Restrict Guest Permissions in Azure Active Directory

Azure Active Directory (Azure AD) allows you to restrict what external guest users can see in their organization in Azure AD. Guest users are set to a limited permission level by default in Azure AD, while the default for member users is the full set of default user permissions.

This video shows a preview of a new guest user permission level in your Azure AD organization’s external collaboration settings for even more restricted access, so your guest access choices now are:

  • Same as member users: guests have the same access to Azure AD resources as member users
  • Limited access (default): guests can see the membership of all non-hidden groups
  • Restricted access (new): guests can’t see the membership of any groups

More information in Docs: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/users-restrict-guest-permissions

My Profile Portal

The new My Profile (preview) portal helps you to manage your work or school account by setting up and managing your security info, managing your connected organizations and devices, and viewing how your organization uses your data.

In this video I show you around in the new portal, and also show you the My Sign-Ins functionality and the new My Applications portal.

Conditional Access for MFA and SSPR Registration

A couple of weeks ago, the combined registration experience for Multi Factor Authentication and Self Service Password Reset was launched in public preview. This new registration experience enables users to register for MFA and SSPR in a single, step-by-step process.

A lot of organizations asked for control over the conditions under which security-sensitive MFA or SSPR information can be registered, to ensure it’s the right user — not an attacker — registering this security-sensitive info.

This is why Azure AD conditional access for our combined registration experience for MFA and SSPR is now available in Public Preview. This new Conditional Access functionality is part of the Azure AD Premium Plan 1 subscription.

In this video I show you how to configure this and what the user experience is like.

Limited Access using Azure AD Conditional Access

In some situations you may want to give access to your data without giving up control: enabling your employees while at the same time making sure no data leaks from the cloud app to the device being used.

With Limited Access in Azure AD Conditional Access, it is possible to limit access within cloud applications. For example: allow access to SharePoint Online, but prevent downloading or printing of any documents.

In this video, we explore the possibilities of this Conditional Access capability for Outlook on the Web (aka Outlook Web Access or OWA). Find out how to configure limited access in a few simple steps and see for yourself what the end user will experience.


Azure AD Identity Protection

Azure Active Directory Identity Protection is part of Azure AD Premium P2 and enables you to:

  • Detect potential vulnerabilities affecting your organization’s identities
  • Configure automated responses to detected suspicious actions that are related to your organization’s identities
  • Investigate suspicious incidents and take appropriate action to resolve them

In today’s video I am going to show you how to configure a risk policy and what it looks like when suspicious activity is detected and remediated.

Learn more about Azure AD Identity Protection here.

Azure AD B2B Support for Google Identities

A long-awaited feature in Azure AD B2B has become available in Public Preview: it is now possible to add Google as an identity provider for B2B guest users! This means you can invite guest users from outside your company using their Gmail account.

Enabling Google federation makes your invited Gmail user’s experience more seamless. After you have set up B2B Google federation for your organization, invited Gmail users can use their Google identity to sign in and collaborate. They no longer need to create an Azure AD account or Microsoft Account to access the apps and resources you’re sharing with them!

To get this to work, there’s a number of steps that you need to take, which are thoroughly documented on Docs. Let’s see what it looks like:

Important note: at this moment there’s support only for Google IDs with the @gmail.com extension.

Read all about this new feature in Alex Simons’ blog. Full documentation can be found on Microsoft Docs.

Conditional Access Info in Azure AD Sign Ins Report

Conditional Access is the most popular feature in Azure AD Premium. To manage conditional access at scale, you need detailed visibility into how it’s actually working in your organization.

The addition of conditional access information in the Azure AD Sign-ins report is now in public preview. This new information will help you troubleshoot conditional access policies and understand the usage of conditional access in your organization.

There are four key scenarios for this new capability:

  • Quickly troubleshoot conditional access policies
  • Understand usage of conditional access policies
  • Understand legacy authentication usage in your organization
  • Identify gaps in your conditional access policies

In this video I show this new capability in combination with a Conditional Access policy assigned to the Global Admins role in Azure AD:

Find out even more at https://cloudblogs.microsoft.com/enterprisemobility/2018/07/25/public-preview-for-conditional-access-information-in-azure-ad-sign-ins-report/
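The four scenarios above are mostly questions you answer by tallying the sign-in records. As an added example that is not part of the original post, the script below runs those tallies over a few constructed sign-in records; the field names (conditionalAccessStatus, clientAppUsed, appliedConditionalAccessPolicies) follow the Microsoft Graph signIn resource and are an assumption if your export uses a different schema.

```python
"""Summarize Conditional Access results from Azure AD sign-in records.

Added example with constructed sample data, not real log output. Field
names follow the Microsoft Graph signIn resource (assumed mapping).
"""
from collections import Counter

# Assumed: client app buckets that indicate legacy authentication protocols.
LEGACY_CLIENTS = {"Exchange ActiveSync", "Other clients"}

SAMPLE_SIGNINS = [  # constructed records
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "MFA for Global Admins", "result": "success"}]},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Other clients",
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
    {"userPrincipalName": "carol@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "MFA for Global Admins", "result": "failure"}]},
    {"userPrincipalName": "dave@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
]

def ca_status_counts(signins):
    """Scenario 2: how often CA was applied (success/failure/notApplied)."""
    return Counter(s["conditionalAccessStatus"] for s in signins)

def policy_results(signins):
    """Scenario 1: per-policy tally of results, to spot a policy that keeps failing."""
    tally = {}
    for s in signins:
        for p in s["appliedConditionalAccessPolicies"]:
            tally.setdefault(p["displayName"], Counter())[p["result"]] += 1
    return tally

def legacy_auth_gaps(signins):
    """Scenarios 3 and 4: legacy-client sign-ins that no CA policy covered."""
    return sorted(s["userPrincipalName"] for s in signins
                  if s["clientAppUsed"] in LEGACY_CLIENTS
                  and s["conditionalAccessStatus"] == "notApplied")

if __name__ == "__main__":
    print(ca_status_counts(SAMPLE_SIGNINS))
    print(policy_results(SAMPLE_SIGNINS))
    print(legacy_auth_gaps(SAMPLE_SIGNINS))
```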

Replace ADFS with Pass-through Authentication

The majority of organizations using Azure AD sync on-prem accounts using AAD Connect. For authentication, password hash sync has long been the recommended approach. It is secure since only a hash of the hash of the password is synced to the cloud, and it gives you all the advantages of Azure AD, like Identity Protection.

However, historically many organizations have chosen ADFS. The arguments were often: we don’t want passwords in the cloud, we want SSO, and we want to do smart stuff with conditional access and password policies.

The downside of ADFS is the complexity of the solution and the amount of infrastructure it requires. Despite being free from a license perspective, the operational cost of ADFS is relatively high.

With Conditional Access and Password Protection in Azure AD, some of the arguments for ADFS have become invalid. And with the introduction of Pass-through Authentication, it is also no longer necessary to sync password hashes to the cloud. The user password can be checked against your on-prem Active Directory, while the authentication and token service runs in the cloud. And it offers Seamless SSO.

Moving from ADFS to PTA is usually a big cost saver, so let’s see in today’s video how PTA is set up and used:

Azure AD B2B Collaboration

Azure Active Directory (Azure AD) business-to-business (B2B) collaboration capabilities enable any organization using Azure AD to work safely and securely with users from any other organization, small or large. Those organizations can be with or without Azure AD, and don’t even need to have an IT department.

In this video, we’re going to invite an external user to Contoso Bank using Azure AD B2B Collaboration.

I’m also going to show you how to add such an invited, external user to the Global Address List of your organization.

Azure AD Password Protection (preview)

Recently Azure AD Password Protection has become available in Public Preview. This new feature consists of several components, intended to eliminate bad passwords in your organization.

The main feature is the Global Banned Password list. On this dynamic list, Microsoft has gathered vulnerable passwords that are deemed too common. The list is not public, but you can imagine passwords like Welcome01 and Password123 are on it.

New in the Public Preview is the possibility to add custom passwords that you want to ban for your own organization. This enables you to ban the company name, brand names and the like as passwords in your organization.

Password Protection is also available for hybrid scenarios, extending this Azure AD capability to your on-prem Active Directory.

In this video, you will find out how to configure Password Protection and you will see the user experience. I’m also showing you how to install and configure Password Protection for your on-prem AD.

Find out more in this blog post by Alex Simons and of course on Microsoft Docs.