Tag Archives: Azure AD

#Azure AD : All about Azure Active Directory

IT has moved from Datacenter Era to the Cloud Era. Focus of the organizations have been changed from one specific set of vendors to the open world of technology. Since Datacenter came in inception, Identity has played a vital role and always been used to treat as a backbone of IT. Now in the new era of multi-cloud environment, Identity is playing a centric role that itself is a new beginning of Identity that has been extended from IT backbone to user-experience oriented.

Microsoft had played a key role in datacenter era by Windows Server Active Directory and now again playing a crucial role in multi-cloud environment by offering Azure Active Directory. Microsoft Azure Active Directory in not only a directory service but it is a complete cloud service that can fulfill all your identity and authorization needs. However, you may find there are couple of things related to identity that can’t be fulfilled by native AAD features but it is continuously evolving.

In this era, organizations don’t need SME for everything but they need design SME who has board understanding of complete end-to end solution stack starting from infrastructure technologies to application technologies.

I have written a series of blog posts on Microsoft Azure AD and these posts mainly focus on how to do it or you can say step-by-step guides backed by real-time scenarios.

Microsoft Azure Active Directory

Azure AD Connect

SSO to SaaS

Application Proxy

Multi-factor Authentication

Self-service Password Management

Self-service group management

Access Panel/My Apps

Dynamic groups membership

Pricing, Licensing and Support

Conditional Access

Custom domain names

Company branding

Cloud App Discovery

Group-based licensing

Identity Protection Part I

Identity Protection Part II

Identity Protection Part III

Privileged Identity Management Part I

Privileged Identity Management Part II

Privileged Identity Management Part III

Azure Active Directory Domain Services Part I

Azure Active Directory Domain Services Part II

Azure Active Directory Domain Services Part III

Azure Active Directory Domain Services Part IV

Device Management – Azure AD Registering

Device Management – Azure AD Join

B2B Collaboration

B2B Licensing


Error – SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration.

Above series of blog posts have covered most of the areas of Azure Active Directory. You can bookmark this blog post for any Azure AD need, I’ll try my level best to add new Azure AD related posts in this series.

#AzureAD : B2C

Azure Active Directory B2C is a new way of providing access to the business applications using web & Mobile apps to your business consumers. It provides flexibility to the business to have all types of consumers. Users to the business applications can be divide in three types.

  • Local Accounts (username & password, email account & password)
  • Enterprise Accounts (leverage enterprise accounts by using open standard protocols such as Open ID or SAML)
  • Social Accounts (such as Facebook, LinkedIn, Google etc.)

Let’s see how to create a B2C tenant and link this tenant with your Azure subscription.

Login to the Azure Portal (https://portal.azure.com) and search for “Azure Active Directory B2C”

Click on “Create”.

Select “Create a new Azure AD B2C Tenant”.

Fill the required details such as organization name, Initial domain name and select the country or region.

Once created, click on “here” to manage the new B2C directory.

You can see the notification to link your B2C tenant with Azure subscription.

To link B2C tenant with your Azure subscription. Select Azure subscription directory from the top right panel.

Now, again search for “Azure Active Directory B2C”.

Click on “Create”.

This time select “Link an existing Azure AD B2C Tenant to my Azure subscription”.

Select the existing Azure AD B2C tenant, select the Azure subscription and finally select the resource group, and then click on create.

Once done, you can open the Azure AD B2C settings.

Now, you can observe that hidden option have ben enabled.

If you would like to add social accounts, go to the “Identity providers” and click on “+ Add”.

Now, give the name of your choice and select the identity provider.

In the next step, you have to provide “Client Id” and “Client Secret”. For example, if you want to add Facebook then first Add the new App. For more information click here.

#AzureAD : B2B Licensing

In my previous post, I have covered B2B collaboration capabilities and how to use it fundamentals. When you use this service, you should be very clear about licensing requirements for B2B functionalities. There is no black and white licensing requirements for this service but it totally depends on the functionality that you extend for B2B users.

Totally confused???

Let me simplify everything here by an example.

InsideMSTech is a conglomerate and deals in multiple business that includes many subsidiaries and it works along with variety of partners. Company has centralized supporting departments such as Finance, HR, Legal and IT. Many employees of these functions belong to subsidiaries, which are running independently.

Scenario 1: InsideMSTech is inviting external partner users as a B2B guest user and offering free Azure AD features.

License Requirements: No license required as organization is offering free services.

