Azure AD

Azure AD

Azure AD

For companies who migrated to Azure before the pandemic, the cloud was the silver lining


In challenging times, innovative companies don’t panic, they pivot.

So when the coronavirus traveled the globe, disrupting everything from grocery shopping to tax preparation, resilient companies around the world responded with ingenious solutions that ensured the safety of their employees, met the needs of their customers and kept their IT operations humming.

For some, it meant quickly enabling employees to work from home instead of at the office, while others rushed to re-engineer their supply chains, so their customers could continue to buy the products they needed to stay safe and healthy. Their solutions were custom but the step that allowed them to react so rapidly was common: They had migrated their operations to Microsoft Azure.

Even before COVID-19, companies were hungry to enable secure remote work, achieve operational efficiency, address IT budget constraints and accelerate innovation, and migrating to the cloud was the critical first step to unlocking those accomplishments.

“Azure has always helped our diverse customers adapt to new ways of doing business,” says Jeremy Winter, director, Azure management and migration.

“While some are moving beyond crisis mode and others look to the cloud to stay resilient, we’re seeing an acceleration in business’ cloud migrations. We’ve spent a lot of time with customers who are both considering and executing migrations and understand the challenges they are facing. We also recognize that our customers are counting on us more than ever to recover and ultimately transform.”

Here’s how a handful of those Microsoft customers discovered during the health crisis that the cloud didn’t just have a silver lining – it was the silver lining.

A technician from Actavo arrives at a customer's home.


Dublin, Ireland-based Actavo is a multi-disciplinary, global engineering services business that designs, builds and maintains the vital infrastructure we rely on every day.

Among their many services, they design, construct and maintain networks for the telecommunications and utilities industries; design, construct and install modular buildings; provide scaffold and rope access solutions along with the installation of insulation and removal of asbestos in the industrial sector; and provide hundreds of in-home technicians to companies who provide residential services like gas boiler repair, satellite installation or broadband internet installation to a half-million homes every year.

With so many essential industries relying on their round-the-clock support, even before the pandemic Actavo sought to increase operational efficiency and improve agility by migrating to Azure.

“Moving to the cloud gave us the versatility to be able to scale up and scale down in any country where we needed to operate, but it also gave us the robustness from a disaster recovery perspective,” says Willie Ryan, global Environmental Health and Safety and IT director.

A novel coronavirus may not have been the disaster that Actavo had in mind, but when it arrived, the decision to migrate to the cloud proved even more valuable. With the new, versatile infrastructure in place, Actavo was able to quickly pivot to remote work for its employees, ensuring that they could continue to support their clients around the world.

“We’ve got a very solid platform, and that was quite evident as we came through COVID and the pandemic, in terms of, we moved from an on-prem operation to everybody working from home, seamlessly, quickly, easily, without any major headaches,” Ryan says.

“Within the space of a week we were able to tick a box that said, ‘If lockdown comes, we’re ready to go.’ The lockdown announcement came at five o’clock on a Friday afternoon. We actually had everybody that needed to be working at home, working at home on Monday morning.”

Silvan Schriber, head of corporate development for Additiv


Additiv partners with the world’s leading financial institutions to help them digitalize their wealth management activities. Their ability to advocate for change and innovation in an industry that is highly regulated is dependent on building trust with their clients by adhering to the highest standards of security and compliance.

So when the company moved its enterprise software offering for its clients to the cloud, they worked with Microsoft to ensure a seamless transition that would strictly adhere to regulations across multiple locations – a prerequisite for a global company that is headquartered in Switzerland and has offices and clients on three continents.

Now, Additiv can offer its clients innovative, flexible software-as-a-service solutions that can scale easily and that adapt to their specific needs, no matter where they’re located. “Digital collaboration means breaking down these virtual borders, and Azure allowed us to integrate better so that our clients can provide a holistic solution to their customers out of the cloud,” says Silvan Schriber, head of corporate development.

“The benefits of Azure for Additiv are 100 percent trust that the solutions adhere in each location to regulations,” he adds. “So it helps us in centrally managing our solutions and placing them in each country of our clients, with virtually the click of a button.”

That consistency and efficiency will be critical as Additiv’s financial services customers increasingly embrace digital strategies and omni-channel distribution to reimagine their businesses post-pandemic.

“The pace of change pre-pandemic was rapid, but there’s no reason to think these trends won’t accelerate post-pandemic,” the company writes in a report published earlier this year. “… the companies that are faring best are those that are either digitally native or have invested the most in digital.”

An Albertsons storefront.
Azure migration helps Albertsons Companies deliver a better shopping experience. (Photo courtesy of Albertsons Companies)

Albertsons Companies

Long before this past spring, people were changing the way they shop for groceries, and Albertsons Companies – one of the largest food and drug retailers in the United States with some 2,200 stores operating under banners including Albertsons, Safeway and Vons – was evolving along with them.

