15 Dec

New Azure Active Directory Features Released / Preview

The Azure AD team has announced general availability for some key features in Azure AD as well as new features that are now in preview, including:

Generally available:

  • Password write-back in Azure AD Sync: Users can now change their passwords in the cloud and have the change flow all the way back to your on-premises AD.
  • The Azure AD App Proxy: This proxy makes it easy to give your employees secure access to on-premises applications like SharePoint and Exchange/OWA from the cloud without having to open inbound ports in your DMZ (the on-premises connector only makes outbound connections to the service).

Public preview:

  • Question-based security gates (security questions) for use in password resets
  • Admins can add their own password-SSO-based SaaS apps to Azure AD
  • And probably the most exciting news of all – Administrative Units (AUs). AUs are like OUs modernized for the cloud. They let you sub-divide your Azure Active Directory, enabling the separation of administrative duties and policy creation across a large company.

Also, Azure AD Premium is now available for direct online purchase, using a credit card, in the Office 365 admin portal (you do not need to be an existing Office 365 customer to buy).

More details on the above features can be read here.

09 Dec

Private Cloud Security Considerations Guides

Microsoft has released guides that cover security considerations for a private cloud. The intent of the guides is to provide design considerations and an architectural view for designing effective security within a private cloud environment.

09 Dec

Microsoft Infrastructure as a Service Foundations

Microsoft has released a series of articles that are designed to provide IT departments and cloud service providers with information required to understand, develop, and implement IaaS infrastructures. The articles provide conceptual background that combines Microsoft software, consolidated guidance, and validated configurations with partner technologies such as compute, network, and storage architectures, in addition to value-added software features. Here’s the full list of articles:

09 Dec

Office 365 IMAP Migration Troubleshooter

IMAP migrations are sometimes used by organizations migrating from non-Exchange email systems, such as Google or Notes, to Office 365. IMAP migrations are often cumbersome and troubleshooting issues can be difficult. Microsoft has released an IMAP Migration Troubleshooter to assist customers migrating from IMAP to Office 365. The IMAP Migration Troubleshooter is available as a guided walkthrough, and can be found here.

09 Dec

Office 2013 gets support for Multi-Factor Authentication and SAML identity providers

Microsoft is enabling Multi-Factor Authentication and SAML identity providers for Office 2013. This is achieved through the Active Directory Authentication Library (ADAL). The ADAL-based authentication stack enables the Office 2013 clients to engage in browser-based authentication (also known as passive authentication), where the user is directed to a web page from the identity provider to authenticate rather than handing their password to the Office client. The updated authentication features are available in private preview starting with the November 2014 update.

Here are the scenarios for ADAL-based authentication:

  • MFA for Office 2013 client applications
  • SAML based identity provider sign in
  • Smart card and certificate-based authentication
  • Outlook no longer requires basic authentication

The following post has more details on ADAL and the ADAL-based scenarios.
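As an added example (not code from the original post or from Microsoft's announcement), here is how the ADAL-based stack is switched on for an Office 2013 client once an Office 2013 update that carries ADAL support is installed. The registry path and value names are the ones Microsoft documented for Office 2013 modern authentication; that your build honours them, and that the tenant side (Exchange Online modern authentication) is already enabled, are assumptions.

```powershell
# Added example, not code from the original post or from Microsoft.
# Turns on the ADAL-based (modern) authentication stack for Office 2013 for the
# current user, with a disable and a verification function alongside it.
# Assumes an Office 2013 build with ADAL support is installed; the path and value
# names are those Microsoft documented for Office 2013 modern authentication.
$IdentityKey = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'

function Enable-Office2013AdalAuth {
    if (-not (Test-Path -Path $IdentityKey)) {
        New-Item -Path $IdentityKey -Force | Out-Null
    }
    # EnableADAL=1 switches the client to the ADAL stack; Version=1 selects the
    # new identity stack. Both are REG_DWORD values.
    New-ItemProperty -Path $IdentityKey -Name 'EnableADAL' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $IdentityKey -Name 'Version'    -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-Office2013AdalAuth {
    # Revert to the legacy authentication stack by removing the two values.
    Remove-ItemProperty -Path $IdentityKey -Name 'EnableADAL', 'Version' -ErrorAction SilentlyContinue
}

function Test-Office2013AdalAuth {
    # $true only when both values exist and are set to 1.
    $p = Get-ItemProperty -Path $IdentityKey -ErrorAction SilentlyContinue
    return [bool]($p -and $p.EnableADAL -eq 1 -and $p.Version -eq 1)
}

Enable-Office2013AdalAuth
if (Test-Office2013AdalAuth) {
    'ADAL-based authentication enabled for Office 2013. Restart the Office clients.'
} else {
    'The identity values were not written; check permissions on HKCU.'
}
```

The practical check after restarting Outlook or Word is that sign-in now opens the browser-based identity-provider page instead of the old basic credential prompt, which is exactly the behaviour the scenarios above describe. The values only affect Office 2013 (the 15.0 hive); they are per user, so for a fleet they belong in a Group Policy preference rather than a logon script.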

02 Nov

New MDM capabilities coming to Office 365

Microsoft recently announced new Mobile Device Management (MDM) capabilities that will be coming to Office 365, including:

  • Help secure and manage corporate resources — Apply security policies on devices that connect to Office 365 to ensure that Office 365 corporate email and documents are synchronized only on phones and tablets that are managed by your company.
  • Apply mobile device settings—Set and manage security policies such as device level pin lock and jailbreak detection on devices to help prevent unauthorized users from accessing corporate email and data when a device is lost or stolen.
  • Perform a selective wipe of Office 365 data—Remove Office 365 corporate data from a device when an employee leaves your organization, while leaving their personal data, photos and apps intact.
  • Preserve Office 365 productivity experience—Unlike third-party MDM solutions that have replaced productivity apps with restrictive all-in-one apps for corporate email, calendars and documents, MDM for Office 365 is built directly into the productivity apps your employees know and love. You can set access policies to help secure company data while keeping employees productive.
  • Manage policies with ease—Administer mobile device policies directly from within the Office 365 administration portal, through an easy to use interface with wizard-based set up. View reports on which devices are connected to Office 365 and identify devices that have been blocked due to non-compliance.

These new MDM capabilities, set to roll out in the first quarter of 2015, will help you manage access to Office 365 data across a diverse range of phones and tablets, including iOS, Android and Windows Phone devices.

The announcement can be found here.

02 Nov

Free Office 365 Performance Management Course

Microsoft published a new course on Office 365 Performance Management at the Microsoft Virtual Academy, which contains 11 modules across planning and troubleshooting areas including:

  1. Office 365 Performance Management Course Introduction
  2. Office 365 Datacenters and Network
  3. Planning for Office 365 Internet Capacity – Exchange Online
  4. Planning for Office 365 Internet Capacity – Lync Online
  5. Planning for Office 365 Internet Capacity – SharePoint Online
  6. The Baselining Model for Internet Capacity Planning
  7. Best Practices & Real Customer Projects Planning Internet Capacity
  8. Planning for Office 365 Firewalls Whitelisting
  9. Performance Troubleshooting Process and Tools Used
  10. Performance Troubleshooting Tests
  11. Troubleshooting SharePoint Online Customizations
The course can be found here.

22 Sep

Azure Active Directory Integration Feature Comparison

With Microsoft’s recent release of Azure Active Directory Sync (AAD Sync), there are now three options for synchronizing your directory with Azure Active Directory, including:

  • Azure Active Directory Synchronization Tool (DirSync)
  • Azure Active Directory Synchronization Services (AAD Sync)
  • Forefront Identity Manager 2010 R2 (FIM)

The release of AAD Sync is significant for organizations that have multiple forests or multiple Exchange organizations and want to use a single tenant. AAD Sync is expected to replace DirSync. However, there are feature differences between the tools, and some DirSync features are not yet supported in AAD Sync (specifically, Password Hash Sync).

For a complete comparison of features between the Azure Active Directory Integration options, go here.

20 Sep

Group-based License Management comes to Azure AD and EMS

You can now assign licenses to a security group, and Azure AD will automatically assign those licenses to all members of the group. If a user is subsequently added to, or removed from, the group, the license is automatically assigned or removed as appropriate.

You can use groups that you synchronize from on-premises AD or that you manage in Azure AD. Pairing this with Azure AD Premium Self-Service Group Management, you can delegate license assignment to the appropriate decision makers, and problems like license conflicts and missing location data are sorted out automatically.

For more information, refer to this post.

20 Sep

Azure Active Directory Basic Released

Microsoft released Azure Active Directory (AAD) Basic last week. AAD Basic bridges a gap between Azure AD (Free) and Azure AD Premium. It is geared towards deskless employees, who typically do not have an office or a corporate PC. Microsoft views retail store employees, baristas, and bank tellers (and other similar roles) as those that fit this profile. Most of these employees were never even represented in the organization's on-premises Active Directory, as they didn't use a PC or access corporate applications. AAD Basic provides essential features like company branding, group-based application access and self-service password reset.

For a complete comparison of features between AAD Free, AAD Basic, and AAD Premium, go here.

Note: AAD Basic is available for purchase through the volume-licensing channel.

20 Sep

Azure Active Directory Synchronization Services Released

Microsoft released Azure Active Directory Synchronization Services (AAD Sync) last week. AAD Sync is a replacement for DirSync, and comes with some welcome new features such as multi-forest support. Finally, we now have the ability to connect a single tenant to multiple Active Directory forests. Here's a list of the new functionality introduced by AAD Sync:

  • Active Directory and Exchange multi-forest environments can be extended now to the cloud.
  • Control over which attributes are synchronized based on desired cloud services.
  • Selection of accounts to be synchronized through domains, OUs, etc.
  • Ability to set up the connection to AD with minimal Windows Server AD privileges (DirSync's setup required Enterprise Admin credentials).
  • Setup synchronization rules by mapping attributes and controlling how the values flow to the cloud.
  • Preview: write-back of AAD Premium password changes and resets to on-premises AD.

Some of the features coming to AAD Sync include:

  • Extended attributes
  • Write-back of users, devices and groups
  • Support for non-AD directories.

AAD Sync can be downloaded here.

26 Jun

Azure Tenant Deletion

Microsoft recently re-enabled the ability for customers to delete Azure AD directories (tenants). This was possible in the early days of Office 365 but was later disabled until more safeguards were implemented to prevent the accidental deletion of tenants. To delete a directory in Azure, the following conditions must be met:

  • The only user in the directory is the global administrator who will delete the directory. Any other users must be deleted before the directory can be deleted. If users are synchronized from on-premises, then sync will need to be turned off, and the users must be deleted in the cloud directory by using the Management Portal or the Azure module for Windows PowerShell. There is no requirement to delete groups or contacts, such as contacts added from the Office 365 Admin Center.
  • There can be no applications in the directory. Any applications must be deleted before the directory can be deleted. Note: It is not possible to delete a directory if an application has been added from the Azure AD Application Gallery, even if that application is subsequently deleted. Microsoft has said it is working to remove this limitation.
  • There can be no subscriptions for any Microsoft Online Services such as Microsoft Azure, Office 365, or Azure AD Premium associated with the directory. For example, if a default directory was created for you in Azure, you cannot delete this directory if your Azure subscription still relies on this directory for authentication. Similarly, you cannot delete a directory if another user has associated a subscription with it. To associate your subscription with a different directory, click Settings -> Subscriptions -> Edit Directory. For more information about Azure subscriptions, see How Azure subscriptions are associated with Azure AD.
  • No Multi-Factor Authentication providers can be linked to the directory.
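
An added example, not from the original post: a pre-flight check in the Azure Active Directory module for Windows PowerShell (the MSOnline cmdlets) that tests the user, sync and subscription conditions above before you attempt the deletion in the portal, and optionally turns off directory sync and deletes the other cloud users. It assumes you have already run Connect-MsolService as the global administrator who will remain; the function name, parameter names and the sample UPN are mine. The Azure-subscription association and the MFA-provider check are not exposed by these cmdlets, so they are reported as portal-only checks.

```powershell
# Added example, not code from the original post. Requires the Azure AD module
# for Windows PowerShell (MSOnline) and a prior Connect-MsolService as the
# global administrator who will delete the directory (assumed).
function Test-AzureADDirectoryDeletable {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # UPN of the global administrator that stays behind to delete the directory
        [Parameter(Mandatory)] [string] $AdminUpn,

        # Also turn off directory sync and delete every other cloud user
        [switch] $RemoveOtherUsers
    )

    $blockers = @()

    # Condition 1a: synchronized users cannot be deleted in the cloud while
    # directory synchronization is still enabled.
    $company = Get-MsolCompanyInformation
    if ($company.DirectorySynchronizationEnabled) {
        if ($RemoveOtherUsers -and $PSCmdlet.ShouldProcess($company.DisplayName, 'Disable directory sync')) {
            Set-MsolDirSyncEnabled -EnableDirSync $false -Force
        } else {
            $blockers += 'Directory synchronization is still enabled'
        }
    }

    # Condition 1b: only the deleting global administrator may remain.
    # Groups and contacts do not have to be removed, so they are not examined.
    $otherUsers = @(Get-MsolUser -All | Where-Object { $_.UserPrincipalName -ne $AdminUpn })
    if ($otherUsers.Count -gt 0) {
        if ($RemoveOtherUsers) {
            foreach ($u in $otherUsers) {
                if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, 'Remove-MsolUser')) {
                    Remove-MsolUser -ObjectId $u.ObjectId -Force
                }
            }
        } else {
            $blockers += "$($otherUsers.Count) other user(s) present: $($otherUsers.UserPrincipalName -join ', ')"
        }
    }

    # Condition 2: no applications. The cmdlet also returns Microsoft's own
    # first-party service principals, so the list is returned for review
    # rather than counted as a blocker.
    $servicePrincipals = Get-MsolServicePrincipal -All | Select-Object DisplayName, AppPrincipalId

    # Condition 3: no Microsoft Online Services subscriptions. Azure subscriptions
    # that use this directory for sign-in are not visible through these cmdlets;
    # check Settings -> Subscriptions in the Azure portal.
    $subs = @(Get-MsolSubscription)
    if ($subs.Count -gt 0) {
        $blockers += "Subscription(s) still associated: $(($subs | ForEach-Object { "$($_.SkuPartNumber) ($($_.Status))" }) -join ', ')"
    }

    # Condition 4 (MFA providers) has no MSOnline cmdlet; verify it in the portal.
    [pscustomobject]@{
        ReadyToDelete             = ($blockers.Count -eq 0)
        Blockers                  = $blockers
        ServicePrincipalsToReview = $servicePrincipals
        PortalOnlyChecks          = @('Azure subscriptions that sign in through this directory',
                                      'Multi-Factor Authentication providers linked to the directory')
    }
}

# Usage (sample UPN is assumed): report first, then act with -WhatIf before doing it for real.
# Test-AzureADDirectoryDeletable -AdminUpn 'admin@contoso.onmicrosoft.com'
# Test-AzureADDirectoryDeletable -AdminUpn 'admin@contoso.onmicrosoft.com' -RemoveOtherUsers -WhatIf
```

Two caveats a practitioner should expect: turning off directory synchronization is not instantaneous (Microsoft documents up to 72 hours), so deleting formerly synced users can fail until it completes, and deleting users this way is destructive, which is why the function reports by default and honours -WhatIf when -RemoveOtherUsers is given.
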

06 Jun

Understanding Azure Active Directory

With the popularity of Office 365, and its use of Azure Active Directory (AD), I get a fair amount of questions pertaining to Azure AD. I thought I'd put together a post that provides an overview of Azure Active Directory, what it is, and what it isn't.

Azure AD is used to manage access to Microsoft cloud applications, such as Azure and Office 365, as well as non-Microsoft Software as a Service (SaaS) applications. Azure AD is separate from your on-premises AD; it is not a replacement.

You can synchronize your on-premises AD with Azure AD so that user attributes and password hashes are consistent between the two directories. Effectively, users can use the same credentials to access on-premises resources and cloud-based resources. With password sync, what is sent to Azure AD is a hash of the on-premises password hash; the cleartext password never leaves your network.

Azure AD can be used to provide a single sign-on experience across Microsoft cloud applications, such as Azure and Office 365, and non-Microsoft SaaS applications. Users can leverage a personalized web-based Access Panel to launch cloud applications.

Azure AD supports Azure Multi-Factor Authentication, an additional offering from Microsoft, which supports verification via mobile apps, phone calls and text messages.

Beyond the above features, Microsoft has a premium version of Azure AD – called Azure AD Premium. The additional features available in Azure AD Premium include:

  • Self-service password reset
  • Self-Service Group Management
  • Group-based provisioning and access management to SaaS applications
  • Company branding
  • Advanced Security Reports and Alerts
  • Usage Reports
  • Enterprise-scale SLA
  • In addition, Azure Multi-Factor Authentication for cloud and on-premises applications is included with Azure AD Premium. Azure AD Premium also grants you entitlements to Forefront Identity Manager Server and CALs.

There are some limitations with the free version of Azure AD that do not apply to Azure AD Premium. Specifically:

  • Maximum of 500,000 objects in free Azure AD; no object limit in Azure AD Premium.
  • Up to 10 apps per user can reside in the Access Panel portal for SSO-based user access to SaaS; no app limit in Azure AD Premium.

For a full comparison of features between the free Azure AD and Azure AD Premium, see http://msdn.microsoft.com/library/azure/dn532272.aspx

29 Apr

Exchange, Lync, SharePoint, and Office 365 Guided walkthroughs

Here is a consolidated list of guided walkthroughs for Exchange, Lync, SharePoint, and Office 365. Guided walkthroughs fall into one of two categories: “troubleshooter” and “how-to”. A “troubleshooter” guided walkthrough helps you diagnose and resolve issues in your environment. A “how-to” guided walkthrough contains step-by-step information to help you perform a task, such as setting up a particular aspect of your environment.

The consolidated list can be found here.

29 Apr

Microsoft Adds more storage for OneDrive for Business and helps with data migration

Microsoft announced enhancements to OneDrive for Business, which are focused on data. Specifically:

  – Increased storage from 25GB to 1TB per user.
  – All Office 365 ProPlus customers will get 1TB of OneDrive for Business storage per user as part of their Office 365 ProPlus subscription.
  – Microsoft will help organizations migrate data from their existing solutions to OneDrive for Business.

More details can be read here.

22 Apr

Azure AD Sync – Replacement for DirSync

Microsoft has released a preview of the new Azure AD (AAD) Sync. AAD Sync is a newly created “one sync service to rule them all”. In the first preview, Microsoft is focusing on the demand from large clients: enabling synchronization from multi-forest Windows Server AD deployments. Within the next 6-8 months AAD Sync will replace DirSync, likely at no additional charge to Azure AD, Office 365, and Microsoft customers. Future versions of AAD Sync will expand on the capabilities of DirSync (support for combinations of directories and the ability to remap and swizzle on-premises attributes). Additionally, AAD Sync will enable Azure AD Premium customers to do things like self-service group management.

The AAD Sync Preview allows you to:

  • Onboard your multi-forest Active Directory deployment to AAD
  • Use advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes (only 7!)
  • Configure multiple on-premises Exchange organizations to map to a single AAD tenant

17 Apr

Exchange Server Deployment Assistant Updated

Microsoft has updated the Exchange Server Deployment Assistant, a free web-based tool that helps you deploy Exchange 2013 or Exchange 2010 in your on-premises organization, configure a hybrid deployment between your on-premises organization and Office 365, or migrate completely to Office 365. The updates to the Exchange Server Deployment Assistant include:

  • Support for the Exchange 2013 Edge Transport server role in all on-premises and hybrid deployment scenarios
  • Support for the new, automated process for requesting an Exchange 2013 or Exchange 2010 Hybrid Edition product key

16 Apr

Microsoft White Paper: Technical Considerations for Choosing Cloud-Based Productivity Solutions

Microsoft released a white paper that provides technical considerations for choosing Office 365, questions you should ask other cloud hosting providers before choosing their services, and challenges some customers might face when choosing Google as their cloud productivity services provider. It’s definitely worth a read. The white paper can be found here.

03 Apr

MVP Again for 2014

I found out this week that I was awarded the Microsoft Most Valuable Professional (MVP) designation for 2014. This is the 7th year that I have been designated as a Microsoft MVP in the Directory Services expertise.

03 Apr

Azure Active Directory Premium Released

Azure Active Directory Premium is now Generally Available. Azure Active Directory Premium is a service targeted at large enterprises and is available through volume licensing and/or an enterprise agreement. It is also available as part of Microsoft’s new Enterprise Mobility Suite (EMS), which includes Intune and Azure RMS as well.

Azure Active Directory Premium provides the following:

  • Application access management for users and groups
  • Self-service password reset
  • Self-service group management
  • Multi-factor authentication
  • Customized company branding
  • Rich security monitoring, analytics, alerts and reporting

01 Apr

OneDrive for Business now available as a Standalone Service

Microsoft has made OneDrive for Business available as a standalone service. From Microsoft:

The new OneDrive for Business standalone plan is available via two promotional deals over the next six months, starting today, April 1st, through September 2014. *
Here are the pricing details for the standalone plan:

  – Introductory promotional pricing: $2.50 per user per month (a 50% discount on standard pricing, $5 per user per month).*
  – For customers with Office with Software Assurance (SA) or Office 365 ProPlus: $1.50 per user per month.

OneDrive for Business comes with most Office 365 and SharePoint Online plans at no additional cost. Customers who are already using Office 365 and OneDrive for Business today do not need to do anything – just keep loving it.