Identity

There are 2 entries in this Category.

Quickly Change Authentication models in Azure AD / Office 365

In 2017 Microsoft has made some major improvements to their Managed authentication model to make it a viable competitor to the cumbersome Federated model. As a refresher, Federated identity requires Microsoft ADFS infrastructure deployed (along with ADConnect for AD Sync), and to make it highly available entails multiple servers deployed in multiple datacenters/Azure, global load balancing of the internet-facing URL with Azure Traffic Manager – dependencies on your private cloud to authenticate to the public cloud. Managed identity still uses ADConnect for AD Sync but the biggest drawback is that you didn’t get the “seamless” single signon (SSO) experience that ADFS provides, only “same sign on” (SSO) and needing to reenter your credentials.

Microsoft has recently added Seamless Single Signon and Pass-Thru Authentication (as an alternative to password-hash synchronization in high security environments, but out of scope for this article) to ADConnect, in efforts to further eliminate the ADFS dependencies previously mentioned, and with this I’ve been working a large number of projects in planning / executing a move away from ADFS.

What I’ve found is that it’s always been a grey area on how long this process takes, given most of the documentation calls for using the Convert-MSOLDomainToStandard cmdlet and dealing with the password conversion process. If you follow these steps there’s an easier way to do it.

Step 1 – Check Local Active Directory

The first step is ensuring that you have local AD setup and able to support Password Sync. One of the Microsoft Premier Field Engineers (PFE) wrote a great blog on this in 2016:
https://blogs.technet.microsoft.com/askpfeplat/2016/12/19/convert-a-federated-domain-in-azure-ad-to-managed-and-use-password-sync-step-by-step/

“First, ensure your Azure AD Connect Sync ID has “Replicate Directory Changes” and “Replicate Directory Changes All” permissions in AD (For Password Sync to function properly). If you did not set this up initially, you will have to do this prior to configuring”

This can be done thru Active Directory Users & Computers

image

Continue reading “Quickly Change Authentication models in Azure AD / Office 365” »

Enabling Access to Security Groups in MIM for All Users

I have a customer that is looking to give normal users access to view and request access to Security groups thru MIM so I whipped this up!

Under Management Policy Rules search for Security to minimize your scope

clip_image002

Enable the following rules by disabling “Policy Is Disabled”

Security group management: Users can read selected attributes of group resources
Security group management: Users can add or remove any member of groups subject to owner approval

clip_image004

clip_image005

When you’re done these rules should reflect “No” in the Disabled column!!!!

Then change the Requestors on these following rules from Security Group Users to All Users and Groups

Security group management: Users can add or remove any member of groups subject to owner approval

clip_image007

clip_image009

Security group management: Users can read selected attributes of group resources

clip_image011

clip_image013

Next, under Administration go to Search Scope

clip_image014

Edit the following item and add the Usage keyword

clip_image015

Do the same thing in Administration under Navigation Bar Resource

clip_image016

clip_image017

Edit the following item and add the Usage keyword

clip_image019

Whenever you make UI changes, you need to perform an IISRESET on the Portal server

Now log in as your user and you should see the Security group section the same way an Administrator should see it.

clip_image020

css.php