(2021-09-11) Azure AD Administrative Units – Delegating Scoped Admin Tasks In Azure AD

Quite some time ago I blogged about Azure AD Administrative Units (AU). The details can be found in the found through the following blog posts:

• (2019-07-04) Azure AD Delegation Through Roles And Administrative Units – The Good, The Bad And The Ugly (Part 1)
• (2019-07-07) Azure AD Delegation Through Roles And Administrative Units – The Good, The Bad And The Ugly (Part 2)

–

Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units

–

Since then many things have changed, and today it is a valuable feature to delegate management of a set of objects to other groups of people. It is different than OUs in Active Directory (AD). OUs in AD are for delegating management and applying policy. AUs in Azure AD are for delegating management only.

Figure 1: Administrative Units In Azure AD – From The Administrative Unit Perspective

–

Objects

Today AUs only support user and group objects, both cloud native and hybrid/synched. Those objects are not actually child objects of an AU. The objects are assigned to one or more AUs. The assignment basically behaves like a group membership. By allowing objects being assigned to multiple AUs, multiple groups of admins can manage the same set of objects.

Objects can be assigned to an AU

• …from the AU perspective => select AU, then add member object

OR

• …from the object perspective => select object, then assign an AU

Figure 2: User Objects Member Of A Certain Administrative Unit

–

Figure 3: Group Objects Member Of A Certain Administrative Unit

–

Figure 4: Administrative Units In Azure AD – From The Object (In This Case: User) Perspective

–

Administration

The main and only goal of AUs is the delegation of administration of user and group objects. At tenant level, Azure AD supports many administrative roles. Some of those roles, that focus on user and group objects throughout the complete Azure AD tenant, can therefore also be scoped at AU level allowing to perform the tasks supported by the administrative role on the objects that are assigned to the AU. In figure 5 you can see the administrative roles currently supported by an AU.

Figure 5: Administrative Units In Azure AD – Available Delegation Roles For Each Administrative Unit

–

This does not mean, delegation is configured by default. No, you still need to configure that by either assigning users and/or groups the respective role scoped for the corresponding AU. In terms of users you can assign any user the supported roles scoping the AU. With regards to groups, you can only assign groups only the supported Azure AD roles, if those groups have been created to support Azure AD role assignments. That support cannot be changed after the creation of the group. it must be configured when creating the group.

When looking at a specific Azure AD administrative role, you will be able to see what the scope of management is and which object (group or user) has been configured for that specific scope.

–

Assigning Objects To AUs

It is possible to add or remove assignments of individual objects, through either the Azure AD Portal, PowerShell or the Microsoft graph. Additionally, through the Azure AD Portal it is possible to bulk add or remove objects to/from the AU. When deleting an AU, only the AU, the delegating configuration (role assignment scoped to the AU, not the role itself) and the assignment of objects (users and groups, but not the objects themselves) will be deleted with it.

Figure 6: Administrative Units In Azure AD – Supported Bulk Operations

–

Another thing that would be very interesting is auto assigning users and groups to Administrative Units instead of all the current manual work that is needed. Dynamic assignment similar to dynamic groups would be very welcome and definitely a serious win!

Nevertheless, if you have something that can either leverage the Azure AD PowerShell module or the Microsoft Graph API, dynamic assignment is possible as long as you have something external to Azure AD (IAM System?) to determine the logic of adding or removing objects to/from AUs. More about these thoughts in a next blog post! Make sure to read that one!

–

PowerShell

The Azure AD PowerShell module supports CMDlets to manage AUs through either the Azure AD graph (deprecated!) (*-AzureADAdministrativeUnit*) or the Microsoft graph (preferred!) (*-AzureADMSAdministrativeUnit*)

 –

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################

IAMTEC

Identity | Security | Recovery

https://iamtec.eu/
————————————————————————————————————————————————————-

(2021-09-09) Azure AD Graph Deprecation – Are You Already Migrating?

About more than a year ago, around June 30th 2020, Microsoft announced the deprecation of Azure AD Graph. At the same time everyone was told to start migrating away from Azure AD graph to Microsoft Graph. The latter supports both Azure AD and different Microsoft online services such Exchange, Sharepoint, Teams, etc.

