Every discussion about security should start with a discussion about identity and access management. It’s that important and therefore the quest for a perfect IDaaS solution is a painful but needed journey. One could of course choose to build its own identity and access management systems/software, but most of the time companies don’t have the necessary time and resources to do that since we’re seeing crazy release cycles nowadays. Going towards IDaaS is therefore a natural choice in a lot of circumstances. But do we really have a “perfect for every scenario” IDaaS solution somewhere out there? Let’s see! Continue reading
Coming from the Microsoft world it was natural for me to immediately jump to Azure AD B2C when I needed to implement authentication in an Angular 5 application. However, things weren’t so rosy, so I had to look for alternatives after an entire day playing around with Azure AD B2C and so I met Google Firebase. And after more days of playing around and comparing pros and cons, I thought it might be useful for others to share some thoughts on these two products.
What was everything about?
I am currently working on a personal project that might be some day a consumer app. Since I like Angular a lot, it was a natural choice for me to use it for my front end work. The larger picture involves also a .Net Core API and all needed application layers. When I started to work on the front end, one of the first things I wanted to do is to implement authentication. Here it’s important to note that my project will hopefully be some day a consumer app. So that’s why I was looking at Azure AD B2C and not the (let’s say) normal Azure AD. Continue reading
ADFS in multi forest environments is still a very hot topic based on my day to day experience. Even if I’m concentrating more on cloud application development projects for more than 8 months, I still get a lot of questions from partners, colleagues, customers, IT admins from all around the world regarding this specific scenario. To put this in a little bit more perspective, the questions are usually asked in the context of Azure Active Directory, so the already renowned federated identity scenario. So that’s why I decided to blog about it, hoping to complement the scarce existing documentation.
Before we get started I would like to clarify one thing. Even if I will reference a lot Azure AD, everything I describe here is not restricted to Azure AD as a relying party. In fact, last time I worked on such a scenario, the relying party was AWS. So let’s get started.
The basic scenario is the following: a company has two or more Active Directory forest and one Azure AD. Using Azure AD Connect we can synchronize several forests to the same Azure AD. The question arises on the ADFS design. How many ADFS farms would we need? How would this work? Is this supported? Continue reading
Azure AD conditional access and per app MFA is globally available starting today, as announced by Alex Simmons. This feature was in preview for some time, but now, that it is globally available, it can be used in production environments. Since this is a new feature, I played a little bit around with it and I would like to share some insights.
Azure AD per app MFA and conditional access allows administrators to set MFA requirements on applications that are registered in Azure AD. This enables interesting scenarios, like for example requiring MFA for Exchange Online, but not for SharePoint Online, if a request comes from outside the corporate network. In order for this to work, you would have to activate MFA first and define the IP ranges that define your corporate network in CIDR format. You should be able to do this by accessing following URL: https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx. Continue reading
Few weeks back I wrote a blog post describing how you can manually trigger an Azure AD Connect synchronization. Well, you can forget almost everything I wrote there, because Azure AD Connect default synchronization interval and manual sync process have totally changed starting with Azure AD Connect version 18.104.22.168. Let’s take a look at what’s new.
The first thing to note is that DirectorySyncClientCmd.exe does not exist anymore. No matter where you are looking for it, you won’t find this executable, so don’t lose your time. Secondly, the Azure AD Connect Task scheduler is not visible in Task Scheduler anymore. So, don’t lose your time looking for it either. What we have instead is more PowerShell. And since I am a PowerShell fan, I really like the new approach. Continue reading
Update: Azure AD Connect default sync intervals and manual sync process have totally changed starting with version 22.214.171.124 released in February 2016. Please refer to THIS article to find out how to manually trigger a synchronization cycle.
I don’t know if you have noticed so far, but I am a very big fan of Azure AD and everything that surrounds it, like Azure AD Connect, ADFS an all features that come together with Azure AD like password write back (only with Azure AD Premium), Azure AD join, Azure AD B2C, Enterprise State Roaming and the list could go on. I also noticed that I wrote very little about Azure AD on this blog, so I decided to concentrate more on this the coming days. And since this week I had a partner engagement where this question showed up, I decided to explain here how can you manually trigger a synchronization cycle using Azure AD Connect.
First of all, this question arises because in older versions of DirSync we used to do this in a certain way, but with Azure AD Connect this process has changed. So administrators that were very familiar with this process in DirSync start to get confused.
Secondly, before starting a synchronization, we would have to decide if we need a full synchronization or a delta synchronization, right? As you may know, a full synchronization imports once again all your objects and synchronizes them again to Azure AD. A delta synchronization will synchronize only objects that have changed in Active Directory since the last synchronization, so users for which you may have changed an attribute, new users or deleted users (applies also to groups and contacts, of course).
So assuming that we need to trigger a full synchronization, we have one great option: PowerShell. Only that this is a little bit different now. So first of all, you would need to open PowerShell and navigate to the following location: C:\Program Files\Microsoft Azure AD Sync\Bin. So the very basic PowerShell cmdlet to do this would be: Continue reading
Starting with Windows 8.1 I noticed that when I change my laptop, most of the settings and favourites will be there on the new device. This was a great thing! However, I asked myself if this would be possible also when changing my company laptop. With Azure AD and Windows 10 this is now possible, using a new feature called Enterprise State Roaming. Continue reading
Do you remember the times when you couldn’t assign service admin roles in Office 365? Those times are not gone for a long time, but however, it was not possible to add an Exchange Online Administrator, or a SharePoint Administrator. So, in most cases, companies used Global Administrators to manage Exchange, for instance, but the same admins had also access to SharePoint. It’s clear that this was odd.
The reason why this was not possible is that users and correspondent administrative roles are handled in Azure AD. So each Office 365 organization also has an Azure AD, only that many don’t know. And back then, administrative roles weren’t properly integrated across different services. However, this is possible now and we can also use PowerShell do handle everything. Continue reading
Last week I was in Munich, attending a Microsoft partner event and I also delivered a track on Azure AD, called “Azure AD, the door to the future”. So I was thinking on writing down a brief summary of the content I delivered on Azure AD.
But it’s not possible to jump directly to Azure AD, without spending some words on the modern workplace, since Azure AD is just a technical answer for the challenges IT administrators face nowadays. Ten years back, the workplace was straightforward. Users came in their office, logged in to their PC and worked. In the evening they sut everything down and went home. Nowadays it’s different, since users are very mobile. They don’t simply work from their desk. Instead, users are now working from places difficult to imagine few years back, like bars, trains, hotels and their homes, of course. Not only that users are physically mobile, but they also use a vast palette of devices to accomplish work related tasks. If the IT department doesn’t offer devices, users will bring them themselves. In this circumstances, mobility is not something about movement anymore, but about the mobility of the entire experience.
Further, users also use a vast range of apps in their day to day work. And to be sincere, users also use a lot of third party SaaS apps to accomplish their tasks. Most IT departments wanted to improve the user experience and tried to integrate some way all the apps in their IT infrastructure, in order to prevent the leak of corporate information. Continue reading