Windows Azure Active Directory

Windows Azure Active Directory Jorge's Quest For Knowledge!
1 of 30
https://jorgequestforknowledge.wordpress.com/category/windows-azure-a...
Jorge's Quest For Knowledge!

About Windows Server, ADDS, ADFS, Azure AD, FIM/MIM & AADSync (Just
Like An Addiction, The More You Have, The More You Want To Have!)
Archive for the Windows Azure Active Directory Category
(2015-10-14) Azure Active Directory Domain Services (Preview)

Posted by Jorge on 2015-10-14
i
Rate This
Original source: hps://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-features/ (hps://azure.microsoft.com/en-us

/documentation/articles/active-directory-ds-features/)
This is really really cool!
Azure Active Directory Domain Services is basicallyDomain Controller As A Service (DCaaS). You can:
Lift-and-shift apps to Azure more easily than ever
Use LDAP, Active Directory domain join, NTLM, and Kerberos authentication
Rely on a managed, highly-available service
Get started in minutes, pay as you go
Dev and test with no identity worries
Manage Azure virtual machines eectively using Group Policy
Azure Active Directory Domain Services lets you join Azure virtual machines to a domain without the need to deploy domain controllers.
Users can sign in to these virtual machines using their corporate Active Directory credentials and access resources seamlessly. You can
more-securely administer domain-joined virtual machines using Group Policyan easy, familiar way to apply and enforce security baselines
on all of your Azure virtual machines
The following features are available in the Azure AD Domain Services preview release.
Simple deployment experience: You can enable Azure AD Domain Services for your Azure AD tenant using just a few clicks. Regardless
of whether your Azure AD tenant is a cloud-tenant or synchronized with your on-premises directory, your managed domain can be
provisioned quickly.
12/11/2015 12:51 AM
2 of 30
Support for domain-join: You can easily domain join computers in the Azure virtual network that Azure AD Domain Services is available
in. The domain join experience on Windows client and Server operating systems works seamlessly against domains serviced by Azure AD
Domain Services. You can also use automated domain join tooling against such domains.
One domain instance per Azure AD directory: You can create a single Active Directory domain for each Azure AD directory.
Create domains with custom names: You can create domains with custom names (eg. contoso.local) using Azure AD Domain Services.
This includes both veried as well as unveried domain names. Optionally, you can also create a domain with the built-in domain sux
(i.e. *.onmicrosoft.com) that is oered by your Azure AD directory.
Integrated with Azure AD: You do not need to congure or manage replication to Azure AD Domain Services. User accounts, group
memberships and user credentials (passwords) from your Azure AD directory are automatically available in Azure AD Domain Services.
New users, groups or changes to aributes ocurring in your Azure AD tenant or in your on-premises directory are automatically
synchronized to Azure AD Domain Services.
NTLM and Kerberos authentication: With support for NTLM and Kerberos authentication, you can deploy applications that rely on
Windows Integrated Authentication.
Use your corporate credentials/passwords: Passwords for users in your Azure AD tenant work with Azure AD Domain Services. This
means users in your organization can use their corporate credentials on the domain for domain joining machines, logging in interactively
or over remote desktop, authenticating against the DC etc.
LDAP bind & LDAP read support: You can use applications that rely on LDAP binds in order to authenticate users in domains serviced
by Azure AD Domain Services. Additionally, applications that use LDAP read operations to query user/computer aributes from the
directory can also work against Azure AD Domain Services.
Group Policy: You can leverage a single built-in GPO each for the users and computers containers in order to enforce compliance with
required security policies for user accounts as well as domain joined computers.
Available in multiple Azure regions: See the supported Azure regions (hps://azure.microsoft.com/en-us/documentation/articles/activedirectory-ds-regions/) page for a list of Azure regions in which Azure AD Domain Services are available.
High availability: Azure AD Domain Services oer high availability for your domain. This oers the guarantee of higher service uptimeand
resilience to failures. Built-in health monitoring oers automated remediation from failures by spinning up new instances to replace failed
instances and to provide continued service for your domain.
Use familiar management tools: You can use familiar Windows Server Active Directory management tools such as the Active Directory
Administrative Center or Active Directory PowerShell in order to administer domains provided by Azure AD Domain Services.
UPDATE 2015-10-21: Check hps://azure.microsoft.com/en-us/regions/#services (hps://azure.microsoft.com/en-us/regions/#services) to seeif

this service is (already) available or not in your region
Cheers,
Jorge
* This posting is provided AS IS with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: hps://jorgequestforknowledge.wordpress.com/disclaimer/ (hps://jorgequestforknowledge.wordpress.com/disclaimer/)
############### Jorges Quest For Knowledge #############