“I believe that every customer – from millennials to baby boomers – is transforming how they shop,” says Ramiya Iyer, senior vice president of Data, Digital & Merchandising at Albertsons Companies. “The retail industry is undergoing its own transformational journey to meet customers where they are and be relevant to them. It’s imperative that we do that to succeed and grow as a business.”

To stay competitive and give customers the modern, convenient shopping experience they had come to expect, Albertsons migrated from an aging on-premises server farm to Microsoft Azure.

The move allowed them to take advantage of artificial intelligence (AI) and cognitive services, and empowered an environment where developers can innovate and efficiently test new ideas, propelling Albertsons to introduce apps that make shopping faster and more convenient.

“With Azure, we can bring new ideas to market faster and deliver releases on shorter time cycles,” says Param Deivreddy, vice president, IT architecture. “We think Azure also encourages exploration and innovation, because you don’t have to spend a huge amount on infrastructure to quickly test a new idea.”

The company’s easy-to-use apps offer the kinds of personalized and streamlined experiences digitally savvy shoppers demand, allowing them to create shopping lists, easily find the products they want, skip long check-out lines, even save time at the fuel pump by claiming rewards, activating the pump and paying for gas with a tap of the phone.

“Grocery shopping shouldn’t be a chore,” says Iyer. “We want to provide our customers with a totally frictionless experience that lets them enjoy the food they’re putting on the table with a minimum of fuss and stress.”

An H&R Block storefront.
Cloud computing allows H&R Block to ramp up during tax season and enables employees to serve customers from home. (Photo courtesy of H&R Block)

H&R Block

Few things in life are certain, but as the adage goes, taxes are one of them. Even during a health crisis, Americans are responsible for filing their annual return, and millions of them lean on Kansas City, Missouri-based H&R Block to navigate the process.

To streamline its operations and improve its ability to ramp up during tax season, H&R Block migrated its computing workload to Microsoft Azure, a move that would, “help the company better process millions of tax returns annually while allowing the firm to build financial software products with greater speed, quality and security,” writes CIO’s Clinton Boulton in a recent interview  on cloud migration with H&R Block CIO Alan Lowden.

“It’s what we need to do to enable our strategic vision of putting customers at the center,” Lowden tells CIO. “We have to give them a convenient experience of serving them any way they want to be served.”

So this past tax season, H&R Block was able to spring into action to support their customers while protecting the safety of their employees and the communities they serve. To keep their workforce safe during their busiest season – which was even longer this year to give taxpayers more time to file – they shifted to a work-from-home model that allowed 80,000 tax professionals to serve customers virtually.

That quick pivot wouldn’t have been possible if the company hadn’t migrated to Azure. Because they didn’t need to buy new hardware, or set up or configure additional infrastructure, they were able to make the critical change to remote workstations in less than two weeks. The company’s tax pros were able to provide the expertise their customers needed, and the even more critical refunds they were counting on.

When the demands of tax season return to normal, H&R Block will continue to inspire confidence in their customers through a seamless experience – wherever they like, however they like.

“Now we can present tax tips and offerings to our clients that are most relevant to them,” says Aditya Thadani, vice president of architecture and information management at H&R Block. “Migrating our platforms to Azure has really allowed us to serve our clients better.”

Source Microsoft

read more
Azure ADAzure VM

Microsoft Sustainability Calculator Aims to Help Cloud Customers Manage their Carbon Footprint

no thumb

Microsoft has announced a new tool that will help cloud customers better understand their carbon emissions. Called the Microsoft Sustainability Calculator, the product has landed in private preview ahead of a future launch.
According to Redmond, the aim of the Microsoft Sustainability Calculator is to give customers more oversight across their carbon output. More specifically, to become more transparent about what their environmental impact is.
“It’s challenging to make and meet meaningful carbon reduction goals without the ability to measure carbon emissions,” Microsoft says.

Microsoft has announced a new tool that will help cloud customers better understand their carbon emissions. Called the Microsoft Sustainability Calculator, the product has landed in private preview ahead of a future launch.

According to Redmond, the aim of the Microsoft Sustainability Calculator is to give customers more oversight across their carbon output. More specifically, to become more transparent about what their environmental impact is.

“It’s challenging to make and meet meaningful carbon reduction goals without the ability to measure carbon emissions,” Microsoft says.

By leveraging AI technology, the calculator provides accurate accounting for carbon usage. It highlights the impact caused by Microsoft cloud service across an organization’s footprint. Armed with the information, company’s can make concise decisions about their environmental impact.

For example, the Microsoft Sustainability Calculator measures the impact of moving regular applications to the cloud and how this can reduce the carbon output of a company.

Carbon Negative

It looks like the tool goes hand-in-hand with Microsoft’s own push to be carbon negative by 2030. Redmond made that pledge earlier this year. The decision followed a 2017 commitment to cut 75% of its carbon emissions by the same date and builds on 2019 revisions of 70% renewable energy by 2023.

