Tuesday, June 30, 2015

Azure Active Directory editions

The Free edition of Azure Active Directory is part of every Azure subscription. There is nothing to license and nothing to install. With it, you can manage user accounts, synchronise with on-premises directories, get single sign-on across Azure, Office 365, and thousands of popular SaaS applications like Salesforce, Google Apps, ServiceNow, Dropbox, etc.

Azure AD Premium is what you will need for self-service password reset with on-premises AD write-back (Basic already covers self-service reset for cloud-only users).

The Microsoft Enterprise Mobility Suite (EMS) discount makes it the most cost-effective way to acquire the cloud services it bundles: Azure Active Directory Premium (hybrid identity management), Microsoft Intune, and Azure Rights Management (information protection).

Features by edition (as published in June 2015):

Feature | Free edition | Basic edition | Premium edition
Directory as a service | Up to 500K objects | No object limit | No object limit
User and group management using UI or Windows PowerShell cmdlets | Yes | Yes | Yes
Device registration | Yes | Yes | Yes
Access Panel portal for SSO-based user access to SaaS and custom applications | Yes (up to 10 apps per user) | Yes (up to 10 apps per user) | Yes (no app limit)
User-based application access management and provisioning | Yes | Yes | Yes
Self-service password change for cloud users | Yes | Yes | Yes
Azure AD Connect (syncing between on-premises directories and Azure Active Directory) | Yes | Yes | Yes
Standard security reports | Yes | Yes | Yes
High availability SLA uptime (99.9%) | No | Yes | Yes
Group-based application access management and provisioning | No | Yes | Yes
Customisation of logo and colours on the Sign In and Access Panel pages | No | Yes | Yes
Self-service password reset for cloud users | No | Yes | Yes
Application Proxy: secure remote access and SSO to on-premises web applications | No | Yes | Yes
Advanced application usage reporting | No | No | Yes
Self-service group management for cloud users | No | No | Yes
Self-service password reset with on-premises write-back | No | No | Yes
Microsoft Identity Manager (MIM) user licenses for on-premises identity and access management | No | No | Yes
Advanced anomaly security reports (machine learning-based) | No | No | Yes
Cloud app discovery | No | No | Yes
Multi-Factor Authentication service for cloud users | No | No | Yes
Multi-Factor Authentication server for on-premises users | No | No | Yes

Multi-Factor Authentication is included with Premium and can secure access to on-premises applications (VPN, RADIUS, etc.), Azure, and Microsoft Online Services such as Office 365.

Microsoft Identity Manager (MIM): Premium comes with the option to run a MIM server (with CALs) in your on-premises network to support any combination of hybrid identity solutions. This is a great option if you have a variety of on-premises directories and databases that you want to sync directly to Azure Active Directory. There is no limit on the number of MIM (formerly FIM) servers you can use; however, MIM CALs are granted based on the allocation of an Azure.

Note 1: what if you already have SSPR on-premises?

Q: Can I synchronise data for security questions from on premises?
A: No, this is not possible today, but Microsoft are considering it.

Note 2: what about locked-out accounts?

Q: Do you unlock the local active directory accounts when users reset their passwords?

A: Yes, when a user resets his or her password and password writeback has been deployed with versions of AADSync 1.0.0485.0222 or later, then that user’s account will be automatically unlocked when that user resets his or her password.

Notes 3 and 4: worried about attackers brute-forcing the reset flow?

Q: Do you prevent users from attempting password reset many times in a short time period?

A: Yes. Users may only try 5 password reset attempts within an hour before being locked out for 24 hours. Users may only try to validate a phone number 5 times within an hour before being locked out for 24 hours. Users may only try a single authentication method 5 times within an hour before being locked out for 24 hours.

Q: For how long are the email and SMS one-time passcode valid?

A: The session lifetime for password reset is 105 minutes. This means that from the beginning of the password reset operation, the user has 105 minutes to reset his or her password. The email and SMS one-time passcode are invalid after this time period expires.


Azure AD versions: https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx

Azure AD Password writeback: https://msdn.microsoft.com/en-us/library/azure/dn903642.aspx

Setting up SSPR: https://msdn.microsoft.com/en-us/library/azure/dn683881.aspx

Friday, June 12, 2015

XenDesktop 7.6, Windows 2012 R2, Office 365

 

If you open any Office 365 application before Internet Explorer 11 (IE11) has been opened at least once, Office fails with a file permissions error.

It turns out Office 365 uses the IE11 Temporary Internet Files location as the path it opens temp files into, and IE11 has a new path for these files:

%userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 – this Content.IE5 folder does not exist until you have opened IE11 for the first time, so in a fresh profile it is simply missing.

Even if you change the path in the user profile, Office ignores it and uses the IE11 path regardless.

Solution:

Create a Group Policy for IE11 (you may have to load the IE11 ADMX templates first) that changes the Temporary Internet Files path back to %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files

Everything works correctly once this is applied.

 

Thanks to Andrew Hill – Senior Consultant, Experteq for the tip.

Wednesday, June 10, 2015

Moving the FIM 2010 R2 FIM Service database (the FIM portal back end) to a new SQL server

Stop the Forefront Identity Manager Service in services.cpl.

Back up the database in SQL Server Management Studio.

Move it, rename it if required, and restore it on the new server.

On the new SQL Server, add the FIM Service account to the db_owner role on the restored database.

A restored database comes back with Service Broker disabled, and the FIM Service depends on it, so every time you restore the FIM Service database from backup or move it to a new server you must re-enable it (SQLD0040Q is the database name in this case; substitute yours):

ALTER DATABASE [SQLD0040Q] SET ENABLE_BROKER WITH NO_WAIT

With NO_WAIT the statement fails if there are active connections to the database. Close them first, or run it WITH ROLLBACK IMMEDIATE instead, which terminates the open sessions for you.

On the FIM portal server

Open RegEdit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMService

DatabaseServer is the name of the new SQL Server (it will have been blank if the local server was the SQL server)

DatabaseName is the name of the database on the new SQL Server

Start the Forefront Identity Manager Service.

Moving the FIM 2010 R2 Synchronization Service database (or renaming the database)

Stop any running FIM jobs. Stop the Forefront Identity Manager Synchronization Service in services.cpl.

Back up the database in SQL Server Management Studio.

Move it, rename it if required, and restore it on the new server.

On the new SQL Server, add the service account the Synchronization Service runs as to the db_owner role on the restored database.

On the FIM Synchronization Service server

Open RegEdit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMSynchronizationService\Parameters

        Server is the name of the new SQL Server (it will have been blank if the local server was the SQL server)

        DBName is the name of the database on the new SQL Server

        SQLInstance should equal the name of the instance (blank for the default instance)

Start the Forefront Identity Manager Synchronization Service.

 

Hat-tip: http://social.technet.microsoft.com/wiki/contents/articles/5465.fimilm-how-to-move-the-backend-sql-server-synchronization-service-database.aspx (note: the article writes "Server Property", which implies the value is called "Server Property"; it is just "Server").
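Both moves above come down to the same actions: stop the service, re-point its registry values at the restored database, re-enable Service Broker (FIM Service database only) and verify before starting the service again. The PowerShell below is an added example written for this page, not code from the original post or from the FIM product. The registry value names are the ones listed above; the server name NEWSQL01 and the database name FIMService are placeholders, and it assumes you run it elevated as an account that is sysadmin (or db_owner on the FIM database) on the new SQL Server with Windows authentication.

```powershell
# Added example, not from the original post. Re-points a FIM 2010 R2 service at a
# restored database and, for the FIM Service DB, re-enables Service Broker.
# NEWSQL01 / FIMService below are placeholders.
#Requires -RunAsAdministrator

function Set-FimDatabaseLocation {
    param(
        [Parameter(Mandatory)][ValidateSet('FIMService', 'FIMSynchronizationService')]
        [string]$Service,
        [Parameter(Mandatory)][string]$SqlServer,
        [string]$SqlInstance = '',           # blank means the default instance
        [Parameter(Mandatory)][string]$DatabaseName
    )
    Stop-Service -Name $Service -Force

    if ($Service -eq 'FIMService') {
        # FIM Service (portal back end): values sit directly under the service key
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMService'
        Set-ItemProperty -Path $key -Name DatabaseServer -Value $SqlServer
        Set-ItemProperty -Path $key -Name DatabaseName   -Value $DatabaseName
    } else {
        # Synchronization Service: values sit one level down, under \Parameters
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
        Set-ItemProperty -Path $key -Name Server      -Value $SqlServer
        Set-ItemProperty -Path $key -Name DBName      -Value $DatabaseName
        Set-ItemProperty -Path $key -Name SQLInstance -Value $SqlInstance
    }
}

function Enable-FimServiceBroker {
    # Returns $true when sys.databases reports the broker enabled after the ALTER.
    param(
        [Parameter(Mandatory)][string]$SqlServer,
        [string]$SqlInstance = '',
        [Parameter(Mandatory)][string]$DatabaseName
    )
    $dataSource = if ($SqlInstance) { "$SqlServer\$SqlInstance" } else { $SqlServer }
    # Connect to master, not the FIM DB itself, so our own session is not one of
    # the connections the ALTER has to terminate.
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Data Source=$dataSource;Initial Catalog=master;Integrated Security=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # Bracket-quote the identifier so an unusual DB name cannot alter the statement
        $quoted = '[' + ($DatabaseName -replace '\]', ']]') + ']'
        # ROLLBACK IMMEDIATE kills lingering sessions that make WITH NO_WAIT fail
        $cmd.CommandText = "ALTER DATABASE $quoted SET ENABLE_BROKER WITH ROLLBACK IMMEDIATE"
        [void]$cmd.ExecuteNonQuery()

        $cmd.CommandText = 'SELECT is_broker_enabled FROM sys.databases WHERE name = @name'
        [void]$cmd.Parameters.AddWithValue('@name', $DatabaseName)
        return [bool]$cmd.ExecuteScalar()
    } finally {
        $conn.Close()
    }
}

# Usage for the FIM Service move (placeholders); for the Synchronization Service
# pass -Service FIMSynchronizationService and skip the broker step.
Set-FimDatabaseLocation -Service FIMService -SqlServer 'NEWSQL01' -DatabaseName 'FIMService'
if (-not (Enable-FimServiceBroker -SqlServer 'NEWSQL01' -DatabaseName 'FIMService')) {
    throw 'Service Broker is still disabled on the FIM Service database; not starting the service.'
}
Start-Service -Name FIMService
```

The verification query against sys.databases is the check worth keeping even if you do the rest by hand: a FIM Service started against a database with is_broker_enabled = 0 appears to start but workflows and requests silently stall.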

Thursday, June 04, 2015

FIM portal, the setup needs to run under SharePoint Farm administrator

Setup throws the error below, but the message is misleading; here is the actual fix.
Error message text:
To install FIM portal, the setup needs to run under SharePoint Farm administrator account with at least Open permission that allows users to open a Web site, list, or folder in order to access items inside that container. Please make sure you are a SharePoint Farm administrator with Open permission and then click “Retry”. Click “Cancel” to abort setup.
Despite what the message says, adding the account to the Farm Administrators group does not fix it. What setup really needs is for the account to be the Site Collection Administrator of the portal site collection, and that is a single user account (not a group).

Go to Central Administration (on port 34997 in this case), click Application Management, then Change Site Collection Administrators, and set the user.

Hattip: http://blog.msresource.net/2013/01/29/to-install-fim-portal-the-setup-needs-to-run-under-sharepoint-farm-administrator-account-with-at-least-open-permission-that-allows-users-to-open-a-web-site-list-or-folder-in-order-to-access-items-i/
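The same change can be made and verified from the SharePoint Management Shell on the portal server, which is handy when Central Administration is on an unfamiliar port. The script below is an added example, not from the original post or the FIM installer; the site URL http://fimportal and the account CONTOSO\fimsetup are placeholders for the portal site collection and the account you will run the FIM portal setup as.

```powershell
# Added example, not from the original post. Shows the current site collection
# administrators of the FIM portal site and makes the setup account the primary one.
# Site URL and account name are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

function Set-FimPortalSiteAdmin {
    param(
        [Parameter(Mandatory)][string]$SiteUrl,        # placeholder: http://fimportal
        [Parameter(Mandatory)][string]$SetupAccount    # placeholder: CONTOSO\fimsetup
    )
    $site = Get-SPSite -Identity $SiteUrl -ErrorAction Stop
    try {
        $owner = $site.Owner.LoginName
        $secondary = if ($site.SecondaryContact) { $site.SecondaryContact.LoginName } else { '(none)' }
        Write-Host "Primary site collection admin: $owner; secondary: $secondary"

        if ($owner -ne $SetupAccount) {
            # Site collection administrator is a single user account, not a group,
            # which is why membership of Farm Administrators alone does not satisfy setup.
            Set-SPSite -Identity $SiteUrl -OwnerAlias $SetupAccount
            Write-Host "Primary site collection admin changed to $SetupAccount"
        }
    } finally {
        $site.Dispose()
    }

    # Re-read and return the effective owner so the caller can confirm before running setup
    $check = Get-SPSite -Identity $SiteUrl
    try { return $check.Owner.LoginName } finally { $check.Dispose() }
}

Set-FimPortalSiteAdmin -SiteUrl 'http://fimportal' -SetupAccount 'CONTOSO\fimsetup'
```

Once setup has completed you can hand the site collection back to its normal owner with the same cmdlet; leaving an installation account as site collection administrator longer than needed is an unnecessary standing privilege.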

Tuesday, June 02, 2015

July 29 2015 – Windows 10 - free for the first year

 


Microsoft officials* said Windows 10 Home will be priced at $119 USD and Windows 10 Pro at $199 USD. A $99 USD Windows 10 upgrade will let users move from Windows 10 Home to Pro. You will also need to buy Windows 10 outright if you are running Windows XP or Vista, as those are not covered by the free upgrade.

Microsoft is making Windows 10 available for FREE for the first year to computers with Windows 7 Service Pack 1 and Windows 8.1 on July 29, 2015. This is a limited time promotion that expires on July 29, 2016. Once the promotion ends, Microsoft will charge Windows 7 and Windows 8.1 users to upgrade to Windows 10.

New today!

If you are using Windows 7 or 8.1, you will notice a Windows flag icon in your system tray starting today. This is the “Get Windows 10” reservation launcher.

To reserve the upgrade, you just need to click the button in the wizard that launches. This will prepare Windows Update for Windows 10 upgrade when it arrives on July 29. So you will need to do this on each PC you intend to upgrade to Windows 10.



* According to Neowin