######### hp://JorgeQuestForKnowledge.wordpress.com/ (hp://JorgeQuestForKnowledge.wordpress.com/) ########
Posted in Azure AD Domain Services (DCaaS), Windows Azure Active Directory | Leave a Comment
(2015-10-13) Roles Based Access Control (RBAC) For Azure Is Now GA

12/11/2015 12:51 AM
3 of 30
i
Rate This
Finally, no more all or nothing. Delegation is now possible for Azure resources.
More information:
Azure RBAC is GA! (hp://blogs.technet.com/b/ad/archive/2015/10/12/azure-rbac-is-ga.aspx)
Role-based access control in the Microsoft Azure portal (hps://azure.microsoft.com/en-gb/documentation/articles/role-based-accesscontrol-congure/)
Cheers,
Jorge


Posted in RBAC, Windows Azure Active Directory | Leave a Comment
(2015-10-07) Realistic Random Data Set To Import Into Some Identity Store
i
Rate This
Have you ever required to have a large and realistic random data set to test your application or system in some way? Well, look no further!
With testing, performance/volume testing and/or logic testing (either declarative or coded, against small and large data sets) is meant.
Testing with correctly dened (custom) data is required to make sure the application/system behaves as you require it to behave. By using fake
data you are sure you do not get into trouble due to privacy or security related issues. You also do not have to beg for and jump through all
kinds of hoops to get the data. Depending, on your organization, you may also need to have a data set that includes special characters (e.g.
apostrophes) and/or very special characters (e.g. unicode characters from other languages)
Most likely, there are more websites out there, but the following 2 websites can help you out in dierent scenarios:
1. hps://www.mockaroo.com/ (hps://www.mockaroo.com/)
2. hp://www.fakenamegenerator.com/order.php (hp://www.fakenamegenerator.com/order.php)
[1] Mockaroo Realistics Data Generator (hps://www.mockaroo.com/)
12/11/2015 12:51 AM
4 of 30
This website allows you to use your own dened schema. You can do that by selecting/dening the eld names and eld types or by importing
the eld headers of some CSV le you have. After importing the CSV headers, you still need to dene the eld types. When done, you can
preview the data or download it right away. The data can be downloaded in dierent formats, such as, but not limited to, CSV format. The
only downsides are the limited number of objects (max. 1000) and that it only supports western characters for names. If you need more data,
you need to pay a fee per year.
(hps://jorgequestforknowledge.les.wordpress.com
/2015/10/image.png)
Figure 1: The Interface Of The Mockaroo Website To Dene The Required Schema
[2] Fake Name Generator (hp://www.fakenamegenerator.com/order.php)

However, if you do not have a strict schema, you want up to 50.000 objects and you also require non-western characters for names (e.g.
japanese, chinese, arabic, etc.), then you might be interesting in using this website. You can generate data for a single object, or you can bulk
generate (order for free!) a very large amount of data up to 50.000 objects. If you need more objects, you just request it multiple times.
First you need to select the format and compression type. Secondly you need to select the name set(s), countries, gender and age of that
objects.
/2015/10/image1.png)
Figure 2a: The Interface Of The Fake Name Generator Website To Dene The Conguration For The Data Set
And last but not least, you need to select the required elds you want to include in the data set, dene the required number of objects and the
12/11/2015 12:51 AM
5 of 30
e-mail address where the bulk order is e-mailed to.
/2015/10/image2.png)
Figure 2b: The Interface Of The Fake Name Generator Website To Dene The Conguration For The Data Set
Every request le is made available after a few minutes and when done you will receive an e-mail with a time-limited link.
After receiving the data set you can import it, by rst writing your own PowerShell script, into ADDS, ADLDS, Azure AD, FIM Portal/Sync,
SQL database or anything similar
Have fun!
Cheers,
Jorge


Posted in Active Directory Domain Services (ADDS), Active Directory Lightweight Directory Services (ADLDS), Data Set, Data Set, Data Set,
Data Set, Forefront Identity Manager (FIM) Portal, Windows Azure Active Directory | Leave a Comment
(2015-07-01) New Azure Authenticator Phone App Supports Multiple