“While the world will need to reach net zero, those of us who can afford to move faster and go further should do so,” Microsoft President Brad Smith said of the new commitment. “That’s why today we are announcing an ambitious goal and a new plan to reduce and ultimately remove Microsoft’s carbon footprint.”

Source Winbuzzer

read more
Azure AD

Microsoft and Hitachi Announce Partnership Based on Azure Cloud Integration


Microsoft has announced an expansion of its partnership with Japanese multinational Hitachi. Specifically, the companies are entering a new era of deeper collaboration as part of a multi-year strategic alliance.

Leading the goals of the partnership is to drive transformation in logistics and manufacturing across North America, Southeast Asia, and Japan.

On its end, Hitachi, will integrate its solutions into Microsoft’s cloud services. For example, the IoT industrial controllers HX Series and Lumada platform will now integrate with Microsoft Azure, Dynamics 365, and Microsoft 365.

“We are delighted to expand our partnership with Microsoft and combine our OT, IT and products excellence to provide manufacturing and logistics companies with digital solutions. We use Lumada to provide total seamless solutions to solve challenges by connecting cyberspaces with physical spaces. Through this collaboration with Microsoft, we will be able to accelerate our customers’ digital transformation and continue to deliver social, environmental and economic value,” said Jun Abe, Vice President and Executive Officer, CEO of Industry & Distribution Business Unit, Hitachi Ltd.


Both companies will also work to combine Lumada and Azure into a new industry data platform. In a blog post to announce the alliance, Microsoft says Hitachi will bring the following benefits to its Microsoft Azure platform:

  • “Increase manufacturing productivity: Using Hitachi Digital Supply Chain as well as Azure IoT to analyze 4M data collected from manufacturing sites for the visualization and analysis of production processes to optimize factory operations and increase productivity.
  • Optimize logistics with data analytics: Increasing the logistics efficiency and reducing operational costs by analyzing traffic congestion, storage locations and delivery locations, and enabling smart routing to save miles and deliver faster through advanced digital technologies such as Azure Maps and Hitachi Digital Solution for Logistics/Delivery Optimization Service.
  • Predictive maintenance and remote assist: Enabling predictive maintenance, real-time remote assistance and remote training scenarios for first-line workers, leveraging HoloLens 2 and Dynamics 365 Remote Assist as well as other smart devices.”

Those solutions will make their debut next month in Thailand and will arrive in Japan and North America later in the year.

“Building resilient and flexible digital supply chains is critical to grow a business and meet customer needs in today’s fast-changing environments. By expanding our collaboration with Hitachi, we’ll unlock new opportunities for manufacturing and logistics companies as they strive to lead in their industries and pioneer with a data-driven mindset and digital capabilities,” said Çağlayan Arkan, Vice President Manufacturing at Microsoft.

Source Winbuzzer

read more
Azure AD

How to quickly install and configure Azure AD Connect


One of the fundamental components of setting up Office 365 is installing Azure AD Connect. This tool is used to connect your on-premises Active Directory to Azure AD.

It works by synchronizing a copy of objects in the directory, such as users, groups, contacts and devices from Active Directory to Azure AD every 30 minutes. When you use Azure AD Connect, your local Active Directory remains the master copy and only selected attributes, such as those needed to support Exchange Hybrid, are written back.

Azure AD Connect supports many topologies, including a single Active Directory, multiple Active Directories and even multiple Office 365 tenants.

Before we begin, it’s worth outlining that there is a variety of configuration options available and these should be considered if you have more than basic requirements. For example, if you cannot synchronize hashes of passwords to the cloud, then you may wish to consider options like pass-through authentication. If you still run older clients or do not plan to use Hybrid Azure AD join to provide single sign-on to PCs, then you might wish to configure Seamless Sign-On.

In this guide, we’re not going to cover every option for installation of Azure AD Connect, as there’s a variety of ways to configure it.

The key purpose of this guide is if you are installing and configuring Azure AD Connect to support using a tool like Microsoft Teams, and plan to update your configuration to support wider needs in the future. We’ll show you how to install it in a similar way to the Express option which uses the most common deployment settings.

Prerequisites for installing Azure AD Connect

Before you begin, ensure you meet the pre-requisites for installation. As a minimum, you need Windows Server 2012 or later, on a domain-joined server (or domain controller) with .NET Framework 4.5.1 and PowerShell, with at least 4GB RAM and a 70GB HDD. The server will need access to the internet, in particular access to the Azure AD Connect service. IP ranges are listed here.

It is always recommended to analyze your Active Directory for issues that will prevent accounts synchronizing to Azure AD. The best way to do this, is to use the IDFix tool. The process to run this is documented here. In particular, it is common to ensure that the User Principal Name matches user’s email addresses for easy sign-in and to meet the requirement of matching one of your Office 365 tenant’s custom domains.

And, if you haven’t already, follow our guide on adding a custom domain to match (at a minimum) your primary SMTP domains (the ones you’ll use for sign-in) and if you will be migrating mailboxes to Exchange Online, all domains you use to receive email.