At a very high level Microsoft said:

Azure Active Directory (Azure AD) Graph is deprecated. To avoid loss of functionality, migrate your applications to Microsoft Graph before June 30, 2022 when Azure AD Graph API endpoints will stop responding to requests. Microsoft will continue technical support and apply security fixes for Azure AD Graph until June 30, 2022 when all functionality and support will end. If you fail to migrate your applications to Microsoft Graph before June 30, 2022, you put their functionality and stability at risk.

–

Most of the time people read this and may think: “I’ll look at that later”. With that thought, time goes by and suddenly it June 30th 2022! Oops!

Well, it’s not too late, yet. In less then a year, everything still using Azure AD graph will stop working. Microsoft provides documentation and guidance on how to determine where Azure AD graph is being used and how to migrate to Microsoft graph. Information about this can be found through the following links:

• Migration From Azure AD Graph To Microsoft Graph – Overview
• Migration From Azure AD Graph To Microsoft Graph – Planning And Checklist
• Migration From Azure AD Graph To Microsoft Graph – FAQ

–

Please be aware that changes might be more work than you would expect. For example, if you look at the Azure AD PowerShell module it uses Azure AD graph in the backend. Today already the Azure AD PowerShell module already supports the Microsoft graph in addition to the Azure AD graph. For example, taking a the CMDLet “New-AzureADgroup” as example, Microsoft did not change that CMDlet to suddenly start using Microsoft graph. No, they introduced a replacement CMDlet “New-AzureADMSGroup” that targets Microsoft graph. If you have scripts, please be aware it might not be as simple as changing from *-AzureAD* to *-AzureADMS* . Due to the change of the CMDlet and therefore the endpint, there are also (subtle) schema changes. The easiest example is the change from ObjectID to ID.

–

Also be aware that new features will be implement in Microsoft graph only, and anything that leverages it. An example of such is the ability of assigning Azure AD groups to Azure (AD) roles. When creating a group in the Azure AD portal, you need to enabled the option “Azure AD roles can be assigned to the group”. Now, through PowerShell you need to use the CMDlet “New-AzureADMSGroup” with the parameter “-IsAssignableToRole”

–

Now, if you have not started yet migrating away from Azure AD graph to Microsoft graph, make sure to start A.S.A.P.!

–

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################

IAMTEC

Identity | Security | Recovery

https://iamtec.eu/
————————————————————————————————————————————————————-

(2021-07-21) Microsoft Releases “Azure Active Directory Security Operations Guide”

Microsoft has released a security operations guide focusing on:

• User Accounts
• Privileged Accounts
• Privileged Identity Management
• Applications
• Devices
• Infrastructure

Lots of info and guidance. Now go get it, read it and implement any benefits for you.

See: Azure Active Directory security operations guide

–

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2021-07-21) Azure AD Connect v2.0.3.0 Has Been Released

Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

• Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
• Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
• Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
• Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

–

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

–

IMPORTANT: Major release. Lots of changes/updates!

–

Azure AD Connect: Version Release History

2.0.3.0

Released: 7/20/2021 – Released for download only, not available for auto upgrade

Note: This is a major release of Azure AD Connect. Please refer to the Azure Active Directory V2.0 article for more details.

