Testing Azure AD per app MFA and conditional access based on network location

Published by:

azure ad

Azure AD conditional access and per app MFA is globally available starting today, as announced by Alex Simmons. This feature was in preview for some time, but now, that it is globally available, it can be used in production environments. Since this is a new feature, I played a little bit around with it and I would like to share some insights.

Azure AD per app MFA and conditional access allows administrators to set MFA requirements on applications that are registered in Azure AD. This enables interesting scenarios, like for example requiring MFA for Exchange Online, but not for SharePoint Online, if a request comes from outside the corporate network. In order for this to work, you would have to activate MFA first and define the IP ranges that define your corporate network in CIDR format. You should be able to do this by accessing following URL: https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspxContinue reading

Curriculum Vitae Builder, a great Office add-in

Published by:

Office 365 3

When I talk to partners or during my speeches at conferences I almost always mention the fact that there is a big market for Office add-ins and that developers should clearly exploit it. Today I stumbled upon a great Office add-in called Curriculum Vitae Builder, developed by Egomnia. And this add-in is really great, especially for graduates or for professionals that seek a new professional challenge. With a lot of different versions of résumé it is often difficult to put together a very strong and appealing curriculum vitae. However, with Curriculum Vitae Builder you surely won’t forget any important information about yourself. Continue reading

Azure AD Connect default synchronization interval and manual sync process have totally changed

Published by:

azure ad

Few weeks back I wrote a blog post describing how you can manually trigger an Azure AD Connect synchronization. Well, you can forget almost everything I wrote there, because Azure AD Connect default synchronization interval and manual sync process have totally changed starting with Azure AD Connect version 1.1.105.0. Let’s take a look at what’s new.

The first thing to note is that DirectorySyncClientCmd.exe does not exist anymore. No matter where you are looking for it, you won’t find this executable, so don’t lose your time. Secondly, the Azure AD Connect Task scheduler is not visible in Task Scheduler anymore. So, don’t lose your time looking for it either. What we have instead is more PowerShell. And since I am a PowerShell fan, I really like the new approach.  Continue reading

Azure AD Connect synchronization rules

Published by:

Sync rules

In older version of directory synchronization tools we normally used the miisclient.exe to perform different complex tasks, like configuring an alternate login ID or implementing attribute based filtering. With Azure AD Connect this has changed and all associated and deprecated features of older tools have been removed from the UI of miisclient.exe. In order to accomplish these tasks in Azure AD Connect, we now use synchronization rules via the Synchronization Rules Editor.

But first of all, what are synchronization rules? Azure AD Connect synchronization rules are a modular definition of logic and are used to define almost everything, including precedence, object deletion, and other rules that were previously disjointed. A synchronization rule in Azure AD Connect is bound to a single connector, either to the AD connector or to the Azure AD connector, but never to both connectors at the same time. Each rule has a certain precedence and precedence defines the specific order in which rules are applied. For instance, a synchronization rule with precedence 100 will be applied first and one with 101 immediately afterwards.  Continue reading

There is no cloud!

Published by:

no cloud

These days I saw on social media a lot of IT guys sharing with joy and great passion photos with “There is no cloud. It’s just someone else’s computer”. I also saw a lot of discussions and guys bragging with this motto, showing that they really mean it, that the cloud is bullshit and that every reasonable IT guy would resonate with this idea, that managers are kind of dumb pushing for the cloud and so on. Now, I fully support freedom of expression, but I would still want to say a few words on this topic.

First of all, technically all these people are right. The cloud is only someone else’s computer. But, in my opinion, the real problem with this attitude is not the technical part, but all the misconceptions and hostility that lies beneath these words. Disqualifying all IT guys that don’t share the same opinion on cloud computing is, first of all, a sign for the lack of common sense. But I wouldn’t like to dwell on this, right now.

The first argument I would like to bring forward is that the cloud is not something that evolved artificially. It’s exactly the other way around. The cloud is just the IT response to today’s world, to today’s economy, to today’s morals. We live in a service oriented world and almost all people nowadays prefer to consume service and not own products. That’s why we lease cars, we shop online, we order pizza instead of baking and so on. Companies, on their side, need to adapt to today’s needs and nowadays people need new services and products right away. Continue reading

Azure AD Connect – how to manually trigger a synchronization

Published by:

sync interval

Update: Azure AD Connect default sync intervals and manual sync process have totally changed starting with version 1.1.105.0 released in February 2016. Please refer to THIS article to find out how to manually trigger a synchronization cycle.

