Corporate applications may also hold critical operation data related to the company. By doing regular reviews, we can make sure only the relevant people have access to corporate applications. However, if we just use the native method, it will be mainly based on Enterprise app Sign-ins and audit log data. the only problem with this method is, it is so time-consuming. As it is all manual process, the result may not be that accurate either. But now with Azure AD Access reviews, we can do this by setting up a simple access review job. Here is why it is good rather than a typical audit. 

Automated – It is all automated. You do not need to go through logs and do anything manually. 

Actions – we can also attach predefined action to execute at the end of a successful access review job. If required, we also can manually decide what to do with the findings (approve or deny access)

Schedule – Access reviews jobs can be scheduled to run periodically. It helps to do it more frequently than the manual method.

Recommendation – Access review job itself provides recommendations based on findings. It helps reviewers to decide. 

Delegations – Access reviews job allows delegation. We can assign someone else in the team to decide what to do with the findings. It helps to get more accurate results. 

So, let's go ahead and see how it works. In my demo environment, I have linkedin application assigned to different groups and users. I like to know who has access to it and do permission changes if required.

 1. To start, log in to Azure portal as Global Administrator

2. Then make sure Access reviews onboarding process is completed. More info about this can be found in one of my previous blog posts http://www.rebeladmin.com/2019/02/step-step-guide-review-privileged-accounts-using-azure-pim/

3. To create a new access review job, go to Access Reviews | Controls

4. Then click on + New Access Review 

Azure VM now have serial console access via Azure portal. It is not depending on the virtual machine’s network or operating system state. This is ideal for recover machines/data, modify system configurations & troubleshooting. Azure serial console access is only available via Azure portal. It is using COM1 port of the virtual machine. This works for both Windows & Linux VMs. In my demo I am going to show how we can access windows VM via serial console. 

Prerequisite 

1. A VM created via New portal. This feature is not available for classic deployment model. 

2. A user with minimum of Virtual Machine Contributor role

3. Password based account for the VM

Once prerequisites are in place, we can start the configuration. In my demo setup, I am going to use a VM with Windows server 2019 datacenter version. 

1) Log in to the Azure portal as Global Administrator

2) Go to Virtual Machines and click on the selected VM. 

3) Then click on Boot diagnostics under Support + troubleshooting

4) In new window, Click on Settings and make sure Boot diagnostics are turned on. 

Azure AD B2B allows organizations to share company applications and other services/resources with external users. Before, this external user should have one of following to initiate connection with the organization who sents the B2B inivitation. 

1) Azure AD Account

2) Microsoft Account

3) Google Federation ( More info : http://www.rebeladmin.com/2019/02/step-step-guide-setup-federation-google-azure-ad-b2b/ )

Email one-time passcode authentication (OTP) feature now allow B2B users to authenticate using one time passcode if they cant use one of the above methods. Once OTP is issued it is only valid for 30 minutes. If user didn’t use it with in 30 minutes, he/she need to request new OTP code for authentication. Once authenticated, session will be valid for 24 hours.  

This feature is still under public preview. OTP users must use the https://myapps.microsoft.com/?tenantid=<tenant id> , https://portal.azure.com/<tenant id> or https://myapps.microsoft.com/<verified domain>.onmicrosoft.com when they authenticate. In above <tenant id> should replaced with the organization’s tenant ID. <verified domain> should replace using the default domain details. 

You can find the tenant id using, 

Azure Portal | Azure Active Directory | Properties | Directory ID  

Let’s see how we can enable this new OTP feature. 

To do that,

1) Log in to Azure portal as Global Administrator

2) Go to Azure Active Directory | Organizational relationships 

3) Then go to Settings

Microsoft recently released the new combined registration experience for MFA and SSPR. This steamlined the registration experience and users can sign up by following up step-by-step process. This new portal also improve experience of managing user profile data. 

 To enable this new experience, 

1) Log in to Azure portal as Global Administrator

2) Then go to Azure Active Direcotry | User Settings

3) Then click on Manage settings for access panel preview features under Access panel

4) Click on All under Users can use preview features for registering and managing security info – refresh to enable preview features for all users. If needed we can apply this to selected group of users by using Selected option. 

