New version of Azure MFA Server available (7.0.0)

image

For those who are using Azure Multi-Factor Authentication Server (on-premises) hereby a quick post to inform you there is a new version of Azure MFA Server available. The new version of Azure MFA Server (7.0.0.9) can be downloaded through the Azure Management Portal or MFA Management Portal.

Continue reading “New version of Azure MFA Server available (7.0.0)”

Azure AD Premium Public Preview Features…a closer look

image

Microsoft is continuously improving their Azure cloud services while new features get introduced in rapid pace. In this blog I want to consider some new Azure Active Directory Premium features which are currently in public preview. ’These features are:

  • Dynamic Groups
  • Azure Application Custom Domain publishing
  • Azure Conditional Application Access

Continue reading “Azure AD Premium Public Preview Features…a closer look”

Publish NDES by Azure AD Application Proxy

This week the Azure AD Product Team did a great job by updating the Azure Application Proxy service to allow you to publish NDES using Azure Application Proxy, which is great news! Pieter Wigleven, Microsoft Technology Solution Professional on Enterprise Mobility has posted a great serie of posts on setting up certificate distribution to mobile devices. A must read!

Part 1 – First tips and tricks on how to troubleshoot and check existing ConfigMgr/SCEP/NDES infrastructures.
Part 2 – After many asks for clarity, a full guide on how to install and troubleshoot ConfigMgr/SCEP/NDES.
Part 3 – Using an additional reverse proxy in a DMZ in front of NDES. The reverse proxy of choice was Windows Server 2012 R2 with the Web Application Proxy role installed.
Part 4 – Protecting NDES with Azure AD Application Proxy

ndes_azure_application_proxy

In part 4 Pieter will outlines the set up of publishing NDES by Azure Application Proxy service, a cool solution that just have been made possible!

—————————————————————————————-

Azure AD Application Proxy (Web Application Proxy from the Cloud) lets you publish applications, such as SharePoint sites, Outlook Web Access and other web application, inside your private network and provides secure access to users outside your network via Azure.

Azure AD Application Proxy is built on Azure and gives you a massive amount of network bandwidth and server infrastructure to have better protection against DDOS attacks and superb availability. Furthermore there is no need to open external firewall ports to your on premise network and no DMS server is required. All traffic is originated inbound. For a complete list of outbound ports take a look at this MSDN page.

Important notes:

Azure AD Application Proxy is a feature that is available only if you are using the Premium or Basic editions of Azure Active Directory. For more information, see Azure Active Directory Editions.
If you have
Enterprise Mobility Suite (EMS) licenses you are eligible of using this solution. The Azure AD Application Proxy connector only installs on a Windows Server 2012 R2 Operating system, this is also a requirement of the NDES server anyway.

Read more…

Name Suffix Routing into the rescue publishing Non-Claims-Aware application using Kerberos Constrained Delegation

Last week I faced a challenge publishing non-claims-aware application (SharePoint 2013) using Kerberos Constrained Delegation (KCD) by Web Application Proxy (WAP).

ADFS cross forest Mirosoft Intune Infrastructure

The customer environment consists of a multi-forest active directory where user accounts and server objects each stored in a separate forest. Due to the introduction of Microsoft Enterprise Mobility Suite (EMS) we added a public User Principal Name (UPN) which was required to log on using a public domain namespace.

Continue reading “Name Suffix Routing into the rescue publishing Non-Claims-Aware application using Kerberos Constrained Delegation”

Making hybrid identity simple with Azure AD Connect

As mentioned in my previous post I’m in Redmond (WA) to join the Enterprise Mobility deep dive airlift. During my three-day stay I’ll listen, learn and getting inspired of all cool stuff Enterprise Mobility has to offer. On the first day we covered the hybrid identity part of EMS which means – Azure AD Connect, Azure AD Premium – which provided a lot of new insights and key takeaways.

image

Continue reading “Making hybrid identity simple with Azure AD Connect”

Part 1 – Deploy certificates to mobile devices using Microsoft Intune NDES – Overview

With the recent updates of Microsoft Intune it is possible now deploying certificate profiles using Network Device Enrollment Service (NDES) to mobile devices.

