Tag Archives: AzureAD

#Azure AD : All about Azure Active Directory


IT has moved from Datacenter Era to the Cloud Era. Focus of the organizations have been changed from one specific set of vendors to the open world of technology. Since Datacenter came in inception, Identity has played a vital role and always been used to treat as a backbone of IT. Now in the new era of multi-cloud environment, Identity is playing a centric role that itself is a new beginning of Identity that has been extended from IT backbone to user-experience oriented.

Microsoft had played a key role in datacenter era by Windows Server Active Directory and now again playing a crucial role in multi-cloud environment by offering Azure Active Directory. Microsoft Azure Active Directory in not only a directory service but it is a complete cloud service that can fulfill all your identity and authorization needs. However, you may find there are couple of things related to identity that can’t be fulfilled by native AAD features but it is continuously evolving.

In this era, organizations don’t need SME for everything but they need design SME who has board understanding of complete end-to end solution stack starting from infrastructure technologies to application technologies.

I have written a series of blog posts on Microsoft Azure AD and these posts mainly focus on how to do it or you can say step-by-step guides backed by real-time scenarios.

Microsoft Azure Active Directory

Azure AD Connect

SSO to SaaS

Application Proxy

Multi-factor Authentication

Self-service Password Management

Self-service group management

Access Panel/My Apps

Dynamic groups membership

Pricing, Licensing and Support

Conditional Access

Custom domain names

Company branding

Cloud App Discovery

Group-based licensing

Identity Protection Part I

Identity Protection Part II

Identity Protection Part III

Privileged Identity Management Part I

Privileged Identity Management Part II

Privileged Identity Management Part III

Azure Active Directory Domain Services Part I

Azure Active Directory Domain Services Part II

Azure Active Directory Domain Services Part III

Azure Active Directory Domain Services Part IV

Device Management – Azure AD Registering

Device Management – Azure AD Join

B2B Collaboration

B2B Licensing

B2C

Error – SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration.

Above series of blog posts have covered most of the areas of Azure Active Directory. You can bookmark this blog post for any Azure AD need, I’ll try my level best to add new Azure AD related posts in this series.

Advertisements

#AzureAD : Error – SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration.


You may receive the following error if configured self-service password reset and right set of permissions are not applied to the account used for AAD connect. Generally, this occurs because of MSOL services account or any other account that had been used to configure AAD connect and don’t have required permission to reset or unlock the account.

To rectify this problem problem you need to make sure the used account has right set of permission to perform the account/password related activities. There are two ways of doing it, either assign Account Operaters role to this user or assign specific permissions to this user.

To set specific permissions, Go to your Windows Server Active Directory and open Active Directory Users and Computers.

Enbale the Advanced Features from View.

Right click on root domain and go to the properties and then go to security tab.

Go to the Advanced ad then click on Add.

Click on Select a principal and then select a service/user account.

In the applies to section, select the descendant user objects.

Under the permission and properties, assign following permissions.

  • Reset password
  • Change password
  • Write lockoutTime
  • Write pwdLastSet

Click on Apply and OK.

Now, you are done with the configuration. Ask your user to try once again to reset his/her password.

He/She should be able to reset his/her password successfully.

#AzureAD : Multi-factor Authentication


Multi-factor authentication mostly refers to two-factor authentication that provides enhanced security to user sign-ins and transactions. There are many solutions available in the market and Azure MFA is one of them. Azure MFA is a cloud access control service offering, and quite simple to use and configure. However, MFA for Office 365 and Azure AD admins available at no extra cost but Azure Multi-Factor authentication full version license can be configured through Azure Active Directory Premium or Enterprise Mobility + Security.

With the third-party partnership offerings, Microsoft makes this service a real multi factor authentication by adding one more layer of authentication mechanism. Therefore, now you can call it three-factor authentication. Third-party MFA partners are:

 

 

Azure MFA native verification process can be achieved by three options.

  1. Authentication Phone
  2. Office Phone
  3. Mobile App

Let’s see how to set it up:

Login to the Azure Portal and go to the Azure Active Directory.

Go to the Users and groups, and go to the All users.

Click on Multi-Factor Authentication.

MFA console will open in new tab.

Select a user and click on Enable.

Click on enable multi-factor auth.

Once, updated successfully. Click on Close. Now, MFA has been enabled successfully for the selected user.