Azure AD SSPR ( self-service password reset ) allow users to reset their own passwords according to policy define by their administrator. Before it was only allowed to use Email, Mobile phone, Office phone or security questions options to reset the passwords. If it was Azure AD admin they wasn’t able to use security questions option either. But now SSPR supports use of Microsoft Authenticator app notifications or a code from any mobile authenticator app or hardware token. This is applying for all the users including Azure AD administrators. In order to use mobile app or hardware token option, users need to sign up for at least 2 other methods ( Email, Mobile phone, Office phone or security questions).

To enable mobile app option, 

1) Log in to Azure portal as Global Administrator

2) Go to Azure Active Directory | Password Reset 

3) Go to Properties and make sure you have SSPR enabled

Azure AD has near 35 different Directory roles. Each of these roles have different level of privileges. Using Azure PIM access reviews, we can review access and activities of member’s in these privilege groups and adjust their memberships accordingly. let’s see why it is important to review access of privilege accounts periodically. 

• Too much administrators – How many of you aware of all the administrators (including local admins) of your local AD infrastructure? I got you isn’t it! in local AD environment it is handful of privilege user groups, but Azure AD have near 35 roles. So, yes it will be difficult to keep track of the administrator with out proper review. 

• Not doing what they supposed to do – Azure AD roles have predefined level of privileges. you may assign a higher privilege role to member as he/she can’t match privilege available under existing roles. How we know they are only doing what they supposed to do? using access reviews we can track down their activities and make sure they not misuse the privileges. 

• Audit takes time – We can review the group memberships & their activities manually. But it takes time. if its manual tasks and also if it takes time most probably administrators will not do it more regularly. PIM access review is fully automated so you can schedule it run according to your requirements.  

Now it is time to look in to implementation. In my demo I am going to create an access review for Global administrator role. To do this, 

1. Log in to Azure portal as Global Administrator

2. Go to All Services and search for azure ad PIM then click on it.

 

 

3. If this is your first-time using PIM, you need to click on onboard and complete the process. 

 

 

 

4. Then click on Azure AD Roles under Manage

In on-premises Active Directory environments, we use “trusts” to establish identity infrastructure collaboration between businesses. In that way, partner organization can use their own user accounts to authenticate in to trusted organization resources. When it comes to cloud/hybrid identity, Azure AD B2B allow organizations to establish cross-organization identity connections. Unlike on-premises, it is not required additional infrastructure changes. In my previous article about Azure B2B explains how we can allow external users to authenticate in to cloud app using their own accounts. You can find it here http://www.rebeladmin.com/2018/11/cross-organization-collaboration-azure-ad-b2b/ . However, when external user’s sign up process it is asking to create “Microsoft Account” to continue. 

If users are having Google Accounts, now Azure AD B2B can initiate federation with google to allow users to use their own google accounts to authenticate instead of Microsoft Accounts. In this demo I am going to demonstrate how we can initiate federation with google. 

Prerequisites

• Valid Azure AD B2B Subscription – If the guest users are going to use Azure AD paid services, make sure you have enough licenses allocated. More info about licensing can find here https://docs.microsoft.com/en-us/azure/active-directory/b2b/licensing-guidance

• Shared Google Account – During the setup we need to create credentials at Google APIs. To do that we need to use existing google account. It is recommended to use separate google account for this instead of existing user account. 

To start the configuration,

1. Go to https://console.developers.google.com and log in with the Google account you have selected for the task. 

2. In Dashboard, Click on Create to start new project. 

3. Then in new window, give unique name to project and click on Create.

4. Once project is created, select it from the project drop down box. 

5. Then click on Credentials. 

Windows server 2019 was available for public (GA) from early oct 2018. In past i have written many articles about domain migrations by covering different Active Directory versions. So, it is time me to write about AD 2019 migrations. In this demo I am going to demonstrate how to migrate from Active Directory 2012 R2 to Active Directory 2019. The same procedure is going to apply for any AD version from Windows Server 2008.   

Migration itself is very straight forward task. But there are other things you need to consider before you do an AD migration. In below I listed a checklist you can use in many occasions.

