Tag Archives: Azure AD

ADFS in multi forest environments

Published by:

Dan Patrascu-Baba

Partner Technical Consultant at Microsoft
Azure PaaS and dev consultant, working for Microsoft. Mostly dealing with Microsoft Azure services, ASP.Net Core, AngularJS, Javascript. Helping partners and customers to write good code and to architect their cloud and hybrid solutions.

ADFS in multi forest environments is still a very hot topic based on my day to day experience. Even if I’m concentrating more on cloud application development projects for more than 8 months, I still get a lot of questions from partners, colleagues, customers, IT admins from all around the world regarding this specific scenario. To put this in a little bit more perspective, the questions are usually asked in the context of Azure Active Directory, so the already renowned federated identity scenario. So that’s why I decided to blog about it, hoping to complement the scarce existing documentation.

Before we get started I would like to clarify one thing. Even though I will reference Azure AD a lot, everything I describe here is not restricted to Azure AD as a relying party. In fact, the last time I worked on such a scenario, the relying party was AWS. So let’s get started.

The basic scenario is the following: a company has two or more Active Directory forests and one Azure AD. Using Azure AD Connect we can synchronize several forests to the same Azure AD. The question arises on the ADFS design. How many ADFS farms would we need? How would this work? Is this supported?

Testing Azure AD per app MFA and conditional access based on network location

Azure AD conditional access and per app MFA is globally available starting today, as announced by Alex Simmons. This feature was in preview for some time, but now that it is globally available, it can be used in production environments. Since this is a new feature, I played around with it a little bit and I would like to share some insights.

Azure AD per app MFA and conditional access allows administrators to set MFA requirements on applications that are registered in Azure AD. This enables interesting scenarios, such as requiring MFA for Exchange Online, but not for SharePoint Online, if a request comes from outside the corporate network. In order for this to work, you would have to activate MFA first and define the IP ranges that make up your corporate network in CIDR format. You should be able to do this by accessing the following URL: https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx

Azure AD Connect default synchronization interval and manual sync process have totally changed

A few weeks back I wrote a blog post describing how you can manually trigger an Azure AD Connect synchronization. Well, you can forget almost everything I wrote there, because Azure AD Connect default synchronization interval and manual sync process have totally changed starting with Azure AD Connect version 1.1.105.0. Let’s take a look at what’s new.

The first thing to note is that DirectorySyncClientCmd.exe does not exist anymore. No matter where you look for it, you won’t find this executable, so don’t waste your time. Secondly, the Azure AD Connect Task scheduler is not visible in Task Scheduler anymore. So, don’t waste your time looking for it either. What we have instead is more PowerShell. And since I am a PowerShell fan, I really like the new approach.

Azure AD Connect – how to manually trigger a synchronization

Update: Azure AD Connect default sync intervals and manual sync process have totally changed starting with version 1.1.105.0 released in February 2016. Please refer to THIS article to find out how to manually trigger a synchronization cycle.

I don’t know if you have noticed so far, but I am a very big fan of Azure AD and everything that surrounds it, like Azure AD Connect, ADFS and all the features that come together with Azure AD like password write back (only with Azure AD Premium), Azure AD join, Azure AD B2C, Enterprise State Roaming and the list could go on. I also noticed that I wrote very little about Azure AD on this blog, so I decided to concentrate more on this in the coming days. And since this week I had a partner engagement where this question showed up, I decided to explain here how you can manually trigger a synchronization cycle using Azure AD Connect.

First of all, this question arises because in older versions of DirSync we used to do this in a certain way, but with Azure AD Connect this process has changed. So administrators that were very familiar with this process in DirSync start to get confused.

Secondly, before starting a synchronization, we would have to decide if we need a full synchronization or a delta synchronization, right? As you may know, a full synchronization imports once again all your objects and synchronizes them again to Azure AD. A delta synchronization will synchronize only objects that have changed in Active Directory since the last synchronization, so users for which you may have changed an attribute, new users or deleted users (applies also to groups and contacts, of course).

So assuming that we need to trigger a full synchronization, we have one great option: PowerShell. Only that this is a little bit different now. So first of all, you would need to open PowerShell and navigate to the following location: C:\Program Files\Microsoft Azure AD Sync\Bin. So the very basic PowerShell cmdlet to do this would be:

Enterprise State Roaming – everything’s possible when Azure AD and Windows 10 work together

Starting with Windows 8.1 I noticed that when I change my laptop, most of the settings and favourites will be there on the new device. This was a great thing! However, I asked myself if this would be possible also when changing my company laptop. With Azure AD and Windows 10 this is now possible, using a new feature called Enterprise State Roaming.

Using PowerShell to assign service admin roles in Azure AD

Do you remember the times when you couldn’t assign service admin roles in Office 365? Those times are not long gone, but back then it was not possible to add an Exchange Online Administrator or a SharePoint Administrator. So, in most cases, companies used Global Administrators to manage Exchange, for instance, but the same admins also had access to SharePoint. It’s clear that this was odd.

The reason why this was not possible is that users and the corresponding administrative roles are handled in Azure AD. So each Office 365 organization also has an Azure AD, only many don’t know it. And back then, administrative roles weren’t properly integrated across different services. However, this is possible now and we can also use PowerShell to handle everything.

Azure AD, the door to the future

Last week I was in Munich, attending a Microsoft partner event and I also delivered a track on Azure AD, called “Azure AD, the door to the future”. So I was thinking of writing down a brief summary of the content I delivered on Azure AD.

But it’s not possible to jump directly to Azure AD without spending some words on the modern workplace, since Azure AD is just a technical answer to the challenges IT administrators face nowadays. Ten years back, the workplace was straightforward. Users came into their office, logged in to their PC and worked. In the evening they shut everything down and went home. Nowadays it’s different, since users are very mobile. They don’t simply work from their desk. Instead, users are now working from places difficult to imagine a few years back, like bars, trains, hotels and their homes, of course. Not only are users physically mobile, but they also use a vast palette of devices to accomplish work related tasks. If the IT department doesn’t offer devices, users will bring them themselves. In these circumstances, mobility is not something about movement anymore, but about the mobility of the entire experience.

Further, users also use a vast range of apps in their day to day work. And to be sincere, users also use a lot of third party SaaS apps to accomplish their tasks. Most IT departments wanted to improve the user experience and tried to integrate all the apps into their IT infrastructure in some way, in order to prevent the leak of corporate information.