Tag Archives: Azure AD

Working with Azure AD Extension Attributes with Azure AD PowerShell v2

In a recent blog post, https://gotoguy.blog/2017/02/17/assign-ems-license-with-azure-ad-v2-powershell-and-dynamic-groups/, I wrote about how to use extension attributes in local Active Directory and Azure AD, for the purpose of using these extension attributes for determine membership i Azure AD Dynamic Groups.

In the process of investigating my Azure AD users (synchronized and cloud based),  I wanted to see how I could use Azure AD v2 PowerShell CmdLets for querying and updating these extension attributes. This blog post is a summary of tips and commands, and also some curious things I found. There is a link to a Gist with all the PowerShell Commands at the end of the blog post if you prefer to skip to that.

Lets start by looking into one user:

image

For my example user I have the following output:

image

In the above linked blog post, I wrote about using the msDS_cloudExtensionAttribute1 and 2 for assigning licenses, so I see those values and more.

I can also serialize the user object to JSON by using $aadUser.ToJson(), which also will show me the value of the extension attributes:

image

I can look into and explore the user object with Get-Member:

image

From there I can see that that the Extension Property, which is of type System.Collections.Generic.Dictionary supports Get and Set. So lets look into how to update those extension attributes. This obviously only work on cloud homed users, as synchronized users must be updated in local Active Directory. This series of commands shows how to add extension attributes for cloud users:

image

The next thing I thought about, was how can I make a list of all users with their extension attributes? I ended up with the following, where you either can get all users or make a filtered collection, and from there loop through and read any extension attributes:

image

When I look into my extended users list object, I can list the users and values with extension values:

image

image

So to some curios things I found. As explained in the blog post https://gotoguy.blog/2017/02/17/assign-ems-license-with-azure-ad-v2-powershell-and-dynamic-groups/, if you are running a Hybrid Exchange organization you would probably use extensionAttribute1..15 instead of the msDS_cloudExtensionAttribute. In another Azure AD tenant I tested on that, but using the commands above I never could list out the extensionAttribute1..15 on my users. I never found a way to validate and check those values, but if I created a Dynamic Group using for example extensionAttribute1 or 2, members would be populated! So it was obvious that the value was there, I just can’t find a way to check it.

I even tested on Graph API, but did not find any extensionAttribute there either, only msDS_cloudExtensionAttribute. For example by querying:

https://graph.microsoft.com/v1.0/users/<userid or upn>?$select=extension_66868723f2984d3e8c18f0ebd134240f_msDS_cloudExtensionAttribute2

image

I can see my extension value.

However, if I try: https://graph.microsoft.com/v1.0/users/<userid or upn>?$select=extensionAttribute2, I cannot see the value even I know it’s there.

image

Strange thing, hopefully I will find out some more on this, and please comment if you have any ideas. I will also ask this from the Azure AD team.

Here is the gist with all the commands:

Session Recap, PowerShell Scripts and Resources from session on Azure AD Management Skills at NICConf 2017

Last week at NICConf I presented two sessions on Management of Microsoft Azure AD, Application Publishing with Azure AD – the New Management Experience! and Take your Azure AD Management Skills to the Next Level with Azure AD Graph API and Powershell!

In the last session i presented demos and scripts with some technical details, so in this blog post I will link to those PowerShell scripts together with some explanations. See also my slides for the sessions published here: https://docs.com/jan-vidar-elven-1/7677/nicconf-2017, and the session recording might be available later which I will link to.

First i talked about the new Azure AD PowerShell v2 module and install info:

Then connecting and exploring some objects and license info:

Then performing some Administration tasks including creating Dynamic Groups, setting user thumbnail photo, adding licenses and changing passwords:

In the next part of my session I went on to talk about the Azure AD Graph API and the Microsoft Graph API. The Microsoft Graph API will eventually be the “one API to rule them all”, as Azure AD also can be accessed by that API, but there are still use cases for the Azure AD Graph API.