–

Prerequisites for Azure AD Connect

–

Functional changes

• We have upgraded the LocalDB components of SQL Server to SQL 2019.
• This release requires Windows Server 2016 or newer, due to the requirements of SQL Server 2019.
• In this release we enforce the use of TLS 1.2. If you have enabled your Windows Server for TLS 1.2, AADConnect will use this protocol. If TLS 1.2 is not enabled on the server you will see an error message when attempting to install AADConnect and the installation will not continue until you have enabled TLS 1.2. Note that you can use the new “Set-ADSyncToolsTls12” cmdlets to enable TLS 1.2 on your server.
• With this release, you can use a user with the user role “Hybrid Identity Administrator” to authenticate when you install Azure AD Connect. You no longer need the Global Administrator role for this.
• We have upgraded the Visual C++ runtime library to version 14 as a prerequisite for SQL Server 2019
• This release uses the MSAL library for authentication, and we have removed the older ADAL library, which will be retired in 2022.
• We no longer apply permissions on the AdminSDHolders, following Windows security guidance. We changed the parameter "SkipAdminSdHolders" to "IncludeAdminSdHolders" in the ADSyncConfig.psm1 module.
• Passwords will now be reevaluated when the password last set value is changed, regardless of whether the password itself is changed. If for a user the password is set to “Must change password” then this status is synced to Azure AD, and when the user attempts to sign in in Azure AD they will be prompted to reset their password.
• We have added two new cmdlets to the ADSyncTools module to enable or retrieve TLS 1.2 settings from the Windows Server.
  (You can use these cmdlets to retrieve the TLS 1.2 enablement status, or set it as needed. Note that TLS 1.2 must be enabled on the server for the installation or AADConnect to succeed.)
• Get-ADSyncToolsTls12
• Set-ADSyncToolsTls12
• We have revamped ADSyncTools with several new and improved cmdlets. The ADSyncTools article has more details about these cmdlets. The following cmdlets have been added or updated:
• Clear-ADSyncToolsMsDsConsistencyGuid
• ConvertFrom-ADSyncToolsAadDistinguishedName
• ConvertFrom-ADSyncToolsImmutableID
• ConvertTo-ADSyncToolsAadDistinguishedName
• ConvertTo-ADSyncToolsCloudAnchor
• ConvertTo-ADSyncToolsImmutableID
• Export-ADSyncToolsAadDisconnectors
• Export-ADSyncToolsObjects
• Export-ADSyncToolsRunHistory
• Get-ADSyncToolsAadObject
• Get-ADSyncToolsMsDsConsistencyGuid
• Import-ADSyncToolsObjects
• Import-ADSyncToolsRunHistory
• Remove-ADSyncToolsAadObject
• Search-ADSyncToolsADobject
• Set-ADSyncToolsMsDsConsistencyGuid
• Trace-ADSyncToolsADImport
• Trace-ADSyncToolsLdapQuery
• We now use the V2 endpoint for import and export and we fixed issue in the Get-ADSyncAADConnectorExportApiVersion cmdlet. You can read more about the V2 endpoint in the Azure AD Connect sync V2 endpoint article.
  We have added the following new user properties to sync from on-prem AD to Azure AD
• employeeType
• employeeHireDate
• This release requires PowerShell version 5.0 or newer to be installed on the Windows Server. Note that this version is part of Windows Server 2016 and newer.
• We increased the Group sync membership limits to 250k with the new V2 endpoint.
• We have updated the Generic LDAP connector and the Generic SQL Connector to the latest versions. Read more about these connectors here:
• Generic LDAP Connector reference documentation
• Generic SQL Connector reference documentation
• In the M365 Admin Center, we now report the AADConnect client version whenever there is export activity to Azure AD. This ensures that the M365 Admin Center always has the most up to date AADConnect client version, and that it can detect when you’re using and outdated version
• Provides a batch import execution script which can be called from Windows scheduled job so that the customers can automate the batch import operations with scheduling.
• Credentials are provided as an encrypted file using Windows Data Protection API (DPAPI).
• Credential files can be use only at the same machine and user account where it’s created.
• The Azure AD Kerberos Feature supported for the MSAL library. To use the AAD Kerberos Feature, the customer needs to register an on-premises service principal name into the Azure AD. Provides importing of an on-premises service principal object into the Azure AD.

–

Fixed issues/Bug Fixes:

• We fixed an accessibility bug where the screen reader is announcing incorrect role of the ‘Learn More’ link.
• We fixed a bug where sync rules with large precedence values (i.e. 387163089) cause upgrade to fail. We updated sproc ‘mms_UpdateSyncRulePrecedence’ to cast the precedence number as an integer prior to incrementing the value.
• Fixed a bug where group writeback permissions are not set on the sync account if a group writeback configuration is imported. We now set the group writeback permissions if group writeback is enabled on the imported configuration.
• We updated the Azure AD Connect Health agent version to 3.1.110.0 to fix an installation failure.
• We are seeing an issue with non-default attributes from exported configurations where directory extension attributes are configured. When importing these configurations to a new server/installation, the attribute inclusion list is overridden by the directory extension configuration step, so after import only default and directory extension attributes are selected in the sync service manager (non-default attributes are not included in the installation, so the user must manually reenable them from the sync service manager if they want their imported sync rules to work). We now refresh the AAD Connector before configuring directory extension to keep existing attributes from the attribute inclusion list.
  
