Tag Archives: Azure Active Directory

#Azure AD : All about Azure Active Directory

IT has moved from Datacenter Era to the Cloud Era. Focus of the organizations have been changed from one specific set of vendors to the open world of technology. Since Datacenter came in inception, Identity has played a vital role and always been used to treat as a backbone of IT. Now in the new era of multi-cloud environment, Identity is playing a centric role that itself is a new beginning of Identity that has been extended from IT backbone to user-experience oriented.

Microsoft had played a key role in datacenter era by Windows Server Active Directory and now again playing a crucial role in multi-cloud environment by offering Azure Active Directory. Microsoft Azure Active Directory in not only a directory service but it is a complete cloud service that can fulfill all your identity and authorization needs. However, you may find there are couple of things related to identity that can’t be fulfilled by native AAD features but it is continuously evolving.

In this era, organizations don’t need SME for everything but they need design SME who has board understanding of complete end-to end solution stack starting from infrastructure technologies to application technologies.

I have written a series of blog posts on Microsoft Azure AD and these posts mainly focus on how to do it or you can say step-by-step guides backed by real-time scenarios.

Microsoft Azure Active Directory

Azure AD Connect

SSO to SaaS

Application Proxy

Multi-factor Authentication

Self-service Password Management

Self-service group management

Access Panel/My Apps

Dynamic groups membership

Pricing, Licensing and Support

Group-based licensing

Identity Protection Part I

Identity Protection Part II

Identity Protection Part III

Privileged Identity Management Part I

Privileged Identity Management Part II

Privileged Identity Management Part III

Azure Active Directory Domain Services Part I

Azure Active Directory Domain Services Part II

Azure Active Directory Domain Services Part III

Azure Active Directory Domain Services Part IV

Device Management – Azure AD Registering

Device Management – Azure AD Join

B2B Collaboration

B2B Licensing

B2C

Error – SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration.

Above series of blog posts have covered most of the areas of Azure Active Directory. You can bookmark this blog post for any Azure AD need, I’ll try my level best to add new Azure AD related posts in this series.

#AzureAD : B2C

Leave a reply

Azure Active Directory B2C is a new way of providing access to the business applications using web & Mobile apps to your business consumers. It provides flexibility to the business to have all types of consumers. Users to the business applications can be divide in three types.

Local Accounts (username & password, email account & password)
Enterprise Accounts (leverage enterprise accounts by using open standard protocols such as Open ID or SAML)
Social Accounts (such as Facebook, LinkedIn, Google etc.)

Let’s see how to create a B2C tenant and link this tenant with your Azure subscription.

Click on “Create”.

Select “Create a new Azure AD B2C Tenant”.

Fill the required details such as organization name, Initial domain name and select the country or region.

Once created, click on “here” to manage the new B2C directory.

You can see the notification to link your B2C tenant with Azure subscription.

To link B2C tenant with your Azure subscription. Select Azure subscription directory from the top right panel.

Now, again search for “Azure Active Directory B2C”.

Click on “Create”.

This time select “Link an existing Azure AD B2C Tenant to my Azure subscription”.

Select the existing Azure AD B2C tenant, select the Azure subscription and finally select the resource group, and then click on create.

Once done, you can open the Azure AD B2C settings.

Now, you can observe that hidden option have ben enabled.

If you would like to add social accounts, go to the “Identity providers” and click on “+ Add”.

Now, give the name of your choice and select the identity provider.

In the next step, you have to provide “Client Id” and “Client Secret”. For example, if you want to add Facebook then first Add the new App. For more information click here.

#AzureAD : B2B Licensing

Leave a reply

In my previous post, I have covered B2B collaboration capabilities and how to use it fundamentals. When you use this service, you should be very clear about licensing requirements for B2B functionalities. There is no black and white licensing requirements for this service but it totally depends on the functionality that you extend for B2B users.

Totally confused???

Let me simplify everything here by an example.

