available, it can be used in production environments. Since this is a new feature, I played around with it a little and I would like to share some insights.

Azure AD per-app MFA and conditional access allow administrators to set MFA requirements on applications that are registered in Azure AD. This enables interesting scenarios, like for example requiring MFA for Exchange Online, but not for SharePoint Online, if a request comes from outside the corporate network. In order for this to work, you would have to activate MFA first and specify, in CIDR format, the IP ranges that define your corporate network. You should be able to do this by accessing the following URL: https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx

Curriculum Vitae Builder, a great Office add-in

When I talk to partners or during my speeches at conferences I almost always mention the fact that there is a big market for Office add-ins and that developers should clearly exploit it. Today I stumbled upon a great Office add-in called Curriculum Vitae Builder, developed by Egomnia. This add-in is really great, especially for graduates or for professionals seeking a new professional challenge. With so many different résumé formats around, it is often difficult to put together a very strong and appealing curriculum vitae. However, with Curriculum Vitae Builder you surely won’t forget any important information about yourself.

Azure AD Connect default synchronization interval and manual sync process have totally changed

A few weeks back I wrote a blog post describing how you can manually trigger an Azure AD Connect synchronization. Well, you can forget almost everything I wrote there, because the Azure AD Connect default synchronization interval and manual sync process have totally changed starting with Azure AD Connect version 1.1.105.0. Let’s take a look at what’s new.

The first thing to note is that DirectorySyncClientCmd.exe does not exist anymore. No matter where you look for it, you won’t find this executable, so don’t waste your time. Secondly, the Azure AD Connect scheduled task is not visible in Task Scheduler anymore, so don’t waste your time looking for it either. What we have instead is more PowerShell. And since I am a PowerShell fan, I really like the new approach.

Azure AD Connect synchronization rules

In older versions of the directory synchronization tools we normally used miisclient.exe to perform different complex tasks, like configuring an alternate login ID or implementing attribute-based filtering. With Azure AD Connect this has changed, and all associated and deprecated features of the older tools have been removed from the UI of miisclient.exe. In order to accomplish these tasks in Azure AD Connect, we now use synchronization rules via the Synchronization Rules Editor.

But first of all, what are synchronization rules? Azure AD Connect synchronization rules are a modular definition of logic and are used to define almost everything, including precedence, object deletion, and other rules that were previously disjointed. A synchronization rule in Azure AD Connect is bound to a single connector, either the AD connector or the Azure AD connector, but never to both connectors at the same time. Each rule has a certain precedence, and precedence defines the specific order in which rules are applied. For instance, a synchronization rule with precedence 100 will be applied first and one with precedence 101 immediately afterwards.

There is no cloud!

These days I saw on social media a lot of IT guys sharing, with joy and great passion, photos captioned “There is no cloud. It’s just someone else’s computer”. I also saw a lot of discussions and guys bragging about this motto, showing that they really mean it, that the cloud is bullshit, that every reasonable IT guy would resonate with this idea, that managers are kind of dumb for pushing for the cloud and so on. Now, I fully support freedom of expression, but I would still like to say a few words on this topic.

First of all, technically all these people are right. The cloud is only someone else’s computer. But, in my opinion, the real problem with this attitude is not the technical part, but all the misconceptions and hostility that lie beneath these words. Disqualifying all IT guys that don’t share the same opinion on cloud computing is, first of all, a sign of a lack of common sense. But I wouldn’t like to dwell on this right now.

The first argument I would like to bring forward is that the cloud is not something that evolved artificially. It’s exactly the other way around. The cloud is just the IT response to today’s world, to today’s economy, to today’s morals. We live in a service-oriented world and almost all people nowadays prefer to consume services rather than own products. That’s why we lease cars, we shop online, we order pizza instead of baking and so on. Companies, on their side, need to adapt to today’s needs, and nowadays people need new services and products right away.

Azure AD Connect – how to manually trigger a synchronization

Update: the Azure AD Connect default sync interval and manual sync process have totally changed starting with version 1.1.105.0, released in February 2016. Please refer to this article to find out how to manually trigger a synchronization cycle.

I don’t know if you have noticed so far, but I am a very big fan of Azure AD and everything that surrounds it, like Azure AD Connect, ADFS and all the features that come together with Azure AD, like password write-back (only with Azure AD Premium), Azure AD Join, Azure AD B2C, Enterprise State Roaming, and the list could go on. I also noticed that I have written very little about Azure AD on this blog, so I decided to concentrate more on it in the coming days. And since this week I had a partner engagement where this question showed up, I decided to explain here how you can manually trigger a synchronization cycle using Azure AD Connect.

First of all, this question arises because in older versions of DirSync we used to do this in a certain way, but with Azure AD Connect this process has changed. So administrators that were very familiar with the DirSync process start to get confused.

Secondly, before starting a synchronization, we would have to decide whether we need a full synchronization or a delta synchronization, right? As you may know, a full synchronization imports all your objects once again and synchronizes them again to Azure AD. A delta synchronization will synchronize only objects that have changed in Active Directory since the last synchronization, so users for which you may have changed an attribute, new users or deleted users (this applies also to groups and contacts, of course).

So assuming that we need to trigger a full synchronization, we have one great option: PowerShell. Only that this is a little bit different now. First of all, you would need to open PowerShell and navigate to the following location: C:\Program Files\Microsoft Azure AD Sync\Bin. So the very basic PowerShell cmdlet to do this would be:

WishAppList – let publishers know that you want their apps on Windows 10

The absence of popular apps is one big problem in the Windows Mobile ecosystem. Microsoft made a very important move to address this problem by bringing the new universal apps model to all Windows 10 devices, no matter whether PC, tablet or smartphone. However, since most of the mobile phones still haven’t received the upgrade to Windows 10, Lumia devices started to heavily lose market share.

However, this is only the intro to what I want to share with all app power users. There is a cool website called WishAppList that enables users to cast their vote for their favourite apps. In order to do this, you have to sign up and log in. Then, you can cast your vote for existing applications or even bring a new app to the attention of all visitors.

Enterprise State Roaming – everything’s possible when Azure AD and Windows 10 work together

Starting with Windows 8.1 I noticed that when I change my laptop, most of the settings and favourites are there on the new device. This was a great thing! However, I asked myself whether this would also be possible when changing my company laptop. With Azure AD and Windows 10 this is now possible, using a new feature called Enterprise State Roaming.