Account Providers
12/11/2015 12:51 AM
6 of 30
i
Rate This
Microsoft has released a new MFA Phone App supports any account provider supporting the Open Authentication Initiative (OATH).
Examples of supported account providers are: Azure AD, Microsoft Account and Google.
For more information please read:

Try the new Azure Authenticator application! (hp://blogs.technet.com/b/ad/archive/2015/06/29/try-the-new-azure-authenticatorapp.aspx)
Moving to the new Azure Authenticator app (hps://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-azureauthenticator/?rnd=1)
Azure Multi-Factor Authentication (hps://msdn.microsoft.com/library/azure/dn249471.aspx)
Azure Multi-Factor Authentication options for Federated Users (hps://msdn.microsoft.com/en-us/library/azure/dn394284.aspx)
Cheers,
Jorge


Posted in Multi-Factor AuthN, Windows Azure Active Directory | Leave a Comment
(2015-06-29) Azure AD Connect Has RTMed

i
Rate This
Azure AD Connect allows you to quickly onboard to Azure AD and Oce 365. The Azure AD Connect wizard is the single tool and guided
experience for connecting your on premises identity infrastructure to the cloud. Choose your topology and needs (single or multiple
directories, password sync or federation), and the wizard will deploy and congure all components required to get your connection up and
running including sync services, AD FS, and the Azure AD PowerShell module.
Azure AD Connect encompasses functionality that was previously released as Dirsync and AAD Sync. These tools will no longer be released
individually. All future improvements will be included in updates to Azure AD Connect, so that you always know where to get the most
current functionality.
Download it from here (hps://www.microsoft.com/en-us/download/details.aspx?id=47594)
12/11/2015 12:51 AM
7 of 30
Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both
cloud and on-premises resources. With this integration users and organizations can take advantage of the following:
Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server
Active Directory and then connecting to Azure Active Directory.
Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor
authentication.
Users can leverage their common identity through accounts in Azure AD to Oce 365, Intune, SaaS apps and third-party applications.
Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or
Azure for cloud-based applications
Azure AD Connect makes this integration easy and simplies the management of your on-premises and cloud identity infrastructure.
More information:
Integrating your on-premises identities with Azure Active Directory (hps://azure.microsoft.com/nl-nl/documentation/articles/activedirectory-aadconnect/)
Azure AD Connect Preview 2 is available! (hp://blogs.technet.com/b/ad/archive/2015/03/24/azure-ad-connect-preview-2-is-available.aspx)
Azure AD Connect: One simple, fast, lightweight tool to connect Active Directory and Azure Active Directory (hp://blogs.technet.com
/b/ad/archive/2014/12/15/azure-ad-connect-one-simple-fast-lightweight-tool-to-connect-active-directory-and-azure-active-directory.aspx)
Connecting AD and Azure AD: Only 4 clicks with Azure AD Connect (hp://blogs.technet.com/b/ad/archive/2014/08/04/connectingad-and-azure-ad-only-4-clicks-with-azure-ad-connect.aspx)
Azure AD Connect & Connect Health is now GA! (hp://blogs.technet.com/b/ad/archive/2015/06/24/azure-ad-connect-amp-connecthealth-is-now-ga.aspx)
Azure AD Connect (hps://en.wikipedia.org/wiki/Azure_AD_Connect)
Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment
(2014-11-21) Troubleshooting SSO Issues In Azure AD, Office 365 Or

Windows Intune
i
1 Vote
The following resources can help you troubleshoot with SSO issues:
Troubleshoot single sign-on setup issues in Oce 365, Windows Intune, or Azure (hp://support.microsoft.com/kb/2530569)
Signing in to Oce 365, Azure, or Windows Intune by using single sign-on doesnt work from some devices (hp://support2.microsoft.com
12/11/2015 12:51 AM
8 of 30
/kb/2530713)
Oce 365 & Single Sign-On: How to Handle Dierent UserPrincipalName (UPN) Values (hp://blogs.technet.com/b/askpfeplat/archive
/2013/09/02/oce-365-amp-single-sign-on-how-to-handle-dierent-userprincipalname-upn-values.aspx)
You cant sign in to Oce 365, Azure, or Windows Intune (hp://support2.microsoft.com/kb/2412085)
Oce 365 Identity Federation Debug Tool (hp://www.msexchange.org/kbase/ExchangeServerTips/MicrosoftOce365/ExchangeOnline
/oce-365-identity-federation-debug-tool.html)
(2014-09-29) Default Claims Rules In ADFS To Support SSO Through Federation With Azure AD/Oce 365(hps://jorgequestforknowledge.wordpr
/2014/09/29/default-claims-rules-in-adfs-to-support-sso-through-federation-with-azure-adoce-365/)
(2014-10-01) TroubleShooting Federation/SSO To Windows Azure AD And Oce 365 (hps://jorgequestforknowledge.wordpress.com
/2014/10/01/troubleshooting-federationsso-to-windows-azure-ad-and-oce-365/)
Cheers,
Jorge