In this blog series I’ll cover the different aspects of certificate enrollment proces by using Microsoft Intune (standalone).

Overview

Before going in details about NDES and hereby an brief overview of how NDES process works in relation to Microsoft Intune.

Microsoft Intune Standalone NDES

Continue reading “Part 1 – Deploy certificates to mobile devices using Microsoft Intune NDES – Overview”

Create DNS records for Microsoft Intune including Workplace Join & Work Folders

In order to take benefit of all related services to Microsoft Intune and attached services regarding Enterprise Mobility Suite (EMS) a number of DNS records must be added in your public DNS namespace. Hereby an overview of DNS records required including their associated services.

Just to be sure yourdomain.com is used as fictive placeholder and must be replaced with your own organization (public) namespace.

Entry Type Address Purpose
enterpriseenrollment.yourdomain.com CNAME manage.microsoft.com To ease enrollment process of mobile devices
sts A Required for single-sign on (SSO) and points to your AD FS server(s)
enterpriseregistration A sts.yourdomain.com Required for Workplace Join (device registration discovery)
enterpriseregistration.yourdomain.com CNAME enterpriseregistration.windows.net Required for Azure Workplace Join (device registration discovery)
enterpriseregistration.region.yourdomain.com CNAME enterpriseregistration.windows.net Required for Azure Workplace Join (device registration discovery)
workfolders CNAME workfolders.yourdomain.com Points to your Workfolders enabled File Server(s)
discovery A discovery.yourdomain.com Required for discovery Work Folders URL

Use Alternate Login ID implementing Enterprise Mobility Suite in a Multi-Forest scenario

Last week I came across a scenario where Alternate Login ID feature of Active Directory Federation Services (AD FS) came at its best.

Scenario

Part of an Enterprise Mobility Suite (EMS) implementation we were facing a challange to overcome. In this scenario the customer has multi-forest (fictive contoso.local & adatum.local) AD structure with a two-way forest trust relationship. The user resources are currently located in te frabrikam.local (blue) where all server resources are part of the contoso.local (grey) domain including AD FS.

ADFS cross forest Mirosoft Intune Infrastructure

As fabrikam.com is the public domain namespace used, we added a UPN suffix for the fabrikam.local domain to make sure the user objects synced from the on-premise Active Directory – by Azure Active Directory Sync – matches the public User Principal Name (UPN) domain namespace.

Continue reading “Use Alternate Login ID implementing Enterprise Mobility Suite in a Multi-Forest scenario”

Update: Hotfix solves issue publishing Network Device Enrollement Service (NDES) through Web Application Proxy (WAP) KB30137609

UPDATE! Hereby a quick note that you no longer have to contact support, it’s available in the in the December Windows Update. Just install the latest Windows Update on your Windows Server 2012 R2 and you should be good to go. December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 http://support.microsoft.com/kb/3013769

UPDATE! A private hofix (for now) is available that fixes URL length issues with Windows Application Proxy (applicable for NDES deployments) KB523052. This hotfix can be requested through a PSS case. For more details click here.

For those who are using Web Application Proxy (WAP) and intent or already have been published Network Device Enrolment Service (NDES) might noticed this isn’t working, even when pass-through preauthentication is configured. This post will go into details how NDES is working including a brief explanation of the issue.

The Network Device Enrollment Service (NDES) allows mobile devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP). The user certificates can be used for managing company resource access (E-mail, WiFi- and VPN profiles) instead of using user name + password. This existing technique is recently emphatically re-evaluated by the use and application for mobile device management in relation to BYOD scenarios.

Continue reading “Update: Hotfix solves issue publishing Network Device Enrollement Service (NDES) through Web Application Proxy (WAP) KB30137609”

Troubleshooting: Federation for Windows Intune

During a Windows Intune proof of concept (PoC) I was facing some issues configuring federation in order to enable Signle Sign On (SSO).

Proxy Authentication

When configuring federation we couldn’t convert the the default domain to a federated domain type. By using the –Verbose –Debug parameters of convert –MsolDomainToFederated cmdlet the root cause became clear. Proxy Authentication was required and therefore we couldn’t convert the domain. One down two to go!

clip_image001_thumb[3] Continue reading “Troubleshooting: Federation for Windows Intune”