Once as an administrator, you have enabled any user for MFA then user has to follow the following steps to complete the process.

Now, user should go to the browser try to login to the Azure services. In my scenario, I am trying to login to the https://myapps.microsoft.com

Once user has entered his/her credential, he/she will be redirected to the new page to setup his/her MFA. Click on set it up now.

Now, user can see; there are three options available for additional security verification.

Option 1: Authentication phone

Option 2 : Office phone

Option 3 : Mobile app

In my scenario, I have selected option 1 with “call me” method. Enter required details and click on Next

Now, user will receive a call for verification.

Once, verification will be completed successfully then user will be redirected to step 3. Read the information and click on Done.

Next time, whenever user will try to login; he/she will receive a phone call for verification.

Hope, this blog post helped you to understand Microsoft Azure MFA. However, you can try different verification methods and post your queries in comment section.

#AzureAD : Application Proxy


I believe many of you have heard about reverse proxy multiple times in your IT career. If anytime you had published any web application through reverse proxy, you can easily understand the complexity and pain behind it. To publish a web application, you would have been worked with multiple teams for fulfilling security, network and DMZ requirements. Azure AD makes it quite simple for us, you just need to enable, download and install application proxy, and finally publish your internal web application. To use this application proxy server, you need a Windows server with either Windows Server 2012 R2 or Windows Server 2016 operating system and keep this VM as a standalone machine. So now, let’s have a look how to do it.

Login to the Azure Portal from application proxy VM and go to Azure Active Directory and then go to the Application proxy to download connector.

A web browser will open, select terms and condition and download the tool.

Once tool is downloaded, run the tool and agree to the license terms and condition and click on Install.

Now, AAD Application Proxy Connector installation will start.

Login to the Azure AD through your AAD admin account to complete the installation.

Now, installation will progress further and will finish in few minutes.

Now, go to the Azure portal and enable application proxy.

Once it is done, you will be able to find your application proxy server in active status.

Now, It is a time to publish your internal application. Therefore, go to the Enterprise applications under Azure AD.

Click in “On-premises application”.

Enter your internal url and save the settings. However, you should note down the external url to access this application.

Select Assign a user for testing.

Add users and define their roles and click on Assign.

Once, you are done please wait for some time. Now access your application from the internet by using the external url. You can also publish this app through myapps portal, the way we publish enterprise apps from the gallery.

Now, you can see that I am able to access my intranet portal. (I am not a developer, however I tried to modify the default IIS page )

If you have MFA enabled for your users, you can leverage an additional layer of security for your internal web applications as well.

#AzureAD : SSO to SaaS


In this era, Software as a Service offerings have changed the entire applications landscape. Now, organizations want to take advantage of the enterprise applications to solve their business problems but trying to avoid heavily in deploying and managing these applications. Azure AD is playing a vital role in this space by providing single sign experience to the enterprise users. It is not just providing SSO experience but at the same time maintaining security context for the applications by providing features such as MFA and auditing.

Let’s have a look, how to configure enterprise application from the gallery and associate with your Azure AD.

Login to the Azure portal and go to the Azure Active Directory.

Go to the Enterprise applications.

Click on New application.

There are around 3000 applications available in gallery. Look for the application that you like to add.

In my case, I am trying to add twitter for single sign on. Now, you may have a quick question; why twitter? Just think about any multinational organization, it operates in several countries and obviously every country would like to tweet something specific to their country. How will manage it? You wouldn’t like to create multiple accounts or different local identities for your organizations as you have unique brand value associated with specific name. Here, with Azure AD you can have a single twitter account and its password managed by one responsible person and access can be given to multiple people who are involved in PR activities.

Click on Add.

Now you are ready to configure your application. You can assign user, configure single sign-on, conditional access etc.

Let me add two users so that both can access this account without knowing the password through https://myapps.microsoft.com

Select the users and click on select.

Once users selected, click on Assign.

Now, it is time to set the Single-Sign-on mode. Go to the Single sign-on mode and select the Password -based Sign-on.

As, I would like to set the password for my twitter account and give access to end users. Therefore, select the user and click on update credentials.

Set the twitter account credentials. If you don’t want to update the credential in future then select “I want Azure AD to automatically manage this user or group’s password” option so that Azure AD can manage it on your behalf. Perform the same steps for another user.

