Choosing and using a Hardware Security Token for Azure AD Passwordless Authentication

Evaluation criteria for product selection can be a difficult process, especially for items that are rarely purchased. We’ve become accustomed to working out what we want from daily use items such as laptops, and mobile phones which does make that process easier when we refresh them every few years. However, choosing a hardware security token is maybe something you haven’t ever had to do.

So how do I choose a Hardware Security Token? This post outlines some selection criteria I’ve recently used to assist others with answering “Which Hardware Security Token do I need?”… [Keep reading] “Choosing and using a Hardware Security Token for Azure AD Passwordless Authentication”

Use Azure AD Apps to connect with Office 365 and Cloud Services securely

Azure AD apps provide a faster and secure way to connect to the Office 365 tenancy and carry out automation tasks. There are many advantages of using Azure AD apps and could be used to authenticate for various Microsoft services such as Graph, Office 365 Management Api, SharePoint etc.

In this blog, we will look at the steps to set up an Azure AD app for Office 365 Management API, however the steps are mostly the same for other Office 365 services too.… [Keep reading] “Use Azure AD Apps to connect with Office 365 and Cloud Services securely”

Azure Active Directory B2B Pending and Accepted User Reports

One of the benefits of Cloud Services is the continual enhancements that vendors provide based on feedback from their customers. One such item of feedback that Microsoft has heard often is the request to know what state a Guest user in Azure AD is in. In the last couple of days Microsoft exposed two additional attributes on the User objectClass in Azure AD;

  • externalUserState
  • externalUserStateChangeDateTime

B2B State Tweet.PNG

This means we can now query the Microsoft Graph for B2B users and understand if they have Accepted or are PendingAcceptance, and the datetime of the last change.… [Keep reading] “Azure Active Directory B2B Pending and Accepted User Reports”

Automating Azure AD B2B Guest Invitations using Microsoft Identity Manager

Update: Oct 30 '18 
Also see this post that adds support for Microsoft's updates 
to the Microsoft Graph to include additional information 
about Azure AD B2B Guest users.

Introduction

Earlier this year Microsoft released the Microsoft Identity Manager Azure AD B2B Management Agent. I wrote about using it to write to Azure AD in this post here. As detailed in that post my goal was to write to Azure AD using the MA. I provided an incomplete example of doing that for Guests.… [Keep reading] “Automating Azure AD B2B Guest Invitations using Microsoft Identity Manager”

Preventing double-app-loading behaviour with ADAL.js

Microsoft’s JavaScript implementation of its Azure Active Directory Authentication Library (ADAL.js) allows for some great client-side-only Single Page App (SPA) scenarios.
Unfortunately (as with most things auth-related), there are some gotcha’s to be aware of. One relates to how ADAL obtains refresh tokens in this crazy world of implicit auth.

Implicit Auth Flow

Implicit auth allows for the application developer to not have to host their own token authentication service. The ADAL.js and the Azure AD auth endpoint do all the heavy lifting:

It’s the bottom third of the diagram (after the token expires) that causes the issue I am addressing in this post.… [Keep reading] “Preventing double-app-loading behaviour with ADAL.js”

Azure AD Domain Services

I recently had what I thought was a rather unique requirement from a customer.
The requirement was to build Azure IaaS virtual machines and have them joined to a managed domain, while also being able to authenticate to the virtual machines using Azure AD credentials.
The answer is Azure AD Domain Services!
Azure AD Domain Services provides managed domain services such as domain join, group policy and Kerberos/NTLM authentication without the need for you to deploy and  manage domain controllers in the cloud.… [Keep reading] “Azure AD Domain Services”

Windows 10 Domain Join + AAD and MFA Trusted IPs

Background

Those who have rolled out Azure MFA (in the cloud) to non-administrative users are probably well aware of the nifty Trusted IPs feature.   For those that are new to this, the short version is that this capability is designed to make it a little easier on the end user experience by allowing you to define a set of ‘trusted locations’ (e.g. your corporate network) in which MFA is not required.
This capability works via two methods:

  • Defining a set of ‘Trusted” IP addresses.
[Keep reading] “Windows 10 Domain Join + AAD and MFA Trusted IPs”

Resolving the 'Double Auth' prompt issue in ADFS with Azure AD Conditional Access MFA

As mentioned in my previous post, Using ADFS on-premises MFA with Azure AD Conditional Access, if you have implemented Azure AD Conditional Access to enforce MFA for all your Cloud Apps and you are using the SupportsMFA=true parameter to direct MFA execution to your ADFS on-premises MFA server you may have encountered what I call the ‘Double Auth’ prompt issue.
While this doesn’t happen across all Cloud Apps, you will see it on the odd occasion (in particular the Intune Company Portal and Azure AD Powershell Cmdlets) and it has the following symptoms:

  1. User signs into Azure AD App (e.g.
[Keep reading] “Resolving the 'Double Auth' prompt issue in ADFS with Azure AD Conditional Access MFA”

Using ADFS on-premises MFA with Azure AD Conditional Access

With the recent announcement of General Availability of the Azure AD Conditional Access policies in the Azure Portal, it is a good time to reassess your current MFA policies particularly if you are utilising ADFS with on-premises MFA; either via a third party provider or with something like Azure MFA Server.
Prior to conditional MFA policies being possible, when utilising on-premises MFA with Office 365 and/or Azure AD the MFA rules were generally enabled on the ADFS relying party trust itself. … [Keep reading] “Using ADFS on-premises MFA with Azure AD Conditional Access”