Learn more: What is Azure AD Connect Cloud Provisioning and should you plan to use it?

In this guide we’ll show you how to user Alternate Login ID for rapid identity provisioning to Office 365 applications like Microsoft Teams. If you are planning to use Exchange Hybrid, however, then you should plan to move to matching against the User Principal Name at a later date. This can be achieved fairly simply, by staging the switch of User Principal Names to match user’s Primary SMTP address, then when complete updating Azure AD Connect to use the User Principal Name instead.

Steps for installation

Once pre-requisites are in place we’ll begin. First, download a copy of Azure AD Connect. You’ll find this at the Microsoft Download site.

Next, run the installation tool on the server you’ll install Azure AD Connect on to, then when given the opportunity, we’ll choose the Customize option, unless you want to install with the Express Settings, which include synchronizing all accounts:

Azure AD Connect Express Settings

Next, we’ll choose sign-in options. As mentioned above, we’ve got a variety of options available, and you need to select the right one for your organization.

However, most organizations should choose Password Hash Synchronization, then choose Next:

Azure AD Connect User Sign-In

Next, enter your Office 365 Global Administrator credentials. These will be used to create a synchronization account inside the Office 365 tenant, and not stored by the server:

Connect to Azure AD

We’ll then need to add our local Active Directory. In this guide, we’re assuming you are using a single AD to synchronise to Office 365. Choose Add Directory:

Azure Add Directory

At this point, use enterprise administrator credentials to add an Active Directory connection. The wizard will, like with Office 365, create a synchronization account with the pre-requisite permissions, then choose OK, then Next.

AD Forest Account

On the next page of the wizard, we’ll see the sign-in configuration already chosen and select the on-premises attribute to use as the Azure AD username.

If you plan to use Exchange Hybrid immediately, then you should select the default, userPrincipalName as described earlier in the article – and ensure you have run IDFix and aligned your primary SMTP address values to the UPN.

In the example below, you’ll see a warning that will show if you have a UPN suffix in your environment that is not routable, or not registered in your Office 365 tenant.

We see the warning below because the UPN suffix lab01.local is not routable and therefore cannot be verified in the tenant. However we do have the domain (which is also our Primary SMTP address registered), therefore we can select Continue without matching all UPN suffixes to verified domains.

Azure AD Sign-In Configuration

If you cannot match your User Principal Name value to your custom domains right now and don’t plan to enable Exchange Hybrid immediately – for example, if you are planning on just enabling Microsoft Teams, or other services like SharePoint or OneDrive, then you can workaround this using Alternate Login ID.

This is when your scenario matches the example user below. You’ll see on the left the email value is using the correct custom domain, however you haven’t yet been able to update the User logon name on the right to match the custom domain value.

New properties

To use Alternate Login ID as a temporary measure, use the User Principal Name drop-down to select the mail attribute:

Azure AD Connect Mail Sign-In

Next, we’ll select the Domain and OU filtering options. You may not wish to synchronize every object in your Active Directory to Azure AD and Office 365.

For mail routing and Exchange Hybrid in particular you will want to synchronize (at a minimum) every recipient including mailboxes, mail users, mail contacts and distribution groups.

However, you may not wish to synchronize leavers’ accounts, service accounts and built-in accounts and non-mail enabled security groups. Therefore, it’s useful to use the Domain and OU filtering to select the OUs that contain valid recipients.

In the example below, we know that all recipients are within the People OU, and we’ll only select the Sync selected domains and OUs radio box, then select the checkbox for the OU, then choose Next:

Domain and OU Filtering

After completing the configuration and selecting any optional features to enable, we are ready to configure and perform our initial sync.

Ready to configure Azure AD Connect

After the sync completes, navigate to the Microsoft 365 admin center to validate the synchronization task is completing successfully. You should see within Users and Groups copies of your Active Directory objects.

Active users

If things don’t look right, then navigate to the Azure AD Connect Health portal. This will provide you the option to monitor Sync errors that the service is experiencing. A good result should show no sync errors to the service. You’ll resolve sync errors by following the recommendations from IDFix.

Sync Errors

Source Winbuzzer

read more
Azure AD

AMD Gains Ground on Intel in Steam CPU Usage


AMD continues to become an increasingly potent rival to fellow chipmaker Intel. Since launching its Ryzen series of processors several years ago, AMD has made consistent gains against Intel’s market dominance. In the latest step forward for the company a recent survey shows AMD is making ground on Intel in the gaming realm.

Specifically, AMD processors are gaining CPU market share on Steam. Each month, Steam publishes its Hardware and Software Survey. This shows usage statistics across the platform, including operating system and other metrics… including processors.

Last month, Intel machines continued to be the most used on Steam, with 77.54 percent of users. However, AMD enjoyed a 0.74 percent boost and now has 22.45 percent of the usage market. Since January, the company’s share has increased by over one percent.

Of course, Intel still has a 55 percent lead so don’t expect AMD to take over. However, it is clear the gaming chip market is becoming more competitive. It’s a trend we have also seen across other areas away from gaming.

