Using Active Directory Security Groups to Grant Permissions to Azure Resources

18th of February, 2016 / / 4 Comments

The introduction of the Azure Resource Manager platform in Azure continues to expose new possibilities for managing your deployed resources.

One scenario that you may not be aware of is the ability to use scoped RBAC role assignments to grant limited rights to Azure AD-based users and groups.

We know Azure provides us with many built-in RBAC roles, but it may not be immediately obvious that you can control their assignment scope.

What do I mean by this?… [Keep reading] “Using Active Directory Security Groups to Grant Permissions to Azure Resources”

Azure AD Connect – “The specified domain does not exist or cannot be contacted” when adding an untrusted AD forest

16th of December, 2015 / / 6 Comments

I ran into a little issue while on site with a customer who required AAD Connect to be configured for use in a multi-forest environment with three forests. There was a forest trust between two of the forests, however the third forest did not have any trusts in place. Prior to implementing this solution, we ran up a test environment to do a run through and document the steps required for an implementation plan.

The test environment consisted of three Windows Server 2012 AD forests all at 2012 functional level – kloudy.net,… [Keep reading] “Azure AD Connect – “The specified domain does not exist or cannot be contacted” when adding an untrusted AD forest”

Consideration for multi-forest synchronisation with a resource Exchange forest

15th of December, 2015 / / 8 Comments

Azure AD Connect has come a long way from the early days of DirSync, and multi-forest directory synchronisation is a great step forward, with the ability to synchronise an account forest and Exchange resource forest to Office 365 meeting the needs of many organisations.

Joining linked mailboxes

To provide synchronisation of an account forest and an Exchange resource forest AAD Connect matches accounts across forests using the same attribute used by Exchange, matching the linked mailbox account’s msExchMasterAccount attribute value with the objectSID value of the account in the other forest to join them.… [Keep reading] “Consideration for multi-forest synchronisation with a resource Exchange forest”

Getting Started with the Azure Security Center

9th of December, 2015 / / 5 Comments

Microsoft recently announced the availability of the Azure Security Center which is designed to provide a single place to view your security stance for resources deployed to Azure.

In this post I’m going to walk you through what’s initially available and see how it can start helping you today.

Who ever said “no” to something that’s free?

The core features (today) are free. Yes – free. This isn’t just preview pricing either. During preview even the Standard Tier is free until early 2016.… [Keep reading] “Getting Started with the Azure Security Center”

Implementing a WCF Client with Certificate-Based Mutual Authentication without using Windows Certificate Store

23rd of November, 2015 / / 9 Comments

Windows Communication Foundation (WCF) provides a relatively simple way to implement Certificate-Based Mutual Authentication on distributed clients and services. Additionally, it supports interoperability as it is based on WS-Security and X.509 certificate standards. This blog post briefly summarises mutual authentication and covers the steps to implement it with an IIS hosted WCF service.

Even though WCF’s out-of-the-box functionality removes much of the complexity of Certificate-Based Mutual Authentication in many scenarios, there are cases in which this is not what we need.… [Keep reading] “Implementing a WCF Client with Certificate-Based Mutual Authentication without using Windows Certificate Store”

Windows Server 2012 R2 (ADFS 3.0): Migrating ADFS Configuration Database from WID to SQL

19th of November, 2015 / / 17 Comments

You already have a working ADFS setup which has been configured to use the Windows Internal Database (WID) to store its configuration database. However, things may have changed since you implemented it and you may now have one (or more) of the below requirements which will need an upgrade to SQL server.

  • Need more than five federation servers in the ADFS Farm (supporting more than 10 relying parties)
  • Leverage high availability features of SQL or
  • Enable support for SAML artefact resolution or WS Federation token replay detection.
[Keep reading] “Windows Server 2012 R2 (ADFS 3.0): Migrating ADFS Configuration Database from WID to SQL”

Modern Authentication updates for Office 2013 (MSI-based)

7th of November, 2015 / / 8 Comments

Earlier this year, Office 2013 Modern Authentication using the Active Directory Authentication Library (ADAL) moved to public preview. The steps to take part in the preview and to prepare the Office 2013 software are well documented, particularly by one of my fellow Kloudies (see Lucian’s blog here).

However, you may find that despite creating the registry keys and installing the required updates, Modern Authentication is still not working – something I recently encountered with MSI-based installations of Office 2013 SP1 in a Windows 7 SOE.… [Keep reading] “Modern Authentication updates for Office 2013 (MSI-based)”

Azure Security Fundamentals: Azure SQL Database

27th of October, 2015 / / 2 Comments

Microsoft Azure has many Platform-as-a-Service (PaaS) features, with one of the oldest being Azure SQL Database (which has had many variations on that name in it’s time!)

Over the last few months Microsoft has released a raft of updates to Azure SQL Database that bolster its security chops. As a result I thought it would be good to cover off some basic best practices along with an overview of the new features and how they can help you improve your security stance when implemented.… [Keep reading] “Azure Security Fundamentals: Azure SQL Database”

Solving self signed certificate blocking by inspecting web requests using Xamarin iOS

21st of October, 2015 / / 2 Comments

In iOS 9 Apple have turned on App Transport Security (ATS) as default. So if your iOS application is connecting to an insecure url resource then you’re out of luck as it will be blocked, an example of the most likely culprit is viewing a webpage without SSL encryption.

With the current application I’m working on I ran into trouble whilst loading a dev resource only to find it was using a self signed certificate and being blocked by the OS. … [Keep reading] “Solving self signed certificate blocking by inspecting web requests using Xamarin iOS”

Azure Security Fundamentals: Moving Co-Admins to RBAC

16th of October, 2015 / / 9 Comments

Anyone who has worked with Azure for long enough knows the raised eyebrow response you have gotten from security teams in the past when you describe how you can enforce separation of duties and least privilege when it comes to Azure subscription and service management. In a previously well-received blog post, one of my colleagues provided good guidance around subscription management as it applied to Azure at that time.

Essentially, the situation was:

  • Any Azure service management required full administrator or co-administrator access to a subscription which provided the user with full permission to do anything provisioned there-in.
[Keep reading] “Azure Security Fundamentals: Moving Co-Admins to RBAC”