• We fixed an accessibility issues where the page header’s font weight is set as "Light". Font weight is now set to "Bold" for the page title, which applies to the header of all pages.
• The function Get-AdObject in ADSyncSingleObjectSync.ps1 has been renamed to Get-AdDirectoryObject to prevent ambiguity with the AD cmdlet.
• The SQL function ‘mms_CheckSynchronizationRuleHasUniquePrecedence’ allow duplicates precedence on outbound sync rules on different connectors. We removed the condition that allows duplicate rule precedence.
• We fixed a bug where the Single Object Sync cmdlet fails if the attribute flow data is null i.e. on exporting delete operation
• We fixed a bug where the installation fails because the ADSync bootstrap service cannot be started. We now add Sync Service Account to the Local Builtin User Group before starting the bootstrap service.
• We fixed an accessibility issue where the active tab on AAD Connect wizard is not showing correct color on High Contrast theme. The selected color code was being overwritten due to missing condition in normal color code configuration.
• We addressed an issue where users were allowed to deselect objects and attributes used in sync rules using the UI and PowerShell. We now show friendly error message if you try to deselect any attribute or object that is used in any sync rules.
• We made some updates to the “migrate settings code” to check and fix backward compatibility issue when the script is ran on an older version of Azure AD Connect.
• Fixed a bug where, when PHS tries to look up an incomplete object, it does not use the same algorithm to resolve the DC as it used originally to fetch the passwords. In particular, it is ignoring affinitized DC information. The Incomplete object lookup should use the same logic to locate the DC in both instances.
• We fixed a bug where AADConnect cannot read Application Proxy items using Microsoft Graph due to a permissions issue with calling Microsoft Graph directly based on AAD Connect client id. To fix this, we removed the dependency on Microsoft Graph and instead use AAD PowerShell to work with the App Proxy Application objects.
• We removed the writeback member limit from ‘Out to AD – Group SOAInAAD Exchange’ sync rule
• We fixed a bug where, when changing connector account permissions, if an object comes in scope that has not changed since the last delta import, a delta import will not import it. We now display warning alerting user of the issue.
• We fixed an accessibility issue where the screen reader is not reading radio button position, i.e. 1 of 2. We added added positional text to the radio button accessibility text field.
• We updated the Pass-Thru Authentication Agent bundle. The older bundle did not have correct reply URL for HIP’s first party application in US Gov.
• We fixed a bug where there is a ‘stopped-extension-dll-exception’ on AAD connector export after clean installing AADConnect version 1.6.X.X, which defaults to using DirSyncWebServices API V2, using an existing database. Previously the setting export version to v2 was only being done for upgrade, we changed so that it is set on clean install as well.
• The “ADSyncPrep.psm1” module is no longer used and is removed from the installation.

• From v1.5.29.0: This hotfix build fixes an issue introduced in build 1.5.20.0 where a tenant administrator with MFA was not able to enable DSSO
• From v1.5.22.0: This hotfix build fixes an issue in build 1.5.20.0 if you have cloned the In from AD – Group Join rule and have not cloned the In from AD – Group Common rule.

–

Known issues:

• The AADConnect wizard shows the “Import Synchronization Settings” option as “Preview”, while this feature is generally Available.
• Some Active Directory connectors may be installed in a different order when using the output of the migrate settings script to install the product.
• The User Sign In options page in the Azure AD Connect wizard mentions “Company Administrator”. This term is no longer used and needs to be replace by “Global Administrator”.
• The “Export settings” option is broken when the Sign In option has been configured to use PingFederate.
• While Azure AD Connect can now be deployed using the Hybrid Identity Administrator role, configuring Self Service Password Reset will still require user with the Global Administrator role.
• When importing the AADConnect configuration while deploying to connect with a different tenant than the original AADConnect configuration, directory extension attributes are not configured correctly.

