Category: Azure AD
-
AZURE AD – EXTERNAL IDENTITIES (IV) Advanced flowS
In all our previous posts we had the user sign-up flow take control of the actual creation of the user in Azure AD. The problem with that flow is that if we want to add the user to a group or perform other functions on it (like adding additional attributes) we would have to reply…
-
F5 – Allowing AAD Guests Kerberos Access
F5 – KCD – AAD – B2B In my last post I gave you a script that allows the automatic creation of B2B users in your local AD to enable you to publish (on-premises) Kerberos applications using Constraint Delegation. In this post, we will enable an F5 to use this setup to actually publish the…
-
F5 BIG-IP & AAD & KCD Simplified
With the release of an Application in Azure AD, the configuration of F5 publishing Kerberos backend applications have just been made a whole lot easier. This we cover in this post, but as an added bonus, the previous post adds the possibility of authenticating (Forest) trusted users on the same backend server using KCD (although…
-
F5 BIG-IP & AAD & KCD – Cross Forest – Part 2
In the previous F5 posts we did, we always used a single forest, single domain setup. Obviously, this is not always the case, certainly when cross-forest migrations are being performed. Even in these situations we could leverage F5 and AAD’s federation capabilities to provide an SSO experience. Requirements: 2 Forests with a forest trust (two-way)…
-
Forcing re-authentication on (some) applications
Sign-In Frequencies in Azure AD: You might have seen on Azure Active Directory a new feature called Sign-In Frequency. In this post we are taking a closer look at this feature. First, we need to understand how authentication works and which tokens we are receiving. When you sign-in to an application which is dependent on…
-
F5 Big-IP & AAD & BASIC / NTLM
In our previous post we looked at using Azure AD to perform the authentication for our F5 published web apps that used Kerberos. Now the strength of the F5 APM module is the SSO capabilities that allow it to authenticate users once and then they could reach any web app published by it, regardless of…
-
ImmutableID – mS-DS-ConsistencyGuid – AADConnect – ADMT – part 3b
In part 3a, we explained how ADFS can be used in cross-forest migrations to ensure all users (migrated or not) can still authenticate. In part 3B we will be looking at Pass-Through authentication and how it affects migrated/non-migrated users. First of all, we need to make sure we have pass-through authentication agents deployed. In my…
-
ImmutableID – mS-DS-ConsistencyGuid – AADConnect – ADMT – part 3a
To continue our coverage of ADMT and AAD, part three of the series. I know I promised 3 articles, but given the amount of data, I’ll split part 3 (authentication) in a few more posts.. We have 1 AAD and 2 AD’s; FORESTOOT.local as the source and TARGET.local is still the target AD forest. There…