That said, it is worth remembering this survey only looks at a single platform.

GPU Data

AMD also makes GPUs, but it’s success in this area is more limited. Steam says Nvidia remains the leading GPU maker amongst its users. In fact, Nvidia GPUs make up the top nine spots in terms of GPU usage. AMD is tenth and then the rest of the list holding at least one percent of the market is made of Nvidia products.

Source Winbuzzer

read more
Azure AD

What are Azure AD Security Defaults, and should you use them?


Azure AD Security Defaults arrived recently and make it easier to implement some of the most common security settings in your Azure AD directory, and Office 365 environment. They aren’t appropriate for everyone, but if you’ve not enabled multi-factor authentication yet, or haven’t disabled legacy authentication, then this might want to be something you consider.

Every Office 365 environment should be secure, and technically – they aren’t susceptible to vulnerabilities, are patched and up to date and regularly tested. But the default settings for an Office 365 tenant have been aimed at the lowest common denominator – organizations with legacy clients and with an expectation that organizations will buy add-on security features, like EM+S if they truly want security. This does mean that many, may Office 365 tenants are vulnerable to a number of attack vectors, including password spray attacks, because an attacker can repeatedly try and login to an Office 365 tenant using basic scripting to attempt a login, then if they successfully authenticate with a username and password, there isn’t an MFA mechanism in place.

Security Defaults replace Baseline Conditional Access policies, which do a similar job, and are offered free to all Office 365 subscriptions, whether or not you’ve paid for Azure AD Premium licensing. This is a change, as although per-user MFA could be enabled in Office 365, it didn’t include the Authenticator app, nor the straightforward enablement mechanism enjoyed by Conditional Access or service-wide Azure MFA.

Security Defaults enforces these settings:

  • Multi-Factor authentication for administrators and end-users, required within 14 days of the next sign-in after enablement
  • Legacy authentication will be blocked, restricting access from older clients, like Office 2010, IMAP, POP3, SMTP, ActiveSync clients that don’t support Modern Auth, and traditional methods of managing Exchange Online using Remote PowerShell.
  • Immediate MFA protection for “privileged” Azure AD actions via the Azure Resource Manager API (such as Azure Portal Access, Azure PowerShell and the Azure CLI).

These defaults are more secure than the baseline policies. Baseline protection policies were (and are) provided using the Conditional Access portal settings, and allowed selective enablement of MFA for administrators, MFA protection for (what Microsoft determine as) risky sign-ins for end users, blocks for legacy authentication and MFA for service management. Baseline policies were not only hidden away, but also never left preview – so many people won’t be using them in production.

Microsoft plan to enable Security Defaults for all new Azure AD tenants within the “next few months” – which should mean by the end of January 2020, a new Office 365 subscription will come with MFA enforced out of the box, and legacy authentication enabled. That’s important to know as it’s a big change.

How this might affect new Office 365 migrations

If you sign-up for an Office 365 subscription over the next few months and Security Defaults are enabled then this might be a surprise – even if you don’t have older clients like Office 2010 or use IMAP and POP3 clients.

One example of this is Outlook clients. When you migrate a mailbox, the expected behaviour is that Outlook will automatically reconfigure and connect to Exchange Online. Even with the latest Office 365 Pro Plus, signed in using Modern Authentication to Office 365 for licensing, you could still see an issue with Security Defaults enabled.

This is because when a mailbox is migrated, it continues to use the legacy authentication process as it follows the Autodiscover bread-trail to Exchange Online, and then fails when attempting to sign-in. This can be solved, either by switching off Security Defaults during your migration – or if you have control over your Outlook clients, you can deploy the registry key in this article.

In general though, you shouldn’t expect many technical issues at all if you are using up-to-date Office 365 Pro Plus clients and the Office apps on mobile. You’ll also find ActiveSync clients on iOS devices, the Gmail app and Samsung Mail apps all support Modern Authentication too (however, you’ll need to reconfigure those clients).

The biggest factor though maybe the user impact of enforcing MFA from every location.

No replacement for Azure AD Conditional Access

The down-side with Multi-Factor Authentication is the inconvenience to users. This of course, is necessary from unknown devices in unknown locations, but most organizations invest significant time and expense in ensuring that their devices and locations are secure, and as such trust their devices.

This is where Azure AD Conditional Access remains important. Conditional Access allows different levels of security for different people, apps, managed and unmanged devices and locations. You can choose where and when to enable MFA or even block access.

For example, you might choose to remove the need for a user to confirm it’s them via the Microsoft Authenticator app when they are signing in from their domain-joined, Windows 10 PC, using Office 365 Pro Plus at their computer in the Office.

You might also avoid regular prompts for MFA on their company issued mobile, too – and instead manage the device properly using tools like Intune. However you might require them to sign-in every so often if they are working from home on their company issued laptops. You might even block sign-in altogether to services containing sensitive business data from random web browsers on unmanaged devices.

