Skip to content

Azure AD

Break glass accounts and Azure AD Security Defaults

Security Defaults is the best thing since sliced bread. I mean, come on! It will enforce MFA for everybody, will block that dirty legacy authentication, and even gives you features that you normally would pay big money for (Azure AD Identity Security). Good enough for a lot of (smaller) organizations out there. Today’s post is about that feature and the use of break-glass accounts. For a lot of folks, this post might be obvious, as this is their daily job… 

Read More »Break glass accounts and Azure AD Security Defaults

Goodbye legacy SSPR and MFA settings. Hello Authentication Methods Policies!

I’ve got some exciting news to share today. Microsoft has launched a public preview called “Authentication Methods Policy Convergence.” I was part of the private preview program, and I’m very happy to see this feature going public. In this post, I will give you a brief introduction to this new feature and explain why this is such a big deal. Current situation A while back, I wrote this post where I explained that the SSPR and MFA settings are very… 

Read More »Goodbye legacy SSPR and MFA settings. Hello Authentication Methods Policies!

Synchronize attributes for Lifecycle workflows – Azure AD Connect Sync

Azure AD Lifecycle Workflows can be used to automate the Joiner-Mover-Leaver process for your users. Previously, I wrote about a use case where you can use LCW to automate the issuing of a Temporary Access Pass for new joiners. Automate issuing Temporary Access Pass for joiners with LifeCycle Workflows – JanBakker.tech There are still a lot of organizations that use hybrid identities, so today, we will talk about the prerequisites for using LCW in a hybrid environment using Azure AD… 

Read More »Synchronize attributes for Lifecycle workflows – Azure AD Connect Sync

How to keep track of changes on Microsoft Docs & Learn?

When working with cloud services like Microsoft 365 or Azure Active Directory in particular, it’s very important to stay on top of new features and/or product changes. As you might know, the documentation for these services is stored on GitHub. This is where those changes will often reflect. I was inspired by the post of Albert-Jan Schot (Get notified for PnP updates from GitHub ยท CloudAppie), where he explained how to use the GitHub REST API to keep track of… 

Read More »How to keep track of changes on Microsoft Docs & Learn?

The road to Microsoft MVP and beyond

Today, a slightly different post. I think it’s time to step away from the technical stuff for a moment and tell you more about my experiences in the Microsoft tech community so far. On July 5th, 2022, I was re-awarded for the first time, entering my second year as an MVP. It seemed like a good moment to look back. I will also share some tips and lessons learned. How it started Back in 2017, I was working as a… 

Read More »The road to Microsoft MVP and beyond

Automate issuing Temporary Access Pass for joiners with LifeCycle Workflows

On September 30th, 2022, Pim Jacobs and I did a session on the brand new Lifecycle Workflows feature in Azure AD Identity Governance. During that session, I did a demo showing the integration with Logic Apps. Using this extension, I could use the Graph API to create a new Temporary Access Pass for a new hire, 7 days before the first workday. This post will describe the steps to build the solution. Introduction to LifeCycle Workflows First, let us quickly… 

Read More »Automate issuing Temporary Access Pass for joiners with LifeCycle Workflows

Take control of your guests with the External Identities Policy

  • Azure AD
  • 5 min read

Today we take a look at the brand new External Identities Policy in Azure AD. This new policy controls whether external users can leave the guest Azure AD tenant via self-service controls. By default, guests in Azure AD can leave your organization whenever they want, using the MyAccount portal. If you want to prevent this, a new policy is here that allows you to take control. It’s a tenant-wide setting, which will apply to all guest users. Setting the policy… 

Read More »Take control of your guests with the External Identities Policy

Block users from viewing their BitLocker keys

This post is mainly focused on a new tenant setting, where you can prevent your end-users from viewing their Bitlocker keys. By design, your users can see Bitlocker keys from devices they own from the MyAccount portal. My Account (microsoft.com) For some (large) enterprise organizations, this is an unwanted feature. Changing the setting Using PowerShell or Graph API, you can now disable this feature. This will apply to the entire tenant so that users without proper permissions will no longer… 

Read More »Block users from viewing their BitLocker keys

How to set up Evilginx to phish Office 365 credentials

Disclaimer Evilginx can be used for nasty stuff. It is the defender’s responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attacks. Evilginx should be used only in legitimate penetration testing assignments with written permission from to-be-phished parties, or for educational purposes. That being said: on with the show. Today a step-by-step tutorial on how to set up Evilginx and how to use it to phish for Office 365 or… 

Read More »How to set up Evilginx to phish Office 365 credentials

How to deal with orphaned objects in Azure AD (Connect)

We have done hybrid identity for a couple of years now, and it looks like the vast majority is not going to change that soon. Over the past years, we had different tools to facilitate hybrid identity. When we started this journey, there was no Azure AD Connect. We used tools like Dirsync or FIM/MIM, and that was not always easy. Still today, proper management of Azure AD Connect can be quite complex. What’s the issue? Today we are going… 

Read More »How to deal with orphaned objects in Azure AD (Connect)