Posted in Oce 365, SSO, SSO, Troubleshoot, Troubleshoot, Windows Azure Active Directory | Leave a Comment
(2014-11-05) Upgrading Azure AD Sync Services From GA (v1.0.419.911)

To v1.0.470.1023
i
Rate This
As mentioned in this blog post (hps://jorgequestforknowledge.wordpress.com/2014/11/01/a-new-version-of-azure-active-directorysync-services-has-been-released-v1-0-470-1023/) Microsoft released a new version of the Azure AD Sync Services. As mentioned in the release
notes (hp://msdn.microsoft.com/en-us/library/azure/dn835004.aspx) the upgrade is quite straightforward with a x, but only if you modied
one or more sync rules.
If you already have Azure AD Sync installed, there is one additional step you have to take in case you have changed any of the out-of-box
Synchronization Rules. After you have upgraded to the 1.0.470.1023 release, the synchronization rules you have modied are duplicated. For
each modied Sync Rule do the following:
Locate the Sync Rule you have modied and take a note of the changes
Delete the Sync Rule
Locate the new Sync Rule created by Azure AD Sync and re-apply the changes.
So lets try this and see what happens.

My starting point is the GA version
12/11/2015 12:51 AM
9 of 30
(hps://jorgequestforknowledge.les.wordpress.com/2014/10/image264.png)
Figure 1: GA Version Of Azure AD Sync Services (AADSync)
Double-click on MicrosoftAzureADConnectionTool.exe and the following screen appears. Check the checkbox I agree to the license terms if
you indeed do agree with the license terms. Click the [Upgrade] buon to continue.
(hps://jorgequestforknowledge.les.wordpress.com/2014/10
/image919.png)
Figure 2: Initial Screen Of The Azure AD Sync Upgrade
The rst thing the upgrade wizard tries to do is upgrade the Azure Active Directory Sign-in Assistance/Client, and then it will upgrade all
other components. However, you might receive the following error. If you do not see it, youre good. therefore continue to gure 12.
12/11/2015 12:51 AM
/image1311.png)
Figure 3: Error About Upgrading The Azure Active Directory Sign-in Assistance/Client
As specied, go and look in the Application Event Log. Event ID 906 tells you to check a log le, so you should do so!
/image1711.png)
Figure 4: Error In The Application Event Log
You see another Event ID 906, and thats not really helpful
10 of 30
12/11/2015 12:51 AM
11 of 30
/image2111.png)
And yet you see another Event ID 906, and again thats not really helpful. It just mentions the upgrade of the Azure Active Directory Sign-in
Assistance/Client failed.
/image2610.png)
System.Exception: Unable to upgrade the Azure Active Directory Sign-in Client. Please see the event log for additional details. >
Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessExecutionFailedException: Exception: Execution failed with errorCode: 1603.
Details:
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.StartProcessCore(String leName, String arguments, String
workingDirectory, NetworkCredential credential, Boolean loadUserProle, Boolean hideWindow, Boolean waitForExit)
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.StartBackgroundProcessAndWaitForExit(String leName, String
arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProle)
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.MsiExecAdapter.InstallMsiPackage(String msiPackageDirectory, String
msiPackageFileName, String parametersString, String installationPath, NetworkCredential credential, String installLogFileName, Boolean quiet,
Boolean suppressReboot)
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.MsiExecAdapter.InstallMsiPackageQuietSuppressReboot(String
msiPackageDirectory, String msiPackageFileName, String parametersString, String installationPath, NetworkCredential credential, String
installLogFileName)
at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.MsiSetupTaskBase.UpgradeCore()
12/11/2015 12:51 AM
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)