There’s a lot more to Conditional Access than the above snippet – a lot more – but those are some of the core scenarios that most companies look to achieve and Security Defaults doesn’t cover.

The greatest pity about Security Defaults is that the most basic functionality organizations need – to define locations where MFA isn’t necessary – isn’t included.

This will be especially frustrating for some organizations where they have simple use-cases, like shop-floor workers in manufacturing where employees are not allowed mobile devices and the uplift to Azure AD Premium for each user doesn’t provide enough value to justify it for those type of workers. In those cases, we’ll probably see those organizations left unprotected.

Perhaps Microsoft will do as they did with the Authenticator app, and bring the basic trusted IP address range for skipping MFA.

Enabling (and Disabling) Security Defaults

You can enable Security Defaults if you aren’t using Conditional Access today. If you do have CA policies, then you won’t be able to enable Security Defaults.

Before you do anything, make sure you perform user communications so people know the change is coming – and ensure you won’t prevent access from legacy clients or applications. It’s an all-or nothing switch; so you can’t put in place exceptions for users or legacy applications  like you can with conditional access.

To enable Security Defaults, sign-in as a Global Administrator to the Azure AD Portal and navigate to Azure Active Directory and scroll down to Properties. From there, select Manage Security Defaults:

You’ll then see the option to enable Security Defaults. It’s an all or nothing switch – it’s either enabled or disabled:

The good news with Security Defaults is that should you decide you need Conditional Access policies, you don’t need to switch off Security Defaults before you define your CA policies. When you configure your CA policies, you’ll be informed you can continue to create them – once you’ve created your policies you can switch off Security Defaults and enable the CA policies you’ve defined.


Security Defaults are a good addition to Azure AD, and therefore Office 365 and will ensure many more organizations are secured by default. It’s a pity they don’t include all of the basic functionality most organizations should have – but they are a great start by Microsoft on helping all customers – not just those with Azure AD Premium licensing – to secure their identity.

Source Practical365

read more
Azure AD

Microsoft Fixed an Azure Security Vulnerability before Researchers Could Report It


Microsoft beat security researchers to the ball in a dangerous Azure vulnerability. A CyberArk blog post titled ‘I Know What Azure Did Last Summer’ discloses a bug in the tech giant’s cloud platform that was exploitable for up to two weeks.

According to researcher Omer Tsarfari, the September issue lay in the way the Azure portal was parsing JavaScript that’s used in the Azure Portal’s Extension Manifest. An attacker with a HTTP server with the “urehubs” hostname and a signed root CA certificate could grab the access tokens of anyone who logged into the Azure portal.

The researchers were able to exploit this bug in the wild to grab an Azure token from an external organization. As a precaution, CyberArk then bought 72 urehub domains with various suffixes. Tsarfari says the bug could have led to complete takeovers of Azure environments.
“While there is a lot of honey in the Cloud Computing solutions, there is also a sting to be aware of. Relying on “someone else’s computer” also means relying on someone else’s security measures. We’ve seen a lot of attacks that have focused on cloud configuration weaknesses – and seeing and understanding these vulnerabilities helps us fortify our cloud environments,” he cautioned. “But, what about the vulnerabilities we don’t know of? Are we ready for those?”
A Speedy Fix
Thankfully, Microsoft also took action. The organization says it managed to discover and fix the bug before the researchers could report it.
“This issue was identified internally and we deployed a fix to address it,” a spokesperson told ThreatPost.

Tsarfati tells a different story. According to ThreatPost, he wrote that Microsoft’s fix of the vulnerability, just a day after his frim created a working POC, was unintentional. The company added three lines of code, adding a URL to the JavaScript file’s HREF attribute that mitigated the issue. This was all done server-side, so admins have no need to worry if they haven’t been attacked already. However, Tsarfarti believes Microsoft’s indecision when it comes to URI schema could still come back to bite in the future.
“Regarding the URI formats in the ExtensionsManifest, I think that it might be worth sticking to one URI format, as not doing that could be a root cause for many other bugs that could pop up over time,” he said.
Good enterprise security practices will always help to mitigate the damage of such vulnerabilities, but the trust, ultimately, has to be with Microsoft. This time, it has at least caught it early on.

Source Winbuzzer

read more
Azure AD

Microsoft Is ‘Investigating’ Claims That It Benefits from Forced Labor in China


Microsoft has responded after a report that claims the company benefits from forced labor in China. A publication by the Australian Strategic Insitute (APSI) published on Saturday alleges the Chinese government has performed a mass transfer of Uyghur and other ethnic minorities from Xinjiang to factories across the company in what appears to be forced labor.

These factories supply 83 well-known brands, including tech giants like Apple, Microsoft, Samsung, Huawei, Google, and Sony. Over 80,000 Uyghurs were transferred to factories across China between 2017 and 2019, the ASPI says, with some of them sent directly from detention camps. Evidence shows the workers are under constant surveillance, have limited freedom of movement, live in segregated dorms, and are forbidden from religious observances.