–

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

–

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2020-05-08) Upgrading Azure AD Connect – Some Tips

These are some tips I would like to share with you when upgrading Azure AD Connect

[1] Before the upgrade I always export the global configuration and sync rules of Azure AD Connect through a PowerShell script I wrote to a folder

–

[2] During upgrade, I  ALWAYS UNcheck the following. Why? I like to have the opportunity to check things before any sync cycle starts

Figure 1: “Ready To Configure” In The Azure AD Connect Upgrade Wizard

–

[3] After the upgrade I always check the global configuration options to see if anything is different compared to before the upgrade. You either need to have a good memory or create screenshots before the upgrade to be able to compare

Azure AD Connect Wizard –> Configure –> View current configuration

Figure 2: Global Configuration Of Azure AD Connect

–

[4A] After the upgrade I always check the selected forests/domains/OUs to see if anything is different compared to before the upgrade. You either need to have a good memory or create screenshots before the upgrade to be able to compare or have documentation describing what should be configured

Azure AD Connect Wizard –> Configure –> Customize Synchronization Options

In this screen I really want to make sure everything is as it should be! For every connected directory I always expand every AD domain to be sure only required OUs are selected and nothing else. This only applies if you have selected AD domains and OUs that need to be synched. The check is very simple. For every AD domain, expand and then collapse again. Look at the difference in figure 3 and 4

Figure 2: Domain And OU Filtering – BEFORE Expanding

–

Figure 3: Domain And OU Filtering – AFTER Expanding And Collapsing

–

[4B] After the upgrade I always check the Optional Features, Azure AD Apps, Azure AD Attributes and Directory Extensions to see if anything is different compared to before the upgrade. You either need to have a good memory or create screenshots before the upgrade to be able to compare or have documentation describing what should be configured. I always close/cancel the wizard by clicking on the cross in the upper right corner

–

[5] After the upgrade I always export the global configuration and sync rules of Azure AD Connect through a PowerShell script I wrote to a folder

–

[6] After the upgrade I always compare the global configuration exported before the upgrade and the global configuration after the upgrade. This is done through a PowerShell script I wrote

–

[7] After the upgrade I always compare the sync rules exported before the upgrade and the sync rules after the upgrade. This is done through a PowerShell script I wrote

–

[8] After the upgrade I always check the “Application Event Log” for any “weirdness” whatever that may be

–

[9] After the upgrade I always check the most recent log files in the folder “C:\ProgramData\AADConnect” to see what happened during the AAD Connect upgrade and to see if there is any weirdness

–

[10] And when everything is OK, I reenable the sync schedule and manually start of a sync cycle!

–

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2020-05-08) Azure AD Connect v1.5.29.0 (And v1.5.22.0) Have Been Released

Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

• Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
• Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
• Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
• Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

–

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

–

 

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.5.20.0. I noticed that it triggered a Full Synchronization on the AD MA/Connector(s). Since the full syncs may take some time, depending on the size of your AD/AAD environment in terms of number objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

–

Azure AD Connect: Version Release History

1.5.29.0 / 1.5.22.0

Released: 4/23/2020 / 4/20/2020

Released for download.

–

Prerequisites for Azure AD Connect

–

More information about Azure AD Connect

–

Functional changes ADSyncAutoUpgrade

• N.A.

–

Fixed issues:

• From v1.5.29.0: This hotfix build fixes an issue introduced in build 1.5.20.0 where a tenant administrator with MFA was not able to enable DSSO
• From v1.5.22.0: This hotfix build fixes an issue in build 1.5.20.0 if you have cloned the In from AD – Group Join rule and have not cloned the In from AD – Group Common rule.

–

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

–

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2020-04-10) Azure AD Connect v1.5.20.0 Has Been Released

Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

• Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
• Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
• Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
• Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

–

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

–

IMPORTANT: N.A.

–

Azure AD Connect: Version Release History

1.5.20.0

Released: 4/9/2020

Released for download. Not available for auto-upgrade

–

Prerequisites for Azure AD Connect

–

More information about Azure AD Connect

–

Functional changes ADSyncAutoUpgrade

• N.A.

–

Fixed issues:

• This hotfix build fixes an issue with build 1.5.18.0 if you have the Group Filtering feature enabled and use mS-DS-ConsistencyGuid as the source anchor.

