Azure & Active Directory Center

When you are planning any major IT transformation, we recommend that you do what the great craftsmen do: Measure twice. Cut once. That’s because we have seen it happen time and again. You spend all this effort creating a pristine plan and understanding the cool new features of the cloud platform you are migrating to. You market those features to your end users, to help show them how it will be a change for the better. And then the moment you start migrating, you run into issues. Now you have to stop the project and remediate these problems before you can keep going.

One of the pieces of feedback we received from a previous ENow post (integrating your temporary COVID tenant with your on-premises environment), was the fear of introducing errors and interrupting processes that now rely on the Azure AD tenant. This, indeed, may be the case when you rely solely on Azure AD Connect’s soft matching capabilities and wield a narrow scope for synchronization of objects.

Are you currently on AAD Connect 1.6.2.0? If so, you need to act now!

In the first quarters of 2020, when organizations were confronted with the demand to work any place, any device, all the time, some had to scramble to make things work. One of the common approaches we found was creating a “COVID Microsoft 365 tenant” and provisioning other temporary solutions.

The rising need for flexibility and ease of integration with other systems, either on-premises or in the cloud, are driving organizations to adopt a simpler directory structure. Ideally, Active Directory architecture, design, management and operations should seamlessly be monitored and adjusted to keep up with the changes occurring in the larger enterprise. More often than not, however, instead of having in place an Active Directory monitoring strategy there only are periodic reviews that happens usually in response to certain events — some of business nature, some related to changes in technology or products, and some security related.

Microsoft introduced the feature Publisher Verification to help administrators to stay on top of all OAuth2.0 apps and avoid illicit content attacks. You can find more details about these topics here:

- Publisher verification
- What is the illicit consent grant attack in Office 365?

Generally, this is a very welcome security feature, but there are also some pitfalls and facts that need to be considered carefully.

The key question often debated is whether Active Directory is owned by multiple teams, or by a stand-alone IT, security or directory team. And depending on who you ask within the organizations, you may get several different views. So how do you split the responsibility around Active Directory management?

Once a business begins to use Active Directory more and more, depending on how large the organization is, objects have the tendency to become "stale." Every employee typically has an Active Directory user account. They are assigned one the day they are hired. At the same time, if they received a computer, that computer was probably joined to the Active Directory domain. Now, let's say they were assigned to a personal printer and they need to share that printer with “Bob” down the hall. “Susie's” printer could now go into Active Directory. What about Susie's computer's DNS record? Many companies choose to integrate DNS with Active Directory as well which is yet another object in Active Directory! You get the point.

There are many types of organizations. Some organizations have started as cloud-only. Other organizations are still very much entrenched on-premises. From the last group of organizations, I hear the following sentence a lot: “We don’t use Azure AD.”

I think this is an interesting but dangerous thing to say.

In the previous article we looked at the operations and processes regarding backup and recovery of AD DS information, namely the AD DS database and its objects. In this article we will be looking at the backup options for some of Active Directory’s other modules such as Active Directory Certificate Services (AD CS). Your Active Directory monitoring solution should be tracking events for AD CS to ensure the information is backing up successfully.