Latest Discussions
Active Directory Vs Azure Active Directory
Active Directory (AD) and Azure Active Directory (AAD) are both identity management solutions from Microsoft, but they serve different purposes. In this blog post, we'll explore the differences between AD and AAD and when you might want to use one over the other.

Active Directory (AD)

Active Directory is a service provided by Microsoft that is used to manage users, computers, and other resources in a Windows-based network. It was first introduced in Windows 2000 and has since evolved into the core identity management solution for most organizations that use Windows-based systems. AD is a domain-based directory service, which means that it is designed to work within a single organization's network.

AD stores user and computer account information, authentication and authorization data, and security policies. It also provides services such as Group Policy, which allows administrators to configure and enforce policies for users and computers in the domain. AD is typically deployed on-premises and requires a domain controller to operate. Domain controllers are servers that store and manage AD data and provide authentication and authorization services to users and computers in the domain.

Azure Active Directory (AAD)

Azure Active Directory is a cloud-based identity management solution that is used to manage users and groups, control access to cloud-based applications, and integrate with other cloud-based services. It is a multi-tenant directory service, which means that it can be used by multiple organizations at the same time.

AAD provides many of the same features as AD, such as user and group management, authentication and authorization, and security policies. However, AAD is designed to work with cloud-based applications and services, and it does not require a domain controller. AAD is often used in conjunction with other cloud-based services, such as Office 365, Azure, and other SaaS applications.

AAD provides a single sign-on (SSO) experience for users, which means that users only need to log in once to access all of the cloud-based applications and services that they have access to.

When to use AD vs AAD

AD is still the go-to solution for managing identity and access in on-premises Windows-based networks. If you are running a Windows-based network and you need to manage users, computers, and other resources within your organization, then AD is the right choice.

AAD is best suited for organizations that are using cloud-based services and applications. If you are using Office 365 or other cloud-based services and you need to manage users and control access to those services, then AAD is the right choice.

It is also possible to use both AD and AAD in a hybrid environment. In this scenario, AD is used to manage on-premises resources, while AAD is used to manage cloud-based resources. This allows organizations to maintain a consistent identity and access management strategy across their on-premises and cloud-based environments.

Active Directory and Azure Active Directory are both powerful identity management solutions, but they serve different purposes. AD is designed for on-premises Windows-based networks, while AAD is designed for cloud-based services and applications. Depending on your organization's needs, you may choose to use one or the other, or a combination of both in a hybrid environment.

23K Views, 2 likes, 0 Comments.

Private Network is currently disabled in my tenant
Hi All, I am interested in testing Entra ID Private Access, but when I go to the connectors, it shows "Private Network is currently disabled for your tenant." Does anyone know what the reason for this is, and how should I overcome it? Thanks in advance, Dilan

dilanmic, Dec 23, 2023, Iron Contributor. 18K Views, 0 likes, 8 Comments.

'Microsoft App Access Panel' and Conditional Access with SSPR combined registration bug
Currently, enabling self-service password reset (SSPR) registration enforcement causes the app 'Microsoft App Access Panel' to be added to the login flow of users who have SSPR enabled. This app cannot be excluded from Conditional Access (CA) policies and is caught by 'All cloud apps', which breaks secure zero-trust scenarios and CA policy configurations. The best way to demonstrate this is through examples...

----Example 1----

Environment:
- CA Policy 1 - 'All cloud apps' requiring hybrid/compliant device, but excluding [App] (for all non-guest accounts)
- CA Policy 2 - [App] requiring MFA only (for contractor accounts, etc.)
- CA Policy 3 - [App] requiring hybrid/compliant device (for internal accounts, etc.)
- SSPR registration enforcement (Password reset > Registration) - set to 'Yes'
- MFA registration enforcement (Security > Authentication Methods > Registration campaign) - set to 'Enabled'