–

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

–

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2020-04-04) Azure AD Connect v1.5.18.0 Has Been Released

Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

• Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
• Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
• Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
• Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

–

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

–

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.4.38.0. I noticed that it triggered a Full Import on the AAD MA/Connector, and it also triggered a Full Sync on both the AD and AAD MA/Connector. Since the full imports/syncs may take some time, depending on the size of your AD/AAD environment in terms of number objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

–

Azure AD Connect: Version Release History

1.5.18.0

Released: 4/2/2020

Released for download. Not available for auto-upgrade

–

Prerequisites for Azure AD Connect

–

More information about Azure AD Connect

–

Functional changes ADSyncAutoUpgrade

• Added support for the mS-DS-ConsistencyGuid feature for group objects. This allows you to move groups between forests or reconnect groups in AD to Azure AD where the AD group objectID has changed, e.g. when an AD server is rebuilt after a calamity. For more information see Moving groups between forests.
• The mS-DS-ConsistencyGuid attribute is automatically set on al synced groups and you do not have to do anything to enable this feature.
• Removed the Get-ADSyncRunProfile because it is no longer in use.
• Changed the warning you see when attempting to use an Enterprise Admin or Domain Admin account for the AD DS connector account to provide more context.
• Added a new cmdlet to remove objects from the connector space the old CSDelete.exe tool is removed, and it is replaced with the new Remove-ADSyncCSObject cmdlet. The Remove-ADSyncCSObject cmdlet takes a CsObject as input. This object can be retrieved by using the Get-ADSyncCSObject cmdlet.

–

Fixed issues

• Fixed a bug in the group writeback forest/OU selector on rerunning the Azure AD Connect wizard after disabling the feature.
• Introduced a new error page that will be displayed if the required DCOM registry values are missing with a new help link. Information is also written to log files.
• Fixed an issue with the creation of the Azure Active Directory synchronization account where enabling Directory Extensions or PHS may fail because the account has not propagated across all service replicas before attempted use.
• Fixed a bug in the sync errors compression utility that was not handling surrogate characters correctly.
• Fixed a bug in the auto upgrade which left the server in the scheduler suspended state.

–

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

–

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2020-03-30) Resetting The Password Of The Special Purpose KrbTgt Account For Azure AD

To reset the password of krbtgt accounts in the AD domain I have written a script that helps you with that.

More information can be found through the following links:

• (2018-12-30) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs
• (2019-02-12) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 1)
• (2019-02-25) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 2)
• (2020-02-10) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 3)
• (2020-02-18) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 4)

–

The script itself can be downloaded through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs

–

With the passwordless investments made by Microsoft, a preview currently is available to also use passwordless authentication using security keys against the on-premises AD. You can read more about it through the following link:

• Enable passwordless security key sign-in to on-premises resources with Azure Active Directory (preview)

–

To achieve the goal of passwordless authentication using security keys against AD, a special krbtgt account (‘Krbtgt_AzureAD’) is created in every single AD domain where that is required. That krbtgt account is very similar to a krbtgt account for an RODC and represents Azure AD for a specific AD domain. Like any other krbtgt account, that krbtgt account also requires to have its password reset and keys rotated. Very important to note here, is the password reset should not be done like any other regular password reset, but instead a special procedure should be followed. The PowerShell script that I mention above DOES NOT impact that special krbtgt account. Including with other updates, I will update the PowerShell script to warn you if it finds that special krbtgt account in the AD domain, and also include the method and steps to officially reset the password and rotate the keys.

–

To officially officially reset the password and rotate the keys, use the following steps:

• Go to an Azure AD Connect server (v1.4.32.0 or later)
• Open a PowerShell Command Prompt window
• In that window execute the following commands:

# Import The PowerShell Module For Azure AD Kerberos Server
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"

# AD Domain FQDN To Target
$adDdomainFQDN = Read-Host "AD Domain FQDN To Target"

# AD Domain/Enterprise Admin Credentials
$adDomainAdminAccount = Read-Host "AD Admin Account"
$adDomainAdminPassword = Read-Host "AD Admin Account Password" -AsSecureString
$secureAdDomainAdminPassword = ConvertTo-SecureString $adDomainAdminPassword -AsPlainText -Force
$adDomainAdminCreds = New-Object System.Management.Automation.PSCredential $adDomainAdminAccount, $secureAdDomainAdminPassword

# Azure AD Global Admin Credentials
$aadDomainAdminAccount = Read-Host "Azure AD Admin Account"
$aadDomainAdminPassword = Read-Host "Azure AD Admin Account Password" -AsSecureString
[string]$aadDomainAdminPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($aadDomainAdminPassword))
$secureAadDomainAdminPassword = ConvertTo-SecureString $aadDomainAdminPassword -AsPlainText -Force
$aadDomainAdminCreds = New-Object System.Management.Automation.PSCredential $aadDomainAdminAccount, $secureAadDomainAdminPassword

