Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Azure AD Domain Service

How to setup Azure AD Connect cloud provisioning?

User names and passwords are the most common way of controlling access to applications. Nowadays we use more and more applications. These applications can be from on-premises or cloud. Unless there is a central identity management system, users will have to maintain different usernames, passwords to access these applications.
Azure Active Directory is a powerful, reliable cloud-based identity and access management service. It can use to manage identities and access for cloud applications as well as on-premises applications. If we already have a Windows Active Directory environment, using Azure AD connect we can sync on-premises identities to Azure AD. Azure AD Connect supports various Windows Active Directory topologies. More information about these supported topologies can be found here.
However, In Azure AD connect, synchronization and provisioning from AD are managed in the on-premises level. This can be a complex task especially if you have multiple AD forests. To simplify the hybrid identity synchronization process, Microsoft now has Azure AD Connect cloud provisioning. With this solution, Microsoft will manage provisioning from AD and synchronization as part of the service. In on-premises we only need to install light-weight agents which will act as a bridge between Azure AD and Windows AD.

Apart from the simplicity, Azure AD Connect cloud provisioning gives the following benefits,

• Allow Azure AD synchronization from multiple disconnected on-premises AD forests.
• Multiple agents will provide high availability for password hash synchronization.

What are the differences between Azure AD Connect and Azure AD Connect cloud provisioning?

Feature Azure AD Connect Azure AD Connect cloud provisioning
Synchronize multiple disconnected on-premises AD forests NO YES
Synchronize single on-premises AD forest YES YES
Synchronize multiple on-premises AD forests YES YES
Synchronization Based on Agents NO YES
Multiple Agents for High Availability NO YES
Synchronize with LDAP YES NO
Synchronize Users, Groups, Contacts YES YES
Synchronize device objects YES NO
Synchronize Exchange online attributes YES YES
Synchronize extension attributes 1-15 YES YES
Synchronize customer defined AD attributes YES NO
Support for federation YES YES
Seamless Single Sign-on YES YES
Support for Pass-Through Authentication YES NO
Support for Password Hash Sync YES YES
Support for writeback (passwords, devices, groups) YES NO
Azure AD Domain Services support YES NO
Exchange hybrid writeback YES NO

Azure AD Connect cloud provisioning Setup

In this blog post, I am going to demonstrate how to set up Azure AD Connect cloud provisioning with Windows AD. In my demo environment, I already have Windows AD configured with domain M365x620957.onmicrosoft.com

windows active directory configuration

Let’s go ahead and start the configuration process by installing the Azure AD Connect provisioning agent. [Read more…] about How to setup Azure AD Connect cloud provisioning?

Step-by-Step Guide: Azure Active Directory Password-less authentication using SM

As we know, passwords are no longer strong. In Verizon Data Breach Investigations Report (2017), it says, 81% of hacking-related breaches used either stolen or weak passwords. Multi-factor authentication can provide an extra layer of security to the sign-in process but it doesn’t eliminate the requirement for passwords. In one of my previous blog posts, I explain how we can enable Azure Active Directory Password-less authentication by using FIDO2 Security keys. This required additional hardware components. Apart from that method now we also can use SMS to authenticate into Azure Active Directory. The beauty of this method is that you not even need to know your user name to log in. Your phone number will be your user name. This not only reduces the security risk; it also simplifies the complexity in the login process. This feature is still in public preview but it is not too early to test.

Prerequisites

To enable Azure Active Directory Password-less authentication with SMS , we must have the following,

1. Valid Azure Subscription
2. Azure AD Tenant
3. One of the following licenses assign to Azure AD user who going to use this feature,
• Azure AD Premium P1/P2
• Microsoft 365 (M365) F1/F3 or Office 365 F1/F3
• Enterprise Mobility + Security (EMS) E3/E5 or Microsoft 365 (M365) E3/E5
4. Global Administrator Account

Limitation

• SMS based authentication has the following limitations.
• This cant be used with native office applications (except teams)
• SMS based authentication is not compatible with Azure multi-factor authentication
• Can’t’ use with federation. Users only can authenticate in the cloud.

In this post I am going to demonstrate how we can enable SMS based authentication for Azure AD. In my demo setup, I have a user called Debra Berger (DebraB@M365x620957.OnMicrosoft.com). She is using Enterprise Mobility + Security E5 Licences. I am going to enable SMS-based authentication for her account.

Let’s go ahead and enable the SMS based authentication first.

1. Log in to Azure Portal (https://portal.azure.com/) as a Global Administrator
2. Click on Azure Active Directory tile.

azure active directory tile

3. Then in the new window click on Security

azure active directory security settings

4. In the Security page, click on Authentication methods

azure active directory authentication methods

5. Then click on the Authentication method policy (Preview) | Text messages

Authentication method policy text message settings

6. In the new window, click on Yes under ENABLE. Then click on Select users under TARGET. After, click on Add users and groups and select Debra Berger from the list. Leave all other settings in default and click on Save to apply the settings.

enable sms-based authentication [Read more…] about Step-by-Step Guide: Azure Active Directory Password-less authentication using SM

Step-by-Step Guide to Restrict Azure AD Administration portal

In order to manage Azure AD, we use Azure Active Directory option in https://portal.azure.com. By default, any user under Azure AD can access this option event they do not have a Directory role. In my demo setup, I have a user called "Emily Braun". She doesn't have any Directory role assigned. 