at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Upgrade()
End of inner exception stack trace
at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String
taskName, Exception innerException)
at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Upgrade()
at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.SetupAdapter.TypeDependencies.GenericDirectorySyncSetupUpgrade(String
pathToSetupFiles, String installationPath, ProgressChangedEventHandler progressChangedEventHandler)
at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.WizardPages.InstallOrUpgradePageViewModel.SetupTask(Object sender,
DoWorkEventArgs args)
at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.Controls.Wizards.ProgressReportingTaskViewModel.ExecuteAction(Action
action, Boolean isProgressIndeterminate)
Finally looking in C:\Windows\temp\AADSync\MsoIdCli_64_Install.log at point, almost in the end, you will see the following errors
marked yellow. Basically it is saying that the repair failed. Why is it repairing instead of upgrading?
/image302.png)
Figure 7: Error In The Log File About Repairing The Installation
The version of the Azure Active Directory Sign-in Assistance/Client in this AADSync package is v7.250.4556.0, and the version that I already
had installed was also v7.250.4556.0. Because the versions are the same, it will not upgrade, but rather it will try to repair. On my test server, I
have ADFS v3.0 and AADSync on the same server. A few days ago I updated the Azure AD PowerShell CMDlets including the Azure Active
Directory Sign-in Assistance/Client. And thats why I ended up with that version already installed.
The solution here is to go to the Control Panel Programs and Features and uninstall the Azure Active Directory Sign-in Assistance/Client.
/image382.png)
12 of 30
12/11/2015 12:51 AM
Figure 8: Uninstalling The Microsoft Online Services Sign-In Assistant (= Azure Active Directory Sign-in Assistance/Client)
Conrm the uninstall
Figure 9: Conrming Uninstalling The Microsoft Online Services Sign-In Assistant
When the uninstall is done, do not reboot the server as requested
Figure 10: Request To Reboot The Server
Now go back to the upgrade wizard and click the [Upgrade] buon again.
/image502.png)
Figure 11: Retrying The Upgrade
The upgrade will now continue. It will present the current credentials you are using to connect to Azure AD.
13 of 30
12/11/2015 12:51 AM
/image572.png)
Figure 12: Credentials To Connect To Azure AD Tenant
Next it will present the current AD forest already connected. If you want to can connect extra AD forests, otherwise click the [Next] buon.
/image612.png)
Figure 13: AD Forests Already Connected To AADSync
Now, it presents you with the user matching conguration. You cannot change this right now, therefore click the [Next] buon.
14 of 30
12/11/2015 12:51 AM
/image652.png)
Figure 14: Previously Congured User Matching Options
Now, it presents you with optional features you can use. You can keep it AS-IS or you can enable what you need to enable. If you want to
enable or disable optional feature, you just need to rerun the wizard.
[Exchange Hybrid Deployment] > If you have an Exchange hybrid deployment, then select this checkbox. This will write-back some aributes
from Exchange online to the on-premises Active Directory.
[Password Synchronization] > With password synchronization, you enable your users to use the same password they are using to logon to
your on-premises Active Directory to logon to Azure Active Directory. For more information on how to congure this, please see
hp://msdn.microsoft.com/en-us/library/azure/dn835016.aspx (hp://msdn.microsoft.com/en-us/library/azure/dn835016.aspx).
[Password Write-Back] > Password write-back is an Azure Active Directory Premium feature. For more information on how to congure this,
please see hp://blogs.technet.com/b/ad/archive/2014/04/29/deep-dive-password-reset-with-on-premise-sync-in-azure-ad-premium.aspx
(hp://blogs.technet.com/b/ad/archive/2014/04/29/deep-dive-password-reset-with-on-premise-sync-in-azure-ad-premium.aspx).
[Azure AD App And Aribute Filtering] > If you want to review or limit the aributes which are synchronized with Azure AD, then select
Azure AD app and aribute ltering. You will then get two additional pages in the wizard. For more information on how to congure this,
please see hp://msdn.microsoft.com/en-us/library/azure/dn764938.aspx (hp://msdn.microsoft.com/en-us/library/azure/dn764938.aspx)
Click the [Next] buon.
/image692.png)
Figure 15: Optional Features To Enable
15 of 30
12/11/2015 12:51 AM
Now it will present you with a summary screen. Click the [Next] buon to really start the upgrade of the software.
/image732.png)
Figure 16: Ready To Congure And Upgrade
After the upgrade you can choose to synchronize now or do it later as scheduled. Click the [Finish] buon.
/image772.png)
Figure 17: Finished
16 of 30
12/11/2015 12:51 AM
Figure 18: Upgraded Version Of Azure AD Sync Services (AADSync)
Thats all folks!
Cheers,
Jorge