Now, login to https://myapps.microsoft.com and access your applications.

#AzureAD : Azure AD Connect


Azure Active Directory Connect (a.k.a. AAD Connect) is a tool provided by Microsoft to connect your Windows Server Active Directory to Microsoft Azure AD. It incorporates all the features provided by preceding synchronization tools (Azure AD Sync and Dir Sync) and provides many advance features natively. Future release of AAD Connect is about to provide many FIM 2010 R2 (Forefront Identity Manager) and MIM 2016 (Microsoft Identity Manager) features such as connect to single or multiple on-premises LDAP directories, connect to on-premises AD and on-premises LDAP directories, connect to custom systems (i.e. SQL, Oracle, MySQL etc.) and connect to on-premises HR Systems (i.e. SAP, Oracle, eBusiness, Peoplesoft).

Here is the system pre-requisite to install AAD Connect:

  • At least Windows Server 2008 or later. (Note: If using Windows Server 2008 or 2008 R2 then apply the latest updates and hotfixes before starting the installation.)
  • Windows Server Standard edition or above, Essential is not supported.
  • Full GUI version of Windows Server, server core is not supported.
  • Server must have .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later installed.
  • At least Windows Server 2008 R2 SP1 or later if you have plan to use password synchronization feature.
  • At least Windows Server 2012 or later if you have plan to use group managed service account feature.
  • Server must not have PowerShell Transcription Group Policy enabled.

Now let’s have a look on how to install and configure AAD Connect. I am using Windows Server 2016 for AAD Connect server and will use local SQL server 2012 express edition. SQL Server 2012 express edition is a default DB option and recommended for small to medium AD environment with up to 100K AD objects. Otherwise, you can use SQL server instance with “customize” option at the time of installation.

First, go to your Azure AD tenant and create an account with global administrator directory role. This global administrator account will be used to configure AAD Connect.

Once user is created, login to the https://portal.azure.com to set the new password.

Now, open https://portal.azure.com on AAD Connect server and login with global administrator account.

Now click on Azure Active Directory in the left panel.

Now, Click on Azure AD Connect.

Now, click on “Download Azure AD Connect”. (Note: you can also download it directly from the web.)

Now, Run the executable file to install the Azure AD Connect tool.

Once installation is completed, a new wizard will open. Accept the term and conditions and click on continue.

Now, you have two options either go with express settings or click on customize. If your AAD Connect server is not domain joined then you will not have a choice to go with express settings.

Installation using express settings is too simple. You just need to make sure your AAD Connect server is domain joined and then follow the steps.

In this blogpost let me show you how to install AAD Connect with customize option. There are four optional self-explanatory configuration choices but I’m not going to select anyone for customization. However, I’ll explain these options in next step.

If you select first two options for customization then you need to provide an installation location path for “Specify a custom installation location” option and SQL server name and instance name for “Use an existing SQL Server” option. As well as you need to make sure required ports are open to connect to SQL Server.

“Use an existing service Account” customization option requires either Managed Service Account credentials or service account credential that is part of the domain in Domain Account option to connect with remote SQL Server. Make sure the user who is running the installation has SA role in SQL so that a login for the service account can be created. By default, AAD Connect creates four sync groups in local server but if you would like to select your own groups then specify those here and make sure those groups are local to the server, not in domain.

In my installation, I am not performing any optional configuration. Click on Install.

Once Installation starts, will take couple of minutes.

In User sign-in window select the sign on method and click Next.

Enter the credential of Azure AD global administrator. This step will verify your credentials.

Now, you need to connect your Widows Server Active Directory forest. This step is quite simple if your AAD Connect server is domain joined. Enter your forest fqdn and click on Add Directory.

Now, you have two option either create new AD account using Enterprise Admin credential or use existing account. In my case, I am creating a new AD account.

You may find the following error while creating a new account.

[Workaround: Go to your Active Directory and you will find a newly created user with MSOL_****** in Users container. Reset the password and copy the user name. While doing it please make you are assigning required permission (read and write) to this user.]

Required permissions:

For Password Sync: Replicate Directory Changes and Replicate Directory Changes All

For Password Writeback: Reset password

Enter the MSOL_***** credential under “Use existing AD account”.

Now, you can see that forest has been added under configured directories. Click on Next.