Scenario 2: InsideMSTech is inviting external partner users as a B2B guest user and offering free Azure AD features but guest user must use MFA for dual authentication.

License Requirements: Azure AD P1 license required as organization has mandate to use MFA. Now, you will have another question that how many licenses? You need to acquire 1 Azure AD P1 license for five unique guest users.

Scenario 3: InsideMSTech is inviting external partner users as a B2B guest user and offering Azure AD P1 features but guest user must have identity protect enabled.

License Requirements: Azure AD P1 license required for guest users in 5:1 ratio. But when you enable identity protection for B2B guest users then you must acquire Azure AD P2 licenses in 5:1 ratio.

Scenario 4: InsideMSTech subsidiary employees want to Access Azure AD services as a B2B guest user.

License Requirements: Azure AD license required based on the service used by the subsidiary employees. This license will not be in 5:1 ratio, it will be in 1:1 ratio.

Scenario 5: InsideMSTech subsidiary employees want to Access Azure AD services as a B2B guest user using their personal email address.

License Requirements: Azure AD license required based on the service used by the subsidiary employees. This license will not be in 5:1 ratio, it will be in 1:1 ratio.

Scenario 6: InsideMSTech acquired a small company, employees of this acquired company wants to Access Azure AD services as an employee of acquired company.

License Requirements: Azure AD license required based on the service used by the employees of acquired companies. This license will not be in 5:1 ratio, it will be in 1:1 ratio.

I hope, these scenarios helped you to understand B2B licensing requirements in a much simpler way. If you have any another scenario, where you need any assistance then please write your scenario in comment section. I’ll answer your query and will add your scenario in this post.

#AzureAD : B2B Collaboration

Azure Active Directory business-to-business (B2B) collaboration is a capability of Azure AD that simplifies the provisioning of non-corporate users (who don’t have accounts in organizational Azure Active Directory in any form, neither using cloud native Azure AD identity nor with hybrid identity) to provide access on organizational resources, applications and data. It enables collaborative capabilities to work with people beyond your organizations such as partners, vendors, freelancers, government agencies etc. There is no mandate for these external people to have any kind of specific identity requirements. To make it simple, I am calling every non-corporate user as a partner of your organization in this blogpost.

Your partner can have Azure AD tenant, Hybrid identity or with no corporate identity, or even with or without an IT organization. Using this capability, Organization with Azure AD can provide access to the organizational resources, application and data to any partner. This Access can be provided on three different levels, i.e. tenant level, application level and user level. Organizations can also leverage the Azure AD B2B APIs to write applications that can connect two organizations in a simpler and secure manner so that the users can take the advantage of collaboration without any identity chaos.

Azure AD provides the following set of capabilities:

Work with any user from any partner Simple and secure collaboration No management overhead

Partners use their own credentials

Provide access to any corporate app or data, while applying sophisticated, Azure AD-powered authorization policies

No external account or password management

No requirement for partners to use Azure AD

Easy for users

No sync or manual account lifecycle management

No external directories or complex set-up required

Enterprise-grade security for apps and data

No external administrative overhead

Courtesy: Microsoft

Let me show you how to do it.

Login to the Azure Active Directory Portal and go to the “Users”.

To invite a new non-corporate users, select “+New guest user”.

Enter the email address of the user and you can also add the personal message and then click on “Invite”.

User will receive a invite from the organization on his email account.

User has to open the email message and select “Get Started” to configure his account.

Once user select “Get Started” in the email message, he/she will be redirected to the organizational login page. Here select “Next” to continue.

Create your password to access the organizational resources, applications and data, and then click on Next.

You will receive a code on your email address, enter the received code here and click on Next.

Enter the captcha to verify your authenticity and click on Next.

You will be redirected to the page if your host organization has conditional access policy such as MFA.

Once, you are done with all the pre-requisite. You will be redirected Access panel of applications.

Now, as a host you can assign access to the guest users on your organizational applications.

Once, guest user will have access on application. He/She can access application from the access panel.

However, you can directly go to the enterprise applications and invite user from their itself. To invite a new guest, select “+Invite”

Enter the email address of guest and personal message.

Once, you will invite new guest user directly from the application then he/she has to follow the same method that we had followed earlier in this blogpost.

#AzureAD : Device Management – Azure AD Join

In Device Management – Azure AD Registering blogpost, I had covered the basics of Azure AD device management and registering feature of Azure AD. Azure AD registering device feature allow administrators to control the access for devices, which are leveraging corporate network and resources. Azure AD join is an extension of registering a device to Azure AD. It provides all the features that are part of the registering device, in addition to that Azure AD join changes the local state of the device. This change in the local state of the device allows users to logon to a device using the organizational account instead of personal account.

