Wouldn’t be cool to migrate all your laptops and desktops to Azure AD, but still have your on-premise file server for the people that can’t say goodbye to their network drives?
Now it is possible! Azure is supporting out of the box, Azure AD domain joined devices to connect with their on-premise domain joined counterparts with credentials (Kerberos) to the good old file and print server!
To be able to set this up, you will still need a traditional domain controller with a file/print server. On top of that you will need to synchronize the identities to Azure AD. Make sure that you enable password sync, and start joining the devices to Azure AD.
One other important thing, your device needs to be Windows 10 1607 or higher! Older versions of Windows 10 do not support the Kerberos authentication.
If you now want to map a network drive with the existing NTFS permissions, just map the drive, and start using like you used to do before!
Last week we talked about why passwords are bad. Today we will continue with part 2, how to get the passwords gone, and we will zoom in on Windows Hello for Business!
So what is Windows Hello? Windows Hello is a modern way of authenticating users on their laptop, where this will be a two factor authentication. The first factor is the integrated TPM chip in the device, and the 2nd factor is the bio-metric of the user.
By enabling the TPM chip and the bio-metric data from the end user we will eliminate the need of a password on the users device. Off course the user can use his password to unlock the device in case bio-metric verification fails because of different reasons.
If you have a on-premise domain with Windows Hello for business enabled, it is also possible to enable the convenience PIN, however, I wouldn’t recommend it, as Microsoft has disabled this in Azure AD as well. In short:
Windows Hello for Business is: An asymmetric key-pair protected and stored in the TPM, unlock with PIN or Bio-metric Authentication
Did you ever wonder what’s new in Azure, or what is updated recently? Azure keeps all its updates to Azure in a cool overview, the Azure Heatmap! Check it out using the following url: https://azureheatmap.azurewebsites.net/
Recently I received the question if it is possible to monitor Azure Backup with PRTG. Now this might seem to be a bit weird, as we could use Azure monitoring. But in this case, it was a service provider that needed a single solution for all their services, including custom dashboards and monitoring.
So, challenge accepted, lets get this done! In this case the customer has a Azure Recovery Service Vault with 2 virtual machines, with a backup schedule of only once every 24 hours with a retention of 30 days.
Our goal will be to have 3 sensors in PRTG with the completed jobs, failed jobs and running jobs. If you follow the next steps you should be able to set this up your self as well.
Microsoft is working hard on improving Azure File sync. They just announced the new release of the v7 agent. For now only current installed agents get the update. Once all current clients have been updated, the update will be available on Microsoft Update and Microsoft Download Center
Improvements and issues that are fixed
Support for larger file share sizes
With the preview of larger, 100 TiB Azure file shares, we are increasing the support limits for file sync as well. In this first step, Azure File Sync now supports up to 50 million files in a single, syncing namespace. Other existing limits, for example the number of items per directory level, still apply.
Improved Azure Backup file-level restore
Individual files restored using Azure Backup are now detected and synced to the server endpoint faster.
Improved cloud tiering recall cmdlet reliability
The cloud tiering recall cmdlet (Invoke-StorageSyncFileRecall) now supports per file retry count and retry delay, similar to robocopy.
Support for TLS 1.2 only (TLS 1.0 and 1.1 is disabled)
Azure File Sync now supports using TLS 1.2 only on servers which have TLS 1.0 and 1.1 disabled. Prior to this improvement, server registration would fail if TLS 1.0 and 1.1 was disabled on the server.
Miscellaneous performance and reliability improvements for sync and cloud tiering
There are several reliability and performance improvements in this release. Some of them are targeted to make cloud tiering more efficient and Azure File Sync as a whole work better in those situations when you have a bandwidth throttling schedule set.
In the Azure portal you can reset the password of a user, but this is always a temporary password. But PowerShell to the resque again, lets set the password in Azure AD with PowerShell with a predefined password! On your Windows device open a PowerShell prompt and connect to Azure AD. (Click here if you don’t know how to)
First we need to get the object ID from the user where we want the password to be reset. Run the following command (replace emailadres):
In the past two years, Over 50 percent of businesses experienced an unforeseen interruption, and the vast majority (81%) of these interruptions caused the business to be closed for one or more days.
Did you know that 80 percent of businesses suffering a major disaster go out of business in three years, while 40 percent of businesses that experience a critical IT failure go out of business within one year. In the case of suffering a fire, 44 percent of enterprises fail to reopen and 33 percent of these failed to survive beyond 3 years…
It’s a common mistake to think that Microsoft takes core of backups for your Office 365 environment. Yes, they do make backups, every 12 hours with a retention of 14 days. However, this is only designed for emergency purposes, and if you need it your self, they will charge you for that.
But then you might think that there is a recycle bin and versioning, yes, but these are limited as well. For email the retention is just 30 days, and for SharePoint it is 90 days. This can extended with the E3 and E5 subscriptions. But is this a real backup? and can this guarantee save data retrieval in case of a disaster? the answer is NO!
Today Microsoft has announced Azure Bastion. With this new service you will get improved security features and simplified IT managemend with a single click from your webbrowser using the HTML5 web client. This will eliminate the need for a jump server. I am looking forward in using this service in preview and GA.
— UPDATE 31-12-2019 — New disk sizes P1-P3 & E1-E3
In Azure there are several ways to implement your VM storage. I get a lot of complaints about slow storage in Azure. In this article I will try to explain why this might be slow, and what you can do about it. There are multiple locations where the limit might be hit. So I will address all in the following topics.
Virtual machine type
The first limitation might be coming from your virtual machine. Each type has its own total IOPS limit. Thus by adding more disk or faster disk than the type and size allows will not make any speed difference in the end. One of the obvious reasons for faster disk performance is to use SSD disks instead of HDD.