In either case, to be able to use the APIs you must create and register an Azure AD Application of type Web App/Api, and give that Application the needed permissions to access the APIs. I showed in my session how to do this in the portal, and here you have a PowerShell Script for creating that same type of Application, this example for accessing the Azure AD Graph API:

Note that for the above script, you will need to note some output and manual operations:

  • Take a note of the Application ID, you will need that later:
    azureadapp
  • Take note of the Key Secret, you will need that later also:
    azureadappkeysecret
  • Application must be manually granted permission here, as this per now cannot be automated with PowerShell:
    azureadappgrantpermission

By the way, you should newer share this App Id and key secret publically (as I have just done here 😉 Other people could use that same information to access your APIs and Azure AD info, so take care to protect that info! (Of course I have deleted that info after showing this here 😉

Now, with this App registered in Azure AD, we can now start managing Azure AD via REST API calls, for example from PowerShell. The following script shows how we can get Self Service Password Registration Activity via the Azure AD Graph API, specifically we will use the Reporting API (https://msdn.microsoft.com/en-us/library/azure/ad/graph/howto/azure-ad-reports-and-events-preview). Note that the script will need the App Id and Key value noted from above:

With that last export to a Csv file I can import it to Power BI as a table, and create a report and a dashboard on it, for example showing which password reset registration method the users configured, what user and role type did the registration and the count and date for the registrations:

PowerBIReport.PNG

In the session we also looked at the new Content Pack for Azure AD, showing sign-in and audit events, and also how you can get data from the Microsoft Graph API using a OData Feed:

I hope this scripts will be as useful for you as it is for me! Good luck with taking your management of Azure AD to the next level with Azure AD PowerShell and Graph APIs!

Protecting Norwegian National ID Number with Azure Information Protection and RMS

In Norway we have a National Identification Number which is an 11-digit personal identifier, which also is referred to a Birth Number as this is given to every Norwegian borned at birth.

The number consists of:

  • 6 first digits are birth date in the form of: ddmmyy
  • 3 next digits are personal, with the last of those 3 indicating whether you are male (odd number) or female (even number)
  • The last 2 digits are control digits, based on modulus functions on the first digits

(Source: http://www.skatteetaten.no/en/person/National-Registry/Birth-and-name-selection/Children-born-in-Norway/National-ID-number/)

The special thing about Norwegian National ID Numbers are that they are not only used for personal identification, but also in some official scenarios is used for source of authentication. This makes this ID number highly sensitive, and should not be shared around in for example documents and emails.

In this blog post I will look at how Azure Information Protection can automatically detect and classifiy documents that contains the Norwegian National ID Number, and more over how we can use Azure Rights Management Services (RMS) to automatically apply a RMS template which encrypts and sets permissions for these classified documents.

I will show this step by step, so read on for details.

Activate Azure Rights Management Services and Azure Information Protection for your Azure AD

The requirement for setting this up is that you have a Tenant with an Azure AD Directory, and licensed with EMS Suite (E3 or E5), Secure Productive Enterprise (SCE) or Azure Information Protection P1 or P2 licenses. You will need the EMS E5/AIP P2 if you want to be able to automatically classify and label documents, as E3/P1 only enables users for manual classification and labeling. You can get EMS E5 trial licenses if needed.

To active Azure RMS, if you havent already done this, go to: https://account.activedirectory.windowsazure.com/RmsOnline/Manage.aspx

If you get this message you are OK to proceed to next step:

image

Next, in a new browser window, sign in to the Azure portal as a global admin for your tenant.

On the hub menu, click New, and then select Security + Identity. In the Security + Identify blade, select Azure Information Protection. In the Azure Information Protection blade, click Create. This will enable Azure Information Protection and make it accessible for your configured services later. If you selected to pin the blade, you will have easy access for configuring Azure Information Protection later:

image

Configure Classification and Labeling

In this step we will configure the classification and labeling for the Norwegian National ID Number.

First, when I start the default configuration of Azure Information Protection, I will se these built-in classification labels:

image

These classification labels should be sufficient for a lot of protection scenarios, but in this case I will add a new label for protecting restricted content like the Norwegian National ID Number. I select to add a new label, as shown below:

image

I give the new label the name Restricted, and provide a custom tooltip for the users to see. I can select another color if I want, and for now I don’t want to add an Azure RMS template for protection.

Further down, I add visual markings, by providing a Header text:

image

And a watermark:

image

Next I can specify conditions for automatically applying a label. This is where I will check for any Norwegian National ID Numbers. First I add the Condition:

image

Then I select Custom type of condition, because the built-in ones does not contain the Norwegian ID number. Under Custom I specify a name for the condition, and select to match based on a regular expression. See explanation below. I can also match on case sensitivity (if letters) and number of occurances if I want.

image

So, the main part here is the Regular Expression (RegEx) that will discover if there could be a possible match on a Birth Number/Norwegian National ID Number.