# Check the CURRENT status of the Azure AD Kerberos Server object in Active Directory
Get-AzureADKerberosServer -Domain $adDdomainFQDN -DomainCredential $adDomainAdminCreds -CloudCredential $aadDomainAdminCreds

# Reset the password and rotate the keys
Set-AzureADKerberosServer -Domain $adDdomainFQDN -DomainCredential $adDomainAdminCreds -CloudCredential $aadDomainAdminCreds -RotateServerKey

# Check the NEW status of the Azure AD Kerberos Server object in Active Directory
Get-AzureADKerberosServer -Domain $adDdomainFQDN -DomainCredential $adDomainAdminCreds -CloudCredential $aadDomainAdminCreds

REMARKS:

• For AD, domain or enterprise admin credentials are required
• For AAD, global admin credentials are required (accounts with MFA are supported!)
• Make sure the ‘KeyVersion’ value matches the ‘CloudKeyVersion’ value and the ‘KeyUpdatedOn’ value matches the ‘CloudKeyUpdatedOn’ value!

–

Figure 1A: The Popup You Will Get When The AAD Global Admin Account Is MFA Enabled Or Is Targeted Through Conditional Access For MFA

–

Figure 1B: The Popup You Will Get When The AAD Global Admin Account Is MFA Enabled Or Is Targeted Through Conditional Access For MFA

–

Figure 2: When Having The Correct Version Of Azure AD Connect And The KrbTgt Account Does Not Yet Exist

–

Figure 3: The Initial Creation Of The KrbTgt Account For Azure AD

–

Figure 4: How The KrbTgt Account Looks Like Under The Hood

–

Figure 5A: The Placeholder RODC Computer Account For The KrbTgt Account

–

Figure 5B: The Placeholder RODC Computer Account For The KrbTgt Account

–

Figure 6: Result After Resetting The Password Of The KrbTgt Account Like Any Other KrbTgt Account (DO NOT Do This!)

–

Fixing regular reset: Set-AzureADKerberosServer -Domain <AD Domain FQDN> -DomainCredential <AD Domain Admin Creds> -CloudCredential <AAD Global Admin Creds> –RotateServerKey

Official reset: Set-AzureADKerberosServer -Domain <AD Domain FQDN> -DomainCredential <AD Domain Admin Creds> -CloudCredential <AAD Global Admin Creds> -RotateServerKey

Figure 7: Fixing A Regular Reset And Officially Resetting The Passwords

–

Figure 8: Too Frequent (Within 24 Hours) Password Resets Generates A Warning

–

Set-AzureADKerberosServer : You must wait 24 hours in between rolling the Azure AD Kerberos Server keys. Rolling keys too frequently may result in service disruption. You may use the Force option to ignore this warning.
At line:1 char:1
+ Set-AzureADKerberosServer -Domain $adDomainFQDN -DomainCredential $ad …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-AzureADKerberosServer], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.AzureAD.Kdc.Management.SetAzureADKerberosServer

–

Have fun!

–

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2020-01-30) Deprecation Of Azure AD Connect Versions

Starting on November 1st, 2020, Microsoft will begin implementing a deprecation process whereby versions of Azure AD Connect that were released more than 18 months ago will be deprecated. At that time Microsoft will begin this process by deprecating all releases of Azure AD Connect with version 1.1.751.0 (which was released on 4/12/2018) and older, and Microsoft will proceed to evaluate the deprecation of older versions of Azure AD Connect every time a new version releases.

–

You need to make sure you are running a recent version of Azure AD Connect to receive an optimal support experience. If you run a deprecated version of Azure AD Connect you may not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools and service enhancements, and if you require support Microsoft may not be able to provide you with the level of service your organization needs.

If you have enabled Azure AD Connect for sync you will soon automatically begin receiving Health notifications that warn you about upcoming deprecations when you are running one of the older versions.

Please refer to this article to learn more about how to upgrade Azure AD Connect to the latest version

–

In other words: if you are still running the old stuff, start planning to get rid of it! There is NO excuse!

–

Azure AD Connect: Version release history

–

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-