Scenario: A new user requires access to web [App] on an unenrolled device and is assigned an account that falls under CA Policy 1 and 2; however, [App] is excluded from 1 and it shouldn't apply to this login. When accessing [App] for the first time, users must register SSPR/MFA. They see the below message, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/passwordreset/register.aspx:

Then they see this screen, which blocks the login and tries to get the user to download the Company Portal app:

Behind the scenes, the login to [App] is being blocked by 'Microsoft App Access Panel' because it is seemingly added to the login flow and caught by CA Policy 1 in Req 2/3:

CA Policy 1 shows as not applied on Req 1, CA Policy 2 shows as successful for Req 1/2/3 and CA Policy 3 shows as not applied for Req 1/2/3. Creating a CA policy for the 'Register security information' user action has no effect on this scenario and also shows as not applied on all the related sign-in logs.

----Example 2----

Environment: Same as above, but SSPR registration enforcement - set to 'No'

Scenario: Same as above, but when accessing [App] for the first time, they see the below message instead, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/proofup.aspx:

Then they are directed to the combined SSPR/MFA registration experience successfully:

The 'Microsoft App Access Panel' doesn't show in the sign-in logs and the sign-in is successful after registration.

From the two examples, it seems to be a bug with the SSPR registration enforcement and the combined registration experience.

----Workarounds----

1 - Prevent using 'All cloud apps' with device-based CA policies (difficult, requires redesigning/rethinking/testing policies, could introduce new gaps, etc.)
2 - Turn off SSPR registration enforcement and turn on MFA registration enforcement as in Example 2 (easy, but only enforces MS MFA App registration, doesn't seem to re-trigger registration if the MS MFA App is removed, no other methods are supported for registration, and doesn't remind users to update)
3 - Disable SSPR entirely for affected users (medium, depending on available security groups, and doesn't allow affected users to use SSPR)

----Related links----

Be able to exclude Microsoft App Access Panel from Conditional Access · Community (azure.com)
Support conditional access for MyApps.microsoft.com · Community (azure.com)
Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal" - Microsoft Community Hub

MS, please either:
1 - Allow 'Microsoft App Access Panel' to be added to CA policies so it can be excluded
2 - Prevent 'Microsoft App Access Panel' from showing up in the CA login flow when SSPR registration enforcement is enabled

secure-logic, Nov 29, 2023, Copper Contributor. 14K Views, 1 like, 14 Comments.

Getting at On Premises user attributes in PowerShell/Graph?
In the Entra admin center, there are many attributes on each user that start with the name 'On Premises'. I would like to extract this info for my users and report on it. The download function in the admin center does not export these attributes. I'm guessing I can get to them somewhere via Graph/PowerShell, but I have yet to find the 'on premises' fields I'm looking for. I am mostly trying to report on 'On Premises user principal name'. Does anyone know how to get at this bit of info? THX

Solved. Wick_man11, Jul 13, 2023, Copper Contributor. 11K Views, 0 likes, 3 Comments.

Excessive MFA prompts for a specific user
One specific user in my tenant is prompted for MFA multiple times a day. Our conditional access policies specify that a user must re-authenticate every 90 days with MFA. All other users do not get prompted daily without a new risk factor like a new device or unknown IP address.

I have tried the following:
- Re-registered authentication methods and revoked previous multifactor auth sessions.
- Enabled Multifactor Authentication in Security Defaults for this user (rather than conditional access).
- Exempted this user from the standard CA policy, and created a new one.

None of these steps have helped. Microsoft support was no help.

Some other information:
- This user uses 1 to 2 IP addresses throughout the week (home and office).
- This user is using the same devices every day. We have replaced the devices and the issue persists.
- There are at least 1, up to 5 prompts daily.
- No other users are experiencing this issue, and MFA behaves as expected.
- Azure Identity Protection lists the risk for this user as none. Zero risk detections within the last 90 days.

Any suggestions are appreciated.

Tim_Healey, Jul 17, 2023, Copper Contributor. 11K Views, 0 likes, 7 Comments.

