
UPN Change of user not updated in AAD (O365/Intune/other)

When you want to change a user's UPN, under certain conditions this UPN change will not be synchronized to AAD (Office 365/Intune/other). Why?

When you have federated domains for Office 365, or rather AAD in general, and you want to switch your users from one domain to another, you will notice that the object will not replicate anymore to AAD (and thus Office 365). I noticed this a long time ago, and it seems Microsoft now also posted this as a known KB a few weeks ago.


Selective password synchronization with AAD-Connect

In my previous post, I talked about the possibility of using Kerberos Constrained Delegation to avoid having passwords in AAD. However, sometimes you want to have a few passwords in AAD Domain Services to ensure that administrators can still log in to the VMs interactively (RDP), or that users are able to use certain services that are not published with Kerberos or aren't web services.

In this post we will look at editing the configuration of AAD Connect to synchronize the passwords* only of users that have a specific attribute present in AD, so that some users (like administrators) will be able to log in to VMs joined to AAD-DS using their on-premises passwords.

* see note below


ADFS behind Azure Traffic Manager

When you have ADFS hosted on Azure (as per my previous post), you might want to look at using Traffic Manager, and especially at its probes and endpoints.

So, this post is to help you configure ADFS behind Azure Traffic Manager and ensure proper failover when the service becomes unavailable.


AAD-DS + KCD-PT + Federation (or how to avoid passwords on the cloud)

New (and only available within Azure) is Azure Active Directory Domain Services. This service is based on Azure Active Directory and the data replicated into it. It provides Domain Services as a service to subscription administrators and can be very useful for many scenarios where domain services are required, but the security or management of domain controllers in the cloud is a concern.

In many documents, you will see that you need to replicate user password [hashes] into AAD to make it fully work. This post is about how you can avoid that using Kerberos Constrained Delegation with Protocol Transition.


Redundant SRX Junos to Azure VPN with VNET Peering

Ever since playing with BGP I was looking for a way to make redundant tunnels. As the local internet provider here would only allow me a single IP address, I looked at the other side. What if we have two Azure regions that each have a VPN tunnel to my SRX and are peered with each other? Routing would be dealt with by BGP and thus I should be able to connect to both VNETs through each of the VPN tunnels.


Azure Network Architectures (Marketplace FW's)

Many companies struggle with the concept of "cloud networks" and how it relates to their on-premises networks. How do you deploy a firewall in there, with multiple subnets? Do we need multiple VNETs, and what about those subnets? Well, this post is about what you actually need to understand prior to deploying 3rd party firewalls (and/or VNETs), how routing works inside a VNET, and finally the common mistake of comparing an Azure VNET to a Hyper-V/VMware virtual network.


Juniper SRX Junos Azure BGP VPN Tunnel

Hosting applications in Azure usually requires some form of connection to the on-premises networks. You could use Point-to-Site dial-up or ExpressRoute, but Site-to-Site VPNs seem to be the most used technology, and they are certainly cheaper than an ExpressRoute connection.

But what if you want to use multiple links for failover? What if your local firewall fails, or the internet connection itself? Well, that's why Azure supports Multi-Site VPNs. While it is capable of having two tunnels from on-premises to Azure with preferences, there is no automatic failover support. That means that if tunnel 1 goes down, tunnel 2 is NOT automatically activated. You need to disable tunnel 1 in Azure itself and only THEN does tunnel 2 come up. Which is annoying, but there is another way to fully automate this: BGP, the Border Gateway Protocol.


Azure 3rd party firewalls and VPN

A lot of customers on Azure want to use the 3rd party firewalls that are available in the Azure Marketplace. But when it comes to Site-to-Site VPN connections, sometimes it doesn't work as expected, especially when using a different vendor on-premises. Why? Let's find out.


Azure for the Enterprise

Congratulations! You got your Enterprise Agreement enhanced with Azure. Now what's next? You got activation emails and you want subscriptions, but who manages subscriptions? What if the company is rather complex and you don't want the IT admin in charge of all subscriptions, let alone able to view the company's global spending on Azure services? In short, what about Enterprise Governance on Azure in an EA enrollment?

Apart from each service on the cloud following a governance and security model, it is vital that the "cloud" entry points also follow a governance model as determined by the company. After all, while the cloud can encompass many services, it is itself a service too, one that generates invoices which need to be controlled to avoid abuse and to ensure oversight. In this chapter, we describe the Azure model with regards to governance.


ImmutableID – mS-DS-ConsistencyGuid – ADConnect

The good thing about new software is that bugs and 'features' are removed. The bad thing is that sometimes whatever you have blogged about either makes no sense anymore, or, even worse, only half applies from that point on.

So as AADSync was replaced by AD Connect, I got emails about the configuration of mS-DS-ConsistencyGuid in AD Connect not working correctly anymore. So, in order to relieve me from those emails (you can still send them, no worries), but more to make everyone aware of how this works in AD Connect (tested version 1.1.189.0): part two of the mS-DS-ConsistencyGuid as the immutable ID.