But keep in mind, not all virtual machines do support Premium SSD Storage, with an effective limit of 500 IOPS per disk, like in the Av2 series. And then there is host caching, that effects performance as well. A few examples:
From the Office 365 Admin portal it is possible to deploy Office plugins to users, both specific as all users. With this manual we will deploy a plugin from the store, but you can deploy custom apps as well. The advantage of using plugins from the store is that the plugins get automatically updated, so nothing you have to worry about anymore!
Step 1: Login to the office portal, go to the admin center, and from there go to Settings, Services & add-ins, and Deploy Add-in
Today we will learn how to deploy Azure AD Domain services. So let’s go to the Azure portal and let’s get you started!
Step 1: Go to Azure AD Domain Services and create a new Azure AD Domain services!
Step 2: Now we can start te setup of ADDS, fill in your preferred domain name. You can leave the default which is the same as your Azure Active Directory name ending with .onmicrosoft.com, but I would recommend a public URL like in my case adds.2azure.nl.
Where Azure MFA is only included in the paid Azure Active Directory Premium subscriptions (P1/P2 and EM+S suites), there is a free version for the Office 365 apps.
It is always a good idea to enable multi factor authentication, in case your credentials get stolen, the thief will not be able to use them because of the 2nd authentication factor. Microsoft is encouraging all their users to start using MFA, so the made it free of charge for all the apps of the office 365 suite, including Outlook, Teams, Excel, Word and many more.
The 2 factor authentication can be setup up fairly easily by the end users self. This can be enforced by the administrator by requiring 2 factor authentication. The first time a user logs on, he or she will get a notification message to setup MFA. Or you can redirect your users to the following portal to setup MFA: https://aka.ms/mfasetup
How to setup MFA for your end users?
In the office 365 portal go to the Active Users tab, and go to the Setup multifactor authentication page (see below)
You still have your old network drives? Still need to setup a VPN to access your file shares? Or have you migrated all your files to Azure file share but you need a higher performance for your Autocad files?
Wait no longer, Azure File Sync to the rescue! Where you would have your Azure File Share for sharing files, you can use Azure File Sync to make a local cache of your Azure files, or sync your local file server to Azure Files. In this manual we will help you setup Azure File Sync with a existing Azure File Share. I already have a Azure File Share, mapped as a network drive Z:
Enterprise Mobility + Security is a Microsoft solution specially developed for management and securing users, company data and applications. This gives you and your users always secured access to your company information without ever worrying about security!
With EM+S we are moving from a managed device to data management and security. This means that it will not only protect your device, but most important, it will take care of security on a document level where you can prevent that confidential data is readable by unauthorized persons.
By using this security suite you can prevent abuse of stolen credentials when one of your users is tricked by a phishing email. You can limit access to company data to only trusted devices (Company and BYOD) by using the Intune portal. But we can limit access to it as well with IP black / white listing. This includes Geoblocking as well, it is impossible to travel from the Netherlands to Russia for example in 5 minutes.
To protect your valuable company data I recommend to always use EM+S for optimal protection. If you want the security to be at its best, E5 is your way to go!
Simple management and security of your devices
Multifactor authentication (MFA)
Selfservice portal for password reset en securitygroep management
Application company portal
Mobile device management (MDM)
Integrated device management (Laptop/Desktop)
Securing company data en restrict access to company data
Conditional access (geo-blocking and more)
Advanced Threat Protection with reporting
Risk-Based conditional access (E5 only)
Privileged identity management (E5 only)
Intelligent data classification and labeling (E5 only)
There are cases where you want or need to uninstall an Office update. Office 365 installations use a different update than the old Office 2013 & 2016 installations. Where the old installations are a point in time installation, click-to-run always downloads the latest version and then runs the setup. You can revert to an older version but its different than in the past where you could just uninstall an KB update.
Step 1: Check build number and find previous build number
Recently we created an AAD tenant that has no on-premises AD domain counterpart. Now we are facing an issue where we want to be able to use the identities in this tenant to log into some servers. It would appear that we would need to domain join these servers, but we can’t do this without AD. The question is, how can we continue to setup these servers?
But today we are going to install a new domain on-premise. The domain name isn’t relevant for the sync with Azure AD / Office 365. But the UPN for the end users is important! So first we can add the UPN domains by going to the Domain and Trusts console. Add the required domain names.
Within Azure there are multiple ways to setup MFA. Where you would install MFA server in the past, there is a new extension. Microsoft is going to leave the MFA server behind in the near future (security updates will remain being published for now).
Besides the NPS extension and the MFA on-premise server the best practice is to run MFA from the Azure cloud where possible. But that isn’t always an option. So let’s move on to the NPS extension. Lets start with the requirements.
Requirements: – Server 2016/2019 with ADFS version 4 – Server 2016/2019 hosting NPS services which performs Radius authentication. – Users must be synchronized between local Active directory and Azure Active Directory – Azure AD Premium or EM+S license must be assigned to the user – NPS Extension for Azure MFA (Download link: https://aka.ms/npsmfa)
Recently I received an comparison from Azure with competitors. In the comparison there was stated that by default Azure provides an SLA of 99.95%. However, this is not entirely correct. By default a single basic virtual machine has no SLA at all!
I hear you thinking, what??? let me explain what the options are. First we need to know a bit more of the setup in Azure. For this explanation I will use West & North Europe. These regions do have Availability zones, but this might not always be the case. In the picture below you can review the Azure regions with their options.
So lets zoom in a bit further. In the picture below we have our 2 regions (West & North Europe). Within Region 1 we have 3 separated buildings, creating 3 availability zones.