Monthly Archives: December 2013

Introduction to Windows Azure Active Directory “Premium”

Windows Azure Active Directory (WAAD) “Premium” is a paid offering that unlocks additional features of WAAD. It is currently in preview and can be unlocked in the Azure Preview Portal.

[Update: WAAD reached General Availability on April 8, 2013 whereas WAAD Premium was available in Preview in December 2013, and GA sometime later [please post a comment if you have the GA release date of Premium]

WAAD Premium adds these features:

  • User self-service password reset –Give your end-users the ability to reset their password using the same sign in experience they have for Office 365.
    For more information, see Enable self-service password reset for users.
  • Group-based application access – Use groups to assign user access in bulk to SaaS applications. These groups can either be created solely in the cloud or you can leverage existing groups that have been synced in from your on-premises Active Directory.
    For more information, see Group management.
  • Company branding – Add your company logo and color schemes to your organization’s Sign In and Access Panel pages (including localized versions of the logo for different languages).
    For more information, see Add company branding to your Sign In and Access Panel pages.

    Additional security reports – View detailed security reports showing anomalies and inconsistent access patterns.

    Once you unlock this feature in the Preview Portal, then you sign into your Azure tenant and browse to the directory that you want to enable for Premium.

    image

    image

    This gives you the ability to customize branding. The branding is shown when users access webmail via outlook.com/contoso.com or mail.contoso.com. For more information on branding see Alex Simon post here: http://blogs.technet.com/b/ad/archive/2013/12/16/custom-branding-support-in-azure-ad-now-in-preview.aspx

    SNAGHTML6cee805

    Note: During the previous period, users will need to Opt-In by clicking on this link to view customized branding https://login.microsoftonline.com/optin.srf 

    The Advanced Reports seem like they would be relevant for most security administrators to review periodically.I predict what feature request is coming next: Alerting or scheduled emails of these reports =)

     

    image

     

    And it also unlocks the password reset feature. Right now this is an all or nothing toggle, however, the technet page for this feature says that the ability to enable this for specific users is coming soon.
    image 
    image 

     

    To perform a self-service password reset

    1. Go to a page that uses an organizational account. For example, go to portal.microsoftonline.com and click Can’t access your account link.
      image

    2. On the Reset your password page, enter the user ID and captcha
      image

    3. If the account is on-premise only (ADFS) then the following message will appear:
      image

    4. Otherwise, for cloud accounts then the user will receive notification.

    image

  • 802.1x Wireless Authentication differences in Windows 7 and Windows

    Rolling out WPA2/Enterprise and all Windows 8 clients could connect fine but Windows 7 clients could not connect. Client side errors in event viewer logged Event 8002 (Reason Code 16)  “authentication failed due to a user credentials mismatch” and on the Windows NPS Server Event 6273 “Authentication failed due to a user credentials mismatch.”

    Both errors are bogus because the username and password are correct.

    Client computers can be configured to validate server certificates by using the Validate server certificate option on the client computer or in Group Policy. If this box is unchecked, then Windows 8 clients honor that and they will not inspect the NPS server’s certificate. However, Windows 7 clients are either more strict or there is a bug because they will not authenticate if the subject name field is blank in the NPS server’s certificate, even if this check box is unchecked.

    The fix was to roll out the RAS and IAS Server template in Certificate Authority per this technet article: http://technet.microsoft.com/en-us/library/cc754198.aspx 

    This is because other certificate templates might get deployed that use Server authentication in the EKU which makes it seem like the cert should work fine for NPS but the problem is they may lack a value in the subject name field of the certificate. This is what generates the bogus errors about username and password mismatch. It would have been nice if the errors had said “hey, the SSL cert on your server is missing a subject name. go fix that!”

    A few helpful netsh commands to troubleshoot wireless:

    netsh wlan show profiles

    netsh wlan show profile <profile name>

    netwsh wlan set tracing mode=yes   (try to reproduce the issue then issue the same statement with =no)  This will create a .CAB file with tons of good information, especially the report.html file inside the .CAB file