InsideMSTech is a conglomerate and deals in multiple business that includes many subsidiaries and it works along with variety of partners. Company has centralized supporting departments such as Finance, HR, Legal and IT. Many employees of these functions belong to subsidiaries, which are running independently.

Scenario 1: InsideMSTech is inviting external partner users as a B2B guest user and offering free Azure AD features.

License Requirements: No license required as organization is offering free services.

Scenario 2: InsideMSTech is inviting external partner users as a B2B guest user and offering free Azure AD features but guest user must use MFA for dual authentication.

License Requirements: Azure AD P1 license required as organization has mandate to use MFA. Now, you will have another question that how many licenses? You need to acquire 1 Azure AD P1 license for five unique guest users.

Scenario 3: InsideMSTech is inviting external partner users as a B2B guest user and offering Azure AD P1 features but guest user must have identity protect enabled.

License Requirements: Azure AD P1 license required for guest users in 5:1 ratio. But when you enable identity protection for B2B guest users then you must acquire Azure AD P2 licenses in 5:1 ratio.

Scenario 4: InsideMSTech subsidiary employees want to Access Azure AD services as a B2B guest user.

License Requirements: Azure AD license required based on the service used by the subsidiary employees. This license will not be in 5:1 ratio, it will be in 1:1 ratio.

Scenario 5: InsideMSTech subsidiary employees want to Access Azure AD services as a B2B guest user using their personal email address.

License Requirements: Azure AD license required based on the service used by the subsidiary employees. This license will not be in 5:1 ratio, it will be in 1:1 ratio.

Scenario 6: InsideMSTech acquired a small company, employees of this acquired company wants to Access Azure AD services as an employee of acquired company.

License Requirements: Azure AD license required based on the service used by the employees of acquired companies. This license will not be in 5:1 ratio, it will be in 1:1 ratio.

I hope, these scenarios helped you to understand B2B licensing requirements in a much simpler way. If you have any another scenario, where you need any assistance then please write your scenario in comment section. I’ll answer your query and will add your scenario in this post.

#AzureAD : B2B Collaboration

Leave a reply

Azure Active Directory business-to-business (B2B) collaboration is a capability of Azure AD that simplifies the provisioning of non-corporate users (who don’t have accounts in organizational Azure Active Directory in any form, neither using cloud native Azure AD identity nor with hybrid identity) to provide access on organizational resources, applications and data. It enables collaborative capabilities to work with people beyond your organizations such as partners, vendors, freelancers, government agencies etc. There is no mandate for these external people to have any kind of specific identity requirements. To make it simple, I am calling every non-corporate user as a partner of your organization in this blogpost.

Your partner can have Azure AD tenant, Hybrid identity or with no corporate identity, or even with or without an IT organization. Using this capability, Organization with Azure AD can provide access to the organizational resources, application and data to any partner. This Access can be provided on three different levels, i.e. tenant level, application level and user level. Organizations can also leverage the Azure AD B2B APIs to write applications that can connect two organizations in a simpler and secure manner so that the users can take the advantage of collaboration without any identity chaos.

Azure AD provides the following set of capabilities:

Work with any user from any partner	Simple and secure collaboration	No management overhead
Partners use their own credentials	Provide access to any corporate app or data, while applying sophisticated, Azure AD-powered authorization policies	No external account or password management
No requirement for partners to use Azure AD	Easy for users	No sync or manual account lifecycle management
No external directories or complex set-up required	Enterprise-grade security for apps and data	No external administrative overhead

Courtesy: Microsoft

Let me show you how to do it.

To invite a new non-corporate users, select “+New guest user”.

Enter the email address of the user and you can also add the personal message and then click on “Invite”.

User will receive a invite from the organization on his email account.

User has to open the email message and select “Get Started” to configure his account.

Once user select “Get Started” in the email message, he/she will be redirected to the organizational login page. Here select “Next” to continue.

Create your password to access the organizational resources, applications and data, and then click on Next.

You will receive a code on your email address, enter the received code here and click on Next.

