Friday, May 29, 2015

Microsoft Azure MFA authentication options

Microsoft Azure MFA and the equivalent for the on-premise installation come with three options for user verification:

- MFA service calls the user's phone
- MFA service sends a text message (aka SMS)
- Use of an MFA app on your mobile phone

So which option should we allow users to use and why?

Thought #1: The most generic and reliable option, and the one which can even be used with a landline phone, is to give the user a call.

Thought #2: Sending a text is quieter than option 1, and typically all cellphones can receive text messages while landline phones can't. If you are a global organisation and have users in different countries with different wireless providers, you may encounter that text messages sometimes take a long time to arrive and sometimes just silently disappear. So that needs to be considered.

Thought #3: The only solution which does not require a wireless signal to receive a call or text is the MFA app. But it requires a smartphone. I am very often in data centers and the cell phone reception is usually bad there, not just because of the noise. So I prefer using the app.

In general users should not be trained like Pavlov's dogs to just accept phone calls without listening anymore because they get 500 calls per day. So use MFA wisely.

In conclusion, all methods have pros and cons, but while for end users the phone call verification might be the best, for admins it can be the smartphone app.

Fiddler and TLS 1.2 support

After all the issues we have seen in the last year with SSL/TLS a lot of web applications have already disabled SSL entirely and started using TLS 1.2.
Therefore I want to give an update on my Fiddler post:
Fiddler2 cannot handle TLS 1.2 traffic, so you should upgrade to Fiddler4.
In short, Fiddler4 uses the .NET Framework 4, which can handle TLS 1.2 traffic, while Framework 2.0 cannot.

See also: just select the different framework versions and see for yourself.

Friday, May 8, 2015

Microsoft Ignite - Identity Manager

Looking back at this week at the Ignite conference, I can say I was there because of the presentations Mark Wahl has given about Identity Management. Here are the highlights:

- Microsoft Identity Manager 2016 is still coming mid-year 2015 (actually the technical preview from April is saying 2015, but all new server apps are 2016 versions)
- Privileged Access Management (PAM, don't be confused with the Unix PAM - Pluggable Authentication Module) is integrated
- MS will not provide management agents for MIM for all SaaS applications as they provide that as functionality in Azure AD
- Cloud password reset will be supported only through the new Azure AD connect tool (you can think about it as Dirsync with more features) not through the FIM or MIM Azure AD management agent
- MIM certificate management works completely without ActiveX controls. The new Edge web browser in Windows 10 - aka Spartan - will drop support for ActiveX controls anyway
- time-limited groups managed by MIM
- in-place upgrade from FIM 2010 to MIM 2016 is supported (no major changes e.g. no API changes)

You are welcome to watch the presentations on Channel9:

Wednesday, May 6, 2015

Microsoft Ignite - Federation Services and Publish Applications

I am at the Ignite again. Tuesday was the day for application publishing and AD Federation Services for me.

I just want to focus on the main points:

- AD FS 3.0 is using OAuth2 as the strategic protocol (reasons: much broader platform support, no API prerequisites, always a web logon experience (consent to use the app, MFA integration))
- AD FS 3.0 will allow other LDAP servers as authentication system

Web Application Proxy Service:
- strategically seen from Microsoft as the successor of UAG and TMG
- Features will first be introduced in Azure AD and later also be available with the new Windows Server 2016
- The WAP service on Azure requires the installation of a small agent on one of your on-premise servers. Interestingly, this client requires only outgoing traffic and no incoming ports. Is that a relief for you, or does it scare you? What will your Information Security team think about that? Will they think of it as a Trojan Horse? Possibly. So get prepared for their questions.
- The WAP connector can be installed on multiple machines to provide fault tolerance and load sharing. Microsoft plans to allow connectors in multiple locations and to bind URLs to a specific connector, e.g. you run an app in a co-location and all others in your main datacenter.
- Microsoft will also add better monitoring and logging to the WAP service. Right now troubleshooting is very limited.

So if you ask me, the Web Application Proxy service in Azure is the way to go. And if you see how easy it is to configure, you probably do not want to go back to the old days with UAG and TMG.

btw: WAP is used by Microsoft as an acronym for both Windows Azure Pack and Web Application Proxy, so don't get confused. Here it is all about the Web Application Proxy.

If you want to watch the sessions online, go here

Monday, May 4, 2015

Microsoft Ignite - Identity and Access Management Everywhere

On my first day the most important session was BRK3863 - Identity and Access Management Everywhere.
The video on Channel9 is not yet available, but it might be by the time you read this. So check out

Here in short the highlights:
- Dynamic groups for app access - yippee, finally. E.g. groups for managers get updated automatically when someone starts or stops reporting to that manager; or anyone in sales based on the user description field
- A group of people can have access to an application through a single user account, e.g. an enterprise Twitter account, and with password rollover only Azure AD internally knows the password, not an admin
- Azure AD detects and tracks inconsistent access patterns, e.g. logons from the US and China at the same time. (Note: they will catch me a lot because I am accessing the system for several reasons from different places on the planet through proxies or VPN connections all the time)
- End-user and social identities can be added to Azure AD soon
- Workday is the first HR cloud app allowing users to be added to Azure AD
- Approval for app access requests
- Adding B2B capabilities soon
- Windows 10 Workspace AD Join will work directly with Azure AD, which gives you new options for enrolling machines for your workforce
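As an added example (not from the original post and not Microsoft's implementation), here is the kind of "impossible travel" check behind the inconsistent-access-pattern detection mentioned above, run in Python over constructed sign-in events; the 900 km/h ceiling and the 50 km floor are assumptions.

```python
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

# Constructed sample sign-in events (not real log data): user, UTC time, lat, lon.
SIGN_INS = [
    ("alice", "2015-05-04T10:00:00Z", 47.61, -122.33),  # Seattle
    ("alice", "2015-05-04T10:30:00Z", 39.90, 116.40),   # Beijing, 30 min later
    ("bob",   "2015-05-04T09:00:00Z", 47.61, -122.33),  # Seattle
    ("bob",   "2015-05-04T14:00:00Z", 41.88, -87.63),   # Chicago, 5 h later
    ("carol", "2015-05-04T12:00:00Z", 47.61, -122.33),  # Seattle
    ("carol", "2015-05-04T12:00:00Z", 39.90, 116.40),   # Beijing, same second
]

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner speed
MIN_DISTANCE_KM = 50.0     # assumed floor: ignore geo-IP jitter within one metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Map user -> list of (t1, t2, km, kmh) for consecutive sign-ins that imply
    travel faster than max_kmh; kmh is None when both sign-ins share a timestamp."""
    by_user = {}
    for user, ts, lat, lon in events:
        by_user.setdefault(user, []).append((parse_ts(ts), lat, lon))
    findings = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological order per user
        for (t1, la1, lo1), (t2, la2, lo2) in zip(evs, evs[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue  # same place within tolerance: nothing to flag
            hours = (t2 - t1).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else None
            if kmh is None or kmh > max_kmh:
                findings.setdefault(user, []).append((t1, t2, round(km), kmh))
    return findings

if __name__ == "__main__":
    for user, hits in impossible_travel(SIGN_INS).items():
        print(user, hits)
```

The proxy/VPN situation the author describes is exactly the false positive such a rule produces: a VPN exit far from the user's real location looks like a teleport, so a deployment needs an allow-list of known egress locations before the result drives anything stronger than an alert.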

You might know that you can access thousands of SaaS applications through Azure AD, and all of it is configured in Azure AD and not on an on-premise federation server. Azure AD can also provision user accounts in SaaS applications, which minimizes the lead time for connecting a SaaS application to your Azure or on-premise Active Directory.

Microsoft Ignite - MIM vNext April 2015 release, Windows Server 10 technical preview 2

I am at the Microsoft Ignite Conference this week in Chicago, IL and I will blog about news I got from the conference sessions and related information.

So starting with that:

- There is a new version of Microsoft Identity Manager (successor of FIM 2010 R2) available as technical preview on Microsoft Connect.
Go to and log on. Then go to the Identity and Access Management page and go to the Download section.

- We also got a new technical preview for Windows Server 10.
Hyper-V Server 10 can be found as technical preview there as well.

More to come...