I don’t know if you have noticed so far, but I am a very  big fan of Azure AD and everything that surrounds it, like Azure AD Connect, ADFS an all features that come together with Azure AD like password write back (only with Azure AD Premium), Azure AD join, Azure AD B2C, Enterprise State Roaming and the list could go on. I also noticed that I wrote very little about Azure AD on this blog, so I decided to concentrate more on this the coming days. And since this week I had a partner engagement where this question showed up, I decided to explain here how can you manually trigger a synchronization cycle using Azure AD Connect.

First of all, this question arises because in older versions of DirSync we used to do this in a certain way, but with Azure AD Connect this process has changed. So administrators that were very familiar with this process in DirSync start to get confused.

Secondly, before starting a synchronization, we would have to decide if we need a full synchronization or a delta synchronization, right? As you may know, a full synchronization imports once again all your objects and synchronizes them again to Azure AD. A delta synchronization will synchronize only objects that have changed in Active Directory since the last synchronization, so users for which you may have changed an attribute, new users or deleted users (applies also to groups and contacts, of course).

So assuming that we need to trigger a full synchronization, we have one great option: PowerShell. Only that this is a little bit different now. So first of all, you would need to open PowerShell and navigate to the following location: C:\Program Files\Microsoft Azure AD Sync\Bin. So the very basic PowerShell cmdlet to do this would be:  Continue reading

WishAppList – let publishers know that you want their apps on Windows 10

Published by:

The absence of popular apps is one big problem in the Windows Mobile ecosystem. Microsoft did a very important move to address this problem by bringing the new universal apps model to all Windows 10 devices, no matter if PC, tablet or smartphone. However, since most of the mobile phones still didn’t receive the upgrade to Windows 10, Lumia devices started to heavily loose market share.

However, this is only the intro to what I want to share to all apps power users. There is a cool website called WishAppList, that enables users to cast their vote for their favourite apps. In order to do this, you have to sign up and login. Then, you can cast your vote for existing applications or even bring a new app to the attention of all visitors.  Continue reading

Enterprise State Roaming – everything’s possible when Azure AD and Windows 10 work together

Published by:

windows10wallpaper

Starting with Windows 8.1 I noticed that when I change my laptop, most of the settings and favourites will be there on the new device. This was a great thing! However, I asked myself if this would be possible also when changing my company laptop. With Azure AD and Windows 10 this is now possible, using a new feature called Enterprise State Roaming.  Continue reading

Using PowerShell to assign service admin roles in Azure AD

Published by:

powershell-icon

Do you remember the times when you couldn’t assign service admin roles in Office 365? Those times are not gone for a long time, but however, it was not possible to add an Exchange Online Administrator, or a SharePoint Administrator. So, in most cases, companies used Global Administrators to manage Exchange, for instance, but the same admins had also access to SharePoint. It’s clear that this was odd.

The reason why this was not possible is that users and correspondent administrative roles are handled in Azure AD. So each Office 365 organization also has an Azure AD, only that many don’t know. And back then, administrative roles weren’t properly integrated across different services. However, this is possible now and we can also use PowerShell do handle everything. Continue reading

Demystifying Exchange Online plans

Published by:

Exchange Server Logo

Exchange Online is a great business productivity service, just like the entire Office 365 suite. However, offering each company only the services that the company really needs is not an easy task since companies of all sizes would like to use these services. This is the reason why Office 365 comes with different subscriptions, where each subscription includes different service plans. Further, we also have the so called standalone plans that companies may use. All of this could become very confusing for customers and that’s why I often receive questions like what Exchange Online plan is included in Office 365 Business Premium and how is this plan different from other Exchange Online plans? Other customers prefer an Office 365 Business subscription, but would like to have only all the Exchange Online features that are present in Office 365 E3 subscriptions. So that’s why I thought of trying to demystify Exchange Online plans. I can’t promise I will succeed, but I’ll give it a try.

So, first of all, please note that all Office 365 Business subscriptions and the Office 365 E1 subscription include Exchange Online Plan 1! All other Office 365 Enterprise plans include Exchange Online Plan 2. Having this in mind, the next question would be: “what are the differences between Exchange Online Plan 1 and Exchange Online Plan 2?” Continue reading