Enter the captcha to verify your authenticity and click on Next.

You will be redirected to the page if your host organization has conditional access policy such as MFA.

Once, you are done with all the pre-requisite. You will be redirected Access panel of applications.

Now, as a host you can assign access to the guest users on your organizational applications.

Once, guest user will have access on application. He/She can access application from the access panel.

However, you can directly go to the enterprise applications and invite user from their itself. To invite a new guest, select “+Invite”

Enter the email address of guest and personal message.

Once, you will invite new guest user directly from the application then he/she has to follow the same method that we had followed earlier in this blogpost.

#AzureAD : Device Management – Azure AD Join

Leave a reply

In Device Management – Azure AD Registering blogpost, I had covered the basics of Azure AD device management and registering feature of Azure AD. Azure AD registering device feature allow administrators to control the access for devices, which are leveraging corporate network and resources. Azure AD join is an extension of registering a device to Azure AD. It provides all the features that are part of the registering device, in addition to that Azure AD join changes the local state of the device. This change in the local state of the device allows users to logon to a device using the organizational account instead of personal account.

Azure AD join feature is extensively beneficial for small-to-medium organizations, who don’t have corporate/on-premises Active Directory and still want to provide almost same experience and control to the employees. However, organization using Hybrid AD can also leverage the benefit of Azure AD join for windows 10 and as well as for down-level devices such as Windows 8 and Windows 7.

Note: This feature doesn’t work with Windows 10 Home edition.

Below are the following benefits that can be provided by implementing Azure AD:

Users will experience single-sign-on while accessing Azure managed SaaS apps and services. It is kind of similar experience that you recognize while using windows server Active Directory joined machines.
Provides roaming profile settings at enterprise level across AAD join devices even though users are not in the corporate network.
Users can choose application from the inventory prearranged by the organization.
Windows Hello support.
Allows administrators to set restriction policy for apps so that apps can be access only from the devices that meet compliance policies.

Let see how to join Windows 10 device to Azure AD.

Go to your windows 10 system and go to the settings. In settings panel, select Accounts.

Go to “Access work or school” and select “+Connect”.

To join this device to the domain, select “Join this device to Azure Active Directory”.

Enter you Azure AD account in UPN format.

In the password page, enter your password.

It will few seconds to join your device.

Read the message carefully and Select “Join” to continue.

Once you are done will get the following message, click on Done to finish.

Under “Access work or school” in settings, you can see that your device is connected to Azure AD.

Now, you will be able to see your Azure AD join device in “Devices -All devices” panel of Azure Active Directory.

Hope, it helped you.

#AzureAD : Device Management – Azure AD Registering

Leave a reply

In the era of cloud-first and mobile-first, organizations embracing bring your own device concept. Control on these devices becomes necessary when these devices use your network, access your applications and data. Apart from BYOD, administrators are also concern about the devices, which are being used by the remote users because these remote users come rarely in the office network and therefore control on these devices become a big-time challenge for the administrators. Azure AD provides a fundamental baseline for device management, it becomes more powerful when combined with MDM (Mobile device management) solution such as Microsoft Intune. You can achieve it either by registering or by joining to Azure AD. Registration can be done for Windows 10, Mac, iOS and Android device while AD join can be done only for Windows 10 devices.

Here are few device configuration settings available at Azure AD Portal.

Under “All devices” you can see all devices that are being registered or joined to the Azure AD.

Under “Device Settings” you can configure settings based on your organization needs.

Once, devices will be added then you see here in “All devices” panel.

Let see how can your users can register their devices to your corporate network. Registration allows administrators to enforce conditional access on these devices to meet security and compliance criteria of your organization. This registration also helps users to access all the applications associated with this account without logging in multiple times.

Go to “Access work or school” and select “+Connect”.

Enter you Azure AD account in UPN format.

In the password page, enter your password.

It will few seconds to register your machine.

Once you are done will get the following message.