Posted in Azure AD Sync, Windows Azure Active Directory | Leave a Comment
(2014-11-01) A New Version Of Azure Active Directory Sync Services Has Been
Released (v1.0.470.1023)
i
Rate This
A few days ago, Microsoft has released a new version of the Azure Active Directory Sync Services (AADSync)
This version adds the following features:
17 of 30
Password synchronization from multiple on-premise AD to AAD

Localized installation UI to all Windows Server languages
12/11/2015 12:51 AM
Upgrading from AADSync 1.0 GA

If you already have Azure AD Sync installed, there is one additional step you have to take in case you have changed any of the out-of-box
Synchronization Rules. After you have upgraded to the 1.0.470.1023 release, the synchronization rules you have modied are duplicated. For
each modied Sync Rule do the following:
Locate the Sync Rule you have modied and take a note of the changes.
Delete the Sync Rule.
Locate the new Sync Rule created by Azure AD Sync and re-apply the changes.
Permissions for the AD account
The AD account must be granted additional permissions to be able to read the password hashes from AD. The permissions to grant arenamed
Replicating Directory Changes and Replicating Directory Changes All. Both permissions are required to be able to read the password
hashes.
Release Note: Changing the AD password
After password sync has been enabled, if the password of the account used by the AD Connector is changed through the UI then password
synchronization must by disabled and re-enabled.
Download: Microsoft Azure Active Directory Sync Services v1.0.470.1023 (hp://www.microsoft.com/en-us/download

/details.aspx?id=44225)
Documentation: Azure Active Directory Synchronization Services (AAD Sync) (hp://msdn.microsoft.com/en-us/library/azure
/dn790204.aspx)
More information:
(2014-09-16) Azure Active Directory Sync Services Has Reached General Availability (hps://jorgequestforknowledge.wordpress.com
/2014/09/16/azure-active-directory-sync-services-has-reached-general-availability/)
(2014-09-21) Change Install Of The Azure AD Sync Service Throws WMI Namespace Error(hps://jorgequestforknowledge.wordpress.com
/2014/09/21/change-install-of-the-azure-ad-sync-service-throws-wmi-namespace-error/)
(2014-09-23) Upgrading Azure AD Sync From The Beta Version To RTM (hps://jorgequestforknowledge.wordpress.com/2014/09
/23/upgrading-azure-ad-sync-from-the-beta-version-to-rtm/)
Cheers,
Jorge


(2014-10-01) TroubleShooting Federation/SSO To Windows Azure AD And

18 of 30
12/11/2015 12:51 AM
Office 365
i
Rate This
When seing up DirSync And Federation between your on-premise AD and Windows Azure AD to support identity sync and SSO, the most
important aribute to make sure everything works are the immutableID and the userPrincipalName.
Paul Williams from msresource.net has wrien a great number of blog posts about this, touching all kinds of related stu. See the following
blog posts:
Multi-forest SSO to O365: implementing multiple immutable IDs (hp://blog.msresource.net/2013/09/18/multi-forest-sso-too365-implementing-multiple-immutable-ids/)
Windows Azure Active Directory Connector part 1: when, where and why (hp://blog.msresource.net/2014/01/13/windows-azure-activedirectory-connector-part-1-when-where-and-why/)
Windows Azure Active Directory Connector part 2: multi-forest directory synchronization (hp://blog.msresource.net/2014/01
/22/windows-azure-active-directory-connector-part-2-multi-forest-directory-synchronization/)
Windows Azure Active Directory Connector part 3: immutable ID (hp://blog.msresource.net/2014/03/10/windows-azure-active-directoryconnector-part-3-immutable-id/)
Implementing Exchange Online with an existing on-premises identity management solution that provisions mailboxes(hp://blog.msresource.net
/2014/06/25/implementing-exchange-online-with-an-existing-on-premises-identity-management-solution-that-provisions-mailboxes/)
With regards to the implementation I used the string version of the objectGUID (AD) as the immutableID (sourceAnchor in AAD)) and the
UPN as the userPrincipalName (AAD). I achieved that by leveraging FIM with the AAD connector. Because of that I also had to implement
slighty dierent claims rules in ADFS for Azure AD/Oce 365. The rules in my ADFS v2.0 looked like:
@RuleName = Identity Claims objectGUID (Base64) To objectGUID (String)
c:[Type == hp://temp.org/identity/claims/adObjectGuidBase64org] (hp://temp.org/identity/claims/adObjectGuidBase64org])
=> add(store = String Processing Store, types = (hp://temp.org/identity/claims/adObjectGuidString) (hp://temp.org/identity/claims
/adObjectGuidString)), query = fromBase64GuidtoStringGuid, param = c.Value);
@RuleName = Identity Claims upn To UPN
c:[Type == hp://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn] (hp://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn])
=> issue(Type = hp://schemas.xmlsoap.org/claims/UPN (hp://schemas.xmlsoap.org/claims/UPN), Value = c.Value);
@RuleName = Identity Claims objectGUID (String) To ImmutableID
c:[Type == hp://temp.org/identity/claims/adObjectGuidString] (hp://temp.org/identity/claims/adObjectGuidString])
=> issue(Type = hp://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID (hp://schemas.microsoft.com/LiveID/Federation
/2008/05/ImmutableID), Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
@RuleName = Identity Claims ImmutableID To Name ID
c:[Type == hp://schemas.xmlsoap.org/claims/UPN] (hp://schemas.xmlsoap.org/claims/UPN])
=> issue(Type = hp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentier (hp://schemas.xmlsoap.org/ws/2005/05/identity
/claims/nameidentier), Value = c.Value, Properties[hp://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format]
(hp://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format]) = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecied);
I swear everything was working, until some day I started to get the following errors:
.when navigating to: hps://outlook.oce365.com/owa/ (hps://outlook.oce365.com/owa/)
19 of 30
12/11/2015 12:51 AM
/2014/09/image293.png)
Figure 1: Error When Using Federated Logon And Navigating To Oce 365 Portal
.when navigating to: hps://manage.windowsazure.com/default.aspx (hps://manage.windowsazure.com/default.aspx)