Azure AD join feature is extensively beneficial for small-to-medium organizations, who don’t have corporate/on-premises Active Directory and still want to provide almost same experience and control to the employees. However, organization using Hybrid AD can also leverage the benefit of Azure AD join for windows 10 and as well as for down-level devices such as Windows 8 and Windows 7.

Note: This feature doesn’t work with Windows 10 Home edition.

Below are the following benefits that can be provided by implementing Azure AD:

  • Users will experience single-sign-on while accessing Azure managed SaaS apps and services. It is kind of similar experience that you recognize while using windows server Active Directory joined machines.
  • Provides roaming profile settings at enterprise level across AAD join devices even though users are not in the corporate network.
  • Users can choose application from the inventory prearranged by the organization.
  • Windows Hello support.
  • Allows administrators to set restriction policy for apps so that apps can be access only from the devices that meet compliance policies.

Let see how to join Windows 10 device to Azure AD.

Go to your windows 10 system and go to the settings. In settings panel, select Accounts.

Go to “Access work or school” and select “+Connect”.

To join this device to the domain, select “Join this device to Azure Active Directory”.

Enter you Azure AD account in UPN format.

In the password page, enter your password.

It will few seconds to join your device.

Read the message carefully and Select “Join” to continue.

Once you are done will get the following message, click on Done to finish.

Under “Access work or school” in settings, you can see that your device is connected to Azure AD.

Now, you will be able to see your Azure AD join device in “Devices -All devices” panel of Azure Active Directory.

Hope, it helped you.

#AzureAD : Device Management – Azure AD Registering

In the era of cloud-first and mobile-first, organizations embracing bring your own device concept. Control on these devices becomes necessary when these devices use your network, access your applications and data. Apart from BYOD, administrators are also concern about the devices, which are being used by the remote users because these remote users come rarely in the office network and therefore control on these devices become a big-time challenge for the administrators. Azure AD provides a fundamental baseline for device management, it becomes more powerful when combined with MDM (Mobile device management) solution such as Microsoft Intune. You can achieve it either by registering or by joining to Azure AD. Registration can be done for Windows 10, Mac, iOS and Android device while AD join can be done only for Windows 10 devices.

Here are few device configuration settings available at Azure AD Portal.

Login to the Azure AD Portal (https://aad.portal.azure.com) and go to the “Devices”.

Under “All devices” you can see all devices that are being registered or joined to the Azure AD.

Under “Device Settings” you can configure settings based on your organization needs.

Once, devices will be added then you see here in “All devices” panel.

Let see how can your users can register their devices to your corporate network. Registration allows administrators to enforce conditional access on these devices to meet security and compliance criteria of your organization. This registration also helps users to access all the applications associated with this account without logging in multiple times.

Login to you windows 10 system and go to the settings. In settings panel, select Accounts.

Go to “Access work or school” and select “+Connect”.

Enter you Azure AD account in UPN format.

In the password page, enter your password.

It will few seconds to register your machine.

Once you are done will get the following message.

Now, you will be able to see your Azure AD account through which you have registered your device.

Hope, it helped you.

#AzureAD : Azure Active Directory Domain Services Part IV

Part I, Part II and Part III of this post has covered Azure AD domain services fundamental, deployment, pricing and configuration. This post will cover how to use Azure AD DS, like join machine to the domain and AD/DNS management. Make sure your Azure AD DS VNet connects with rest of the Azure VNets, which are going to leverage this domain service. One more important consideration before moving further, use Azure AD DS DNS for all the VNets, which are going to connect with this domain service.

Let me show you, how to join Azure VMs to the Azure AD DS domain. Login to the Azure VM and check the DNS configuration to make sure that right DNS addresses have been assigned to the VM.

Open server manager to join this machine to the domain. (Note: I hope you followed the part III of this post and had reset your passwords for synchronization otherwise you may face credentials related error.)

Credentials must be used in two formats either domainname\username (insidemstech\aadadmin) or username@domainname (aadadmin@insidemstechaad.onmicrosoft.com).

Once joined, restart your machine.

Install RSAT (Remote server administration tool) to manage domain and dns of your Azure AD Domain Services.

Once rebooted, login with member of “AAD DC Administrators” group and play with your AD & DNS using native tools.

I hope you enjoyed this series of Azure AD Domain Services. Please feel free to share your experience through comments.