Now, you will be able to see your Azure AD account through which you have registered your device.

Hope, it helped you.

#AzureAD : Azure Active Directory Domain Services Part IV

Leave a reply

Part I, Part II and Part III of this post has covered Azure AD domain services fundamental, deployment, pricing and configuration. This post will cover how to use Azure AD DS, like join machine to the domain and AD/DNS management. Make sure your Azure AD DS VNet connects with rest of the Azure VNets, which are going to leverage this domain service. One more important consideration before moving further, use Azure AD DS DNS for all the VNets, which are going to connect with this domain service.

Let me show you, how to join Azure VMs to the Azure AD DS domain. Login to the Azure VM and check the DNS configuration to make sure that right DNS addresses have been assigned to the VM.

Open server manager to join this machine to the domain. (Note: I hope you followed the part III of this post and had reset your passwords for synchronization otherwise you may face credentials related error.)

Credentials must be used in two formats either domainname\username (insidemstech\aadadmin) or username@domainname (aadadmin@insidemstechaad.onmicrosoft.com).

Once joined, restart your machine.

Install RSAT (Remote server administration tool) to manage domain and dns of your Azure AD Domain Services.

Once rebooted, login with member of “AAD DC Administrators” group and play with your AD & DNS using native tools.

I hope you enjoyed this series of Azure AD Domain Services. Please feel free to share your experience through comments.

#AzureAD : Azure Active Directory Domain Services Part III

Leave a reply

Part I & Part II of this post has covered fundamentals, deployment and pricing of Azure AD DS. Once, deployment completes then you can verify and finish the basic configuration.

To verify and complete the initial configuration, login to Azure Portal.

Go to the resource group, wherever you had deployed your domain services.

To verify the deployment configuration, click on Deployments.

Within deployments panel, you can see Domain Services and both the domain controllers.

Double click on any deployment name and review the configuration.

Select and open Azure AD Domain Services.

Click on view health to check the health of Azure AD Domain Services.

From the health, panel you can see the details like Back, last synchronization with Azure AD and alerts.

Now, complete Azure AD DS DNS configuration for Azure VNets. Click on “Configure DNS servers”.

In DNS servers panel, select custom in DNS servers and enter DNS server IP address as mentioned in Azure AD Domain Services and save the configuration.

Once, DNS configuration completes then you need to enable Azure AD DS password synchronization. For cloud only Azure AD tenants, ask your users to reset their password who wants to leverage Azure AD DS and wait for at least 30 min to an hour for synchronization to take place (Recommendation: Do it for all users). While for synced Azure AD tenants, you need to run a script in your forests for synchronization to take place. Follow this article for more details.

To view the deployment activity log, click on “Activity log” or “Related events” for specific deployment name under deployments.

To view the Activity log of Azure AD Domain Services, select the “Activity log” under Azure AD Domain Services.

Now, it is time to provide administrative access to the Azure AD DS administrator in your organization. Go to the Azure Active Directory portal.

Look for “AAD DC Administrators” group under all groups.

Add any members, to whom you would like to provide administrative access on Azure AD Domain Services.

You can use just-in-time access to provide administrative access of Azure AD Domain Services.

#AzureAD : Azure Active Directory Domain Services Part II

Leave a reply

Azure Active Directory Domain Services Part I covers fundamental of Azure AD Domain services. Now, this post will cover how to enable/configure AD DS and its pricing/licensing.

To configure, login to the Azure portal.

Click on create a resource and search for Azure AD Domain Services.

From the Azure AD Domain Services portal, click on create.

Define basic settings. Set you DNS domain name in 15 characters and avoid non-routable domain such as insidemstech.local instead use name such as insidemstech1.com.

(Note: I am trying to use insidemstch.local to do some research but you should avoid non-routable domain.)

Set virtual network. (Best practice: Create a new dedicated subnet for AD DS)

Select “Create mew to define a subnet”.

Define your virtual network and click on create.

Once configured, click on Ok.