/2014/09/image295.png)
Figure 2: Error When Using Federated Logon And Navigating To Azure AD Management Portal
.when navigating to: hps://portal.oce.com/ (hps://portal.oce.com/)

20 of 30
12/11/2015 12:51 AM
/2014/09/image297.png)
Figure 3: Error When Using Federated Logon And Navigating To Oce 365 Management Portal
By giving the correlation ID to someone at Microsoft that is able to check it in the system logs, they most likely will be able to tell you what
would be wrong. In this case unfortunately I as not able to do that. The logs on my system did not given me any clue!
As I have another ADFS v3.0 system in my environment, I therefore decided to congure that ADFS instance with all default values for
DirSync and federation. After conguring all this, I was able to access Azure AD and Oce 365 through federated logon on my ADFS v3.0
box, but still not on my ADFS v2.0.
After comparing the federation trusts between ADFS v2.0 and Azure AD, and between ADFS v3.0 and Azure AD I saw the following
dierence:
Figure 4: Signature Hash Algorithm On The RP Trust On ADFS v3.0 For Azure AD/Oce 365 (Default Cong) WORKING
21 of 30
12/11/2015 12:51 AM
Figure 5: Signature Hash Algorithm On The RP Trust On ADFS v2.0 For Azure AD/Oce 365 (Custom Cong) NOT WORKING
For whatever reason, in the past I had changed the signature hash algorithm on the RP Trust On ADFS v2.0 For Azure AD/Oce 365 AND I
had forgoen about it. It took me some time to nd this one, but by just changing the signature hash algorithm on the RP Trust On ADFS v2.0
For Azure AD/Oce 365 from SHA-256 to SHA-1, everything started to work again! Yiiihhaaaaaa!
PS: this has NOTHING to do between the usage of ADFS v2.0 and ADFS v3.0. This was a conguration mistaken I made when playingaround
in the test/demo environment
Cheers,
Jorge


Posted in Active Directory Federation Services (ADFS), Azure AD Sync, DirSync, DirSync, Federation Trusts, Oce 365, SSO, Transform
Rules, Windows Azure Active Directory | 1 Comment
(2014-09-25) Changing The Service Account And/Or Security Groups For Azure
AD Sync Services
22 of 30
12/11/2015 12:51 AM
i
1 Vote
If you used the default conguration, you will end up with a local service account (e.g. AAD_304599ae39) for the Azure AD Sync Service
and local security groups will be used (ADSyncAdmins, ADSyncOperators, ADSyncBrowse and ADSyncPasswordSet). This blog post helps
you change either one, local service account or local security groups, or both to use domain objects. This blog post assumes you want to
change both the service account and the security groups. In that case perform all steps. If you only want to change either one, then only
perform the corresponding steps.
Step 1: Create the new Azure AD Sync Service service account in AD

Example: ADCORP\SVC_R1_AADSyncSvc
Step 2: Create the new Azure AD Sync Service security groups in AD