I will not dive into details on Regular Expressions here on my blog, but in short the following expression will match if the first 6 digits are a valid date. For example 31 days in the months Jan, Mar, May, July; Aug, Oct and Dec, and 30 days in the rest. In addition, this will not check for leap years, so will accept 29 days for each Feb to simplify. The last 5 digits are accepted if they are 0-9.

(0[1-9]|[1-2][0-9]|31(?!(?:0[2469]|11))|30(?!02))(0[1-9]|1[0-2])\d{7}

This expression could be even better, and I might look into that later:

  • If the 3 digits after the date were checked to be in the right group based on birth year
  • If the last 2 digits were in fact modulus calculating on the previous

But for now this should be sufficient.

After adding that condition, I specify a tooltip for the end users:

image

All that is left now is to save and publish my new classification label:

image

Download and Install the Azure Information Protection Client

Next step is to Install the Azure Information Protection client on a PC that has Office installed. Download the client from from the Microsoft download center, https://www.microsoft.com/en-us/download/details.aspx?id=53018.

Run AzInfoProtection.exe and follow the prompts to install the client. As we have configured the tenant with the default and customized label, it doesnt matter if you install the demo labels as the tenant settings will override.

After installing the client and starting any Office program we will se the toolbar as shown below:

image

Testing Automatic Classification of National ID Number

If I open a new document in Word and type in as below for an example valid National ID Number:

image

I then have to save the document, because the validation of conditions for classification labels happens at save time.

And as expected, the document has now been automatically classified as Restricted, with the explanation that a Norwegian National ID Number has been detected:

image

I also see the watermark and the header text for the document:

image

At this point we are able to automatically classify the document as restricted and sensitive, but the document can still be shared unencrypted if the user wants to do that.

In the next step we will see how we can configure automatic data protection for this classification label.

Configure Data Protection

If we want to configure automatic data protection for classified documents I will need to either use an existing or create a new Azure RMS Template. In this case I will create a new template. This must, for now, be done in the old Azure Portal at manage.windowsazure.com, and under your Azure Active Directory and Rights Management settings.

image

When you enable Azure Rights Management for your tenant you will have two default RMS templates specified:

  • <organization name> – Confidential
  • <organization name> – Confidential View Only

I will now create a new RMS template for my organization, which I will use for protecting documents that are classified as Restricted. First I specify language, name and description for the new template:

image

After creating the RMS template I can now configure rights, scope and optional configurations.

image

Under Rights I have added a couple of groups from my Organization where I configure a Rights role of Viewer:

image

The Viewer Role has the following custom rights, which suits my scenario where I want to restrict sharing for Restricted Sensitive Information.

image

I can define the scope of the RMS template, which defines who in my organization can apply this template. I want everybody to be able to use this template, so I will not change any scoping settings now:

image

At the configuration section I can choose to Publish the template, and change settings for additional languages, content expiration and offline access. I have left the default settings on and publish the RMS template as ready to use:

image

With the new RMS template ready, I can now go back to Azure Information Protection and Configure the Protection settings for my “Restricted” classification label. I select my new RMS template from the dropdown menu:

image

After that I hit Save, and then Publish the policy:

image

I can now see that my Restricted classification label both have Marking, Protection and Conditions defined:

image

Testing Automatic Protection

We will now test this in a new Word document. Once again I type a National ID Number and Save the document. And now I see that the document both is automatically classified and protected:

image

As I am the owner of the document, I can share it internally to any user in my organization, but they will be prohibited to do any operations besides viewing the document.

And if I share the document to an external user outside my organization, they will be prohibited to view the document and contents as well, as they are not able to open and view the document without an Azure AD user from my organization:

image

If I wanted to restrict my users from even sharing it internally, I would need to configure an Office 365 Data Loss Prevention (DLP) Policy, which can apply to Exchange Online, SharePoint Online and/or OneDrive for Business, and look for Norwegian National ID Number there. But that would be a topic for another blog post!

Classifying and Protecting Outlook E-mail

Does this only apply to Office documents? No, when you install the Azure Information Protection client you get the opportunity to classify and protect e-mails sent with the Outlook client as well.

When I send an e-mail message that contains a Norwegian National ID Number and after I hit the Send button, the automatic classification and protection will be applied to the e-mail:

image

The external receipient of the e-mail will se this message, and will not be able to see the e-mail content:

image

Conclusion

In this blog post I have shown how you can use Azure Information Protection (AIP) to classify Office documents and Outlook e-mails and how you can use conditions to automatic apply that classification based on for example a Norwegian National ID Number detection with the use of a regular expression.