Here select administrators who are supposed to manage domain services. You can manage group membership later as well.

Review the configuration from summary tab and click on OK to start the deployment process.

This deployment process will take approximately 20-30 minutes for each domain controller. Once completed successfully, you will be able to see resources inside resource group.

Now, let see the pricing of Azure AD DS services. Microsoft has made it very simple based on the number of users and there is no up-front cost for this service.

Tier/Number of directory objects	Price /Hour	Price /Month
< 25,000	~ 0.15	~ 109.50
25,001 – 1,00,000	~ 0.40	~ 292.00
1,00,000 – 5,00,000	~ 1.60	~ 1,168.00
> 5,00,000	Contact Microsoft (wapteams@microosft.com)

Azure AD DS count all objects part of this domain that includes users, groups and domain-joined computers.

Like most of the services, Microsoft offers 99.9% SLA for user authentication belongs to managed domain, DNS lookup for records and LDAP bind to the root DSE.

#AzureAD : Azure Active Directory Domain Services Part I

Leave a reply

Microsoft Azure cloud services are growing rapidly. Many organizations are using hybrid models and planning to move applications to the cloud as much as possible. One of the biggest hurdle in moving existing applications are identity and security. Most of the existing applications are controlled and managed by Windows server Active Directory, DNS and Group policies. At large, applications can be categorized under two umbrellas I.e. enterprise applications and line-of-business applications. Most of these enterprise applications and line-of-business applications leverage domain joined machines controlled by group policies and AD for identity needs. Now-a-days most of the enterprise applications are available in SAAS model and can leverage cloud identity for authentication and authorization, while line-of-business application can’t be rewritten overnight to support new technologies such as SAML, Open Id, OAuth etc. due to multiple reasons. Therefore, access to the domain controller from Microsoft Azure IaaS becomes a last option. Organizations achieve this goal in three ways:

By connecting Azure network with On-premises AD domain services.
By setting up a replica of existing AD domain/forest on Microsoft Azure IaaS using virtual machines.
By deploying a new AD domain/forest with trust between existing on-premises domain/forest and newly deployed domain/forest on MS Azure IaaS.

To resolve these issues, Microsoft has taken a leap into the directory services offerings. Microsoft Azure AD DS is managed active directory domain service provided by Microsoft Azure. It is an extension of on-premises active directory available in the cloud and managed by Microsoft. Azure AD DS doesn’t require any additional setup to sync with on-premises directory services.

It simply leverages your Azure Active Directory to connect with on-premises active directory. Once, you enable this service and link with your Azure VNet then your workloads/apps can connect to this domain services. As it is like your traditional domain controllers, deployed and managed by Microsoft therefore you can use all traditional authentication methods such as Windows Integrated authentication, NTLM, Kerberos etc. You can access these domain services by traditional AD management tools such as Active Directory Administrative Center but you don’t have to worry about the patching, management, replication, availability, backup etc. As, it is just a service therefore you will not be provided domain administrator and enterprise administrator privileges on this domain.

This service can be deployed/leveraged in two ways.

For hybrid organizations: In this scenario, Azure AD sync with on-premises directory services and Azure AD DS leverages user identities, their passwords and group memberships. Password sync is mandatory for hybrid organizations to leverage Azure AD DS. It is needed to authenticate users via NTLM and Kerberos authentication methods.

Courtesy: Microsoft

For Cloud-only organizations: In this scenario, organization doesn’t have any on-premises directory setup. AD DS leverage cloud native Azure AD tenant for all user identities, their password, and group memberships.

Courtesy: Microsoft

With the help of this service, on-premise applications can be lifted and shifted easily to the clouds. Azure AD DS deploy two domain controllers per tenant to maintain high availability of the services. It also provides automatic health detection and remediation. Azure AD DS offers LDAP bind, LDAP read and secure LDAP (including over internet). It maintains synced on-premises SIDHistory in your managed domains. Like your on-premises domain services, you can also manage your DNS and Group policies in a traditional way.