Example: ADCORP\AADSyncAdmins
Example: ADCORP\AADSyncOperators
Example: ADCORP\AADSyncBrowse
Example: ADCORP\AADSyncPasswordSet
Step 3: Establish correct memberships

Example: ADCORP\AADSyncAdmins < make the Azure AD Sync Service service account in AD and any AD based user/admin account
that fully manage the AAD Sync Service a member of this group
QUESTION: do you know which other group needed to be created in FIM, but is not needed anymore in AADSync?
Step 4: Congure the new Azure AD Sync Service service account in AD with the correct user rights on the server with Azure AD Sync
Service installed
Give the new Azure AD Sync Service service account in AD the following user rights on the server with Azure AD Sync Service installed
Deny logon as a batch job
Deny logon locally
Deny logon through Terminal Services
Deny access to this computer from the network
Figure 1: Required User Rights For The New Azure AD Sync Service Service Account In AD
If you do not know the password of the current Azure AD Sync Service Service Account stop the Microsoft Azure AD Sync (ADSync)
service, reset the password of the current Azure AD Sync Service Service Account, reenter credentials for the Microsoft Azure AD Sync
(ADSync) service and start the Microsoft Azure AD Sync (ADSync) service.
23 of 30
12/11/2015 12:51 AM
Figure 2: Reseing The Password Of The Current (Local) Azure AD Sync Service Service Account
Figure 3: Re-Entering Credentials For The Microsoft Azure AD Sync (ADSync) Service
When changing the Azure AD Sync Service Service Account, the new Azure AD Sync Service Service Account must be congured with the
encryption keys securing the secret data in the database. To be able to do that you must export the keyset, if not already available.
Figure 4: Exporting The KeySet Using The Azure ADSync Encryption Key Management Wizard
24 of 30
12/11/2015 12:51 AM
Figure 5: Providing The Credentials Of The Current (Local) Azure AD Sync Service Service Account
The default folder is: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Azure AD Sync\ and make sure a existing keyset does
not already exist with the same lename
Figure 6: Providing The Path Of The Encryption File
Figure 7: Conguration Summary
25 of 30
12/11/2015 12:51 AM
Figure 8: Conguration Result
Now it is time to start the change install

/2014/09/image261.png)
Figure 9: Starting The Change Install For Microsoft Azure AD Sync
26 of 30
12/11/2015 12:51 AM
Figure 10: Microsoft Azure AD Sync Maintenance Wizard Welcome Page
Figure 11: Microsoft Azure AD Sync Maintenance Wizard Maintenance Options Page
Figure 12: Microsoft Azure AD Sync Maintenance Wizard Features Page
27 of 30
12/11/2015 12:51 AM
Figure 13: Microsoft Azure AD Sync Maintenance Wizard Azure AD Sync Service Service Account Credentials Page
Figure 14: Microsoft Azure AD Sync Maintenance Wizard Azure AD Sync Service Security Groups Page
Figure 15: Microsoft Azure AD Sync Maintenance Wizard Initiating Install Page
If you did not congure the Azure AD Sync Service Service Account with the user rights as shown in gure 1, you will get the following
warning.
Figure 16: Warning About Azure AD Sync Service Service Account Not Being Congured In Secure Manner
If you get the following error, make sure to check this blog post (hps://jorgequestforknowledge.wordpress.com/2014/09/21/change-installof-the-azure-ad-sync-service-throws-wmi-namespace-error/) AFTER the wizard has nished!!!
28 of 30
12/11/2015 12:51 AM
Figure 17: Warning About Azure AD Sync Setup Not Being Able To Congure WMI Permissions On A Non-Existent Namespace
Figure 18: Restoring The Keyset For The New Azure AD Sync Service Service Account
Figure 19: Change Install Of Microsoft Azure AD Sync Setup Finished
And youre done!
Cheers,
Jorge



Previous Entries
29 of 30
12/11/2015 12:51 AM
30 of 30
Blog at WordPress.com. | The Andreas09 Theme.
12/11/2015 12:51 AM

Windows Azure Active Directory

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Windows Azure Active Directory

Hochgeladen von

Copyright:

Verfügbare Formate

Windows Azure Active Directory Jorge's Quest For Knowledge!

Jorge's Quest For Knowledge!

Archive for the Windows Azure Active Directory Category

(2015-10-14) Azure Active Directory Domain Services (Preview)

Original source: hps://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-features/ (hps://azure.microsoft.com/en-us

This is really really cool!