“Microsoft is committed to responsible and ethical sourcing. We take this responsibility very seriously and take significant steps to enforce our policies and code of conduct in support of human rights, labor, health and safety, environmental protection, and business ethics through our assurance program,” said a Microsoft spokesperson to Windows Central on Monday. “All forms of forced labor are specifically banned by our Supplier Code of Conduct. We are investigating the claims and will take appropriate action if breaches of our code of conduct exist.”
This follows reports in mid-2019 that companies like Microsoft, Amazon, and Google are looking to move production outside of China. As the trade war between it and the US continues and the atrocities against the Uyghur people becomes clear, it’s more and more difficult for tech giants to justify the use of workers in the country for cheap labor.
Ensuring their a product is ethically sourced from start to finish is a difficult undertaking, but it’s something companies must bear and respond to criticism on. Microsoft is at least looking into the issue, but human rights organizations will undoubtedly want to know what action it’s taking and how it plans to prevent problems in the future.

Source Winbuzzer

read more
Azure AD

AMD Confirms Ryzen Threadripper 3990X Works on Windows 10 Pro Without Performance Dips


Since the launch of AMD’s Ryzen Threadripper 3990X, it was believed the monster CPU would not run on Windows 10 Pro. That because the CPU was believed to be too powerful and would need Windows 10 for Workstations or Windows 10 Enterprise. However, AMD has today said the Pro SKU also works, and there’s also some good news for Linux users.

If you’re unfamiliar with the Ryzen Threadripper 3990X, it is part of the company’s 3000 series and is among the most powerful CPUs ever made. It is capable of running triple A graphically intensive games without a coupled dedicated GPU.

When the 3990X launched last month, most believed Windows 10 Pro would not handle the CPU. Furthermore, Linux also seemed to be off the cards. Today, AMD has confirmed that is not the case and is backing the Threadripper on those OS’s.
“We wanted to clarify that AMD officially recommends Windows 10 Professional or Linux for the AMD Ryzen Threadripper 3990X. Higher editions/versions of Windows 10 confer no additional performance or compatibility benefits to the processor.
“We do understand that this suggestion has been made in some articles, and our team is presently testing this further, but this is the official recommendation.”
There is a caveat to consider. Namely, the Threadripper 3990X won’t show all its 128 threads across 64 cores on the Windows 10 Pro Task Manager. However, this will not affect the overall performance of the CPU on the platform.
It is worth noting AMD recommends running Windows 10 Pro version 18362.592 or higher for the best performance experience.
Over on the Linux side of the OS fence, users can now splash out (over $3,000) on the Ryzen Threadripper 3990X and know its performance won’t be hampered.

Source Winbuzzer

read more
Azure AD


Entitlement management – Connected organizations
Welcome back! So far in this series, we covered the concepts behind entitlement management and created a sample access package in the first article. In the second part, we expanded on some additional settings, looked at how things work from the end user’s perspective, and covered topics such as auditing in reporting. Now, we will explore one of the main reasons why you might want to use entitlement management – the ability to grant access to users from “connected” organizations and manage their lifecycle within your own directory.
Connected organization
We’ll start by introducing the concept of Connected organization. Any organization you have a relationship with can become a Connected organization, regardless of whether they are already using Azure AD or not. In our scenario, we can imagine that part of the work that needs to be completed for the successful delivery of Project Tango will be executed by an external company. To make things simpler, we will cover the scenario where the external company already uses Azure AD, but will provide notes for other scenarios throughout the text.
To add a new Connected organization, navigate to the Azure AD blade -> Identity governance -> Connected organizations and press the Add connected organization button. The familiar wizard interface will guide us over the creation process. On the first page, Basics, you can enter the Name and Description, then continue to the Directory + Domain page. Here you will press the Add directory + domain link and provide a domain name to search for.
You can use any of the domains verified in the (external) organization, or their default, domain. If the organization is found, the corresponding Name will appear for you to verify, and if they are using Azure AD, the corresponding Authentication type will be configured. If they are not using Azure AD, the Authentication type will change to One-time pass code, the new B2B feature allowing users to redeem their invitation by providing a code sent to their email address. Another possible scenario here is direct federation. Only a single directory/domain can be added at a time, so you might need to repeat the process in case you have multiple organizations to add.

Add connected organization

The next step is to configure Sponsors. Those are basically users that are responsible for managing some of the tasks related to collaboration between users of the two organizations, such as issuing approvals for assigning a package. Two types of sponsors exist, internal or external, which you configure via the corresponding Add internal sponsors/Add external sponsors links. While both types are optional, it’s recommended that you do configure at least one sponsor. If you choose to configure an external sponsor, it is important to understand that they must already exist in your directory as a Guest user, that is you cannot select a user directly from the external organization. The UI actually allows you to select regular (internal) users as the external sponsor, a small improvement here would be to filter the view and only present Guest users.

