Getting Serious with Active Directory and Entra ID in the Second Half of 2023

Brace yourselves! In the coming months, Microsoft is planning another round of Windows server updates, which means admins must prepare now for the major changes impacting Active Directory and Entra ID.

As a feature of Windows Server, Active Directory sees a new major release roughly every three years. Microsoft Entra ID (formerly known as Azure AD), on the other hand, sees several new releases per day. The yawning gap between these two release cycles poses many challenges to identity admins. However, things have gotten considerably harder over the past few years with Microsoft raising the bottom line on information security in Active Directory, something I referred to as the Kerberos Kerfuffle. And guess what - another wave of changes are coming our way.

Now, while we could brace ourselves and simply exclaim, ‘Winter is coming!’ we can also be proactive and choose to fully prepare and can get ahead of these changes. We can be diligent and determine the scope of the work and the changes that will need to be made within our Active Directory domains and within our Entra ID tenants. We can do this without resorting to the delay of critical Windows updates, and without having to apologize to end-users about their changing cloud experiences. We can get in front of this, before people start breathing down our necks when the entire Identity and Access Management (IAM) solution comes crushing down…

*Note: The dates below have been publicly announced but may change. When these dates change, they are typically delayed providing admins more time to prepare!

Active Directory Changes

In the coming months, Microsoft plans to make the following staggered changes to Active Directory through the monthly cumulative Windows updates for all supported Windows Server versions:

Today: RPC sealing required

On October 10^th, 2023, the information security measures that address weaknesses in the Netlogon protocol when RPC signing is used instead of RPC sealing (CVE-2022-38023) become fully enforced. KB5021130 describes these changes.

Microsoft attempted applying these measures in compatibility mode on November 8th, 2022, and is applying these measures without rollback on July 11th, 2023. Effectively, the changes will be enforced, unless admins refrain from installing the July 11, 2023, cumulative updates and cumulative updates beyond these updates.

Want to do Active Directory right? Check out our On-Demand webinar recording and learn how to properly Secure and Monitor Active Directory.

July 11th – October 10th: Prepare for full PAC Signatures

On October 10^th, 2023, the information security measures that address the Kerberos security bypass and elevation of privilege vulnerability (CVE-2022-37967) involving alteration of Privilege Attribute Certificate (PAC) signatures become fully enforced. KB5020805 describes these measures.

Microsoft attempted to apply these measures on November 8th, 2022 and is applying these measures on July 11th, 2023. In both cases, admins could still roll back using the KrbtgtFullPacSignature registry key. However, with the October 10, 2023, cumulative updates, these measures will be automatically applied and there will be no way to roll back. Effectively, the changes will be enforced, unless admins refrain from installing the October 10, 2023, cumulative updates, and cumulative updates beyond these updates.

Entra ID Changes

In the coming months, Microsoft plans to make the following changes to Entra ID:

Currently rolling out: Redirect to the Entra Portal

Admins who manage Entra ID (formerly known as Azure AD) in the Azure portal, will be redirected to the Entra portal to manage all aspects of the service.

Currently rolling out: Registration campaign improvements

Microsoft is currently rolling out a change to the registration campaign feature (also known as the ‘Nudge’ feature). People in the organization will only be able to skip the multi-factor authentication registration process 3 times. As people can currently skip this one-time registration indefinitely, this change is poised to produce some service desk incidents.

Currently rolling out: External ID Branding

When an Entra External ID guest user is prompted to sign into a resource Entra ID tenant, the background and logo branding reflects that of the resource tenant. As soon as the guest enters their sign-in name (typically the userPrincipalName, UPN), the logo changes to that of the home tenant, but the background branding remains the same.  

Microsoft is working on changing this branding experience for cross-tenant collaboration authentication requests. In the new experience, when a guest user is prompted to sign in, after entering the UPN, they’ll be redirected to their home tenant sign-in page, and the branding experience will reflect that of the home tenant instead of the resource tenant. After successfully signing in, the user will be signed into the app in the resource tenant.

Currently rolling out: Modernized Terms of Use

The Terms of Use (ToU) feature is being modernized. When rolled out, it redirects from the legacy Profile page to the My Account portal and features a PDF viewer to review previously accepted terms of use.  Many organizations have documented procedures to perform certain steps. These procedures need to be updated to reflect the above change.

October 2023: End-user experience changes

Beginning October 2023, Microsoft is improving end-user experiences in the following ways:

• People in the organization will be able to change their password on the Security Info tile of My Sign-ins portal.
• The legacy Profile page will automatically redirect users to the My Account portal.

As with all ‘improvements’ made by Microsoft, in some environments it would result in uncertainty with end users asking themselves whether they are still doing the right thing. Documented procedures, of course, will need to be updated to reflect these changes as well.

October 2023: Modernized PhoneFactor portal

Also starting in October 2023, the legacy PhoneFactor portal will be modernized to better align with the Microsoft Entra admin center look and feel. I think most organizations have already adopted the Security Defaults and Conditional Access to prompt for multi-factor authentication in a more granular fashion, but some organizations still rely on the Per-User MFA options provided in the legacy PhoneFactor portal. If so, it would feel a lot less like it’s 2012 for admins in these organizations.

Looking Beyond the Last Half of the Year

When looking beyond the third and fourth quarter of 2023, more changes are coming. The processes you adopt today can help you face changes in Active Directory and Entra ID in the future. If you're concerned about Domain Controllers being affected by changes in Windows updates, ENow’s Active Directory Monitoring and Reporting solution provides near real-time information on the health of your Domain Controllers. This way, updates that impact Active Directory and cause the inability to sign in and use Active Directory-integrated functionality, are identified fast and judiciously rolled back.

Always be prepared.

Proactively Monitor and Protect your Active Directory

Having an Active Directory Monitoring and Reporting solution in place that provides a single dashboard for monitoring all critical components of Active Directory not only reduces the workload on central administrators – it’s crucial to the health and security of your network. ENow’s OneLook dashboard displays all vital components of Microsoft Active Directory, enabling admins to quickly identify issues before they become outages.

Additionally, with ENow's Active Directory Monitoring and Reporting solution, synthetic transactions actively probe for faults and failures across all critical AD components: domain controllers, replication, DNS, and more. Admins can protect Active Directory, improve security awareness and compliance through visibility into data that empowers admins to remove user accounts that have inappropriate access from privileged groups (Schema Admins, Domain Administrators), and see exactly what users are doing across your environment. And with robust reporting capabilities, you’re able to better understand and optimize your Active Directory with real-time data and historical trends, allowing admins to accurately forecast necessary resources to meet growing demands and determine if SLAs are being met.

Contact ENow today for more information around monitoring, managing, and securing Active Directory - the foundation of your network.