identity management
The final push to GA "Azure AD in new Azure Portal": We need your help!
Hello folks, We're making our final push to the General Availability of "Azure Active Directory in the new Azure Portal", and we need your help to make sure it is great for you. As Alex Simons shared: "Last September we shared the first preview of the new administration experience for Azure Active Directory in the new Azure portal. Since then, we've added lots of new functionality, including reporting, app management, conditional access, B2B, and licensing. Many of you are using the new experience regularly – in fact, over half a million of you are using it, from almost every country in the world, with usage increasing by about 25% each month. We appreciate all your positive feedback, and love the constructive feedback that's helped us make an even stronger product. But there are still a LOT of you using the old portal. Late last week we turned on another set of feature updates, and the new experience now has all of the features identity admins frequently use. With that update, we've entered our final push to GA the UX in the next ~60 days. And that's where we need your help: We need everyone to move over to using the new portal for production tasks so we can uncover any last minute lingering issues." Please do read Alex's blog post for more details and send us your feedback in the 'Admin Portal' section of our feedback forum. Let us know what you think!

SCIM provisioning - custom app authentication
Hi, in the documentation at https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups#handling-endpoint-authentication, two methods are given: 1) a "long-lived token" (i.e. a secret key that has to be pasted in the clear by the admin); 2) a "Microsoft Entra bearer token": similar to other services (e.g. callbacks for MS Teams bots), Microsoft signs the outgoing calls, and the app being provisioned can validate them against Microsoft's public keys. To me, option (2) is by far the best: each message is signed individually, there is no manual handling of secrets, etc. As said in the documentation, "Apps that use Microsoft Entra ID as an identity provider can validate this Microsoft Entra ID-issued token." Great! So why on earth does it then say "The token generated by the Microsoft Entra ID should only be used for testing. It shouldn't be used in production environments."? Why not? The whole system of Entra bearer tokens is only for test? And production should go back to secret keys, with all the problems they have? It doesn't seem right. What am I missing here?

More new 3rd party apps to the #AzureAD App Gallery today!
It's really amazing that if you use Azure AD, you have the option to use more than 3000 3rd party apps. As the Azure AD Team says, these apps are the most popular and fastest growing capabilities in Azure AD. Please read the blog post here.

23H2 Passkeys: default to security key instead of mobile devices
Microsoft invested time & money to introduce Passkeys in Windows 11 23H2, as it should. Unfortunately, it defaults to a mobile device (iPhone, iPad or Android device) every time you try to log on. This is very annoying for everybody who is using a Security Key (FIDO2). Before, we just needed to enter our PIN, but now we need multiple clicks to log on. I'm not aware of a solution to manage these options (manually or through Intune). Is anyone aware of a solution? I'm quite amazed Microsoft didn't think of this.

Upcoming improvements to the Azure AD sign-in experience
We'd like to give you an early heads-up on some visual design updates that are coming to the Azure AD sign-in experience. Customers gave us a LOT of feedback last time we updated the sign-in. It was clear that you wanted us to provide more notification, earlier in the process, with more information. We've learned, and this time we're giving you more time and info than ever before. Our next set of changes aims to reduce clutter and make our screens look cleaner. A visually simpler UI helps users focus on the task at hand – signing in. This is solely a visual UI change with no changes to functionality. Existing company branding settings will carry forward to the updated UI. There will be no change to SSO or "Keep me signed in" functionality. Read more about the changes at https://aka.ms/y4s53u.

Using AzureAD Join to rebuild my PC in under an hour
Hi Everyone! I just wrote a new blog post on how I use Microsoft 365 (specifically Azure AD Join) to rebuild my PC in under an hour, and a little bit about my workstyle that allows me to do this, and would like to share it with the community. If you have feedback or questions or ideas on things I should add - please let me know! Link: https://blogs.technet.microsoft.com/skypehybridguy/2017/08/03/how-microsoft-365-enables-me-to-rebuild-my-pc-in-an-hour-over-lunch/

How to stop disabled user accounts from syncing with Azure AD Connect
Hello again, I was experimenting these days with Azure AD Connect, the tool that lets you synchronize your on-premises AD accounts to Azure AD. So I thought: what happens when you have some disabled user accounts in your on-premises AD environment? Do you really need them to synchronize? Probably not. So we'll see what you have to do in case you don't want to bring your disabled user accounts up to Azure AD. Please read the rest of the article here.

Azure Active Directory Guest User Lifecycle Management (Access Reviews)!
Dear Azure Active Directory Friends,

Collaboration in today's world, with a wide variety of Microsoft cloud services, is here to stay. As with everything, advantages also come with disadvantages, for example when it comes to managing guest users in Azure Active Directory (Azure AD). Guest users can be created/invited in various services, such as SharePoint Online, Teams or Azure AD. After some time, the question arises: which guest users still need access to our organization and which do not? I answer this question with an Access Review.

Before we start creating the Access Review, we need to talk about the prerequisites. In my example, the following requirements are present:

1. Azure AD Premium P2 (was already present at the customer): https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#license-requirements
2. For this customer, all guest users are in one group.
3. You must be a Global administrator or User administrator.

Let's start now by navigating to Azure Active Directory and clicking on "External Identities" under "Manage". In the left-side menu, navigate to "Lifecycle management" and click "Access reviews". Click on "New access review". In "Review", please select "Teams + Groups" and then "Select Teams + Groups". Click on "Select group(s)"; a new blade will open. In the search box, search for the group, highlight that group and click "Select" at the bottom. In "Select review scope" I select "Guest users only", because in the selected group (in my example) there are only guest users. Click on "Reviews". Now select the reviewer from "Select reviewers". I will select "Group owner(s)" (for this there must be an owner of this group); you can of course make another selection, according to your needs. If the owner does not respond to the access review, you can select "Fallback reviewers".

In order to work with group owners, the following must be configured: in the Azure AD portal, open the Identity Governance page. In the left menu, under "Access reviews", click "Settings". On the "Delegate who can create and manage access reviews" page, set the "(Preview) Group owners can create and manage access reviews of groups they own" setting to Yes.

Now you can determine the duration of the review. Depending on the number of days you select, not all options are available for "Review recurrence". For example, if you select 7 days, you cannot select weekly for "Review recurrence", etc. (I select 3 days and one time). Once your settings are made, click on "Next: Settings". Now the individual settings can be made:

1. If you want to automatically remove access for denied users, set "Auto apply results to resource" to Enable.
2. Use the "If reviewers don't respond" list to specify what happens for users that are not reviewed by the reviewer within the review period.
   - No change: leave the user's access unchanged
   - Remove access: remove the user's access
   - Approve access: approve the user's access
   - Take recommendations: take the system's recommendation on denying or approving the user's continued access
3. Use the "Action to apply on denied guest users" to specify what happens to guest users if they are denied. "Remove user's membership from the resource" will remove the denied user's access to the group or application being reviewed; they will still be able to sign in to the tenant. "Block user from signing-in for 30 days, then remove user from the tenant" will block the denied users from signing in to the tenant, regardless of whether they have access to other resources. If there was a mistake or if an admin decides to re-enable one's access, they can do so within 30 days after the user has been disabled. If no action is taken on the disabled users, they will be deleted from the tenant.
4. In "Enable review decision helpers", choose whether you would like your reviewer to receive recommendations during the review process.
5. In the "Advanced settings" section you can choose the following:
   - Set "Justification required" to Enable to require the reviewer to supply a reason for approval.
   - Set "Email notifications" to Enable to have Azure AD send email notifications to reviewers when an access review starts, and to administrators when a review completes.
   - Set "Reminders" to Enable to have Azure AD send reminders of access reviews in progress to all reviewers. Reviewers will receive the reminders halfway through the duration of the review, regardless of whether they have completed their review at that time.

At the end, click on "Next: Review + Create". Give your review a name and click "Create". Now your Access Review will be listed. The owner or owners of the group (in my case, me) have now received an email. (Sorry, the last two screenshots are in German.) The group owner can now start the review by clicking on "Start review". It starts the browser, a login must be made, and then the group owner sees the details. Now the group owner can decide which guest users can still have access to the organization.

I hope this article was helpful for you. Thank you for taking the time to read this article.

Best regards, Tom Wechsler

Intro to querying Azure AD sign-in and audit logs held in Azure Monitor from PowerShell
Some questions I'm asked frequently about Azure AD: how can I see and retain more than 30 days of audit events from Azure AD features? And how can I get that audit history programmatically, without needing to sign in as a highly-privileged Azure AD administrator, in order to download records for a report or to answer an auditor's inquiry?

Last year we announced that organizations with Azure AD Premium and an Azure subscription could start to build custom reports on their Azure AD audit and sign-in logs, by configuring Azure AD to send those logs to Azure Monitor. We also built several reports for sign-in analysis as Azure AD workbooks, and showed how to set triggers for alert notifications. Once you've configured Azure AD to send logs to Azure Monitor, you can also access those logs through PowerShell, sending queries from scripts or from the PowerShell command line, without needing to be a Global Admin in the tenant.

Because Azure services have changed their names in the past few years, it's sometimes challenging to figure out which PowerShell command to use. So I've written down a few steps I used when learning how to query Azure AD logs that have been sent to Azure Monitor.

Before you begin, if you haven't already configured this integration between Azure AD and Azure Monitor, you'll need to follow the steps to Integrate Azure AD logs with Azure Monitor logs. Next, you'll want to ensure you (or the user or service principal who will be authenticating to Azure AD) are in the appropriate Azure role in the Log Analytics workspace, either the Log Analytics Reader role or the Log Analytics Contributor role. You can set this role assignment in the Azure Portal by locating the Log Analytics workspace, clicking on "Access Control (IAM)" and clicking Add to add a role assignment.

Then launch PowerShell, and install the Azure PowerShell module, if you haven't already, by typing

    Install-Module -Name Az -AllowClobber -Scope CurrentUser

Now you're ready to authenticate to Azure AD and retrieve the id of the Log Analytics workspace you'll be querying. If you have only a single Azure subscription and a single Log Analytics workspace, then authenticate to Azure AD, connecting to that subscription and retrieving that workspace, by typing

    Connect-AzAccount
    $wks = Get-AzOperationalInsightsWorkspace

It's important to note that Get-AzOperationalInsightsWorkspace operates in one subscription at a time. If you have multiple Azure subscriptions, then you'll want to ensure you connect to the one which has the Log Analytics workspace with the Azure AD logs. The cmdlets

    Connect-AzAccount
    $subs = Get-AzSubscription
    $subs | Format-Table

display a list of subscriptions, from which you can find the id of the subscription which has the Log Analytics workspace. You can re-authenticate and associate your PowerShell session with that subscription using a command such as

    Connect-AzAccount -Subscription $subs[0].Id

(To learn more about how to authenticate to Azure from PowerShell, including non-interactively, see Sign in with Azure PowerShell.)

If you have multiple Log Analytics workspaces in that subscription, then the cmdlet Get-AzOperationalInsightsWorkspace returns the list of workspaces, so you can find the one which has the Azure AD logs. The CustomerId field returned by this cmdlet is the same as the value of the "Workspace ID" displayed in the Azure Portal in the Log Analytics workspace overview.

    $wks = Get-AzOperationalInsightsWorkspace
    $wks | Format-Table CustomerId, Name

Finally, once you have a workspace identified, you can use Invoke-AzOperationalInsightsQuery to send a Kusto query to that workspace. These queries are written in Kusto Query Language (KQL). For example, you can retrieve old sign-in records from the Log Analytics workspace with a query like

    $sQuery = "SigninLogs | where TimeGenerated > ago(3653d) | order by TimeGenerated asc | limit 10"
    $sResponse = Invoke-AzOperationalInsightsQuery -WorkspaceId $wks[0].CustomerId -Query $sQuery
    $sResponse.Results | Format-Table TimeGenerated, UserDisplayName, UserPrincipalName

or audit records with

    $aQuery = "AuditLogs | where TimeGenerated > ago(3653d) | order by TimeGenerated asc | limit 10"
    $aResponse = Invoke-AzOperationalInsightsQuery -WorkspaceId $wks[0].CustomerId -Query $aQuery
    $aResponse.Results | Format-Table TimeGenerated, Category, OperationName, Result

I hope to find more interesting examples of Kusto queries for the sign-in and audit logs in future. Thanks!
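A reusable form of the workflow in the post above (an added example, not code from the original post): a helper that picks the workspace by name instead of by index, bounds the query server-side with -Timespan, and two starter Kusto queries an auditor is likely to ask for. The function name, workspace name and subscription id are placeholders, and it assumes the Az modules are installed and Azure AD logs already flow to the workspace.

```powershell
# Added example (not from the original post). Assumes the Az.Accounts and
# Az.OperationalInsights modules are installed and that Azure AD sign-in and
# audit logs are already streamed to a Log Analytics workspace.

# Run a KQL query against one Log Analytics workspace, selected by name rather
# than by position in the list, and return the result rows as objects.
function Invoke-AadLogQuery {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceName,   # placeholder: your workspace name
        [Parameter(Mandatory)] [string] $Query,
        [int] $LookbackDays = 30
    )

    # Get-AzOperationalInsightsWorkspace only sees the current subscription,
    # so the session must already be connected to the right one.
    $wks = @(Get-AzOperationalInsightsWorkspace | Where-Object { $_.Name -eq $WorkspaceName })
    if ($wks.Count -eq 0) {
        throw "Workspace '$WorkspaceName' not found in subscription $((Get-AzContext).Subscription.Id)"
    }
    if ($wks.Count -gt 1) {
        throw "Workspace name '$WorkspaceName' is ambiguous; narrow it by resource group"
    }

    # -Timespan bounds the query server-side, so ago() is not needed in every query text.
    $resp = Invoke-AzOperationalInsightsQuery -WorkspaceId $wks[0].CustomerId `
                -Query $Query -Timespan (New-TimeSpan -Days $LookbackDays)
    return $resp.Results
}

# Query 1: failed sign-ins per account. In SigninLogs, ResultType is a string
# and "0" means success; anything else is a failure code.
$failedByUser = @'
SigninLogs
| where ResultType != "0"
| summarize Failures = count(), LastSeen = max(TimeGenerated) by UserPrincipalName
| order by Failures desc
| limit 20
'@

# Query 2: audit events that touch directory roles or application credentials,
# with the initiating user pulled out of the dynamic InitiatedBy column.
$privilegedChanges = @'
AuditLogs
| where Category in ("RoleManagement", "ApplicationManagement")
| project TimeGenerated, Category, OperationName, Result,
          Actor = tostring(InitiatedBy.user.userPrincipalName)
| order by TimeGenerated desc
'@

Connect-AzAccount -Subscription '<subscription id>'     # placeholder
Invoke-AadLogQuery -WorkspaceName '<workspace name>' -Query $failedByUser -LookbackDays 30 |
    Format-Table UserPrincipalName, Failures, LastSeen
```

Running the second query the same way (`-Query $privilegedChanges`) gives the role and app-credential changes for the same window, which is usually the first thing an auditor asks for alongside the sign-in failures.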