
Azure B2B and internal applications

Azure Active Directory released the functionality for B2B a few months ago. This new feature enables companies to extend their identity service as well as their applications beyond traditional borders. Say, you want to provide your vendor a mailbox in YOUR Office 365 tenant. That way the vendor can still read/write emails on behalf of […]


Enabling on-premises MFA in AAD: when it just doesn’t work…

When you want to enable Multi-Factor Authentication (MFA) for Azure / Intune / Office 365 / Dynamics 365, you are using federated logins, and you want the MFA provider to be on-premises (integrated with ADFS/PingFed/other), you might run into an issue where the Azure MFA page keeps popping up and asking you to register […]


Add disks to VMs in Azure

Sometimes you need to add additional disks to VMs in Azure. If you happen to manage a big farm of servers and all of them need additional disks, you find yourself in the portal a lot, or in PowerShell hacking your way through variables and collections.

This script helps you add one or more disks to a single VM, to all VMs in a resource group, or to all VMs in a resource group whose names start with a particular prefix.

Unused Azure Resource cleanup

When using Azure as your development platform, or just to play with, you eventually find yourself deleting resources one by one or entire resource groups, because when you delete a VM in ARM (the new portal), it deletes only the VM but leaves the VHD, the NIC, the public IP and the NSGs behind. So what if you could run a script that looks for the unused resources and deletes them for you?

Well, look no further; or rather, develop it with me, starting from the initial script I wrote: AzureCleanUp.ps1

Last update: April 2017


PowerBI Gateway and Proxies

The PowerBI Gateway can be used to connect on-premises database sources into PowerBI, Microsoft Flow, Logic Apps and PowerApps. The advantages are many, and if installed correctly it will work flawlessly. However, the default install of the connector is based on the gateway being able to connect directly to the internet. While it’s the fastest […]


UPN Change of user not updated in AAD (O365/Intune/other)

When you change a user’s UPN, under certain conditions the change will not be synchronized to AAD (Office 365/Intune/other). Why?

When you have federated domains for Office 365, or rather for AAD in general, and you want to switch your users from one domain to another, you will notice that the object no longer replicates to AAD (and thus to Office 365). I noticed this a long time ago, and it seems Microsoft also published this as a known KB a few weeks ago.


Selective password synchronization with AAD-Connect

In my previous post, I talked about the possibility of using Kerberos Constrained Delegation to avoid having passwords in AAD. However, sometimes you want to have a few passwords in AAD Domain Services to ensure that administrators can still log in to the VMs interactively (RDP), or that users can use certain services that are not published with Kerberos or aren’t web services.

In this post we will look at editing the configuration of AAD Connect to synchronize the passwords* of users that have a particular attribute set in AD, so that some users (like administrators) will be able to log in to VMs joined to AAD-DS using their on-premises passwords.

* see note below


ADFS behind Azure Traffic Manager

When you have ADFS hosted on Azure (as per my previous post), you might want to look at using Traffic Manager, and especially at its probes and endpoints.

Euhm… oops… this is embarrassing: we’ve found a bug. Well, one of my readers did, and I investigated further. When you follow the directions below, you will notice that Traffic Manager always marks the endpoints as healthy, regardless of the status of the backend service. So the bug in this case is that:

WAP will always listen for /adfs/probe regardless of the published rules. This causes issues, because as long as the WAP is up, that probe endpoint is up too. Your ADFS farm could be stone-cold dead and, according to WAP, all is fine. And since Traffic Manager relies on /adfs/probe to determine endpoint health, it will happily keep sending traffic to the endpoint as long as WAP (not ADFS) is up.

This blog discusses (and solves) the same problem: http://www.gi-architects.co.uk/2017/01/traffic-manager-endpoint-monitor-and-adfs-adfsprobe/ but I think their workaround (although it actually works) is not the best. It involves installing IIS completely in order to rewrite the inbound URL to the correct one. There is a reason, however, why ADFS was removed from IIS (version 1.1 used to install IIS Web Services): it opens up too much, and therefore I don’t think it’s that nice. So, while I’m working on this, head over to their page and use it if required, until I have a better solution.

>> In short, this one goes back to the drawing board. <<

So, this post is to help you configure ADFS behind Azure Traffic Manager and ensure proper failover when the service is unavailable.


AAD-DS + KCD-PT + Federation (or how to avoid passwords on the cloud)

New (and only available within Azure) is Azure Active Directory Domain Services. This service is based on Azure Active Directory and the data replicated into it. It provides Domain Services as a service to subscription administrators and can be very useful for many scenarios where domain services are required but the security or management of domain controllers in the cloud is a concern.

In many documents you will see that you need to replicate user password [hashes] into AAD to make it fully work, but this post is about how you can avoid that using Kerberos Constrained Delegation with Protocol Transition.

Redundant SRX Junos to Azure VPN with VNET Peering

Ever since playing with BGP I have been looking for a way to make redundant tunnels. As the local internet provider here would only allow me a single IP address, I looked at the other side. What if we have two Azure regions that each have a VPN tunnel to my SRX and are peered with each other? Routing would be handled by BGP, and thus I should be able to reach both VNETs through either of the VPN tunnels.
