Category: Active Directory

  • Azure Active Directory Pass-through Authentication part 2

    In the initial post, we looked at PTA from a high-level perspective. This post goes into the actuals and internals of the PTA to ensure you can convince your security department on why PtA is a very good idea. Inside Azure AD there are multiple components that work together to ensure the safety of your…

  • ImmutableID – mS-DS-ConsistencyGuid – ADConnect – final part

    One of the most looked at topics on this blogpost is the ImmutableID series for Azure AD Connect and AADSync. And I wanted to give an update to this, given the latest versions of Azure AD Connect seemed to have adopted the idea to use the ms-ds-ConsistencyGuid (or any other value) to replace the ImmutableID…

  • Azure AD – Pass-through Authentication SSO – reset password

    We’ve already covered Azure AD PtA with SSO. Where a local computer object is created in your on-premises AD to help with the authentication. While the password of the object is changed periodically.  Many organizations have the requirement to reset the computer password on the fly or at a faster interval. Microsoft has released a…

  • Multi-domain ADFS with alternateID login

    So, I got a question the other day on using ADFS in combination with some 3rd party applications in a very large AD environment. Basically the problem statement was: “ we don’t want to use UPN and we don’t want to use domain\username. Users should be able to login using either (only) their employeeID or…

  • Azure AD Lockout configurations – avoiding AD account locks

    On Monday morning, the office opened, and everyone tried to login to their computers, however no-one seemed to be able to login. The helpdesk was quickly flooded with calls and it seems everyone’s account was locked-out. It could happen to almost every company that does not have a good policy on lockouts. Hackers try as…

  • Azure AD Dynamic Group Membership on Custom attributes

    In Azure Active Directory you have the option to create dynamic groups. These are groups where members are added based on a formula that uses the attributes known on a user object in Azure AD. For example you can create a dynamic group of all users that have a specific job title: But what if…

  • Your applications in a Cloud World

    The existing method of controlling user accounts and workstations in another mayor (and smaller) company is usually based on the proven technology of Active Directory. The advantage of domain joined workstations is that it is easy for IT to impose limits and enable features that make it easy for users to start working. Mapped drives,…

  • Azure Data Lake – managing data access

    When setting up Azure Data Lake services, it is possible to combine access to the actual data with Azure Active Directory B2B. The combination of these services allow external vendors and or partners to connect to the data in Azure Data Lake, but under the governance of your and their company. The logins for accessing…

  • AAD Pass-Through Authentication – SSO without ADFS

    There are multiple options for authenticating users against Azure AD. But until now, full support for SSO based logins was only possible using two options. Azure AD joined devices, or a local ADFS service to your on-premises Active Directory. The latter being the most used option it also had its problems, first of all you…

  • Azure B2B and internal applications

    Azure Active Directory released the functionality for B2B a few months ago. This new feature enables companies to extend their identity service as well as their applications beyond traditional borders. Say, you want to provide your vendor a mailbox in YOUR Office 365 tenant. That way the vendor can still read/write emails on behalf of…

  • Enabling on-premises MFA in AAD : when it just doesn’t work…

    When you want to enable MultiFactorAuthentication (MFA) for Azure / Intune / Office 365 / Dynamics 365 and you are using federated logins and want to have the MFA provider to be on-premises (integrated with ADFS/PingFed/other) integrated.. you might run into an issue where the Azure MFA page keeps popping-up and asking you to register…

  • Selective password synchronization with AAD-Connect

    In my previous post, I talked about the possibility of using Kerberos Constraint Delegation to avoid having passwords in AAD. However, sometime you want to have a few passwords in AAD-Domain Services to ensure that administrators can still login to the VM’s interactively (RDP) or users are able to use certain services that are not…