Category Archives: Azure Active Directory

All Posts about Azure Active Directory (AAD)

Allgemein, Azure, Azure Active Directory, Azure Governance, Azure Security, Cloud, Community, Events, Meetup, Microsoft

IdentitySummit 2020 is over – Thank you

Leave a comment

Our 1st IdentitySummit is over and we had a amazing Summit with our powerfull Speakers and our attendees.

We (Azure Bonn Orga Team) started planning the Summit in March 2020. The Orga Team from the AzureBonn Meetup consists of Melanie Eibl, Thomas Naunheim and René de la Motte. The idea came from Thomas (our Identity Expert) and we can say that was a wonderful idea.

We meet together at the Debeka Innovation Center (DICE) in Koblenz to organize and streaming all the sessions from one central place. The current Corona situation has unfortunately not made a complete live event possible, so we have met under the rules in force to ensure a smooth process and bring a little live feeling.

Now after 6 session in 2 parallel Tracks we can say it was worth every minute of planning – Why?

The answer is simple: First of all because of our great speakers. Each session was planned with a minimum of 300, and each session went deep into the relevant topics, showing what needs to be considered, the pitfalls and best practices available.

Continue reading IdentitySummit 2020 is over – Thank you
Allgemein, Azure, Azure Active Directory, Azure Monitor, Azure Security, Cloud, Microsoft

Howto Setup and Monitor the Break Glass Account in your Tenant

4 Comments

19/01/2022 – Update 1

I´ve updated the article because the actual sign-in query only logs all login attempts of the break glass account (successfully, unsuccessfully, etc.) . I added the different IDs so that you can setup the alert mail based on a indivudal filter. Thank you goes out to Eric Soldierer for this note. I also updated some changed services that had left their preview status.

In the past I do a lot of Azure Governance workshop and one interesting topic is how to handle the Break Glass Account. Before we going deeper, first we take a look was is the Break Glass Account. For each Administrator role in Azure or Office365 is it best practice to use MFA to secure the account and get a better security for the Tenant. To realize this, normally we use Conditional Access and create a rule, that every Admin require MFA for login. But what can we do, when:

  • the MFA service is down
  • we create a Conditinal Access that with a wrong rule set and lost sign-in access
  • we do not regulary update our control list and the admin account goes lost

For this cases we need a Break glass account, an additional account with a high security password, to enter the Tenant in an emergeny case. For this account, there are some recommendations:

  • only use a generic account
  • create a complex password with more than 16 characters
  • up to 256 characters possible – the limit of 16 character is removed
  • for compliance reason divide the password into two parts
  • save each part in a different location
  • create a security group that contains the break glass accounts
  • create two break glass accounts with no standard username like breakglass@ or emergency
  • use the Tenant name for the account
  • do not use a custom domain name
  • in futher it will be possible to use FIDO2 security key for break glass (right now is in preview and not recommended for such critical scenario)

Now we can discuss in some ways a security gap – a service account with Global admin rights that do not require MFA for login. Now you see, why it is so important to monitor this accounts and get notified when they will be used for login.

Continue reading Howto Setup and Monitor the Break Glass Account in your Tenant
Active Directory, Allgemein, Azure, Azure Active Directory, Azure Files, Cloud, Microsoft, Windows Virtual Desktop

CONFIGURE AZURE FILES ON-PREMISES ACTIVE DIRECTORY (AD DS) AUTHENTICATION FOR FILESERVER OR WVD

14 Comments

Update 2

Please note: This article is replaced by All you need to know about Azure Files SMB authentication via Active Directory Domain Services.

Update 1

Azure Files on-premises Active Directory Domain Services authentication is since 11/06/20 GA. The article is upgraded and integrated the latest features and improvements.

Update 2

12/06/20 Azure Files Hybrid PowerShell Module upgrate to v. 0.2.0

In the past I had a lot of talks about Azure File Sync, a lightwight solutions to sync servers from different locations and branches via Azure Files. One often questions was, it is possible to use Azure Files directly with integrated on-premises Active Directory (AD DS) authentication – the great answer since a few days is Yes, this is possible.

Now you can use Azure Files with on-premises Active Directory authentication as a fully replacement for Fileservers. No need for Azure Active Directory Domain Services (Azure AD DS) or different settings on Azure Files. This gives great new ways to use Azure Files as an replacement for Windows based fileservers or for using as an profile store for Windows Virtual Desktop and come closer to a cloud native solution.

In this article I will explain how Azure files AD DS authentication works, how to configure it, some basic steps and more. Please feel free to use the comment section or Twitter to get in touch with me and give me feedback or ask questions.

Continue reading CONFIGURE AZURE FILES ON-PREMISES ACTIVE DIRECTORY (AD DS) AUTHENTICATION FOR FILESERVER OR WVD
Allgemein, Azure, Azure Active Directory, Azure Security, Certifications, Cloud, Microsoft, Windows Server

How I pass the Azure Security Exam Az-500

13 Comments

In the past I have taken several Azure exams, and yesterday I took the Azure Security exam Az-500. I am really glad that I passed the exam. In this article I will give you a brief overview of the topics I saw in the exam and what materials I used to prepare for the exam. I can say directly that the best way to succeed in the exam is practice.

Continue reading How I pass the Azure Security Exam Az-500
Allgemein, Azure, Azure Active Directory, Azure Security, Cloud, Microsoft

Setup Passwordless login Für Azure & Microsoft365 mit yubico 5 und FIDO2

2 Comments

Vor einigen Wochen hat Yubico zahlreiche Passwordless-Kits kostenlos zur Verfügung gestellt. Um weitere Menschen von den zahlreichen Vorteilen des Passwordless Logins mit dem integrierten FIDO (Fast IDentity Online) Standard, in Yubico Devices, zu überzeugen. Vor ein paar Tagen habe ich mein Starterpaket erhalten – an dieser Stelle vielen Dank für die Zusendung. Das Starterpaket enthielt direkt 2 Keys den YubiKey 5 NFC (USB + NFC) und den YubiKey 5C (USB Type-C). Direkt nach dem Erhalt habe ich mit der Einrichtung begonnen – die sich sehr einfach gestaltet.

Dieser Artikel stellt die Voraussetzungen und die Konfiguration des Azure Active Directorys vor, um die Kennwortlose (Passwordless) Funktion zu nutzen.

Continue reading Setup Passwordless login Für Azure & Microsoft365 mit yubico 5 und FIDO2
Active Directory, Allgemein, Azure, Azure Active Directory, Cloud, Microsoft

AzureAD Connect mit AD Service Account konfigurieren

Leave a comment

Eines der ersten Aufgaben bei Hybrid Szenarien ist die Einrichtung von AzureAD Connect, um die Domänenidentitäten für Cloud Produkte bereitzustellen und Single-Sign-On zu ermöglichen.

In diesem kleinen HowTo möchte ich die Einrichtung anhand eines Gatewayservers erläutern, der zwischen dem eigentlichem DC und AzureAD die Identitäten synchronisiert.

Continue reading AzureAD Connect mit AD Service Account konfigurieren