Understand your attack profile with the Attack Surface Analyzer tool

Wow, I have been looking for a tool that does this for a very long time. 😉 It analyses the attack surface of your system. Just imagine that you have just installed a piece of software and suddenly you are now more vulnerable. Would you know? 😦 Normally not. Now you can find out with Attack Surface Analyzer, from the Microsoft team in the Trustworthy Computing group. Download it from https://www.microsoft.com/en-us/download/details.aspx?id=24487

Azure Active Directory Connect – GA – Upgrade road test

Last week Alex Simons made the announcement that AADConnect went GA.

Today we are simply going to perform an upgrade on our existing installation of Azure Active Directory Connect beta to GA. A large number of beta testers, including myself, have made suggestions and had questions along the way, which has resulted in the final product. You can always submit your Microsoft Azure feedback and suggestions here.

To view my original beta install click here.

Today I started by going to a different URL to download the GA version, here. First thing you will notice is that the file size is slightly larger. The file names were the same (until I changed them for clarity).

I ran the installer (no right-click or any elevated permissions required). You will note that I was shown that an upgrade will occur.

I am informed that my syncing will pause during the upgrade.

I enter my Azure credentials

The checkbox was already selected, I select Upgrade.

The installation was successful and I am given a new completion message. To Sync Windows 10 Domain Joined computers to Azure AD as registered devices, please run

ADSyncPrep:Initialize-ADSyncDomainJoinedComputerSync for Technet.com

The message could be a little clearer, but what it means is load the ADSyncPrep PowerShell module, and run the following command. To save you looking and typing here are the commands that you require to complete this task:

PS C:\Users\aaron.whittaker\Desktop> import-module "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
PS C:\Users\aaron.whittaker\Desktop> Initialize-ADSyncDomainJoinedComputerSync
cmdlet Initialize-ADSyncDomainJoinedComputerSync at command pipeline position 1
Supply values for the following parameters:
AdConnectorAccount: Aaron.Whittaker@xxxxxxxxxxxxx.onmicrosoft.com
AzureADCredentials
Initializing your Active Directory forest to sync Windows 10 domain joined computers to Azure AD.
Configuration Complete
PS C:\Users\aaron.whittaker\Desktop>

Complete.

How do you like the AADConnect tool? Leave your comments below and as always feel free to send me a tweet regarding this post or topic.

Till next time thanks.

Aaron @aaronw2003

Fixing the Windows 10 login screen – avoid username entry each time.

If you are using Windows 10 beta, the default option for unlocking your machine is to enter your username and password each time. If you wish to have your username automatically entered (same as Windows 8.1) each time you unlock your machine follow these instructions.

Open regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\TestHooks. Double-click “Threshold” and change the value from “1” to “0”.

Source: Here

Aaron @aaronw2003

How to Add a custom application with Single Sign-On to your Azure Active Directory accounts

In the previous post we quickly looked at how to add a custom app (FaceBook) Single Sign-On to your Azure Active Directory accounts.

Firstly go to your Azure portal and log in as an administrator, go to Active Directory, Default Directory, Select the Applications tab at the top, then select add at the bottom of the page. Select Add an application from the gallery.

Then go to Custom and type in your application name, Facebook.

Select Configure single sign-on

I selected Password Single Sign-On as I don’t have an ADFS environment at the moment.

Enter the application URL.

I entered account and password labels that I found from the Facebook source code (there is another way to do this; see below).

Now we need to assign some users.

I selected the user, and entered existing FaceBook user credentials.

Now if you browse to https://myapps.microsoft.com, click on customfacebook, and your test does not work, try the following.

Select the app and then select Configure single sign-on. Check the box to recapture sign-in fields.

Now select the button Click to sign in.

I performed this plugin install test on Chrome and IE11 successfully.

After the plugin was installed (browser restart might be required) I selected the username, password fields and login. The plugin highlights these fields with the red boxes.

Using Azure Apps SSO: Browse to https://myapps.microsoft.com tab, note the refresh message.

After the refresh both apps show up. Clicking on either button opens a new tab and automatically logs me into FaceBook.com

To see part 1 of this post click here. Now we have added a custom app.  Instead of Facebook we could have used any other valid URL with a login. The list of predefined apps is always expanding.

Aaron aaronw2003

How to Add FaceBook Single Sign-On to your Azure Active Directory accounts

In this post we will quickly look at how to add FaceBook Single Sign-On to your Azure Active Directory accounts.

This is a relatively simple operation, with a more complex post to follow.  For the complex Part 2 post click here.

Firstly go to your Azure portal and log in as an administrator, go to Active Directory, Default Directory, Select the Applications tab at the top, then select add at the bottom of the page. Select Add an application from the gallery.

Then type in Facebook to find it and select FaceBook.

Once the app loads (a refresh may be required), click on the app. Then you will see the screen below; click Assign Users.

Then add your users (you require each user's Facebook credentials).

Then open a new tab (assuming you gave yourself permissions), browse to https://myapps.microsoft.com and click on FaceBook.

This should open a new tab and log you straight into FaceBook.com.

To see part 2 of this post click here.

Aaron aaronw2003

Microsoft Azure Active Directory Basic versus Azure Active Directory Premium

If you are trying to decide whether to deploy Azure Active Directory (AD) Basic versus Azure AD Premium, Alex Simons' recent announcement might just help with your decision.

For further details on this new release and feature click here.

I wanted to share the different feature sets as these may be overlooked in certain deployments.

There are actually 3 different versions of Azure AD. With more than 21 features spanning across the 3 versions and 11 public preview features, let’s go through the main features and differences.

Free – Azure AD Free edition is part of every Azure subscription. There is nothing to license and nothing to install. With it, you can manage user accounts, synchronize with on-premises directories, get single sign-on across Azure, Office 365, and thousands of popular SaaS applications. This exists even if you only have an Office 365 subscription and no active Azure subscription.

Basic – Azure AD Basic edition provides application access and self-service identity management requirements for task workers with cloud-first needs. Beyond all the capabilities that Azure Active Directory Free has to offer, you also get group-based access management, self-service password reset for cloud applications, Azure Active Directory application proxy (to publish on-premises web applications using Azure Active Directory), customizable environment for launching enterprise and consumer cloud applications, and an enterprise-level SLA of 99.9 percent uptime.

  • User Write-Back – Currently in preview.
  • Company branding – To make the end user experience even better, you can add your company logo and color schemes to your organization’s Sign In and Access Panel pages. Once you’ve added your logo, you also have the option to add localized versions of the logo for different languages and locales. See my TechEd presentation on this.
  • Group-based application access – Use groups to provision users and assign user access in bulk to thousands of SaaS applications. These groups can either be created solely in the cloud or you can leverage existing groups that have been synced in from your on-premises Active Directory.
  • Self-service password reset – See my TechEd presentation on this.
  • Azure Active Directory Application Proxy – Give your employees secure access to on-premises applications like SharePoint and Exchange/OWA from the cloud using Azure AD.

Premium – Azure AD Premium comes with all of the capabilities that the Azure Active Directory Free and Basic editions have to offer, plus additional feature-rich enterprise-level identity management capabilities explained below.

  • Report leaked credentials – Currently in preview.
  • Self-service group management – enables users to create groups, request access to other groups, delegate group ownership so others can approve requests and maintain their group’s memberships.
  • Advanced security reports and alerts – Monitor and protect access to your cloud applications by viewing detailed logs showing more advanced anomalies and inconsistent access pattern reports. Advanced reports are machine learning-based and can help you gain new insights to improve access security and respond to potential threats.
  • Multi-Factor Authentication – Multi-Factor Authentication is included with Premium and can help you to secure access to on-premises applications (VPN, RADIUS, etc.), Azure, Microsoft Online Services like Office 365 and Dynamics CRM Online, and thousands of Non-MS Cloud services.
  • Microsoft Identity Manager (MIM) – grant rights to use a MIM server (and CALs) in your on-premises network to support any combination of Hybrid Identity solutions. This is a great option if you have a variation of on-premises directories and databases that you want to sync directly to Azure Active Directory. There is no limit on the number of FIM servers you can use, however, MIM CALs are granted based on the allocation of an Azure Active Directory premium user license. For more information, see Deploy MIM 2010 R2.
  • Password reset with write-back – self-service password reset can be written back to on-premises directories. See my TechEd presentation on this.

Now that is a lot of features and some big differences so where do you start?  Personally I think the best business case for Azure AD Premium comes down to the following common/popular/major features:

  • Multi Factor Authentication (MFA)
  • Self-Service password reset with on-premise write-back
  • Self-service group management for cloud users
  • MIM (if it is required)
  • Advanced anomaly security reports (machine learning-based) including detecting leaked credentials

The other critical feature included within basic and premium is the enterprise-level SLA of 99.9 percent uptime.  This is an important guarantee that is often overlooked in Office 365 deployments.  Building in multiple points of redundancy is no use if you don’t have a guarantee on your Azure AD users. For more information, see Active Directory Premium SLA.

So you should focus on building a business case around these features. You cannot build an on-premises MFA solution for the price that Microsoft is charging. This feature alone easily outweighs the cost of Azure AD Premium. An Azure administrator can activate an Azure Active Directory Premium trial here. Take a trial and decide what features best suit your organization/customer. Hopefully this helps with your decision making.

AaronW @aaronw2003

Sources:

https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx

http://blogs.technet.com/b/ad/archive/2015/06/15/azure-active-directory-premium-reporting-now-detects-leaked-credentials.aspx

A second look at Azure AD Connect Public Preview 2

Before viewing this post please refer back to my following articles if you require a base understanding of Microsoft Azure ADConnect and the features available.

  • I first posted on AADConnect and AADSync back in August last year.
  • I also presented on Cloud Identities at TechEd Melbourne and Sydney last year here.

This post will focus on what is new and what has changed.

As posted by Alex Simons (Azure AD Director) the Microsoft Azure ADConnect preview 2 was released earlier this year. I downloaded Azure AD Connect Public Preview Download from here. I started the installer and was presented with the screen to install the services. Note: I could have specified a SQL server if my Domain was large enough to warrant this (Microsoft recommends this for over 50,000 + users). I could specify a Service Account if that was a company requirement. I could also select import settings if I had a previous configuration that I wanted to apply to this ADSync server. I left all options unselected and selected install.

The next option was to specify what I wanted to install, ADSync or SSO. I selected ADSync.

I then entered my Azure Global Admin credentials. The installer now creates and assigns a service account within Azure AD with the minimum permissions that it requires, which is a great improvement. I then entered my On-Premises credentials (this also creates a service account).

The following option allows for Group Based filtering. I noted that you can only specify 1 group here which may suit some customers who do not wish to use OU based filtering. Microsoft added this option for pilots and evaluations of Azure AD and Office 365. I selected ‘Synchronise all users and devices’.

Here I specify that a user is represented only once across all directories.

Here you can change your user attribute mappings.  This may be required if you are using for example Shibboleth for SSO or if you have some other customised requirements.

Optional features can be modified later, so don’t be overwhelmed by the number of options. You can re-run the wizard to make changes later if you need.

  • Exchange Hybrid – For an Exchange Hybrid migration to Office 365.
  • Azure AD attributes – if you only want to sync a smaller set of user attributes.
  • Password writeback – change a password in Azure AD and it writes back to On-Premises and verifies the On-Premises password policy.
  • User writeback – A user created in Azure AD is created in On-Premises AD.
  • Group writeback – Groups in Office 365 will be written back to your On-Premises Exchange forest.
  • Device Sync – Allows for Windows 10 computers enrolled with Intune or directly with Azure AD to sync to On-Premises AD. (We are seeing the start of managing a Windows-as-a-Service subscription model.) This is called ‘Cloud registered Devices’. NOTE: This requires a 2012 R2 schema.
  • Directory extension – Use this if you want to sync a unique attribute to Azure AD, e.g. a custom Linux attribute, or an Employee ID (currently limitations apply to certain values and characters).

The screenshot below is for Azure AD attributes.  So in my example I will not be using CRM so I remove the syncing of these attributes.

Below we have the option to remove attributes from being synced. E.g. an organisation may have extended their schema and used “extensionAttributes”. If these contain sensitive information, the administrator can simply uncheck these attributes so they are not synced.
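
Before unticking attributes it helps to know which extension attributes actually hold data. The PowerShell below is an added example, not part of the original post or of Azure AD Connect: the function name Get-ExtensionAttributeUsage and the sample accounts are made up for illustration, and it assumes the standard extensionAttribute1 to extensionAttribute15 names.

```powershell
# Added example: report which extensionAttribute1..15 values are in use, so
# the attributes to untick in the wizard can be chosen from evidence.
function Get-ExtensionAttributeUsage {
    param(
        [Parameter(Mandatory)]
        [object[]] $Users   # objects exposing SamAccountName and extensionAttributeN
    )
    foreach ($n in 1..15) {
        $name = "extensionAttribute$n"
        # Keep only accounts where this attribute holds a non-blank value.
        $hits = @($Users | Where-Object {
            -not [string]::IsNullOrWhiteSpace([string]$_.$name)
        })
        if ($hits.Count -gt 0) {
            # Report account names, not the values, to keep the data off screen.
            [pscustomobject]@{
                Attribute = $name
                Populated = $hits.Count
                Accounts  = ($hits.SamAccountName | Select-Object -First 3) -join ', '
            }
        }
    }
}

# Constructed sample objects standing in for directory users (not real data).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user.one';   extensionAttribute1 = 'EMP-0001'; extensionAttribute7 = '' }
    [pscustomobject]@{ SamAccountName = 'user.two';   extensionAttribute1 = 'EMP-0002'; extensionAttribute7 = 'payroll-grade-3' }
    [pscustomobject]@{ SamAccountName = 'user.three'; extensionAttribute1 = $null;      extensionAttribute7 = $null }
)

Get-ExtensionAttributeUsage -Users $sample |
    Sort-Object Populated -Descending |
    Format-Table -AutoSize

# Against a live domain (assumes the RSAT ActiveDirectory module and a schema
# that defines these attributes, which the Exchange schema extension adds):
#   $props = 1..15 | ForEach-Object { "extensionAttribute$_" }
#   Get-ExtensionAttributeUsage -Users (Get-ADUser -Filter * -Properties $props)
```

With the constructed sample this reports extensionAttribute1 on two accounts and extensionAttribute7 on one; any attribute that shows up unexpectedly is a candidate to review before it is synced.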

Here we confirm which On-Premise destination we want to use for User writeback. Select the Users OU. Note: you can add/merge many domains to the one Azure AD subscription, so Write-Back destination is required. 

Here I ticked the box to start a sync after install.

Here you can see I have run the miisclient and can see that 60 objects have been synced automatically.

Here we can easily see errors. My user account had an error because AD and AAD had the exact same display name of aaron.whittaker. For this test environment I will ignore this error.

Next in Azure AD I create a new user called CloudUser1

Back on my Sync server I selected connectors at the top, then selected my Azure AD and ran a ‘Full Synchronization’.

Below you can see the event for the CloudUser1 being synced to On-Premises.

Here we can verify that the user has been synced.  You can see I have applied an On-Premises group membership permission to a Cloud User.

To view my post on upgrading to AADConnect GA from Beta see my post here.

To get started refer to the following articles:

Post by Alex Simons

And follow these twitter handles:

@askariel  @Alex_A_Simons

To start planning for your business transformation you can deploy and test these features all from within your Microsoft Azure subscription.  If you don’t have a Microsoft Azure subscription you can take a trial here.

Aaron Whittaker
@AaronW2003
