Azure AD v2 Apps vs. The brick wall

Azure AD V2 Apps vs. The Brick Wall a.k.a. admin consent! Some months ago I was introduced to what Microsoft internally calls “The Brick Wall”. The end users are left with a prompt for admin consent enforced by the Microsoft Azure Federation Gateway and even if a Global Administrator (or Application Administrator) tried to approve …


Minor ADFS 2016 upgrade bug related to custom web theme

This is just a quick post I wanted to share online as this is the second time I was asked/heard about this ADFS 2016 bug. A minor bug exists in ADFS 2016 after upgrading from ADFS 2012 R2, when you have added a custom ADFS illustration picture. When will I see this bug? Often you …


Microsoft Flow and Azure Conditional Access (Azure MFA)

If you have deployed Azure Conditional Access (Azure MFA) you might have indirectly broken Microsoft Flow and impacted some service accounts used for running a business-critical workflow. It is possible to make an exception with Azure Conditional Access that does not block your Microsoft Flow from working. Example of issue: PowerUsers: MFA and Invalid …


Azure Conditional Access support for Dynamics 365 for Finance and Operations

Some weeks back I discussed with a customer whether Microsoft Dynamics 365 for Finance and Operations could be protected by using Microsoft Azure Conditional Access instead of just configuring a specific IP range whitelist within the Microsoft Dynamics 365 environment. Utilizing Microsoft Conditional Access would provide a more modern workplace approach for accessing Microsoft Dynamics …


Microsoft Azure AD Joined devices support Kerberos

Not many people are aware that Microsoft Windows 10 since version 1609 has had support for Kerberos authentication, thereby also bridging an important gap between Azure AD Joined and Domain Joined machines. This is an important step in the migration to a more modern environment with hybrid devices and enabling modern workplace scenarios for …


Office 365 / Azure AD: Block sign in for accounts with password hash sync

Expired Active Directory users are still able to sign into Microsoft Office 365 / Azure Active Directory when using password synchronization. If you have made the move from ADFS / PTA to using Azure AD Password Synchronization with SSO you will soon realize that former / terminated employees are still able to sign into Microsoft Office …


iOS 11 provides support for OAuth 2.0 (Modern Auth) in the native mail app

With the release of iOS 11.0, the native mail client now has support for OAuth 2.0. OAuth 2.0 is often referred to as modern authentication and provides some new capabilities like Microsoft Azure Multi-factor Authentication support and allows using certificates for authentication. Modern Authentication uses a secure token instead of relying on a username and …


login.windows.net still needs to be added to trusted sites in Internet Explorer

During some troubleshooting it was discovered that for some reason “https://login.windows.net” needs to be added to “IE trusted sites”, else you wouldn’t get a PRT (Primary Refresh Token) issued in some scenarios. Microsoft have been working on merging the Azure AD Authentication Flows since March 2015, but this still doesn’t seem to be merged end-to-end yet. Source: Simplifying …


Credential Roaming vs. Device Registration Certificate for Conditional Access

During the last couple of weeks I have been asked by a couple of my customers how to get Azure device registration to work in environments using either Windows Credential Roaming or Roaming User Profile (with Certificates included). After doing some research on the subject I found the answer on docs.microsoft.com: Microsoft doesn’t support …


Microsoft Azure Information Protection app now supports CBA

Microsoft just released support for certificate-based authentication (CBA) for the Microsoft Azure Information Protection iOS app. The app integrates with the Microsoft Authenticator app, which supports the Apple iOS SafariViewController that enables access to the certificates stored on the iOS device.