Then I log in to Azure portal https://portal.azure.com as the user and then go to Azure Active Directory option. It didn't block me accessing it. 

I can go to All users and see user account details. 

I even can see the Groups memberships details. 

 

Also, can view application assignments. 

As an end user I also can see the Azure AD Connect details. 

[Read more…] about Step-by-Step Guide to Restrict Azure AD Administration portal

Step-by-Step guide to add Additional Local Administrators to Azure AD Joined Devices

I am sure every engineer knows how “Local Administrators” works in a device. If it’s a device in on-premise Active Directory environment, either domain admin or enterprise will need to add it to Administrators group. if it’s a workgroup environment, another user with local administrator privileges will need to add additional users to Administrators group. 

If it is Azure AD join device, Azure Global Administrators and Device Owner have local administrator rights by default. 

localad1

localad2

Azure AD allow to define local administrators in device level. however, this is a global setting. If it is need to handle in device level, still you need to login from an account which already have local administrator rights and then add additional users. 

Let’s see how we can do this. 

1) Log in to azure portal as Global Administrator

2) Then click on Azure Active Directory and the Devices

localad3

3) Then click on Device Settings

localad4

4) By default, Additional local administrators on Azure AD joined devices setting is set to None. click on tab Selected to enable it. 

localad5

5) In my demo, I am going to make user RA886611@therebeladmin.com local administrator for devices. To do that click on Selected option. 

localad6

6) In new window click on Add members to add users. 

localad7

7) From the list find the relevant user and click on it to select. Then click on Select

localad8

8) Then click on OK

localad9

9) Finally click on Save to apply the settings. 

localad10

10) To Test this, I logged in to a Azure Domain Joined Device as RA886611@therebeladmin.com 

localad11

11) Now to test it, I trying to launch PowerShell console as Administrator. If it works, I shouldn’t get login prompt. 

localad12

12) As expected it didn’t ask for admin user name and password as logged in user now have local admin privileges. 

localad13

localad14

13) Also, when needed, using Remove Members option in Local administrators on devices page, we can remove the users from local administrator group. 

localad15

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Manage Azure Active Directory with PowerShell – Part 01

In this series of articles, it which will explain how to use PowerShell to manage your Azure Active Directory instance. In Part 01, I am going to show how to connect with Azure AD using PowerShell and show actions of some day to day operation related commands.

In order to use PowerShell with Azure AD, first we need to install Azure Active Directory Module in local computer. there is two version of Azure active directory PowerShell module. One was made for the Public Preview and the latest one released after announces Azure AD GA. You can download module from http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185

If you had the previous version installed, highly recommended to replace it with the new version.

Once installed let’s check its status.

Get-Module MSOnline

mson1

In order to list down all the commands associate cmdlets with the module we can use

Get-Command -Module MSOnline

mson2

Next step is to connect to Azure AD Instance. In order to do that we can use,

Connect-MsolService

It will prompt for the login details. Please use your Azure DC Admin account details. Please note login via Microsoft account not supported.

First, we can list down all the domain under the given subscription. To do that we can use,

Get-MsolDomain

mson3

As next steps I like to list down all the users in Azure AD Setup.

Get-MsolUser

mson4

It will list down all the Users in the Azure AD.

I also can search for a specific user based on text patterns. In below example I am searching users with Name which match text “Dishan”

Get-MsolUser -SearchString "Dishan"

Idea of my search is to find some object values for this user. I can combine above command to return all the object value.

Get-MsolUser -SearchString "Dishan" | Select-Object *

mson5

Now we know what are the objects been use and I can make more unique search.

Get-MsolUser | Select-Object DisplayName,whenCreated,LastPasswordChangeTimestamp

Above command will list me all the users with Display Name, Date and Time It was created, and Date and Time of Last Password Change Action.

mson6

Get-MsolUserRole another handy cmdlet. It can use to check the role of a user account.

Get-MsolUserRole -UserPrincipalName "dcadmin@REBELADMIN.onmicrosoft.com" | fl

The above command will find the role for the given user account.

mson7

Get-MsolGroup cmdlet can use to list, filter Groups in the Azure AD.

mson8

Using searchstring can search for the groups based on text patterns.

Get-MsolGroup -SearchString "AAD"

mson9

Get-MsolGroupMember can use to list down the members in the group.

Get-MsolGroupMember -GroupObjectId "77a76005-02df-48d5-af63-91a19ed55a82"

mson10

Remove-MsolUser cmdlet can use to remove the user object from the Azure AD. This can combine with searchstring to search for user and then remove the object same time.

Get-MsolUser -SearchString "user2" | Remove-MsolUser

Above command will search for the user object which have display name similar to user2 and then delete it.

mson11

In next post let’s dig further in to cmdlets which can use to manage Azure AD.

If there is any question, please feel free to contact me on rebeladm@live.com