Microsoft ADFS direction: is it end of development?
I have seen multiple articles where Microsoft suggests migrating to Azure AD from ADFS for brownfields, and for greenfields it is suggested to use Azure AD because of multiple capabilities. I have heard in multiple places that ADFS is at end of support, and some suggest it is end of development. Can anyone provide information? In the below article Microsoft says to migrate to Azure AD: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-overview

Chandrasekhar_Arya, Jun 23, 2023, Steel Contributor. 10K Views, 0 likes, 0 Comments.

PIM License requirement
Hello Team, I have a doubt regarding Azure AD PIM licensing. According to the documentation:

"Licenses you must have. Ensure that your directory has at least as many Azure AD Premium P2 licenses as you have employees that will be performing the following tasks:
- Users assigned as eligible to Azure AD or Azure roles managed using PIM
- Users who are assigned as eligible members or owners of privileged access groups
- Users able to approve or reject activation requests in PIM
- Users assigned to an access review
- Users who perform access reviews"

In my tenant, the Azure AD P2 (Microsoft Entra ID P2) license is assigned at the tenant level. Now my questions are:

1. I have 30 users that will be added to some privileged role and will be managed via PIM. In my tenant I have 40 E5 licenses. Do 30 Azure AD E5 (P2 will get automatically provisioned) licenses need to be assigned to these individual 30 users who will be in scope of PIM? Or is there no need to assign them, as the tenant already has the Azure AD P2 license activated at tenant level?
2. If I do not assign the license to the users individually, will I breach any compliance policy from Microsoft?

Please help me here.

Dipronildey, Oct 10, 2023, Copper Contributor. 9.9K Views, 0 likes, 3 Comments.

Azure AD extension attributes from AD Connect
I'm struggling with finding my data in AAD. We've been running Azure Connect for years to bring the data from our on-prem AD over to our AAD instance. Back last spring, I expanded the scope of the fields we were bringing over; in Azure Connect I configured it to also send the uid from AD, where we were storing a value that I needed for SSO for a specific application. I was able to configure the claims rules for the enterprise application that I configured in AAD to send the value along to the app, and SSO works fine.

My problem is where that data is. I'll be referring here mostly to PowerShell commands to look at the users. If I run Get-AzureADUser on a user -- I've tried several, all who can successfully use the SSO -- then pipe that along to select to expand the extension properties, the extension property isn't even in the list. The one place I have found it is if I run Get-AzureADApplication | Get-AzureADApplicationExtensionProperty: it is in the list of defined extension properties, targeting users.

Ideally, I'd like to be able to see the value for a given user from AAD, and set it through PowerShell as well. Help? Why doesn't it show up in the extension attributes for our users?

EStrong9, Dec 02, 2023, Copper Contributor. 9.6K Views, 1 like, 9 Comments.

Azure AD Connect - sync computer (device) extensionAttributes to Azure AD
Hi, is there any way to synchronize extensionAttribute from on-prem AD to Azure AD? I can sync these attributes for "user" or "group", but I can't do it for computer (device). See screenshot below. Thanks

KatakKatak, Jun 19, 2023, Copper Contributor. 9.4K Views, 0 likes, 6 Comments.

Idle session timeout Conditional Access policy for unmanaged devices
What is the default time period for the "Idle Session timeout" policy in Conditional Access? I was looking for a way to create this policy for unmanaged devices in the tenant, and when I checked there is no filter or checkbox where we can enter or give a time period for idle sessions on unmanaged devices. Here is the link I was looking at to create the policy for unmanaged devices: https://learn.microsoft.com/en-us/microsoft-365/admin/manage/idle-session-timeout-web-apps?view=o365-worldwide#turn-on-idle-session-timeout:~:text=Idle%20session%20timeout%20on%20unmanaged%20devices See below snap.

8.9K Views, 0 likes, 11 Comments.