For those who are using Azure Multi-Factor Authentication Server (on-premises), here is a quick post to inform you that a new version of Azure MFA Server is available. The new version of Azure MFA Server (188.8.131.52) can be downloaded through the Azure Management Portal or the MFA Management Portal.
Microsoft is continuously improving its Azure cloud services, and new features are introduced at a rapid pace. In this blog I want to look at some new Azure Active Directory Premium features which are currently in public preview. These features are:
- Dynamic Groups
- Azure Application Custom Domain publishing
- Azure Conditional Application Access
This week the Azure AD Product Team did a great job by updating the Azure Application Proxy service so that you can now publish NDES through Azure Application Proxy, which is great news! Pieter Wigleven, Microsoft Technology Solution Professional on Enterprise Mobility, has posted a great series of posts on setting up certificate distribution to mobile devices. A must read!
Part 1 – First tips and tricks on how to troubleshoot and check existing ConfigMgr/SCEP/NDES infrastructures.
Part 2 – After many asks for clarity, a full guide on how to install and troubleshoot ConfigMgr/SCEP/NDES.
Part 3 – Using an additional reverse proxy in a DMZ in front of NDES. The reverse proxy of choice was Windows Server 2012 R2 with the Web Application Proxy role installed.
Part 4 – Protecting NDES with Azure AD Application Proxy
In part 4 Pieter outlines the setup for publishing NDES through the Azure Application Proxy service, a cool solution that has only just been made possible!
Azure AD Application Proxy (Web Application Proxy from the cloud) lets you publish applications inside your private network, such as SharePoint sites, Outlook Web Access and other web applications, and provides secure access to users outside your network via Azure.
Azure AD Application Proxy is built on Azure and gives you a massive amount of network bandwidth and server infrastructure, which provides better protection against DDoS attacks and superb availability. Furthermore, there is no need to open external firewall ports to your on-premises network and no DMZ server is required: all connections originate from inside your network. For a complete list of outbound ports, take a look at this MSDN page.
Azure AD Application Proxy is a feature that is available only if you are using the Premium or Basic editions of Azure Active Directory. For more information, see Azure Active Directory Editions.
If you have Enterprise Mobility Suite (EMS) licenses you are eligible to use this solution. The Azure AD Application Proxy connector only installs on the Windows Server 2012 R2 operating system, which is a requirement for the NDES server anyway.
Last week I faced a challenge publishing a non-claims-aware application (SharePoint 2013) using Kerberos Constrained Delegation (KCD) through Web Application Proxy (WAP).
The customer environment consists of a multi-forest Active Directory in which user accounts and server objects are stored in separate forests. Due to the introduction of Microsoft Enterprise Mobility Suite (EMS), we added a public User Principal Name (UPN), which was required to log on using a public domain namespace.
As mentioned in my previous post, I'm in Redmond (WA) to join the Enterprise Mobility deep dive airlift. During my three-day stay I'll listen, learn and get inspired by all the cool stuff Enterprise Mobility has to offer. On the first day we covered the hybrid identity part of EMS (Azure AD Connect and Azure AD Premium), which provided a lot of new insights and key takeaways.
With the recent updates to Microsoft Intune it is now possible to deploy certificate profiles to mobile devices using Network Device Enrollment Service (NDES).
In this blog series I'll cover the different aspects of the certificate enrollment process using Microsoft Intune (standalone).
- Part 1 – Deploy certificates to mobile devices using Microsoft Intune NDES – Overview
- Part 2 – Deploy certificates to mobile devices using Microsoft Intune NDES – Connector
- Part 3 – Deploy certificates to mobile devices using Microsoft Intune NDES – Deployment
- Part 4 – Deploy certificates to mobile devices using Microsoft Intune NDES – Troubleshooting
Before going into the details of NDES, here is a brief overview of how the NDES process works in relation to Microsoft Intune.
To benefit from all services related to Microsoft Intune and the attached Enterprise Mobility Suite (EMS) services, a number of DNS records must be added to your public DNS namespace. Here is an overview of the required DNS records and their associated services.
Note that yourdomain.com is a fictitious placeholder and must be replaced with your organization's own (public) namespace.
| Record | Type | Target | Purpose |
|---|---|---|---|
| enterpriseenrollment.yourdomain.com | CNAME | manage.microsoft.com | To ease the enrollment process of mobile devices |
| sts | A | | Required for single sign-on (SSO) and points to your AD FS server(s) |
| enterpriseregistration | A | sts.yourdomain.com | Required for Workplace Join (device registration discovery) |
| enterpriseregistration.yourdomain.com | CNAME | enterpriseregistration.windows.net | Required for Azure Workplace Join (device registration discovery) |
| enterpriseregistration.region.yourdomain.com | CNAME | enterpriseregistration.windows.net | Required for Azure Workplace Join (device registration discovery) |
| workfolders | CNAME | workfolders.yourdomain.com | Points to your Work Folders enabled file server(s) |
| discovery | A | discovery.yourdomain.com | Required for discovering the Work Folders URL |
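A common failure when setting these records up is creating the right name with the wrong type (an A record where a CNAME to Microsoft is required) or a mistyped CNAME target. The check below is an added example, not code from the post: it validates a zone against the records listed above for the placeholder namespace, using a constructed in-memory zone in place of a live resolver so it runs offline; it assumes the Azure (CNAME) variant of enterpriseregistration and treats site-specific targets (AD FS, Work Folders) as "must exist".

```python
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, Optional[str]]  # (record type, target or None)

# Records from the table above for the placeholder zone yourdomain.com.
# A target of None means "must exist with this type; target is site-specific".
REQUIRED: Dict[str, Record] = {
    "enterpriseenrollment.yourdomain.com": ("CNAME", "manage.microsoft.com"),
    "sts.yourdomain.com": ("A", None),
    "enterpriseregistration.yourdomain.com": ("CNAME", "enterpriseregistration.windows.net"),
    "workfolders.yourdomain.com": ("CNAME", None),
    "discovery.yourdomain.com": ("A", None),
}

# Constructed sample zone (not a real deployment) with three typical mistakes:
# wrong type for enterpriseenrollment, mistyped CNAME target for
# enterpriseregistration, and workfolders missing altogether.
SAMPLE_ZONE: Dict[str, Record] = {
    "enterpriseenrollment.yourdomain.com": ("A", "203.0.113.10"),
    "sts.yourdomain.com": ("A", "203.0.113.20"),
    "enterpriseregistration.yourdomain.com": ("CNAME", "enterpriseregistration.windows.com"),
    "discovery.yourdomain.com": ("A", "203.0.113.30"),
}


def lookup(name: str, zone: Dict[str, Record] = SAMPLE_ZONE) -> Optional[Record]:
    """Stand-in resolver; replace with a real DNS query in production."""
    return zone.get(name.lower().rstrip("."))


def check_records(required: Dict[str, Record] = REQUIRED,
                  resolve: Callable[[str], Optional[Record]] = lookup) -> List[str]:
    """Return one problem string per required record that is absent or wrong."""
    problems: List[str] = []
    for name, (want_type, want_target) in required.items():
        found = resolve(name)
        if found is None:
            problems.append(f"{name}: missing ({want_type} record expected)")
            continue
        got_type, got_target = found
        if got_type != want_type:
            problems.append(f"{name}: is {got_type}, expected {want_type}")
        elif want_target and (got_target or "").lower().rstrip(".") != want_target:
            problems.append(f"{name}: points to {got_target}, expected {want_target}")
    return problems


if __name__ == "__main__":
    for problem in check_records():
        print(problem)
```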