Showing posts with label Azure.

Congratulations 2019-2020 Microsoft MVP!

Monday, July 1, 2019
Once again I am deeply honored to receive the Microsoft MVP Award in the Office Servers and Apps category for 2019-2020. This is my eleventh consecutive year for this award.

The MVP Award is an important recognition to me and I'm very pleased to receive it. It includes several benefits, but the most important one to me is all the interactions with the great product groups at Microsoft. These relationships allow me to reach out to specific product team members to provide feedback and get clarification on product features and behaviors.

It's a mutually beneficial partnership -- under NDA, Microsoft is able to talk with MVPs about product futures, provide access to technology adoption programs (TAPs) to try out new software, and solicit our feedback. As MVPs, we are able to provide important and honest feedback to the product teams about how new features and behaviors will affect our customers, beta test new software and file bug reports, and be advocates for you, the customer.

This also adds value to my IT consulting business, EXPTA Consulting. It's evidence that Microsoft values my technical leadership and real-world experience, which I bring to each and every engagement, and customers know that I provide the best results as their trusted advisor.


User-based MFA vs. Conditional Access MFA

Monday, October 1, 2018
Thank you to everyone who attended my two sessions, "How to add MFA to your Exchange Online/on-premises mailboxes in 20 minutes or less" at Microsoft Ignite 2018 in Orlando! The first session was recorded and is available on YouTube. I wanted to post a follow-up article to those presentations.

There are two ways to configure users for multi-factor authentication (MFA) in Azure Active Directory -- user-based MFA and using conditional access. In my demos I used user-based in the interest of time, but most customers will usually use conditional access in production.

When you configure a user for user-based MFA, users are always prompted for MFA whenever they access a cloud resource, such as Exchange Online, SharePoint, Teams, etc. It's either on or off. You can configure a user for user-based MFA from the Azure AD Portal. Click Multi-Factor Authentication at the top of the Users blade.


This will open a new tab for the user-based MFA configuration page.


From here you can enable users for MFA. As mentioned above, this configures the user for MFA on every sign-in to a cloud resource. It also breaks access for any apps or protocols that don't support MFA, such as Exchange ActiveSync and other clients that use basic authentication, unless the user sets up an app password.

A better option is to use conditional access. Users are prompted for MFA only when a conditional access policy that requires it applies to them. Users do not (and should not) need to be configured for user-based MFA for conditional access (CA) policies to work. If user-based MFA is enabled for a user, it takes precedence: that user is prompted on every sign-in regardless of what the CA policies say.

You configure CA rules from the Conditional Access blade in the AAD portal.


Configure the Assignments for the CA policy (who and which apps get it) and configure the Access Controls to Grant access and Require multi-factor authentication.


MFA will now happen whenever the CA policy is triggered. For further information please see the article, "Quickstart: Require MFA for specific apps with Azure Active Directory conditional access".

Note that there are two separate places to configure trusted networks and IP addresses from which MFA is not required: one for user-based MFA and another for conditional access. The two lists are independent and do not affect each other. You can configure both CA named locations and the user-based MFA trusted IPs from the new Conditional access > Named locations blade.
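To see how the two settings interact in a real tenant, here is an added example (not code from the original post or from Microsoft) that audits which users are still on user-based MFA, which enabled CA policies require MFA, and which IP named locations are marked trusted. It assumes the MSOnline and AzureAD PowerShell modules of the time and a Global Administrator sign-in; the OdataType filter on named locations is an assumption about the object shape returned by that module.

```powershell
# Added example: audit user-based MFA against Conditional Access (not from the original post).
# Assumes the MSOnline and AzureAD modules and a Global Administrator session.
Connect-MsolService
Connect-AzureAD

# 1. Users configured for user-based MFA. StrongAuthenticationRequirements is empty for users
#    who are not; State is 'Enabled' (registration pending) or 'Enforced' (registered).
#    These users are prompted on every sign-in no matter what the CA policies say.
$perUserMfa = Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 } |
    Select-Object UserPrincipalName,
        @{ Name = 'PerUserMfaState'; Expression = { $_.StrongAuthenticationRequirements[0].State } }

# 2. Enabled Conditional Access policies whose grant control requires MFA.
$caMfaPolicies = Get-AzureADMSConditionalAccessPolicy |
    Where-Object { $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' } |
    Select-Object DisplayName,
        @{ Name = 'Users'; Expression = { $_.Conditions.Users.IncludeUsers -join ',' } },
        @{ Name = 'Apps';  Expression = { $_.Conditions.Applications.IncludeApplications -join ',' } }

# 3. IP named locations and whether CA treats them as trusted. The user-based MFA
#    "trusted IPs" list is a separate setting and is not returned by this cmdlet.
#    (Filtering on OdataType is an assumption about the module's output.)
$namedLocations = Get-AzureADMSNamedLocationPolicy |
    Where-Object { $_.OdataType -eq '#microsoft.graph.ipNamedLocation' } |
    Select-Object DisplayName, IsTrusted,
        @{ Name = 'Ranges'; Expression = { ($_.IpRanges | ForEach-Object CidrAddress) -join ',' } }

$perUserMfa     | Format-Table -AutoSize
$caMfaPolicies  | Format-Table -AutoSize
$namedLocations | Format-Table -AutoSize

# Clearing the requirement (an empty array) takes a user off user-based MFA so that the
# CA policies govern them. Run it only after confirming a CA policy covers the user.
function Disable-PerUserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
}
```

Anyone who appears in the first table and is also in scope of a policy in the second is being prompted by the per-user setting, not by the policy; move them with Disable-PerUserMfa once the CA coverage is confirmed, otherwise they lose MFA entirely.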



Congratulations 2018-2019 Microsoft MVP!

Sunday, July 1, 2018
I'm very pleased to announce that I have been given the Office Servers and Services Microsoft MVP Award again for 2018-2019. I have been awarded every year since 2009, so this will be my 10th consecutive year.


The MVP Award is an important recognition to me and I'm honored to receive it. It includes several benefits, but the most important one to me is all the interactions with the great product groups at Microsoft. These relationships allow me to reach out to specific product team members to provide feedback and get clarification on product features and behaviors.

It's a mutually beneficial partnership -- under NDA, Microsoft is able to talk with MVPs about product futures, provide access to technology adoption programs (TAPs) to test new software, and solicit our MVP feedback. As MVPs, we are able to provide important and honest feedback to the product teams about how new features and behaviors will affect our customers, beta test new software and file bug reports, and be advocates for you, the customer.

This has been somewhat of a nerve-racking award cycle. As Microsoft truly morphs into a cloud services company, its priorities are changing faster than ever before. Longtime MVPs have been notified that they were not going to be awarded this year because their community events do not align with Microsoft's vision. Entire groups that focus on on-premises technologies have been cut from the MVP program. I understand why, but I am sorry to see them go.

Another program change is that the re-award cycle changed from quarterly to yearly. I used be awarded on April 1 every year (I always worried that my award email was an April Fool's joke), but now all MVPs are awarded the same date, July 1. That means that the MVP leads have to review hundreds or thousands of MVPs at the same time. That takes a lot of work by them and I appreciate it.

If you think that you or someone you know deserves to be an MVP, you can learn what it takes to be one and nominate them from the Microsoft MVP Site. Microsoft reviews and awards new MVPs every month, with a renewal cycle on July 1.

The MVP Award adds value to my IT consulting business, EXPTA Consulting. It's evidence that Microsoft values my leadership in the community and real-world experience, which I bring to each and every engagement. Customers know that I provide the best results as their trusted advisor.

I feel great!




Discontinuation of Session Border Controllers in O365 and Why You Should Care

Tuesday, July 18, 2017

Microsoft announced today the Discontinuation of support for Session Border Controllers in Exchange Online Unified Messaging. This article is meant to explain what this means and why it's such a big deal.
UPDATES:
  • Option 3, using TE-SYSTEMS anynode, is no longer a Microsoft recommended option.
Session Border Controllers (SBCs) route SIP-to-SIP traffic. They act as two-legged, single-purpose firewalls used only for SIP. SBCs are usually deployed in the DMZ, with one interface facing the internal network (gateway/PBX) and the other facing the Internet (Office 365). They are required for all PBXs except Lync Server and Skype for Business to connect to Office 365 for voicemail or cloud PBX. Two SBCs are required for this communication: one on-prem and another Microsoft-owned SBC in Office 365 <- this is what is being retired.

VoIP gateways are needed when a legacy TDM-based PBX does not speak SIP. They translate TDM (PRI) to SIP. A SIP trunk connects the VoIP gateway to the SBC in the DMZ.

Customers have one or more of the following types of telephone systems that link to Office 365 for voicemail:

3rd party TDM-based PBX (analog)
Examples include Avaya, AT&T Merlin, Nortel. Requires a voice gateway and an SBC to connect to either Exchange UM or EXO UM.


3rd party IP-based PBX (digital)
Examples include Cisco CallManager. Requires an SBC to connect to either Exchange UM or EXO UM.


Lync Server/Skype for Business
Makes an authenticated federated call to the Lync Online service.

An Office 365 customer must create an IP Gateway in the tenant for SBC connectivity to Office 365. This creates a public DNS entry that looks like [GUID].um.outlook.com that maps to the SBC in Office 365. There will be one for each customer, but all on-prem SBCs connect to the same IP Gateway address, so the actual number of SBCs is really unknown.

UM Gateway in Exchange Server

The number of customers utilizing SBCs to connect to Office 365 may be small according to Microsoft, but these are usually very large customers with many SBCs. Once customers settle on a connectivity solution they continue to invest and expand on it. That's why it's such a big deal, especially for these customers.

According to today's announcement, the Office 365 SBCs are scheduled to be decommissioned in July 2018. If you're one of the customers who rely on SBCs to connect your on-premises PBX to Office 365 for Exchange UM or Azure voicemail, you have until then to make a change. As the article states, you have four options:

  • Option 1: Complete migration from 3rd party on-premises PBX to Office 365 Cloud PBX.
  • Option 2: Complete migration from 3rd party on-premises PBX to Skype for Business Server Enterprise Voice on-premises.
  • Option 3: For customers with a mixed deployment of 3rd party PBX and Skype for Business, connect the PBX to Skype for Business Server using a connector from a Microsoft partner, and continue using Exchange Online UM through that connector. For example, TE-SYSTEMS’ anynode UM connector can be used for that purpose.
  • Option 4: For customers with no Skype for Business Server deployment or for whom the solutions above are not appropriate, implement a 3rd party voicemail system.
Options 1, 2, and 4 are pretty well understood, but not trivial. Option 3, the anynode UM connector, requires a bit more explaining.

The anynode Skype for Business Voicemail Connector is a software SIP-to-SIP SBC solution that uses the Microsoft Unified Communications Managed API (UCMA) to communicate directly with Skype for Business Enterprise Voice. It's available from a German software company called TE-SYSTEMS (kind of reminds me of Geomant MWI for Exchange 2007 - anyone remember that?) This is great if your PBX already does SIP, but a number of large customers have analog PBXs in one or more locations. Traditional SBCs can convert analog PSTN calls to SIP using a Voice Gateway feature, and then trunk it over to Skype for Business or Skype for Business Online.

I can understand why Microsoft is discontinuing their SBCs in Office 365. It makes them rely on a third-party system that's sometimes difficult to manage. And after all, Microsoft is in business to sell services like Skype for Business and cloud PBX. But forcing customers to plan for and deploy all-new phone systems, SBC solutions, or voicemail systems in one year is asking a lot. Especially for the size of the customers they're affecting.

So what do you think? Will this tactic make you go "all in" for cloud PBX, as Microsoft hopes, or will it drive you toward one of the other solutions? Either way, you better get started now.


Congratulations 2017-2018 Microsoft MVP!

Saturday, July 1, 2017
I'm pleased to announce that I have been given the Office Servers and Services Microsoft MVP award again for 2017-2018. I have been awarded every year since 2009, so this will be my ninth consecutive year.



The MVP Award is an important recognition to me and I'm very pleased to receive it. It includes several benefits, but the most important one to me is all the interactions with the great product groups at Microsoft. These relationships allow me to reach out to specific product team members to provide feedback and get clarification on product features and behaviors.

It's a mutually beneficial partnership -- under NDA, Microsoft is able to talk with MVPs about product futures, provide access to technology adoption programs (TAPs) to try out new software, and solicit our feedback. As MVPs, we are able to provide important and honest feedback to the product teams about how new features and behaviors will affect our customers, beta test new software and file bug reports, and be advocates for you, the customer.

This also adds value to my IT consulting business, EXPTA Consulting. It's evidence that Microsoft values my technical leadership and real-world experience, which I bring to each and every engagement, and customers know that I provide the best results as their trusted advisor.

I feel great!



Important update for AAD Connect - Version 1.1.553.0

Wednesday, June 28, 2017


Microsoft released Azure Active Directory Connect version 1.1.553.0 on June 26, 2017. More importantly, they published an important security advisory one day later.


Microsoft Security Advisory 4033453 - Vulnerability in Azure AD Connect Could Allow Elevation of Privilege explains,
The [AAD Connect version 1.1.553.0] update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts. The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.
Microsoft highly recommends all customers update to version 1.1.553.0 or later to mitigate this vulnerability, even if you don't use the optional password writeback feature. If you are unable to update immediately, the article above describes mitigation steps you can consider.
  • If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
  • If an on-premises AD administrator has previously created Control Access Rights on the adminSDHolder object for the AD DS account which permits Reset Password operation, consider removing it.
  • It may not always be possible to remove existing permissions granted to the AD DS account (for example, the AD DS account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback). Consider creating a DENY ACE on the adminSDHolder object which disallows the AD DS account with Reset Password permission using Windows DSACLS tool.
DSACLS DNofAdminSDHolderContainer /D CONTOSO\ADDSAccount:CA;"Reset Password"
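Before and after applying those mitigations you want to know where the AD DS account actually stands. The following is an added example, not code from the advisory or from this post, that checks the installed AAD Connect version, whether the AD DS account is a direct member of the privileged groups, and which Reset Password ACEs for that account exist on AdminSDHolder (including the DENY ACE the DSACLS command above creates). It assumes the ActiveDirectory module, that it runs on the AAD Connect server, and that the account name CONTOSO\ADDSAccount is a placeholder; reading the version from the MSI uninstall registry entry is also an assumption.

```powershell
# Added example (not Microsoft's or the post author's code): review the AAD Connect AD DS
# account against the mitigations in Security Advisory 4033453.
# Assumes: ActiveDirectory module; runs on the AAD Connect server; the account is a placeholder.
param(
    [string]$AddsAccount = 'CONTOSO\ADDSAccount'   # placeholder: your AAD Connect AD DS account
)
Import-Module ActiveDirectory

# "Reset Password" is the User-Force-Change-Password extended right; this GUID is fixed in the schema.
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$privilegedGroups  = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                     'Account Operators', 'Schema Admins', 'Backup Operators'

# 1. Installed AAD Connect version (assumed: read from the MSI uninstall entry).
$fixed = [version]'1.1.553.0'
$entry = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } | Select-Object -First 1
$versionOk = $entry -and ([version]$entry.DisplayVersion -ge $fixed)

# 2. Direct membership of the AD DS account in privileged groups (mitigation 1).
#    Get-ADPrincipalGroupMembership returns direct memberships only; nested ones need a recursive check.
$sam = $AddsAccount.Split('\')[-1]
$groups = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
$privilegedMembership = $groups | Where-Object { $privilegedGroups -contains $_ }

# 3. ACEs on AdminSDHolder that give (or deny) the account Reset Password (mitigations 2 and 3).
#    An ExtendedRight ACE with an empty ObjectType covers every extended right, and GenericAll
#    covers everything, so both are reported alongside the explicit Reset Password right.
$adminSdHolder = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
$acl = Get-Acl -Path "AD:\$adminSdHolder"
$resetAces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $AddsAccount -and (
        ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
            ($_.ObjectType -eq $resetPasswordGuid -or $_.ObjectType -eq [guid]::Empty)) -or
        $_.ActiveDirectoryRights -match 'GenericAll'
    )
}

[pscustomobject]@{
    InstalledVersion     = if ($entry) { $entry.DisplayVersion } else { 'not found' }
    VersionAtOrAboveFix  = [bool]$versionOk
    PrivilegedGroups     = ($privilegedMembership -join ', ')
    ResetPasswordAllow   = (($resetAces | Where-Object AccessControlType -eq 'Allow').Count)
    ResetPasswordDeny    = (($resetAces | Where-Object AccessControlType -eq 'Deny').Count)
} | Format-List
```

A clean result is VersionAtOrAboveFix true, no privileged groups listed, and no Allow ACE; if the Allow ACE has to stay because another feature depends on it, the Deny count should be at least 1 after the DSACLS command has been run, and a Deny ACE wins over an Allow ACE when Windows evaluates the ACL.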

Besides this important security update, AAD Connect 1.1.553.0 includes several fixes, new features, and improvements both in AAD Connect and AD FS management. Read the Azure AD Connect: Version release history for a complete list.

With Azure AD Connect being such an important part of your cloud connectivity and authentication solution, it's super important to stay on top of any updates.




Explaining Conditional Access and Azure Pass Through Authentication

Tuesday, January 3, 2017
My previous article, Is Azure AD Pass-Through Authentication Right for You? generated some comments and questions about how PTA works with conditional access in Azure AD. There was enough confusion that I wrote a companion article, Explaining Conditional Access and Azure Pass Through Authentication.

Conditional access works great in a cloud-only world, but the real world usually contains legacy clients. Learn when it's appropriate to use conditional access policies and when to use AD FS claims rules with Azure pass-through authentication.



Is Azure AD Pass-Through Authentication Right for You?

Friday, December 9, 2016
Microsoft just released the new Azure AD Pass-Through Authentication (PTA) and Seamless Single Sign-On options in the new Azure AD Connect. This new authentication mechanism has a lot of great features and is well thought out, but it's not for every organization.

Check out my article, Microsoft Releases Azure AD Pass-Through Authentication and Seamless Single Sign-on, on the ENow Exchange & Office 365 Solutions Engine Blog. In it, I explain what PTA is, how it works, and how to configure it. You will learn how to deploy additional AAD pass-through connectors for high availability and configure SSO. I also discuss why AD FS may be a better solution for your business.




How to Manage Distribution Groups from Office 365 in a Hybrid Environment

Wednesday, November 30, 2016
When on-premises distribution groups are synced to an Office 365 tenant via Azure Active Directory Connect, migrated users who are owners of the distribution group can't manage them in Outlook. Depending on the version of Outlook used, the user will receive an error message that resembles the following:
The action 'Update-DistributionGroupMember', 'Identity.Members', can't be performed on the object '<name>' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

-or-
Changes to the public group membership cannot be saved. You do not have sufficient permission to perform this operation on this object.


This happens because Outlook tries to update the directory where the user's mailbox lives. If the mailbox is in Exchange Online, that is the Exchange Online Directory Service (EXODS), which is populated from Azure AD. Objects that are synchronized from on-premises with AAD Connect are read-only in EXODS, so the update is rejected and the user receives the error.
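The change has to be made where the object is mastered. As an added example (not part of the original post), the script below connects to both Exchange Online and on-premises Exchange with cmdlet prefixes, checks the group's IsDirSynced flag in Exchange Online, and routes the membership change to the right directory, kicking a delta sync afterwards so the cloud copy updates without waiting for the next scheduled cycle. Server names, the AAD Connect host, and the group and member names are placeholders.

```powershell
# Added example: change membership of a hybrid distribution group in the directory that owns it.
# Not from the original post. Server names, URIs and object names are placeholders.

$cred = Get-Credential -Message 'Office 365 admin'
$exo = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
$onPrem = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'http://ex01.contoso.local/PowerShell/' -Authentication Kerberos   # placeholder

# Prefixes keep the cloud and on-prem versions of the same cmdlets apart in one shell.
Import-PSSession $exo    -Prefix Cloud  -DisableNameChecking | Out-Null
Import-PSSession $onPrem -Prefix OnPrem -DisableNameChecking | Out-Null

function Add-HybridDistributionGroupMember {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Member,
        [string]$AadConnectServer = 'aadconnect01.contoso.local'   # placeholder
    )
    $cloudGroup = Get-CloudDistributionGroup -Identity $Group
    if ($cloudGroup.IsDirSynced) {
        # Mastered on-prem: EXODS holds a read-only copy, which is why Outlook fails.
        Add-OnPremDistributionGroupMember -Identity $Group -Member $Member
        # Push the change through AAD Connect now rather than at the next scheduled cycle.
        Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
            Start-ADSyncSyncCycle -PolicyType Delta
        }
        "Updated '$Group' on-premises; delta sync started on $AadConnectServer."
    }
    else {
        # Cloud-only group: Exchange Online is the authority.
        Add-CloudDistributionGroupMember -Identity $Group -Member $Member
        "Updated cloud-only group '$Group' in Exchange Online."
    }
}

Add-HybridDistributionGroupMember -Group 'Sales' -Member 'kljohnson@contoso.com'
```

This is the administrator's path; it does not give a migrated group owner self-service in Outlook, since the owner's client will always try the read-only EXODS copy first.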



Congratulations 2016 Microsoft MVP!

Friday, April 1, 2016
I'm pleased to announce that I have been given the Microsoft MVP award again for 2016. I have been awarded every year since 2009, so this will be my eighth consecutive year.


About mid 2015 Microsoft revamped the MVP Award program and rearranged the specialties. All Exchange Server MVPs were moved to the Office Servers and Services technical communities to better align with Microsoft's cloud-first offerings. That makes sense, since I work with so many more technologies than Exchange, both on-prem and in the cloud.

I feel great!



Linked Mailbox users will not sync in Azure AD with AAD Connect

Wednesday, March 30, 2016

You may find that some on-premises user accounts will not synchronize with Azure Active Directory using AAD Connect, no matter what you try. Once you rule out the obvious (OU filtering, object filtering, security permissions, etc.) check to see if the problem user has a linked mailbox in Exchange.

"An account with a linked mailbox will never be used for userPrincipalName and sourceAnchor. It is assumed that an active account will be found later."
I can't tell you what that last sentence is supposed to mean, but I can tell you that a linked mailbox cannot be soft-matched or hard-matched, and it will never provision itself in Azure AD. You will not see any warnings or errors in Synchronization Service Manager or the event logs indicating there's a problem -- the user just never gets provisioned in AAD, as if they are being filtered.

If you're handy with Synchronization Service Manager ("C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe"), you'll see that the on-prem user was pulled into the metaverse, but the Connectors tab only shows the on-prem AD connector. It does not show the corresponding tenant connector, as it should.


A linked mailbox is a special type of mailbox that is accessed by a user in a separate, trusted forest. I don't normally see orgs using linked mailboxes except during specific cross-forest migration scenarios. For example, during a merger or acquisition when both forests need to access the same mailbox. I have, however, seen occasions when a normal user mailbox is somehow converted to a linked mailbox during an Exchange upgrade. This usually happens because the source mailbox has some funky* permissions set on it, and by moving the mailbox to the new Exchange Server infrastructure the mailbox is converted from a user to a linked mailbox for some reason.  * Funky is a technical term.

If your environment is a single forest with no trusts or resource forests there's virtually no reason that any mailbox should be a linked mailbox. As a matter of fact, Exchange won't even let you create a linked mailbox unless there's a configured trusted forest in existence.

It is normally safe to convert a linked mailbox to a user mailbox with no ill effects. You cannot use the Exchange Admin Center to convert a linked mailbox to a user mailbox. You must use the Exchange Management Shell.

Use the following EMS command to convert a single linked mailbox to a user mailbox:
Set-User -Identity kljohnson@contoso.com -LinkedMasterAccount $null
Or you can use the following EMS command to convert all linked mailboxes to user mailboxes:
Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'LinkedMailbox')} | Set-User -LinkedMasterAccount $null
Once a linked mailbox has been converted to a user mailbox you can run a delta sync of AAD Connect using the following command and the user object(s) will now be provisioned correctly in Azure Active Directory.
Start-ADSyncSyncCycle -PolicyType Delta
I usually do this twice in a row to make sure both on-prem AD and Azure AD objects are completely up to date.

How to Schedule and Force Sync Updates with AAD Connect 1.1.x

Tuesday, March 8, 2016
Microsoft has made some significant changes to AAD Connect in version 1.1.x. New features include:
  • Automatic upgrade feature for Express settings customers
  • Support for the global admin using MFA and PIM in the installation wizard
  • Allow changing the user's sign-in method after initial install
  • Allow Domain and OU filtering in the installation wizard. This also allows connecting to forests where not all domains are available.
  • Scheduler is built-in to the sync engine and the default schedule is now 30 minutes
  • Plus there's MOAR!

You can download the latest version of AAD Connect here.

Note that the new Automatic Upgrade feature is not enabled unless you install AAD Connect with Express settings. Customized settings require more configuration, so automatic upgrade is not possible in these scenarios (yet).

They also changed the way you manage AAD Connect synchronization schedules and manual syncs (again). I swear sometimes these guys are psychotic.

Scheduling Synchronization

In previous versions, the synchronization schedule was implemented as a scheduled task in Windows. Now it's part of the sync engine and is configured via a PowerShell cmdlet. Previous versions synchronized every 3 hours, now it's every 30 minutes! Run the new Get-ADSyncScheduler cmdlet to view the current synchronization schedule:

Default synchronization schedule in AAD Connect 1.1.105

If you want to adjust the default schedule, run the Set-ADSyncScheduler cmdlet. Note that you cannot set the interval lower than the AllowedSyncCycleInterval of 30 minutes, but you can set it higher. If you try to use a value less than 30 minutes, you will get an error:

Cannot change AAD Connect sync frequency less than 30 minutes

If you DO find a way to adjust the schedule lower, understand that this is not supported by Microsoft.

Set-ADSyncScheduler accepts the following parameters:
  • CustomizedSyncCycleInterval <timespan> -- Sets a custom sync cycle interval. Must be higher than the AllowedSyncCycleInterval.
  • SyncCycleEnabled <bool> -- Enables or disables scheduled synchronization.
  • NextSyncCyclePolicyType <SynchronizationPolicyType> {Unspecified | Delta | Initial} -- Specifies how the next synchronization will run. Delta syncs only changes since the last sync. Initial performs a full resynchronization.
  • PurgeRunHistoryInterval <timespan> -- How long AAD Connect keeps the operation logs for past sync jobs before purging them. The default is to keep them for 7 days.
  • MaintenanceEnabled <bool> -- Enables maintenance mode, which lets the scheduler update certificates/keys and purge the operations log.
  • Force -- Makes the setting changes without warnings or confirmation. It does NOT force AAD Connect to accept a custom sync schedule that is lower than the AllowedSyncCycleInterval.

Forcing Synchronization

If you want to run a sync sooner than the next scheduled run, you can do it manually using the new Start-ADSyncSyncCycle cmdlet. For example:
Start-ADSyncSyncCycle -PolicyType Delta
This will force a delta sync immediately, as long as a scheduled sync is not running. Use PolicyType Initial to force a full sync.
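Putting the two halves together, here is an added example (not from the original post) that runs on the AAD Connect server: it reads the scheduler, refuses a custom interval below the AllowedSyncCycleInterval instead of letting the cmdlet error out, and wraps Start-ADSyncSyncCycle in a function that waits for any in-progress cycle to finish first, since starting a cycle while one is running fails. It also shows pausing scheduled sync for a maintenance window and re-enabling it. The one-hour interval and the timeout values are assumptions.

```powershell
# Added example: scheduler inspection and a safe forced delta sync (not from the original post).
# Assumes it runs on the AAD Connect server, where the ADSync module is installed.
Import-Module ADSync

function Set-ADSyncIntervalSafely {
    # Apply a custom interval only if it respects the scheduler's floor (30 minutes by default).
    param([Parameter(Mandatory)][timespan]$Interval)
    $sched = Get-ADSyncScheduler
    if ($Interval -lt $sched.AllowedSyncCycleInterval) {
        throw "Interval $Interval is below AllowedSyncCycleInterval $($sched.AllowedSyncCycleInterval); not supported."
    }
    Set-ADSyncScheduler -CustomizedSyncCycleInterval $Interval
    (Get-ADSyncScheduler).CurrentlyEffectiveSyncCycleInterval
}

function Start-SafeADSyncCycle {
    # Wait for any running cycle to finish, then start one; the scheduler rejects overlapping cycles.
    param(
        [ValidateSet('Delta', 'Initial')][string]$PolicyType = 'Delta',
        [int]$TimeoutSeconds = 900    # assumption: long enough for a typical delta cycle
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            throw "A sync cycle was still running after $TimeoutSeconds seconds; not starting another."
        }
        Start-Sleep -Seconds 15
    }
    Start-ADSyncSyncCycle -PolicyType $PolicyType
}

# Show the current settings (interval, next run, whether a cycle is running).
Get-ADSyncScheduler | Format-List AllowedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval,
    SyncCycleEnabled, NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC, SyncCycleInProgress

# Example: stretch the schedule to one hour (assumed value), then force a delta sync now.
Set-ADSyncIntervalSafely -Interval ([timespan]'01:00:00')
Start-SafeADSyncCycle -PolicyType Delta

# Maintenance window: stop scheduled cycles, do the work, then re-enable. Leaving
# SyncCycleEnabled at $false is the usual way a tenant silently stops synchronizing.
Set-ADSyncScheduler -SyncCycleEnabled $false
# ... maintenance ...
Set-ADSyncScheduler -SyncCycleEnabled $true
```

If you also need the next scheduled run to be a full sync (for example after changing filtering), set it with Set-ADSyncScheduler -NextSyncCyclePolicyType Initial rather than running Start-ADSyncSyncCycle -PolicyType Initial at an arbitrary time.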


Second Edition of Office 365 for Exchange Professionals

Thursday, September 10, 2015
I am very pleased to announce that the second edition of Office 365 for Exchange Professionals will be released next week at the IT/Dev Connections conference in Las Vegas, where all four of us will be speaking.

This self-published eBook is the most comprehensive publication available of all things Office 365. Over 150 pages of new content has been added since the first release at Microsoft Ignite in May 2015. The book covers new features and capabilities of Microsoft's cloud offering from an Exchange professional's perspective. You will learn how to take advantage of all the cloud has to offer in this comprehensive but surprisingly easy to read book.

The MVP co-authors are Tony Redmond, Michael Van Horenbeeck, and Paul Cunningham. Once again I provide my services as technical editor for this 770+ page book. Together, we bring over 60 years' experience in the IT and messaging industry. We have spent many hours exploring and understanding, participating in technical preview programs, and developing best practices in order to update this second edition with brand new content.

You can preorder Office 365 for Exchange Professionals from Paul Cunningham's ExchangeServerPro.com website or for your Kindle on Amazon.

If you are attending the IT/Dev Connections conference please join us for our second edition book launch party hosted by Binary Tree.