In addition I have shown how you can use Azure RMS and a template to automatically encrypt that document and set the permissions for the users in my organization that only allows viewing.

Speaking at NIC 2017

I’m very happy that I have been selected as a speaker again for next years NIC 2017!

I will have at least one session to present, and hoping for a second session but the organizers have a lot of interesting session proposals to choose from so we’ll see.

My session will be about Enterprise Applications and Publishing in the new Azure AD Management Experience:

image

In this session we will look into the new management experience of Azure AD Applications in the new Azure Portal. The session will cover publishing and management of Application Proxy applications, Web App/API Applications and Enterprise Applications including SaaS Applications, and how and in which scenarios we can use the new Azure Portal, PowerShell or the Classic Portal for administration. Another important topic that will be covered is how you can configure Conditional Access for those applications for Users and Devices with the Enterprise Mobility & Security offering.

NIC 2017 is 2nd and 3rd of February, with a Pre-Conf day at the 1th. Read more at www.nicconf.com.

Hope to see you there!

Speaking at #ExpertsLive 2016 Netherlands

Next week at Tuesday 22nd of November I will be back speaking at ExpertsLive 2016, at CineMed Ede, Netherlands. After my first visit and speaking there last year, I always wanted to go back to this great community event, and I’m very happy and honored to be invited to speak again.

ExpertsLive NL 2016 will feature over 50 sessions, plus Keynote and Closing note, in as much as 9 different tracks ranging from Azure and Azure Stack, to Managebility, Automation, Windows Server 2016, Office 365, Security and Windows 10! In addition there will be great sponsors and networking. What more can you ask of a conference. There will be over 1000 attendees mostly from Netherlands, but also from visiting nearby countries.

My session will be on Azure Active Directory and how you can perform Premium Management and Protection of Identity and Access with Azure AD, covering solutions like Privileged Identity Management, Identity Protection, Multi-Factor Authentication and Azure AD Connect Health. It is very important to protect your identity now, let me show you how, and I will show some nice demos as well, hope to see you there!

Read more about ExpertsLive here: http://www.expertslive.nl

EXPERTSLIVE.5011_email-signature_spreker_ENG_630x180

Speaking at UC Day UK 2016

I’m excited to be speaking at UC Day UK at the National Conference Centre, in Birmingham, 24th October 2016. If you are interested in attending or reading more, visit this link http://www.ucday.uk.

My session will be on Azure Active Directory and how you can perform Premium Management and Protection of Identity and Access with Azure AD, covering solutions like Privileged Identity Management, Identity Protection, Multi-Factor Authentication and Azure AD Connect Health. I will show some nice demos as well, hope to see you there!

JoinSkillriverPremiumIdentityManagementAzureAD

In addition to my session I will during the day be interviewed on The Skype Show (www.theskypeshow.com) about Azure AD and Identity and Access, some of these sessions will go live on Microsoft Channel 9 if logistics permit, or via Skype for Broadcast Meetings or Skype Meetings, and in anyway be recorded and released on Channel 9, Youtube and The Skype Shows website.

image

UC Day will cover technologies like Skype for Business, Exchange, Office 365, Azure and Cloud, and with 25 breakout sessions over 5 tracks, together with expo and sponsors, keynote and closing note. I very much look forward to come there!

Missing groups prevents upgrade of Azure AD Connect

This is just a short blog article on a problem I experienced when upgrading Azure AD Connect from a previous version. This was a small environment where the Azure AD Connect server was running on the Domain Controller.

When starting the upgrade process I noticed that a message was displayed that a “Group with name ADSyncAdmins was not found in the Machine context”. When I clicked to Upgrade anyway, an error message was displayed that it was “Unable to upgrade the Synchronization Service”:

image

Looking into the event log, I found this error:

Product: Microsoft Azure AD Connect synchronization services — Error 25037.The groups entered do not all exist or cannot be found. Verify that each group name is correct, and then try again.

image

Since this was a Domain Controller, and there is no Local Users and Groups, I created the ADSyncAdmins group in Active Directory, as a Domain Local Security group. Trying the upgrade again, I got a new group that was missing:

image

So I ended up creating these 4 groups that was missing:

  • ADSyncAdmins
  • ADSyncBrowse
  • ADSyncOperators
  • ADSyncPasswordSet

After that I was able to successfully finish the upgrade of Azure AD Connect.