In Azure AD sign-in configuration you will find your Active Directory UPN Suffix but in Azure AD Domain section you can find three different states (Verified, Not Verified and Not Added).

If you want to change the Azure AD Domain status, go to the Azure portal and add custom domain. However, while adding custom domain you can verify your domain as well. In my case, I didn’t verify it.

Refresh, now you can see that status has been changed from “Not Added” to “Not Verified”. Select “continue without any verified domains” and click on Next.

Select required option and click on Next.

Select “Let Azure manage the source anchor for me” and click on Next.

Select required option and click on Next.

Select required features and click on Next.

Click on Install.

Configuration will take couple of minutes.

Once configuration completes, you will get this wizard. Click on Exit.

Now, you Windows Server Active Directory has been synced with Azure AD. If you want to do any customization after initial setup, you can open Azure AD Connect and make the necessary changes.

#AzureAD : Microsoft Azure Active Directory


First, a small clarification for entrants: Nowadays a big confusion exists among the IT folks for Active Directory. If you had worked on Active Directory in the past and asked anyone about Microsoft Identity or Directory services, you must have received a simple answer i.e. Active Directory or Windows Server Active Directory. However, people who still worked on Active Directory they know multiple variations of Active Directory. All of these confusions came up in existence because of cloud. Let me explain these variations in a simplest form:

  1. Windows Server Active Directory (Native)
  2. Azure Active Directory (Identity as a Service)
  3. Active Directory on Azure (Basically Windows Server Active Directory on Azure IaaS)

In this article, I’ll explain Azure Active Directory (a.k.a. Azure AD) in detail:

Azure AD is an Identity and access management service provided by Microsoft Azure. It is a multi-tenant, cloud based identity and was initially started with Microsoft Office 365 (formerly known as BPOS). It provides identity and access management for SaaS offerings as well as for core infrastructure and platform services. When setup your Microsoft Azure or Office 365 subscription first-time, by default an Azure AD tenant created for your subscription. Azure AD is also an integral part of Microsoft Enterprise Mobility Suite (EMS) and not limited to only identity services. It also provides advance protection services such as MFA and threat management services such as security reports, audits, alerts and adaptive conditional access policies based on device health, user location and risk level. Apart from these unique features Azure AD can be synced with on-premise Windows Server Active Directory through Azure AD Connect and provides many user/admin friendly features such as self-service password management, self-service group management, privileged account management, role based access control, dynamic group membership etc. Some unique set of capabilities such as application proxy to publish your intranet web applications is also part of the Azure AD.

Courtesy: Microsoft Ignite

Nevertheless, one blog post can’t explain you an ocean of Azure AD in one place. Let me explain different editions of Azure AD that fits in different requirements/scenarios.

Azure AD Free: Free always looks good to everyone It comes with all Azure subscription by default and offers all common set of identity features without any cost.

Azure AD Basic: It meant for cloud focused and cloud-first needs, and provides distinct functionality such as single sign-on experience for cloud centric applications, self-service password reset for cloud users along with group based access management. It also provides some great tools such as application proxy to publish your on-premises web applications using Azure AD, customized logon page, and all backed by an enterprise level SLA of 99.9% uptime.

Azure AD Premium P1: It can be seen as a top up on Azure AD Basic and provides great capabilities for hybrid identity environments. It is a complete suite for enterprise identity needs and provides features such as self-service group and app management, self-service password management and write back, device objects two-way synchronization between on-premises directories and Azure AD (Device write-back), Multi-Factor Authentication, Cloud App discovery, and many more.

Azure AD Premium P2: It is basically designed for advanced identity protection and privileged identity management, and covers all necessary security related concerns on top of Azure AD Premium P1. Azure advanced identity protection helps you to leverage inbuilt intelligence to control access to your applications and critical organization data based on user risk profile dynamically. While Azure AD privileged identity management allows you to control administrators access to resources and provide just-in time access based on the need.

Now, let’s see how to create an Azure AD tenant.

  • Login to your Azure subscription.
  • Look at the left panel and click on +New.

  • Look for Azure Active Directory in Azure Marketplace search window.

  • Click on Create from Azure Active Directory panel.

  • Now fill the organization name, intial domain name and select the “Country or region” and click on create.

  • Once directory created then you can click on “here” and play with your Azure AD.

You can also select or switch between directories from top right user panel.