Jorge's Quest For Knowledge!
About Windows Server, ADDS, ADFS, Azure AD, FIM/MIM & AADSync (Just
Like An Addiction, The More You Have, The More You Want To Have!)
Archive for the ‘Windows Azure Active Directory’ Category
(2015-10-14) Azure Active Directory Domain Services (Preview)
Posted by Jorge on 2015-10-14
Original source: https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-features/
–
This is really really cool!
–
Azure Active Directory Domain Services is basically “Domain Controller As A Service (DCaaS)”. You can:
* “Lift-and-shift” apps to Azure more easily than ever
* Use LDAP, Active Directory domain join, NTLM, and Kerberos authentication
* Rely on a managed, highly-available service
* Get started in minutes, pay as you go
* Dev and test with no identity worries
* Manage Azure virtual machines effectively using Group Policy
–
Azure Active Directory Domain Services lets you join Azure virtual machines to a domain without the need to deploy domain controllers.
Users can sign in to these virtual machines using their corporate Active Directory credentials and access resources seamlessly. You can
more-securely administer domain-joined virtual machines using Group Policy—an easy, familiar way to apply and enforce security baselines
on all of your Azure virtual machines.
–
The following features are available in the Azure AD Domain Services preview release.
* Simple deployment experience: You can enable Azure AD Domain Services for your Azure AD tenant using just a few clicks. Regardless of whether your Azure AD tenant is a cloud-tenant or synchronized with your on-premises directory, your managed domain can be provisioned quickly.
12/11/2015 12:51 AM
Windows Azure Active Directory « Jorge's Quest For Knowledge!
* Support for domain-join: You can easily domain join computers in the Azure virtual network that Azure AD Domain Services is available in. The domain join experience on Windows client and Server operating systems works seamlessly against domains serviced by Azure AD Domain Services. You can also use automated domain join tooling against such domains.
* One domain instance per Azure AD directory: You can create a single Active Directory domain for each Azure AD directory.
* Create domains with custom names: You can create domains with custom names (e.g. contoso.local) using Azure AD Domain Services. This includes both verified as well as unverified domain names. Optionally, you can also create a domain with the built-in domain suffix (i.e. *.onmicrosoft.com) that is offered by your Azure AD directory.
* Integrated with Azure AD: You do not need to configure or manage replication to Azure AD Domain Services. User accounts, group memberships and user credentials (passwords) from your Azure AD directory are automatically available in Azure AD Domain Services. New users, groups or changes to attributes occurring in your Azure AD tenant or in your on-premises directory are automatically synchronized to Azure AD Domain Services.
* NTLM and Kerberos authentication: With support for NTLM and Kerberos authentication, you can deploy applications that rely on Windows Integrated Authentication.
* Use your corporate credentials/passwords: Passwords for users in your Azure AD tenant work with Azure AD Domain Services. This means users in your organization can use their corporate credentials on the domain – for domain joining machines, logging in interactively or over remote desktop, authenticating against the DC etc.
* LDAP bind & LDAP read support: You can use applications that rely on LDAP binds in order to authenticate users in domains serviced by Azure AD Domain Services. Additionally, applications that use LDAP read operations to query user/computer attributes from the directory can also work against Azure AD Domain Services.
* Group Policy: You can leverage a single built-in GPO each for the users and computers containers in order to enforce compliance with required security policies for user accounts as well as domain joined computers.
* Available in multiple Azure regions: See the supported Azure regions (https://azure.microsoft.com/en-us/documentation/articles/activedirectory-ds-regions/) page for a list of Azure regions in which Azure AD Domain Services are available.
* High availability: Azure AD Domain Services offer high availability for your domain. This offers the guarantee of higher service uptime and resilience to failures. Built-in health monitoring offers automated remediation from failures by spinning up new instances to replace failed instances and to provide continued service for your domain.
* Use familiar management tools: You can use familiar Windows Server Active Directory management tools such as the Active Directory Administrative Center or Active Directory PowerShell in order to administer domains provided by Azure AD Domain Services.
–
UPDATE 2015-10-21: Check https://azure.microsoft.com/en-us/regions/#services to see if this service is (already) available or not in your region.
–
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
Posted in Azure AD Domain Services (DCaaS), Windows Azure Active Directory
(2015-10-13) Roles Based Access Control (RBAC) For Azure Is Now GA
Posted by Jorge on 2015-10-13
Finally, no more “all or nothing”. Delegation is now possible for Azure resources.
–
More information:
Azure RBAC is GA! (http://blogs.technet.com/b/ad/archive/2015/10/12/azure-rbac-is-ga.aspx)
Role-based access control in the Microsoft Azure portal (https://azure.microsoft.com/en-gb/documentation/articles/role-based-accesscontrol-configure/)
–
Cheers,
Jorge
Posted in RBAC, Windows Azure Active Directory
(2015-10-07) Realistic Random Data Set To Import Into Some Identity Store
Posted by Jorge on 2015-10-07
Have you ever needed a large and realistic random data set to test your application or system in some way? Well, look no further!
–
By testing I mean “performance/volume testing” and/or “logic testing” (either declarative or coded, against small and large data sets).
Testing with correctly defined (custom) data is required to make sure the application/system behaves as you require it to behave. By using fake
data you are sure you do not get into trouble due to privacy or security related issues. You also do not have to beg for and jump through all
kinds of hoops to get the data. Depending on your organization, you may also need to have a data set that includes special characters (e.g.
apostrophes) and/or very special characters (e.g. Unicode characters from other languages).
–
Most likely, there are more websites out there, but the following 2 websites can help you out in different scenarios:
1. https://www.mockaroo.com/
2. http://www.fakenamegenerator.com/order.php
–
[1] Mockaroo – Realistic Data Generator (https://www.mockaroo.com/)
This website allows you to use your own defined schema. You can do that by selecting/defining the field names and field types or by importing
the field headers of some CSV file you have. After importing the CSV headers, you still need to define the field types. When done, you can
preview the data or download it right away. The data can be downloaded in different formats, such as, but not limited to, CSV format. The
only downsides are the limited number of objects (max. 1000) and that it only supports western characters for names. If you need more data,
you need to pay a fee per year.
Figure 1: The Interface Of The Mockaroo Website To Define The Required Schema
–
[2] Fake Name Generator (http://www.fakenamegenerator.com/order.php)
However, if you do not have a strict schema, you want up to 50.000 objects and you also require non-western characters for names (e.g.
Japanese, Chinese, Arabic, etc.), then you might be interested in using this website. You can generate data for a single object, or you can bulk
generate (order for free!) a very large amount of data up to 50.000 objects. If you need more objects, you just request it multiple times.
First you need to select the format and compression type. Secondly you need to select the name set(s), countries, gender and age of those
objects.
Figure 2a: The Interface Of The Fake Name Generator Website To Define The Configuration For The Data Set
–
And last but not least, you need to select the required fields you want to include in the data set, define the required number of objects and the
e-mail address where the bulk order is e-mailed to.
Figure 2b: The Interface Of The Fake Name Generator Website To Define The Configuration For The Data Set
–
Every request file is made available after a few minutes and when done you will receive an e-mail with a time-limited link.
–
After receiving the data set you can import it, by first writing your own PowerShell script, into ADDS, ADLDS, Azure AD, FIM Portal/Sync,
SQL database or anything similar.
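One way to write such an import script for ADDS, as an added example that is not the blog author's own script. It assumes a UTF-8 CSV with GivenName, Surname and EmailAddress columns; the file path, OU and UPN suffix are lab placeholders.

```powershell
# Added example: import a generated CSV into a lab ADDS domain as disabled test users.
# Assumptions (not from the post): column names, file path, OU and UPN suffix.
Import-Module ActiveDirectory

$CsvPath   = 'C:\Temp\FakeNameGenerator.csv'            # placeholder path
$TargetOU  = 'OU=TestUsers,DC=lab,DC=example,DC=com'    # placeholder, must already exist
$UpnSuffix = 'lab.example.com'                          # placeholder UPN suffix

function New-RandomPassword {
    # Throw-away password from a 64-character alphabet (256 % 64 = 0, so no modulo bias);
    # regenerated until all four character classes are present.
    param([int]$Length = 24)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+-_=?'
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes    = New-Object byte[] $Length
    try {
        do {
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and
                 $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    } finally {
        $rng.Dispose()
    }
    return $pw
}

# -Encoding UTF8 keeps apostrophes and non-western names intact when reading the file
$rows  = Import-Csv -Path $CsvPath -Encoding UTF8
$index = 0

$results = foreach ($row in $rows) {
    $index++

    # sAMAccountName is limited to 20 characters and rejects several special characters,
    # so the logon name is generated instead of being derived from the random names.
    $sam   = 'tst{0:D6}' -f $index
    $given = "$($row.GivenName)".Trim()
    $sur   = "$($row.Surname)".Trim()

    # The names are passed as parameter values only. They are never spliced into a
    # -Filter or LDAP string, so an apostrophe in a name needs no escaping here.
    $params = @{
        Name              = "$given $sur ($sam)"   # CN stays unique inside the OU
        DisplayName       = "$given $sur"
        GivenName         = $given
        Surname           = $sur
        SamAccountName    = $sam
        UserPrincipalName = "$sam@$UpnSuffix"
        Path              = $TargetOU
        Description       = 'Generated test identity'
        AccountPassword   = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Enabled           = $false                 # test objects never need to log on
    }
    if ($row.EmailAddress) { $params.EmailAddress = $row.EmailAddress }

    try {
        New-ADUser @params -ErrorAction Stop
        [pscustomobject]@{ Sam = $sam; Name = $params.DisplayName; Status = 'Created' }
    } catch {
        # Keep going on a bad row and report it afterwards
        [pscustomobject]@{ Sam = $sam; Name = $params.DisplayName; Status = "Failed: $($_.Exception.Message)" }
    }
}

# Summary, followed by the rows that were rejected
$results | Group-Object { $_.Status -replace ':.*$' } | Select-Object Name, Count
$results | Where-Object { $_.Status -ne 'Created' } | Format-Table -AutoSize -Wrap
```

The generated passwords are discarded on purpose: the accounts are created disabled and exist only as test objects.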
–
Have fun!
–
Cheers,
Jorge
Posted in Active Directory Domain Services (ADDS), Active Directory Lightweight Directory Services (ADLDS), Data Set, Forefront Identity Manager (FIM) Portal, Windows Azure Active Directory
(2015-07-01) New Azure Authenticator Phone App Supports Multiple
Account Providers
Posted by Jorge on 2015-07-01
Microsoft has released a new MFA phone app that supports any account provider supporting the Open Authentication Initiative (OATH).
Examples of supported account providers are: Azure AD, Microsoft Account and Google.
–
For more information please read:
Try the new Azure Authenticator application! (http://blogs.technet.com/b/ad/archive/2015/06/29/try-the-new-azure-authenticatorapp.aspx)
Moving to the new Azure Authenticator app (https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-azureauthenticator/?rnd=1)
Azure Multi-Factor Authentication (https://msdn.microsoft.com/library/azure/dn249471.aspx)
Azure Multi-Factor Authentication options for Federated Users (https://msdn.microsoft.com/en-us/library/azure/dn394284.aspx)
–
Cheers,
Jorge
Posted in Multi-Factor AuthN, Windows Azure Active Directory
(2015-06-29) Azure AD Connect Has RTM’ed
Posted by Jorge on 2015-06-29
Azure AD Connect allows you to quickly onboard to Azure AD and Office 365. The Azure AD Connect wizard is the single tool and guided
experience for connecting your on premises identity infrastructure to the cloud. Choose your topology and needs (single or multiple
directories, password sync or federation), and the wizard will deploy and configure all components required to get your connection up and
running including sync services, AD FS, and the Azure AD PowerShell module.
Azure AD Connect encompasses functionality that was previously released as Dirsync and AAD Sync. These tools will no longer be released
individually. All future improvements will be included in updates to Azure AD Connect, so that you always know where to get the most
current functionality.
–
Download it from here (https://www.microsoft.com/en-us/download/details.aspx?id=47594)
–
Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both
cloud and on-premises resources. With this integration users and organizations can take advantage of the following:
* Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
* Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
* Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
* Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications.
Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.
–
More information:
Integrating your on-premises identities with Azure Active Directory (https://azure.microsoft.com/nl-nl/documentation/articles/activedirectory-aadconnect/)
Azure AD Connect Preview 2 is available! (http://blogs.technet.com/b/ad/archive/2015/03/24/azure-ad-connect-preview-2-is-available.aspx)
Azure AD Connect: One simple, fast, lightweight tool to connect Active Directory and Azure Active Directory (http://blogs.technet.com/b/ad/archive/2014/12/15/azure-ad-connect-one-simple-fast-lightweight-tool-to-connect-active-directory-and-azure-active-directory.aspx)
Connecting AD and Azure AD: Only 4 clicks with Azure AD Connect (http://blogs.technet.com/b/ad/archive/2014/08/04/connectingad-and-azure-ad-only-4-clicks-with-azure-ad-connect.aspx)
Azure AD Connect & Connect Health is now GA! (http://blogs.technet.com/b/ad/archive/2015/06/24/azure-ad-connect-amp-connecthealth-is-now-ga.aspx)
Azure AD Connect (https://en.wikipedia.org/wiki/Azure_AD_Connect)
–
Cheers,
Jorge
Posted in Azure AD Connect, Windows Azure Active Directory
(2014-11-21) Troubleshooting SSO Issues In Azure AD, Office 365 Or
Windows Intune
Posted by Jorge on 2014-11-21
The following resources can help you troubleshoot SSO issues:
* Troubleshoot single sign-on setup issues in Office 365, Windows Intune, or Azure (http://support.microsoft.com/kb/2530569)
* Signing in to Office 365, Azure, or Windows Intune by using single sign-on doesn’t work from some devices (http://support2.microsoft.com/kb/2530713)
* Office 365 & Single Sign-On: How to Handle Different UserPrincipalName (UPN) Values (http://blogs.technet.com/b/askpfeplat/archive/2013/09/02/office-365-amp-single-sign-on-how-to-handle-different-userprincipalname-upn-values.aspx)
* You can’t sign in to Office 365, Azure, or Windows Intune (http://support2.microsoft.com/kb/2412085)
* Office 365 Identity Federation Debug Tool (http://www.msexchange.org/kbase/ExchangeServerTips/MicrosoftOffice365/ExchangeOnline/office-365-identity-federation-debug-tool.html)
* (2014-09-29) Default Claims Rules In ADFS To Support SSO Through Federation With Azure AD/Office 365 (https://jorgequestforknowledge.wordpr
/2014/09/29/default-claims-rules-in-adfs-to-support-sso-through-federation-with-azure-adoffice-365/)
* (2014-10-01) TroubleShooting Federation/SSO To Windows Azure AD And Office 365 (https://jorgequestforknowledge.wordpress.com/2014/10/01/troubleshooting-federationsso-to-windows-azure-ad-and-office-365/)
–
Cheers,
Jorge
Posted in Office 365, SSO, Troubleshoot, Windows Azure Active Directory
(2014-11-05) Upgrading Azure AD Sync Services From GA (v1.0.419.911)
To v1.0.470.1023
Posted by Jorge on 2014-11-05
As mentioned in this blog post (https://jorgequestforknowledge.wordpress.com/2014/11/01/a-new-version-of-azure-active-directorysync-services-has-been-released-v1-0-470-1023/), Microsoft released a new version of the Azure AD Sync Services. As mentioned in the release
notes (http://msdn.microsoft.com/en-us/library/azure/dn835004.aspx), the upgrade is quite straightforward, with a fix that is needed only if you modified
one or more sync rules.
If you already have Azure AD Sync installed, there is one additional step you have to take in case you have changed any of the out-of-box
Synchronization Rules. After you have upgraded to the 1.0.470.1023 release, the synchronization rules you have modified are duplicated. For
each modified Sync Rule do the following:
1. Locate the Sync Rule you have modified and take a note of the changes.
2. Delete the Sync Rule.
3. Locate the new Sync Rule created by Azure AD Sync and re-apply the changes.
–
So let’s try this and see what happens.
My starting point is the GA version.
Figure 1: GA Version Of Azure AD Sync Services (AADSync)
–
Double-click on MicrosoftAzureADConnectionTool.exe and the following screen appears. Check the checkbox "I agree to the license terms" if
you indeed do agree with the license terms. Click the [Upgrade] button to continue.
Figure 2: Initial Screen Of The Azure AD Sync Upgrade
–
The first thing the upgrade wizard tries to do is upgrade the Azure Active Directory Sign-in Assistance/Client, and then it will upgrade all
other components. However, you might receive the following "error". If you do not see it, you’re good; continue to figure 12.
Figure 3: Error About Upgrading The Azure Active Directory Sign-in Assistance/Client
–
As specified, go and look in the Application Event Log. Event ID 906 tells you to check a log file, so you should do so!
Figure 4: Error In The Application Event Log
–
You see another Event ID 906, and that’s not really helpful.
Figure 5: Error In The Application Event Log
–
And yet you see another Event ID 906, and again that’s not really helpful. It just mentions the upgrade of the Azure Active Directory Sign-in
Assistance/Client failed.
Figure 6: Error In The Application Event Log
–
System.Exception: Unable to upgrade the Azure Active Directory Sign-in Client. Please see the event log for additional details. --->
Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessExecutionFailedException: Exception: Execution failed with errorCode: 1603.
Details:
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.StartProcessCore(String fileName, String arguments, String
workingDirectory, NetworkCredential credential, Boolean loadUserProfile, Boolean hideWindow, Boolean waitForExit)
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.StartBackgroundProcessAndWaitForExit(String fileName, String
arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile)
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.MsiExecAdapter.InstallMsiPackage(String msiPackageDirectory, String
msiPackageFileName, String parametersString, String installationPath, NetworkCredential credential, String installLogFileName, Boolean quiet,
Boolean suppressReboot)
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.MsiExecAdapter.InstallMsiPackageQuietSuppressReboot(String
msiPackageDirectory, String msiPackageFileName, String parametersString, String installationPath, NetworkCredential credential, String
installLogFileName)
at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.MsiSetupTaskBase.UpgradeCore()
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Upgrade()
--- End of inner exception stack trace ---
at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String
taskName, Exception innerException)
at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Upgrade()
at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.SetupAdapter.TypeDependencies.GenericDirectorySyncSetupUpgrade(String
pathToSetupFiles, String installationPath, ProgressChangedEventHandler progressChangedEventHandler)
at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.WizardPages.InstallOrUpgradePageViewModel.SetupTask(Object sender,
DoWorkEventArgs args)
at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.Controls.Wizards.ProgressReportingTaskViewModel.ExecuteAction(Action
action, Boolean isProgressIndeterminate)
–
Finally, looking in ‘C:\Windows\temp\AADSync\MsoIdCli_64_Install.log’, at a point almost at the end you will see the following errors,
marked yellow. Basically it is saying that the repair failed. Why is it repairing instead of upgrading?
Figure 7: Error In The Log File About Repairing The Installation
–
The version of the Azure Active Directory Sign-in Assistance/Client in this AADSync package is v7.250.4556.0, and the version that I already
had installed was also v7.250.4556.0. Because the versions are the same, it will not upgrade, but rather it will try to repair. On my test server, I
have ADFS v3.0 and AADSync on the same server. A few days ago I updated the Azure AD PowerShell CMDlets including the Azure Active
Directory Sign-in Assistance/Client. And that’s why I ended up with that version already installed.
The solution here is to go to the "Control Panel – Programs and Features" and uninstall the Azure Active Directory Sign-in Assistance/Client.
Figure 8: Uninstalling The Microsoft Online Services Sign-In Assistant (= Azure Active Directory Sign-in Assistance/Client)
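A pre-upgrade check for the same-version situation described above, as an added example that is not part of the original post or of the AADSync installer. The DisplayName pattern is an assumption based on the product name in Figure 8; the version and log path are the ones quoted in the post.

```powershell
# Added example: detect the "same version already installed" case before running the upgrade.
$PackageVersion = [version]'7.250.4556.0'   # Sign-in Assistant version in this AADSync package (from the post)
$LogPath        = 'C:\Windows\temp\AADSync\MsoIdCli_64_Install.log'

# Installed products are registered under both the 64-bit and the 32-bit uninstall keys
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Online Services Sign-in Assistant*' })   # assumed name pattern

if ($installed.Count -eq 0) {
    'Sign-in Assistant is not installed: the wizard will install it fresh.'
}
foreach ($item in $installed) {
    $current = $item.DisplayVersion -as [version]
    if (-not $current) {
        "Cannot parse version '$($item.DisplayVersion)' for $($item.DisplayName)."
    } elseif ($current -lt $PackageVersion) {
        "Installed $current is older than $PackageVersion: a normal upgrade is expected."
    } elseif ($current -eq $PackageVersion) {
        "Installed $current equals the packaged version: the installer will attempt a repair, which is the case that failed in this post. Uninstall the Sign-in Assistant first."
    } else {
        "Installed $current is newer than $PackageVersion: this case is not covered by the post."
    }
}

# After a failed attempt, show the lines leading up to each failed MSI action.
# "Return value 3" is how Windows Installer logs mark an action that failed.
if (Test-Path $LogPath) {
    Get-Content -Path $LogPath |
        Select-String -Pattern 'Return value 3' -Context 5, 0
}
```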
–
Confirm the uninstall.
Figure 9: Confirming Uninstalling The Microsoft Online Services Sign-In Assistant
–
When the uninstall is done, do not reboot the server as requested.
Figure 10: Request To Reboot The Server
–
Now go back to the upgrade wizard and click the [Upgrade] button again.
Figure 11: Retrying The Upgrade
–
The upgrade will now continue. It will present the current credentials you are using to connect to Azure AD.
Figure 12: Credentials To Connect To Azure AD Tenant
–
Next it will present the current AD forest already connected. If you want to, you can connect extra AD forests; otherwise click the [Next] button.
Figure 13: AD Forests Already Connected To AADSync
–
Now, it presents you with the user matching configuration. You cannot change this right now, therefore click the [Next] button.
Figure 14: Previously Configured User Matching Options
–
Now, it presents you with optional features you can use. You can keep it AS-IS or you can enable what you need to enable. If you want to
enable or disable an optional feature, you just need to rerun the wizard.
[Exchange Hybrid Deployment] --> If you have an Exchange hybrid deployment, then select this checkbox. This will write-back some attributes
from Exchange online to the on-premises Active Directory.
[Password Synchronization] --> With password synchronization, you enable your users to use the same password they are using to logon to
your on-premises Active Directory to logon to Azure Active Directory. For more information on how to configure this, please see
http://msdn.microsoft.com/en-us/library/azure/dn835016.aspx.
[Password Write-Back] --> Password write-back is an Azure Active Directory Premium feature. For more information on how to configure this,
please see http://blogs.technet.com/b/ad/archive/2014/04/29/deep-dive-password-reset-with-on-premise-sync-in-azure-ad-premium.aspx.
[Azure AD App And Attribute Filtering] --> If you want to review or limit the attributes which are synchronized with Azure AD, then select
Azure AD app and attribute filtering. You will then get two additional pages in the wizard. For more information on how to configure this,
please see http://msdn.microsoft.com/en-us/library/azure/dn764938.aspx.
Click the [Next] button.
Figure 15: Optional Features To Enable
–
Now it will present you with a summary screen. Click the [Next] button to really start the upgrade of the software.
Figure 16: Ready To Configure And Upgrade
–
After the upgrade you can choose to synchronize now or do it later as scheduled. Click the [Finish] button.
Figure 18: Upgraded Version Of Azure AD Sync Services (AADSync)
–
That’s all folks!
–
Cheers,
Jorge
Posted in Azure AD Sync, Windows Azure Active Directory
(2014-11-01) A New Version Of Azure Active Directory Sync Services Has Been
Released (v1.0.470.1023)
Posted by Jorge on 2014-11-01
A few days ago, Microsoft released a new version of the Azure Active Directory Sync Services (AADSync).
–
This version adds the following features:
* Password synchronization from multiple on-premise AD to AAD
* Localized installation UI to all Windows Server languages
–
Upgrading from AADSync 1.0 GA
If you already have Azure AD Sync installed, there is one additional step you have to take in case you have changed any of the out-of-box
Synchronization Rules. After you have upgraded to the 1.0.470.1023 release, the synchronization rules you have modified are duplicated. For
each modified Sync Rule do the following:
Locate the Sync Rule you have modified and take a note of the changes.
Delete the Sync Rule.
Locate the new Sync Rule created by Azure AD Sync and re-apply the changes.
–
Permissions for the AD account
The AD account must be granted additional permissions to be able to read the password hashes from AD. The permissions to grant are named
“Replicating Directory Changes” and “Replicating Directory Changes All”. Both permissions are required to be able to read the password
hashes.
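Because any principal holding both rights can read password hashes, it is worth checking who holds them after the grant. The following is an added example, not code from the original post or from Microsoft: it lists the principals with a direct grant of either right on the domain head and flags those holding both. It assumes the ActiveDirectory RSAT module, and the account name is a placeholder.

```powershell
# Added example (not from the original post): audit the two replication rights
# that password sync requires. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Placeholder: the account configured on the AD Connector in AADSync
$SyncAccount = 'DOMAIN\aadsync-connector'

# Control access right GUIDs as defined in the AD schema (same in every forest)
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# The rights are granted on the head of the domain naming context
$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"

# Keep only Allow ACEs that name one of the two extended rights explicitly.
# ACEs granting full control or all extended rights are not listed here.
$grants = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (-not ($ace.ActiveDirectoryRights -band $ExtendedRight)) { continue }
    $right = $ReplRights[$ace.ObjectType.ToString()]
    if ($right) {
        New-Object psobject -Property @{
            Principal = $ace.IdentityReference.Value
            Right     = $right
        }
    }
}

# One row per principal; both rights together are needed to read password hashes
$report = $grants | Group-Object -Property Principal | ForEach-Object {
    $rights = @($_.Group | ForEach-Object { $_.Right } | Sort-Object -Unique)
    New-Object psobject -Property @{
        Principal     = $_.Name
        Rights        = $rights -join '; '
        HasBothRights = ($rights.Count -eq 2)
    }
}
$report | Sort-Object -Property Principal |
    Format-Table Principal, HasBothRights, Rights -AutoSize

# Direct grants only: rights obtained through group membership are not expanded
$sync = $report | Where-Object { $_.Principal -eq $SyncAccount }
if (-not $sync -or -not $sync.HasBothRights) {
    Write-Warning "$SyncAccount does not hold both rights directly on $domainDn"
}
```

Any principal in the output other than the built-in domain controller and administrator groups and the sync account itself deserves a review.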
–
Release Note: Changing the AD password
After password sync has been enabled, if the password of the account used by the AD Connector is changed through the UI, then password
synchronization must be disabled and re-enabled.
–
Download: Microsoft Azure Active Directory Sync Services v1.0.470.1023 (http://www.microsoft.com/en-us/download/details.aspx?id=44225)
Documentation: Azure Active Directory Synchronization Services (AAD Sync) (http://msdn.microsoft.com/en-us/library/azure/dn790204.aspx)
–
More information:
(2014-09-16) Azure Active Directory Sync Services Has Reached General Availability (https://jorgequestforknowledge.wordpress.com/2014/09/16/azure-active-directory-sync-services-has-reached-general-availability/)
(2014-09-21) Change Install Of The Azure AD Sync Service Throws WMI Namespace Error (https://jorgequestforknowledge.wordpress.com/2014/09/21/change-install-of-the-azure-ad-sync-service-throws-wmi-namespace-error/)
(2014-09-23) Upgrading Azure AD Sync From The Beta Version To RTM (https://jorgequestforknowledge.wordpress.com/2014/09/23/upgrading-azure-ad-sync-from-the-beta-version-to-rtm/)
–
Cheers,
Jorge
Posted in Azure AD Sync, Windows Azure Active Directory
(2014-10-01) TroubleShooting Federation/SSO To Windows Azure AD And
When setting up DirSync and federation between your on-premises AD and Windows Azure AD to support identity sync and SSO, the most
important attributes to make sure everything works are the immutableID and the userPrincipalName.
–
Paul Williams from msresource.net has written a great number of blog posts about this, touching all kinds of related stuff. See the following
blog posts:
Multi-forest SSO to O365: implementing multiple immutable IDs (http://blog.msresource.net/2013/09/18/multi-forest-sso-to-o365-implementing-multiple-immutable-ids/)
Windows Azure Active Directory Connector part 1: when, where and why (http://blog.msresource.net/2014/01/13/windows-azure-active-directory-connector-part-1-when-where-and-why/)
Windows Azure Active Directory Connector part 2: multi-forest directory synchronization (http://blog.msresource.net/2014/01/22/windows-azure-active-directory-connector-part-2-multi-forest-directory-synchronization/)
Windows Azure Active Directory Connector part 3: immutable ID (http://blog.msresource.net/2014/03/10/windows-azure-active-directory-connector-part-3-immutable-id/)
Implementing Exchange Online with an existing on-premises identity management solution that provisions mailboxes (http://blog.msresource.net/2014/06/25/implementing-exchange-online-with-an-existing-on-premises-identity-management-solution-that-provisions-mailboxes/)
–
With regards to the implementation, I used the string version of the objectGUID (AD) as the immutableID (sourceAnchor in AAD) and the
UPN as the userPrincipalName (AAD). I achieved that by leveraging FIM with the AAD connector. Because of that I also had to implement
slightly different claims rules in ADFS for Azure AD/Office 365. The rules in my ADFS v2.0 looked like:
@RuleName = "Identity Claims – objectGUID (Base64) To objectGUID (String)"
c:[Type == "http://temp.org/identity/claims/adObjectGuidBase64org"]
=> add(store = "String Processing Store", types = ("http://temp.org/identity/claims/adObjectGuidString"), query = "fromBase64GuidtoStringGuid", param = c.Value);

@RuleName = "Identity Claims – upn To UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(Type = "http://schemas.xmlsoap.org/claims/UPN", Value = c.Value);

@RuleName = "Identity Claims – objectGUID (String) To ImmutableID"
c:[Type == "http://temp.org/identity/claims/adObjectGuidString"]
=> issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleName = "Identity Claims – ImmutableID To Name ID"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
–
I swear everything was working, until some day I started to get the following errors:
….when navigating to: https://outlook.office365.com/owa/
Figure 1: Error When Using Federated Logon And Navigating To Office 365 Portal
–
….when navigating to: https://manage.windowsazure.com/default.aspx
Figure 2: Error When Using Federated Logon And Navigating To Azure AD Management Portal
–
….when navigating to: https://portal.office.com/
Figure 3: Error When Using Federated Logon And Navigating To Office 365 Management Portal
–
By giving the correlation ID to someone at Microsoft that is able to check it in the system logs, they most likely will be able to tell you what
is wrong. In this case unfortunately I was not able to do that. The logs on my system did not give me any clue!
As I have another ADFS v3.0 system in my environment, I therefore decided to configure that ADFS instance with all default values for
DirSync and federation. After configuring all this, I was able to access Azure AD and Office 365 through federated logon on my ADFS v3.0
box, but still not on my ADFS v2.0.
–
After comparing the federation trusts between ADFS v2.0 and Azure AD, and between ADFS v3.0 and Azure AD I saw the following
difference:
Figure 4: Signature Hash Algorithm On The RP Trust On ADFS v3.0 For Azure AD/Office 365 (Default Config) – WORKING
–
Figure 5: Signature Hash Algorithm On The RP Trust On ADFS v2.0 For Azure AD/Office 365 (Custom Config) – NOT WORKING
–
For whatever reason, in the past I had changed the signature hash algorithm on the RP Trust On ADFS v2.0 For Azure AD/Office 365 AND I
had forgotten about it. It took me some time to find this one, but by just changing the signature hash algorithm on the RP Trust On ADFS v2.0
For Azure AD/Office 365 from SHA-256 to SHA-1, everything started to work again! Yiiihhaaaaaa!
–
PS: this has NOTHING to do with the usage of ADFS v2.0 versus ADFS v3.0. This was a configuration mistake I made when playing around
in the test/demo environment.
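The side-by-side comparison of the two relying party trusts can also be scripted, which surfaces a forgotten setting such as the signature hash algorithm without clicking through each tab. The following is an added example, not code from the original post; the snapshot file names are placeholders and the list of compared properties is a selection made for this example.

```powershell
# Added example (not from the original post): snapshot the Azure AD/Office 365
# relying party trust on each AD FS server, then diff the two snapshots.
$RpIdentifier = 'urn:federation:MicrosoftOnline'   # identifier of that RP trust

# Settings to compare; all are properties returned by Get-AdfsRelyingPartyTrust.
# SignatureAlgorithm is a URI: ...xmldsig#rsa-sha1 or ...xmldsig-more#rsa-sha256
$Properties = 'Name', 'Enabled', 'Identifier', 'SignatureAlgorithm', 'EncryptClaims',
              'SigningCertificateRevocationCheck', 'NotBeforeSkew', 'TokenLifetime',
              'ProtocolProfile', 'IssuanceTransformRules'

function Export-RpTrustSnapshot {
    param([Parameter(Mandatory = $true)][string]$Path)
    # AD FS 2.0 ships its cmdlets as a snap-in, AD FS 3.0 as an auto-loading module
    if (-not (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
    }
    $trust = Get-AdfsRelyingPartyTrust -Identifier $RpIdentifier
    if (-not $trust) { throw "No relying party trust with identifier $RpIdentifier" }
    $trust | Select-Object -Property $Properties | Export-Clixml -Path $Path
}

function Compare-RpTrustSnapshot {
    param(
        [Parameter(Mandatory = $true)][string]$ReferencePath,   # working server
        [Parameter(Mandatory = $true)][string]$DifferencePath   # failing server
    )
    $ref  = Import-Clixml -Path $ReferencePath
    $diff = Import-Clixml -Path $DifferencePath
    foreach ($name in $Properties) {
        # Join multi-valued properties so arrays compare by content
        $left  = @($ref.$name)  -join "`n"
        $right = @($diff.$name) -join "`n"
        if ($left -ne $right) {
            New-Object psobject -Property @{
                Property   = $name
                Reference  = $left
                Difference = $right
            }
        }
    }
}

# On the working server: Export-RpTrustSnapshot -Path .\adfs-working.xml
# On the failing server: Export-RpTrustSnapshot -Path .\adfs-failing.xml
# With both files copied to one machine:
#   Compare-RpTrustSnapshot -ReferencePath .\adfs-working.xml -DifferencePath .\adfs-failing.xml |
#       Format-List Property, Reference, Difference
```

Differences in IssuanceTransformRules are expected when one server carries custom claim rules; an unexpected row such as SignatureAlgorithm is the kind of drift described above.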
–
Cheers,
Jorge
Posted in Active Directory Federation Services (ADFS), Azure AD Sync, DirSync, DirSync, Federation Trusts, Office 365, SSO, Transform
Rules, Windows Azure Active Directory
(2014-09-25) Changing The Service Account And/Or Security Groups For Azure AD Sync Services
Posted by Jorge on 2014-09-25
If you used the default configuration, you will end up with a local service account (e.g. AAD_ff304599ae39) for the Azure AD Sync Service
and local security groups will be used (ADSyncAdmins, ADSyncOperators, ADSyncBrowse and ADSyncPasswordSet). This blog post helps
you change either one, local service account or local security groups, or both to use domain objects. This blog post assumes you want to
change both the service account and the security groups. In that case perform all steps. If you only want to change either one, then only
perform the corresponding steps.
–
Step 1: Create the new Azure AD Sync Service service account in AD
Example: ADCORP\SVC_R1_AADSyncSvc
–
Step 2: Create the new Azure AD Sync Service security groups in AD
Example: ADCORP\AADSyncAdmins
Example: ADCORP\AADSyncOperators
Example: ADCORP\AADSyncBrowse
Example: ADCORP\AADSyncPasswordSet
–
Step 3: Establish correct memberships
Example: ADCORP\AADSyncAdmins <– make the Azure AD Sync Service service account in AD and any AD based user/admin account
that fully manages the AAD Sync Service a member of this group
QUESTION: do you know which other group needed to be created in FIM, but is not needed anymore in AADSync?
–
Step 4: Configure the new Azure AD Sync Service service account in AD with the correct user rights on the server with Azure AD Sync
Service installed
Give the new Azure AD Sync Service service account in AD the following user rights on the server with Azure AD Sync Service installed:
“Deny logon as a batch job”
“Deny logon locally”
“Deny logon through Terminal Services”
“Deny access to this computer from the network”
Figure 1: Required User Rights For The New Azure AD Sync Service Service Account In AD
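Whether the four deny-logon rights from step 4 are actually in effect on the server can be checked before running the change install. The following is an added example, not code from the original post: it exports the local user rights assignment with secedit and looks for the service account under each of the four rights. The account name is the example name from step 1, and the check covers direct assignments only.

```powershell
# Added example (not from the original post): verify the four deny-logon user
# rights for the new service account on the AADSync server. Run elevated.
$ServiceAccount = 'ADCORP\SVC_R1_AADSyncSvc'   # example account name from step 1

# Privilege constants behind the four user rights listed in step 4
$RequiredRights = @{
    SeDenyBatchLogonRight             = 'Deny logon as a batch job'
    SeDenyInteractiveLogonRight       = 'Deny logon locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny logon through Terminal Services'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
}

# Resolve the account to its SID; secedit writes most entries as *<SID>
$account = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$accountName = $ServiceAccount.Split('\')[-1]

# Export the local user rights assignment to a temporary INF file
$inf = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$assigned = @{}
try {
    # Parse "SeXxxRight = *S-1-5-..,Name" lines into right -> list of trustees
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $assigned[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
}
finally {
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
}

# Direct assignments only: a right assigned to a group the account belongs to
# is reported as not assigned
$result = foreach ($right in $RequiredRights.Keys) {
    $trustees = @($assigned[$right])
    $hit = ($trustees -contains $sid) -or ($trustees -contains $ServiceAccount) -or
           ($trustees -contains $accountName)
    New-Object psobject -Property @{
        UserRight = $RequiredRights[$right]
        Constant  = $right
        Assigned  = [bool]$hit
    }
}
$result | Sort-Object Constant | Format-Table UserRight, Constant, Assigned -AutoSize
if ($result | Where-Object { -not $_.Assigned }) {
    Write-Warning "$ServiceAccount is missing one or more of the deny-logon rights"
}
```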
–
If you do not know the password of the current Azure AD Sync Service Service Account, stop the "Microsoft Azure AD Sync (ADSync)"
service, reset the password of the current Azure AD Sync Service Service Account, re-enter the credentials for the "Microsoft Azure AD Sync
(ADSync)" service and start the "Microsoft Azure AD Sync (ADSync)" service.
Figure 2: Resetting The Password Of The Current (Local) Azure AD Sync Service Service Account
–
Figure 3: Re-Entering Credentials For The "Microsoft Azure AD Sync (ADSync)" Service
–
When changing the Azure AD Sync Service Service Account, the new Azure AD Sync Service Service Account must be configured with the
encryption keys securing the secret data in the database. To be able to do that you must export the keyset, if not already available.
Figure 4: Exporting The KeySet Using The Azure ADSync Encryption Key Management Wizard
–
Figure 5: Providing The Credentials Of The Current (Local) Azure AD Sync Service Service Account
–
The default folder is "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Azure AD Sync\". Make sure an existing keyset with the
same filename does not already exist.
Figure 6: Providing The Path Of The Encryption File
–
Figure 8: Configuration Result
–
Now it is time to start the change install
Figure 9: Starting The Change Install For Microsoft Azure AD Sync
–
Figure 10: Microsoft Azure AD Sync Maintenance Wizard – Welcome Page
–
Figure 11: Microsoft Azure AD Sync Maintenance Wizard – Maintenance Options Page
–
Figure 12: Microsoft Azure AD Sync Maintenance Wizard – Features Page
–
Figure 13: Microsoft Azure AD Sync Maintenance Wizard – Azure AD Sync Service Service Account Credentials Page
–
Figure 14: Microsoft Azure AD Sync Maintenance Wizard – Azure AD Sync Service Security Groups Page
–
Figure 15: Microsoft Azure AD Sync Maintenance Wizard – Initiating Install Page
–
If you did not configure the Azure AD Sync Service Service Account with the user rights as shown in figure 1, you will get the following
warning.
Figure 16: Warning About Azure AD Sync Service Service Account Not Being Configured In Secure Manner
–
If you get the following error, make sure to check this blog post (https://jorgequestforknowledge.wordpress.com/2014/09/21/change-install-of-the-azure-ad-sync-service-throws-wmi-namespace-error/) AFTER the wizard has finished!!!
Figure 17: Warning About Azure AD Sync Setup Not Being Able To Configure WMI Permissions On A Non-Existent Namespace
–
Figure 18: Restoring The Keyset For The New Azure AD Sync Service Service Account
–
Figure 19: Change Install Of Microsoft Azure AD Sync Setup Finished
–
And you’re done!
–
Cheers,
Jorge
Posted in Azure AD Sync, Windows Azure Active Directory