• Evaluate business requirement for active directory migration 

• Perform Audit on Existing Active Directory Infrastructure

• Provide Plan for implementation Process

• Prepare Physical / Virtual resources for Domain Controller

• Install Windows server 2019 Standard / Datacenter

• Patch Servers with latest Windows Updates

• Assign Dedicate IP address to Domain Controller

• Install AD DS Role

• Migrate Application and Server Roles from the Existing Domain Controllers.

• Migrate FSMO roles to new Domain Controllers

• Add New Domain controllers to the Existing Monitoring system

• Add New Domain controllers to the Existing DR Solution

• Decommission old domain controllers 

• Raise the Domain and Forest Functional level

• On Going Maintenance 

As per the above figure therebeladmin.com domain has two domain controllers.  In here, the FSMO role holder is running windows server 2012 R2. Domain and forest functional level currently operating at Windows server 2012 R2. A new domain controller with Windows server 2019 will be introduce and it will be the new FSMO role holder for the domain. once FSMO role migration completed, Domain controller running windows server 2012 R2 will be decommissioned. After that forest and domain function level will raised to the windows server 2019. 

In the demonstration, REBEL-DC2012 is the domain controller with windows server 2012 R2 and REBEL-DC2016 is the domain controller with windows server 2019. 

 

When you introduce new domain controllers to the existing infrastructure it is recommended to introduce to the forest root level first and then go to the domain tree levels.

 

 

1. Log in to the Server 2019 as a member of local administrators group. 

2. Add server to the existing domain as member

 

 

3. After restart, log in to the server as Enterprise Administrator

4. Assign static IP address to the server

5. Launch the PowerShell Console as an Administrator

6. Before the configuration process, we need to install the AD DS Role in the given server. In order to do that we can use Following command. 

 

Install-WindowsFeature –Name AD-Domain-Services -IncludeManagementTools

 

 

7. Configure the new server as additional domain controller.

 

Install-ADDSDomainController

-CreateDnsDelegation:$false

-NoGlobalCatalog:$true

-InstallDns:$true

-DomainName "therebeladmin.com"

-SiteName "Default-First-Site-Name"

-ReplicationSourceDC "REBEL-DC2012.therebeladmin.com"

-DatabasePath "C:\Windows\NTDS"

-LogPath "C:\Windows\NTDS"

-NoRebootOnCompletion:$true

-SysvolPath "C:\Windows\SYSVOL"

-Force:$true

 

 

There are no line breaks for the command and I have listed it as above to allow readers to identify on the parameters clearly.

 

Argument	Description
Install-ADDSDomainController	This cmdlet will install the domain controller in active directory infrastructure.
-NoGlobalCatalog	If you do not need to create the domain controller as global catalog server, this parameter can use. By default, system will enable global catalog feature.
-SiteName	This Parameter can use to define the active directory site name.  the default value is Default-First-Site-Name
-DomainName	This parameter defines the FQDN for the active directory domain.
-ReplicationSourceDC	Using this parameter can define the active directory replication source. By default, it will use any available domain controller. But if need we can be specific.

Once execute the command it will ask for SafeModeAdministrator Password. Please use complex password to proceed. This will be used for DSRM.

8. After configuration completed, restart the system and log back in as administrator to check the AD DS status. 

Get-Service adws,kdc,netlogon,dns

Will confirm the status of the AD DS service. 

Get-ADDomainController -Filter * |  Format-Table Name, IPv4Address, Site

Will list down the domain controllers along with the IP address and Sites it belongs to.

9. Migrate all five FSMO roles to the New domain controller using following command,

Move-ADDirectoryServerOperationMasterRole -Identity REBEL-DC2019 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

In above the REBEL-DC2019 is domain controller running with windows server 2019. 

Once its completed, we can verify the new FSMO role holder using 

Netdom query fsmo

10. The new step of the process is to decommission the old windows domain controller which running with windows server 2012 R2. To do that execute the following command as enterprise administrator from the relevant DC. 

Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition

After execute the command it will ask to define password for the local administrator account.

Once its completed it will be a member server of the therebeladmin.com domain.

11. Next step is to raise the domain and forest functional level to windows server 2019. To do that can use the following commands.

