Azure & Active Directory Center

Microsoft’s identity portfolio is huge and includes products and services like Active Directory, AD FS, Azure AD Connect, Defender for Identity, Microsoft Identity Manager and Azure AD. Contrary to what some belief, Active Directory on-premises is supported, alive and kicking and here to stay for most organizations. This became abundantly clear in August 2022, as Microsoft improved things for Identity admins in the following ways:

Exchange admins have enjoyed the Group writeback optional feature in Azure AD Connect for a long time. It offers add-on functionality to Microsoft 365 Groups in Azure AD for organizations that use both Active Directory and Azure AD in a Hybrid Exchange setup.

Using Microsoft Graph PowerShell SDK

In my previous article about creating custom roles for Exchange Online administrators here, I described how to grant a specific team of administrators permissions to grant admin consent ONLY for specific OAuth2.0 application permissions.

Microsoft 365, formally Office 365, is maturing. It has been more than 10 years since the launch of Office 365, and the type of migrations I see as a consultant are changing.

Recently I had to upgrade my Azure AD Connect server from version 1.x to version 2.x, and I blogged about in my December 2021 blog article "Upgrade Azure AD Connect from 1.x to 2.x". After the upgrade I had to upgrade my Azure Active Directory Password Protection services as well since I installed a new server and decommissioned the old one.

Last year I wrote "Microsoft 365 Security Assessment" Part 1 and Part 2, where I provided a list of actions one should perform or check in one’s Microsoft 365 environment as a security assessment.

Previously, MVP Nicolas Blank wrote an interesting article "Having an Identity Crisis" and it talked about all kinds of attacks on your environment. One such attack is on user email.  Users tend to choose a password that is easy for them to remember and this makes the password weak and easy to guess by others.  Even with some social engineering, user passwords are easy to retrieve, as can be seen on this YouTube clip What is your password?

Microsoft introduced the feature Publisher Verification to help administrators to stay on top of all OAuth2.0 apps and avoid illicit content attacks. You can find more details about these topics here:

- Publisher verification
- What is the illicit consent grant attack in Office 365?

Generally, this is a very welcome security feature, but there are also some pitfalls and facts that need to be considered carefully.

One of the great features in Microsoft 365 is Azure Active Directory Application Proxy. AAD App Proxy allows you to publish internal web applications to the Internet and ensure users authenticate in a very secure way. Best of all, it can do this usually without requiring any firewall changes – all that is required is outbound Internet access from the computer running the AAD App Proxy agent.

Introduction

By now, Azure AD Conditional Access should no longer be unfamiliar to anyone in IT. As a refresher, it’s Microsoft’s solution for providing a flexible, condition-based, way of controlling access to (cloud) resources.