Microsoft @ EduGeek Conference 2014 (EDIT) - Azure AD & Office 365 Updates


I had the pleasure of presenting at the EduGeek Conference 2014 in Preston, where I gave a brief overview of Microsoft Azure Active Directory and RemoteApp. I wanted to follow up with an article that covers what I spoke about, provides you with further information, and lists some events and regular conference calls that I would recommend you get involved with should you get the chance in the near future.

Office 365 Updates

Over the next few weeks you will start to see a bunch of changes deployed to the Office 365 Management Portal. These updates are intended to let you carry out common administrative tasks in a more streamlined and efficient way, and to get what you need done faster.

You can find some screenshots of the updates that are to come here:

[Screenshots: Office 365 admin portal May update, 1 to 3]

More information can be found on the Office 365 Blog: https://blogs.office.com/2014/05/21/simplifying-the-office-365-admin-experience/

Furthermore, you may have recently seen the announcement regarding the increase in storage for OneDrive for Business customers. Currently you are allocated a 25GB storage limit, and this is being increased to a massive 1TB per user! :-)

Azure Active Directory Premium

Microsoft announced the general availability of Azure Active Directory Premium on March 27th, and this new 'premium' service allows you to do so much more with your Azure Active Directory. I'm excited to go through the following features with you and to provide further information on how to go about deploying them in your environment.

  • Company Branding
  • Self Service Password Reset (SSPR)

If you set up company branding, this is an example of what the sign-in page would look like for your users:

[Screenshot: company-branded Azure AD sign-in page]

If you were to forget your password for signing in to online services, and you have SSPR activated for user accounts, these are the steps you would follow in order to reset it:

[Screenshots: SSPR stages 1 to 5]

Sync & Identity Federation Developments

Over the past few weeks we have had some superb developments in the Azure AD Sync space with the announcement of AAD Sync (Azure Active Directory Sync). This brings some great new features to the field, such as:

  • Multi-Forest Support
  • Password Write-Back
  • Advanced Provisioning, Mapping & Filtering Rules
  • Multiple on-premises Exchange organizations to a single AAD

We have also introduced support for 'Backup Password Hash'. If you are using federated identity at present, you will be aware that should your AD FS service become unavailable, your users will no longer be able to access federated services such as Office 365, because the authentication endpoint is no longer available. To prevent downtime in this case, backup password hash lets you configure Password Sync on your Directory Sync server, so that the password hashes are synchronized and kept up to date in Azure Active Directory. Should your federated identity provider become unavailable, you can then switch your domain namespace over to MANAGED, and your users will authenticate using the password hash that has been synchronized.
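The failover described above, as an added example (not code from the original post or from Microsoft): it checks that password hashes are actually flowing before switching the namespace to managed, and keeps the federation settings so the domain can be federated again later. It assumes the MSOnline module, a global administrator sign-in, and contoso.com as the federated domain; all of these are placeholders.

```powershell
# Added example: fail a federated domain over to managed (password hash)
# authentication during an AD FS outage, with pre-flight checks.
# Assumptions: MSOnline module installed, global administrator credentials,
# and contoso.com is the federated namespace (placeholder).
Import-Module MSOnline
Connect-MsolService           # prompts for global administrator credentials

$DomainName = 'contoso.com'   # assumption: the federated domain
$MaxSyncAge = [TimeSpan]::FromHours(3)

# 1. Password Sync must be on and recent, otherwise users will have no
#    synchronized hash to authenticate against once the domain is managed.
$company = Get-MsolCompanyInformation
if (-not $company.PasswordSynchronizationEnabled) {
    throw 'Password Sync is not enabled on the Directory Sync server; cannot fail over.'
}
$age = (Get-Date).ToUniversalTime() - $company.LastPasswordSyncTime
if ($age -gt $MaxSyncAge) {
    throw "Last password sync was $([int]$age.TotalHours)h ago; hashes may be stale."
}

# 2. Only act on a domain that is currently federated, and save its
#    federation settings so it can be converted back once AD FS is healthy.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') {
    throw "$DomainName is already $($domain.Authentication); nothing to do."
}
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Export-Clixml -Path "$env:TEMP\$DomainName-federation.xml"

# 3. Switch the namespace to managed. Sign-in now uses the synchronized hash,
#    so any controls enforced only at AD FS (MFA, client access policies)
#    do not apply until the domain is federated again.
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed

# Confirm the change took effect.
Get-MsolDomain -DomainName $DomainName | Select-Object Name, Authentication
```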

AlternateLoginID

Users can sign in to Active Directory Federation Services (AD FS)-enabled applications using any form of user identifier that is accepted by Active Directory Domain Services (AD DS). These include User Principal Names (UPNs) (johndoe@contoso.com) or domain-qualified SAM account names (contoso\johndoe or contoso.com\johndoe).

Oftentimes, you want your end users to only be aware of and know their email addresses when signing in. However, for various reasons your AD DS environment is sometimes not able to ensure that user UPNs match their email addresses. Also, SaaS providers such as Office 365 with Azure Active Directory (AAD) require user login IDs to be fully internet-routable, since non-routable domain names cannot be verified. In other words, if your on-premises UPNs use non-routable domains (e.g. "contoso.local", "fabrikam"), or you cannot change your existing UPNs to match your cloud domain because of application dependencies on your on-premises UPN, you cannot use your on-premises UserPrincipalNames to authenticate your users with AAD.

To solve this problem, you can enable the alternate login ID functionality. This lets you configure a sign-in experience where the login ID is an attribute of the user object in AD DS other than the UPN.

The TechNet article on how to configure this can be found here: https://technet.microsoft.com/en-us/library/dn659436.aspx
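As an added example (not code from the original post or from the TechNet article above), this script checks that the attribute you intend to use as the alternate login ID is populated, unique and in the verified cloud domain before enabling it on AD FS. It assumes contoso.local as the on-premises forest, contoso.com as the verified AAD domain, and the 'mail' attribute as the sign-in name; all three are placeholders.

```powershell
# Added example: validate the alternate login ID attribute, then enable it.
# Assumptions (placeholders): forest contoso.local with non-routable UPNs,
# routable sign-in names in 'mail', contoso.com verified in AAD.
# Run on the primary AD FS server with the ActiveDirectory and ADFS modules.
Import-Module ActiveDirectory
Import-Module ADFS

$LookupForest = 'contoso.local'   # assumption: on-premises forest
$CloudDomain  = 'contoso.com'     # assumption: verified cloud domain
$Attribute    = 'mail'            # attribute that becomes the sign-in name

# 1. Every enabled user needs a value, and it must be unique in the forest,
#    or AD FS cannot resolve a sign-in name to exactly one account.
$users = Get-ADUser -Filter * -Server $LookupForest -Properties $Attribute |
         Where-Object { $_.Enabled }

$missing = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.$Attribute) })
$dupes   = @($users | Where-Object { $_.$Attribute } |
             Group-Object { $_.$Attribute.ToLower() } |
             Where-Object { $_.Count -gt 1 })

# 2. Values must sit in the domain AAD has verified; a value ending in
#    contoso.local would be rejected just like a non-routable UPN.
$offDomain = @($users | Where-Object {
    $_.$Attribute -and ($_.$Attribute.Split('@')[-1] -ne $CloudDomain)
})

if ($missing.Count -or $dupes.Count -or $offDomain.Count) {
    Write-Warning ("Fix before enabling: {0} users without '{1}', {2} duplicated values, {3} users outside {4}" -f $missing.Count, $Attribute, $dupes.Count, $offDomain.Count, $CloudDomain)
    return
}

# 3. Make AD FS accept the attribute as the sign-in name for the local AD
#    claims provider, then read the setting back to confirm it applied.
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' `
    -AlternateLoginID $Attribute -LookupForests $LookupForest

Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' |
    Select-Object Name, AlternateLoginID, LookupForests
```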

Cloud Application Identity

If you are an Office 365 customer you may not be aware of it, but the identity platform that you use as part of this service is actually Windows Azure Active Directory. This means that you can benefit from all of the 'FREE' features that come with Azure Active Directory, and likewise from the premium features if you purchase Azure Active Directory Premium. You can review the differences between the two versions here:

https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx

Many organizations rely upon software as a service (SaaS) applications such as Office 365, Box and Salesforce for end user productivity.

Historically, IT staff had to individually create and update user accounts in each SaaS application, and users had to remember a password for each SaaS application. The application access enhancements for Windows Azure Active Directory introduce security and access governance controls that enable IT to centrally manage users' access across SaaS applications.

Windows Azure AD enables easy integration to many of today’s popular SaaS applications; it provides identity and access management, and delivers an access panel for users where they can discover what application access they have and single sign-on (SSO) to access their applications.

The architecture of the integration consists of the following four main building blocks:

  • Single sign-on enables users to access their SaaS applications based on their organizational account in Windows Azure AD
  • Account sync enables user provisioning and deprovisioning into target SaaS based on changes made in Windows Server Active Directory and/or Windows Azure AD
  • Centralized application access management in the Windows Azure Management Portal enables single point of SaaS application access and management
  • Unified reporting and monitoring of anomalous user activity in Windows Azure AD

You can find out more information about this here: https://msdn.microsoft.com/en-us/library/azure/dn308590.aspx

Tenant Deletion

Tenant deletion has arrived in Windows Azure Active Directory, part of Microsoft Azure, and I am sure it is one feature that MANY of you out there have been waiting for. You know the situation: you went ahead and created that randomly named directory during signup, or a colleague signed up on the company's behalf and their directory was named incorrectly, so you created a new one, but the old one stayed around like a bad smell... because it was not possible for you to delete a directory instance!

I wrote an article about this a few weeks ago and you can find that here: https://www.edutech.me.uk/active-directory/how-to-delete-windows-azure-active-directory-waad/

Accidental Delete

Accidental deletions can have a huge negative impact on your environment, especially if they are synchronized to your Azure Active Directory. One indicator of accidental deletions is a high number of staged deletions.
To minimize the impact of accidental deletions, the Directory Sync tool provides a feature that enables you to set a threshold for staged deletions. If the number of staged deletions exceeds your configured threshold, the Directory Sync tool considers the staged deletions to be accidental or unwanted. In this case, none of the staged deletions in that processing cycle are synchronized to Azure Active Directory.

To enable this feature, you use the directory synchronization Windows PowerShell cmdlet, which is installed when you install the Directory Sync tool. Perform the following steps:

  1. On the computer that is running the Directory Sync tool, navigate to the directory synchronization installation folder.
    By default, it is located here: %programfiles%\Windows Azure Active Directory Sync (the location depends on the version you have installed).
  2. Double-click DirSyncConfigShell.psc1 to open a Windows PowerShell window with the cmdlets loaded.
  3. In the Windows PowerShell window, type the following and then press ENTER:
    Set-PreventAccidentalDeletes -Enable -ObjectDeletionThreshold <Integer>

Azure RemoteApp - Preview

A few weeks ago Microsoft announced Azure RemoteApp, which is currently in preview. You can try it out today by downloading the Remote Desktop application for your mobile device, or by browsing to https://www.remoteapp.windowsazure.com/, clicking on Experience RemoteApp, and then downloading the RemoteApp client for Windows [or for your device].

[Screenshot: RemoteApp experience page]

Once you have installed the RemoteApp Client you will be prompted with the following window:

[Screenshot: RemoteApp welcome window]

If you select 'Get Started' and, for the purposes of a demo, sign in with your Microsoft Account, you will be logged in for a short period of time to try out the service. Once you have authenticated you will be presented with the following screen.

[Screenshot: RemoteApp application list]

You can then go ahead and run an application [these 3 are test applications only].

The great thing about RemoteApp is that the management is all done via the Management Portal, whereas traditionally, if you were to set this up on-premises, you would have to administer it via a Server Manager snap-in. In terms of the applications, you will need to ensure they can run on the Windows Server 2012 R2 x64 server operating system. Furthermore, you also have the benefit of running the infrastructure either in Cloud Only mode or, if there is an on-premises element to the application, in Hybrid mode.

If you wish to try this out in more detail, then I recommend you sign up for the RemoteApp Preview. To do this, sign in to your Azure account administration and select Preview Features: https://account.windowsazure.com/PreviewFeatures


 

I hope that you found this information useful, and if you attended the conference physically or virtually, I also hope you found my session of use. Should you have any further questions, please be sure to let me know.

I look forward to speaking with any of you in the future,

Many Thanks,

James.