To upgrade domain functional levels

Set-ADDomainMode –identity therebeladmin.com -DomainMode Windows2016Domain

To upgrade forest function levels

Set-ADForestMode -Identity therebeladmin.com -ForestMode Windows2016Forest

With windows server 2019, there is no domain or forest functional level called windows2019. It is still 2016.

Now we have completed the migration from AD DS 2012R2 to AD DS 2019. Same steps apply when migrate from windows server 2008, Windows server 2008 R2, Windows server 2012 & Windows server 2016.

12. After the migration completes, we still need to verify if its completes successfully. 

Get-ADDomain | fl Name,DomainMode

This command will show the current Domain functional level of the domain after the migration. 

Get-ADForest | fl Name,ForestMode

Above command will show the current forest functional level of the domain. 

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Last month or so I have done few blog posts which explained about Azure information Protection (AIP)’s capabilities. In there, I mainly talked about how to protect sensitive data in organization when we know the data type, audience and permissions. 

Step-by-Step Guide: Protect confidential data using Azure information protection – http://www.rebeladmin.com/2018/12/step-step-guide-protect-confidential-data-using-azure-information-protection/ 

Step-by-Step Guide: Automatic Data Classification via Azure Information Protection – http://www.rebeladmin.com/2018/12/step-step-guide-automatic-data-classification-via-azure-information-protection/

Step-by-Step Guide: On-premise Data Protection via Azure Information Protection Scanner – http://www.rebeladmin.com/2018/12/step-step-guide-premise-data-protection-via-azure-information-protection-scanner/

Step-by-Step Guide: How to protect confidential emails using Azure information protection? – http://www.rebeladmin.com/2019/01/step-step-guide-protect-confidential-emails-using-azure-information-protection/ 

When we work with information, sometime we have to share information with internal/external peoples, organizations. Usually It is hard to apply strict data protection polices if it’s not sensitive data. With document tracking, we can review who access shared document, when and from where. It also allows to setup notifications so we know when someone access it. if the document is starting to appear in places where it shouldn’t, we can revoke the permissions as well. In this blog post I am going to demonstrate how we can do this. 

Prerequisites 

1. We need supported subscription first. This feature is available under Enterprise Mobility + Security E3 & E5, Office 365 Enterprise plans. Or else it is available as standalone solution https://azure.microsoft.com/en-gb/pricing/details/information-protection/

2. We need Microsoft Azure Information Protection Viewer app https://www.microsoft.com/en-us/download/details.aspx?id=54536&WT.mc_id=rss_alldownloads_all or Azure Information Protection client https://www.microsoft.com/en-us/download/details.aspx?id=53018 installed in the pc. It will allow to view, protect office documents using office apps. 

In my demo pc, I have installed Azure Information Protection client.

Once agent & subscription is ready,

1. Open up document that you like to share using office app (Word, Excel etc.) and then click on Protect | Custom Permissions  

2. It will open up new window, click on protect with custom permission. Then under select permissions, choose the permissions level you like to apply. 

Azure Cloud App Security is a great service to gain visibility in to your cloud apps and its data. It helps to identify security threats and take relevant actions to mitigate those based on policies. 

Using File Policies in cloud app security, we can scan and find sensitive information stored in cloud apps. Once these information are found we can associate different actions to it such as send alert, apply classification, change permissions etc.… . It also allows to move data found by a file policy in to a separated folder with limited access. This called as Admin Quarantine. When this is enabled under a policy,

• File will move to the admin quarantine folder

• system will delete original file

• System will place a tombstone file in original location. This file includes data which will help to releases the file. 

Prerequisites 

• In order to use cloud app security, we need E5 licenses. More details about licenses available here https://www.microsoft.com/en-gb/cloud-platform/enterprise-mobility-security-pricing

• Before start with polices, we need to get cloud apps connected. You can find more details under https://docs.microsoft.com/en-us/cloud-app-security/enable-instant-visibility-protection-and-governance-actions-for-your-apps . In this demo I am going to use Office 365 and I already got it configured as connected app. 

In this demo I am going to setup file policy to recognize files with credit card details. If policy finds a matching file it will automatically move it to admin quarantine. 

To configure,

1) Log in to cloud app security portal on https://portal.cloudappsecurity.com as Global Administrator 

2) Then go to Control | Policies

3) To create new policy, click on Create policy and from drop down list select File Policy