Tag: Azure AD
-
AZURE AD – EXTERNAL IDENTITIES (IV) Advanced flowS
In all our previous posts we had the user sign-up flow take control of the actual creation of the user in Azure AD. The problem with that flow is that if we want to add the user to a group or perform other functions on it (like adding additional attributes) we would have to reply…
-
AZURE AD – EXTERNAL IDENTITIES (III) Custom ATTRIBUTES
In the previous two posts I explained how to connect External Identities to a Logic App. This allows us to define advanced workflows for signing up external users. The power of Logic Apps is virtually unlimited and the built-in connectors can help us with lots of things. I created a logic app that adds the…
-
AZURE AD – EXTERNAL IDENTITIES (II) Logic Apps
First of all, I have a confession to make: I’m not a developer to the extend that I cannot write an API from scratch or any other application that isn’t based on pure PowerShell or VBS scripting. Which means integrating an API into External Identities is going to be a challenge for me. I wish…
-
Azure AD – External Identities (I)
Let’s say you have an application that you want your vendors to access. If this application is Azure AD joined you could create a separate account, you could invite them as a guest using their email address, you can even add their domain name as a connected organization, or you could use external identities. That…
-
F5 – AAD – HEADER BASED – EXTERNAL ATTRIBUTES
In earlier posts I talked about my favorite authentication protocol ‘Kerberos’, but obviously there are many more authentication protocols such as HEADER based authentication. While we won’t be sending the password of users straight to the backend webserver we can send additional information. Azure AD App Proxy in combination with Ping Access can already do…
-
F5 – AAD – VPN with MFA
In earlier posts I talked about using F5 as a reverse proxy to Kerberos based resources using Azure AD authentication. This post takes it a step further. Creating an SSL VPN based on Azure AD identities with Conditional Access (if needed). So, the architecture: As you might have seen, there is no Active directory in…
-
Delegated Windows Virtual Desktop Deployment
When deploying Windows Virtual Desktop in Azure you can use all the administrative credentials you can find as per the guide. But what if you are in a more “regular” environment where you don’t have “Domain Admin” and “Global Admin” permissions? In that case, you follow this post where we will look at who needs…
-
FIDO2 – the infinite loop broken
In my previous post I talked about FIDO2 keys from FEITIAN and how to register them. One of the points for registration was that you need to sign-in with MFA to register your FIDO2 key. But what if your users do not want that, or cannot do that? To the rescue comes ENSURITY. They have…
-
Even strong passwords are… stupid – part 2 – FIDO2
Microsoft is on a quest to remove passwords. While this will be a long journey it is worth the effort. Passwords are weak as people tend to reuse their passwords on various sites and/or websites don’t do enough to protect them. And so, accounts are breached almost on weekly basis, and many passwords are “known”…
-
F5 BIG-IP & AAD & KCD Simplified
With the release of an Application in Azure AD, the configuration of F5 publishing Kerberos backend applications have just been made a whole lot easier. This we cover in this post, but as an added bonus, the previous post adds the possibility of authenticating (Forest) trusted users on the same backend server using KCD (although…
-
F5 BIG-IP & AAD & KCD – Cross Forest – Part 2
In the previous F5 posts we did, we always used a single forest, single domain setup. Obviously, this is not always the case, certainly when cross-forest migrations are being performed. Even in these situations we could leverage F5 and AAD’s federation capabilities to provide an SSO experience. Requirements: 2 Forests with a forest trust (two-way)…