Lastly, on the Review + Create page, you can go over the configuration one last time and if everything checks out press the Create button to provision the new connected organization. You can change the settings later by selecting the corresponding entry from the list of connected organizations. One small annoyance found here is that you can only see the “Name” of the connected organization when it is of type Azure AD, not the actual (default) domain you pointed to when configuring it. This can cause confusion later on, as the “Name” is a free-form field, unrelated to the default domain and can have any value. Similarly, multiple organizations can have the same “Name”.

Assigning packages to users from connected organization

Now that we have at least one connected organization configured, we can proceed to provision some access packages that assign resources to users from said organization. Please note, that the catalog with the corresponding resources must be Enabled for external users, by toggling the corresponding setting on the catalog overview page.

To make things a bit easier and avoid repeating steps from our previous articles, we will select the already existing Project Tango package and create a new policy, this time using the For users not in your directory option. Doing so presents the choice between Specific connected organizations, where you select one or more pre-configured organizations; All connected organizations, which as the name suggests applies to all organizations; and All users, which includes any additional connected organizations you configure in the future.

Another important part to note is that any packages that have a policy associated with a given connected organizations will be accessible by any user within said organization. This will also include users from any additional (sub)domains within the corresponding Azure AD directory. If you select one of the other available choices here, the package will be eligible for even broader scope of external users. One way to restrict access is to use the Azure AD B2B policy controls to specify a list of allowed/blocked domains. Alternatively, you can control this via approvals and access reviews.

Read more: How to Manage Guest User Access in Azure Active Directory

After making the selection, proceed with configuring the rest of the policy settings. Since you are effectively provisioning access for external users, it’s a good idea to diligently configure the Approval settings, where you can request that both the External sponsor and Internal sponsor you configured when adding the connected organization have their say in the process (two-stage approval). Justification, alternate approvers and fallback settings can also be configured as needed. Same applies to the Lifecycle policy settings, which you should also configure with care. Since no additional controls are presented here, refer to our previous articles or the official documentation for more information on these.

External user experience

We now have a connected organization configured and a policy that makes one of our access packages eligible for users within said organization. In order for users from connected organizations to request access to a package, they will need to be given a link to it, as access packages from connected organizations do not show under the My Access portal. Alternatively, access for external users can also be granted directly by a user with sufficient permissions via the corresponding page in the Azure portal, as with the other scenarios we examined.

Once the person opens the link sent to them, the process is pretty much the same as that for internal users, with the slight difference that you cannot view the set of resources included in the package until you get the actual approval. When submitting the request, you will also see a privacy notice, which you must accept.

Once the request is approved and the corresponding access package has finished provisioning, the list of resources will be populated, and the external user can access them. As part of the process, a Guest user object is provisioned/invited to the directory. This representation of the user object within your own directory is what allows you to assign access and otherwise govern the lifecycle for such external users. Unlike the “regular” Guest user invitations process though, no email invitation will be sent, however the user will receive a notification that he has been granted access as part of the access package.

At this time, the user can click on any of the links in the (now updated) list of resources or access the corresponding resource directly. The first time they do this, they will have to complete the invitation process by consenting to the below prompt:

Another way for the user to access the corresponding resources is via the My apps portal. In our scenario, they should expect to see the two Azure AD integrated applications we’ve added as part of the package, and under the Groups page, he should also be added as members of the specified groups. Since the tenant has some groups with dynamic membership rules configured as well, the external user will become a part of their membership where applicable.

Final remarks and series summary

Before we close off the series, we should also mention some important settings related to Managing the lifecycle of external users. Those settings control what happens when access lapses for all of the access packages previously assigned for the user and allow you to block the user or remove him from the directory altogether. Additionally, you can specify the number of days before the user is removed. You can find the corresponding settings under the Azure AD blade -> Identity Governance -> Settings as pictured below:

So, there you have it, our not so short review of the entitlement management feature in Azure AD. Over the course of three articles we introduced the concepts behind the feature, and examined a sample scenario where an access package that grants access resources needed for a given project was created and later assigned to users. Apart from managing the set of resources and user assignments, the feature comes with built-in approval workflow, lifecycle controls (including managing the lifecycle of external users), robust auditing and reporting capabilities as well as PowerShell and Graph API support (albeit in preview). In a world where “minimum viable products” are becoming the norm, it’s refreshing to see Microsoft releasing a fully functional and highly customizable solution.

That’s not to say that entitlement management is perfect or without limitations. We mentioned already that only cloud-authored Azure AD groups are supported, meaning you cannot use Access packages to grant access to on-premises or Exchange Online groups. This argument can be extended to cover other resource types, but I suppose those will be covered when we get Graph API support for the corresponding workloads. Another restriction that you should be aware of is that multi-geo SharePoint Online locations are not supported, you can only grant access to sites within the default geo-location. Some of the choices presented when selecting different resources in the UI can also be handled better. Lastly, the Azure AD Premium P2 license requirement for every user that requests a package might also be a problem for some organizations.

Source Practical365

read more
1 2 3 5
Page 1 of 5