Pass Through Auth (PTA) and Password Hash Sync (PHS) - azure-active-directory

In our environment, we are using pass-through auth for Azure AD, but for Azure AD Domain Services we need to enable Password Hash Sync as well. I have a few questions on that:
1) Can we enable both PTA and PHS?
2) If the above is possible, then which one will be the primary auth?
3) Can we enable PTA for Azure AD and PHS for Azure AD DS?
4) Can we make PHS primary and PTA a manual failover?
Thanks in advance

You can enable PHS as a backup through "Customize synchronization options" > connect to Azure AD and AD > Optional features > PHS.
This will just act as a backup, and PTA will remain your primary mode of authentication. Authentication will not fall back to PHS automatically; you would have to manually switch to PHS if needed.
You would need to enable PHS if you intend to use AAD DS, and if you want to make PHS the primary mode, then PTA has to be disabled at the tenant level and manually enabled when needed.

Currently, it's not possible to enable both PTA and PHS from one AAD Connect.
In the future there may be some other lightweight tools for this, but there is no ETA from the Microsoft Azure AD Product Group.

Related

Azure Active Directory add exception for AD application from "Security Defaults"

There is an option in AD to enable or disable "Security Defaults":
AD Portal > Dashboard > AD Tenant > Properties > Manage Security Defaults > Enable security defaults
Is there a way to exclude an AD user or app from the security defaults?
Security defaults in Azure AD are enabled for all users and cannot be disabled on a per-user or per-application basis.
To achieve the latter, you will need to implement Conditional Access.

Is it possible to enable MFA for the guest users?

I have created guest users in my Azure AD tenant by sending invitations via email following this link https://learn.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal.
The guest users are added to my tenant once they accept the invitation.
Now I have assigned some applications to the guest users that they can access.
To enhance security, I want to enable two-factor authentication for the guest users when they are accessing the applications.
Is it possible to enable MFA for guest users? If yes, can anyone guide me through the steps?
Yes, it is possible to enable MFA for guest users.
To achieve your requirement, please follow the below steps:
Make sure you have an Azure AD Premium P1 or P2 license, which is necessary to create a Conditional Access policy.
To create the Conditional Access policy:
Go to Azure portal -> Azure Active Directory -> Security -> Conditional Access -> Policies -> New policy.
In the Grant tab, select "Grant access" and check "Require multi-factor authentication". Set Enable policy to On and click Create.
I have tried this in my environment: after creating the policy I signed in as a guest user from an Incognito window and it prompted for two-factor authentication like below:
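The same policy expressed as a Microsoft Graph request, added here as an example; it is not code from the answer above or from Microsoft. It makes explicit the one step the portal walk-through leaves implicit (which users the policy is assigned to: the built-in "GuestsOrExternalUsers" selector) and adds two precautions a practitioner would want before turning this on: create it in report-only state first, so the sign-in logs show who it would have affected, and exclude a break-glass account so an MFA outage cannot lock every admin out. This is also the Conditional Access route the earlier security-defaults answer points to, since security defaults cannot be scoped per user. The endpoint and body fields are those of the Graph `conditionalAccessPolicy` resource; the break-glass object ID and the bearer token are placeholders.

```python
"""Create a Conditional Access policy that requires MFA for guest users via Microsoft Graph.

Added example (not code from the thread). Body fields follow the Graph
conditionalAccessPolicy resource; the break-glass ID and the token are placeholders.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholder: object ID of an emergency-access account that CA must never lock out.
BREAK_GLASS_ACCOUNT_ID = "00000000-0000-0000-0000-000000000000"


def guest_mfa_policy(display_name, exclude_users=(), report_only=True):
    """Build the policy body: all guest/external users, all cloud apps, access only with MFA.

    report_only=True creates it in report-only state so the sign-in logs show who it
    would have affected before it enforces anything; switch to False once that looks right.
    """
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                # Built-in selector for B2B guests and external users, not a group.
                "includeUsers": ["GuestsOrExternalUsers"],
                "excludeUsers": list(exclude_users),
            },
            "applications": {"includeApplications": ["All"]},
        },
        # Operator OR with a single control: MFA is the only way to satisfy the grant.
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def policy_enforces_guest_mfa(policy):
    """Sanity check before deploying: does this body actually gate guests behind MFA?"""
    users = policy["conditions"]["users"]
    grant = policy["grantControls"]
    return (
        "GuestsOrExternalUsers" in users.get("includeUsers", [])
        and "mfa" in grant.get("builtInControls", [])
        and policy["state"] in ("enabled", "enabledForReportingButNotEnforced")
    )


def create_policy(policy, access_token):
    """POST the policy. The token needs Policy.ReadWrite.ConditionalAccess
    (plus whatever else the Graph docs list for this call)."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = guest_mfa_policy("Require MFA for guests", exclude_users=[BREAK_GLASS_ACCOUNT_ID])
    assert policy_enforces_guest_mfa(body)
    print(json.dumps(body, indent=2))
    # create_policy(body, "<access token>")  # run with a real token to actually create it
```

Review the policy's report-only results in the sign-in logs for a few days, then change `state` to `enabled`; keep the break-glass exclusion in place permanently.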

Azure AD: EnforceCloudPasswordPolicyForPasswordSyncedUsers does not work for existing tenant

We are currently testing the feature EnforceCloudPasswordPolicyForPasswordSyncedUsers (https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#public-preview-of-the-enforcecloudpasswordpolicyforpasswordsyncedusers-feature), which makes it possible for a tenant to comply with the Azure AD password expiration policy when a user's password has expired.
By default, if the customer uses Password Hash Synchronization (PHS), the value DisablePasswordExpiration is set for every user, which means that if a password has expired on-premises, the user is still able to make use of any Azure AD integrated services. Since we want them to comply with the password expiration policy set in AD/AAD, we want this feature configured.
I have this feature working in a LAB environment with a demo M365 tenant.
Situation LAB: 1 AAD Connect Server - 1 M365 tenant - PHS enabled - Specific OU synced - ForcePasswordChangeOnLogOn feature enabled
When I create a new user with the feature enabled, it sets the value to DisablePasswordExpiration; when I initiate a password change on-premises, it changes the value from DisablePasswordExpiration to None as expected.
Now the challenge, in the dev environment of the customer.
Situation: 1 AAD Connect Server - 1 M365 tenant - PHS enabled - Specific OU synced - ForcePasswordChangeOnLogOn feature enabled
When I create a new user, it does not have any value set. It should have DisablePasswordExpiration set, but it doesn't. When I initiate a sync between on-prem and AAD, the value doesn't appear.
When I change the password on-prem for an existing user WITH the DisablePasswordExpiration value set, it changes the value to "None". So in the above scenario the feature does not work for newly created users, but does work for existing users.
The feature EnforceCloudPasswordPolicyForPasswordSyncedUsers is enabled in both cases.

How to secure Azure Active Directory Service Principal?

Is there a way to detect and monitor that a service principal is only being used from a specific set of IP addresses? I do not want to IP-restrict my entire directory. I have Premium AAD and I think it has features that I might be able to utilize, but I cannot do much testing. I’m currently struggling with how to detect if an SP has been jeopardized and how to prevent it.
If you want to use IP addresses as conditions for sign-in, you could use Conditional Access. But Conditional Access applies to the entire tenant.
And the features of Azure Active Directory Premium include:
Company branding
Group-based application access
Self-service password reset
Self-service group management
Advanced security reports and alerts
Multi-Factor Authentication
Forefront Identity Manager (FIM)
Enterprise SLA of 99.9%
For the details, please read here.
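The answer above covers prevention; the other half of the question, detecting that a service principal is signing in from somewhere it should not, can be done from the sign-in logs without touching Conditional Access. The following is an added example, not code from the thread or from Microsoft. The records mirror the shape of the AADServicePrincipalSignInLogs table that Azure Monitor exports as line-delimited JSON (TimeGenerated, ServicePrincipalId, ServicePrincipalName, IPAddress, ResultType); the records, service-principal IDs and IP ranges themselves are constructed. It does two things: flags sign-ins outside each SP's expected ranges (and SPs that have no expected ranges at all), and builds a first-cut allow-list from a period you trust so the expected ranges do not have to be guessed.

```python
"""Flag Azure AD service-principal sign-ins that come from outside the IPs you expect.

Added example, not from the thread. Records mirror the shape of the
AADServicePrincipalSignInLogs table exported from Azure Monitor as line-delimited
JSON (TimeGenerated, ServicePrincipalId, ServicePrincipalName, IPAddress, ResultType);
the records, service-principal IDs and IP ranges below are constructed.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample export, one JSON object per line. ResultType "0" is success.
SAMPLE_LOG = """\
{"TimeGenerated": "2023-05-01T08:00:01Z", "ServicePrincipalId": "11111111-1111-1111-1111-111111111111", "ServicePrincipalName": "build-agent", "IPAddress": "203.0.113.10", "ResultType": "0"}
{"TimeGenerated": "2023-05-01T08:05:12Z", "ServicePrincipalId": "11111111-1111-1111-1111-111111111111", "ServicePrincipalName": "build-agent", "IPAddress": "203.0.113.11", "ResultType": "0"}
{"TimeGenerated": "2023-05-01T09:17:45Z", "ServicePrincipalId": "11111111-1111-1111-1111-111111111111", "ServicePrincipalName": "build-agent", "IPAddress": "198.51.100.77", "ResultType": "0"}
{"TimeGenerated": "2023-05-01T09:18:03Z", "ServicePrincipalId": "22222222-2222-2222-2222-222222222222", "ServicePrincipalName": "backup-job", "IPAddress": "192.0.2.5", "ResultType": "7000215"}
{"TimeGenerated": "2023-05-01T10:00:00Z", "ServicePrincipalId": "22222222-2222-2222-2222-222222222222", "ServicePrincipalName": "backup-job", "IPAddress": "203.0.113.200", "ResultType": "0"}
{"TimeGenerated": "2023-05-01T10:30:00Z", "ServicePrincipalId": "33333333-3333-3333-3333-333333333333", "ServicePrincipalName": "legacy-sync", "IPAddress": "203.0.113.50", "ResultType": "0"}
"""

# Where each service principal is expected to sign in from (assumed values).
ALLOWED_SOURCES = {
    "11111111-1111-1111-1111-111111111111": ["203.0.113.0/24"],    # build agents
    "22222222-2222-2222-2222-222222222222": ["203.0.113.200/32"],  # one backup host
    # legacy-sync has no entry on purpose: it will be reported as unscoped.
}


def parse_log(text):
    """Parse a line-delimited JSON export into a list of records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ip_in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def find_unexpected_signins(records, allowed_sources):
    """Return one finding per sign-in outside the SP's expected ranges, plus SPs with no ranges.

    A successful sign-in from an unexpected IP is the strongest indicator that the
    client secret or certificate has leaked; a failed one still means someone is trying
    that client ID from somewhere you do not run it.
    """
    findings = []
    for rec in records:
        sp_id = rec["ServicePrincipalId"]
        ranges = allowed_sources.get(sp_id)
        if ranges is None:
            reason = "no expected source ranges defined for this SP"
        elif ip_in_ranges(rec["IPAddress"], ranges):
            continue
        elif rec.get("ResultType") == "0":
            reason = "successful sign-in from unexpected IP"
        else:
            reason = "failed sign-in from unexpected IP"
        findings.append({
            "time": rec["TimeGenerated"],
            "sp": rec["ServicePrincipalName"],
            "sp_id": sp_id,
            "ip": rec["IPAddress"],
            "reason": reason,
        })
    return findings


def baseline_sources(records, only_successful=True):
    """Learn per-SP source addresses from a period you trust, as an allow-list draft to review.

    Only successful sign-ins count by default so that probing from random places
    does not get baked into the baseline. Each address becomes a host network
    (/32 or /128) that can be widened by hand before it goes into ALLOWED_SOURCES.
    """
    seen = defaultdict(set)
    for rec in records:
        if only_successful and rec.get("ResultType") != "0":
            continue
        seen[rec["ServicePrincipalId"]].add(str(ipaddress.ip_network(rec["IPAddress"])))
    return {sp: sorted(nets) for sp, nets in seen.items()}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for f in find_unexpected_signins(records, ALLOWED_SOURCES):
        print(f"{f['time']} {f['sp']} {f['ip']}: {f['reason']}")
    print("baseline:", json.dumps(baseline_sources(records), indent=2))
```

On the sample data this reports the build-agent sign-in from 198.51.100.77, the failed backup-job attempt from 192.0.2.5, and legacy-sync as having no expected ranges. Run `baseline_sources` over a quiet week first, review the result (collapse the host entries into the real subnets), and only then feed it in as the allow-list; an alert on "successful sign-in from unexpected IP" is the one to page on, since the fix is rotating that SP's credential.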

Adding two claim providers with same certificates ADFS (SAML2.0)

I have been trying to add a "virtual" claims provider (SAML 2.0 Identity Provider) in ADFS; I have another claims provider with the same certificate. I get this error on ADFS 2.0 on Windows Server 2012:
MSIS7600 Each Signing Certificate value for a claims provider Trust must be unique across all claims provider trusts in ADFS 2.0 configuration
Is there any workaround to avoid this issue?
No, I got the same thing here. Apparently it must be unique. I tried to add 2 tenants (2 customers) coming from Windows Azure Active Directory, where all claims of all tenants are signed with the same certificate.
The first one works perfectly, but on the second one MSIS7600 refuses to let me add the second Claims Party.
We had the same thing here and solved it with this trick:
We created a new Azure AD with the purpose that this is the one we are going to add in ADFS.
For each customer tenant whose users we want to be able to log in, we asked for read permissions to this tenant; this way it is added in your own subscription. We then selected the users from the customer tenant and added them to the Azure AD we are going to use in ADFS.
We connected ADFS to this Azure AD.
All our customers can now log in to the ADFS using their own credentials. The only thing we have to do is add the existing Azure AD users from their own tenant to our Azure AD.
This way it lets you add as many customers or external ADs as you want, and also not "show" all tenants in the list on the ADFS page. Because there is only one tenant in ADFS there is no complaint about error MSIS7600, and you don't have to update all tenants separately.
Philippe is right. You can use the Azure AD B2B feature, which allows any Azure AD user in any tenant to log in. This is done by invite. This feature is in preview. This is the simplest choice. However, from an ADFS perspective, policy is on only a single entity. Home realm discovery can be a little more tedious.
We've also fixed ADFS 2016 to relax this constraint for a few reasons. We now constrain it on "Cert + claims-provider-identifier". In this world you will be able to add any # of Azure AD tenants distinctly. This fix will be out in the next preview (should be out soon).