Strange times in which we live, this made my day today…
New calculator released, get it now and size your deployments correctly!
When I spoke with one of the Identity Management PMs a couple of months ago in Redmond, he observed that many customers are deploying ADFS incorrectly or not following best practice, leading in turn to a Support overhead far above what was originally envisaged. ADFS is definitely not fun to troubleshoot, due to certificates, multiple load-balanced ADFS and WAP servers (4 in all) etc., and you can go read a great blog post about all of that here: Ask Premier Field Engineering (PFE) Platforms – ADFS Deep-Dive: Troubleshooting.
Great news today then, that SSO deployment looks to have gotten easier thanks to Pass-Through Authentication and Seamless Single Sign-on via Azure AD Connect. It’s still in Preview, but I can already see our deployments getting easier. Read the article below.
Today’s news might well be our biggest news of the year. Azure AD Pass-Through Authentication and Seamless Single Sign-on are now both in public preview!
When we talk to organizations about how they want to integrate their identity infrastructure to the cloud, we often hear the same set of requirements: “I’ve got to have single sign-on for my users, passwords need to stay on-premises, and I can’t have any un-authenticated end points on the Internet. And make sure it is super easy”.
We heard your feedback, and now the wait is over. I’m excited to announce we have added a set of new capabilities in Azure AD to meet all those requirements: Pass-Through Authentication and Seamless Single Sign-on to Azure AD Connect! These new capabilities allow customers to securely and simply integrate their on-premises identity infrastructure with Azure AD.
Azure AD pass-through authentication provides a simple, secure, and scalable model for validation of passwords against your on-premises Active Directory via a simple connector deployed in the on-premises environment. This connector uses only secure outbound communications, so no DMZ is required, nor are there any unauthenticated end points on the Internet.
That’s right. User passwords are validated against your on-premises Active Directory, without needing to deploy ADFS servers!
We also automatically balance the load between the set of available connectors for both high availability and redundancy without requiring additional infrastructure. We made the connector super light-weight so it can be easily incorporated into your existing infrastructure and even deployed on your Active Directory controllers.
The system works by passing the password entered on the Azure AD login page down to the on-premises connector. That connector then validates it against the on-premises domain controllers and returns the results. We’ve also made sure to integrate with self-service password reset (SSPR) so that, should the user need to change their password, it can be routed back to on-premises for a complete solution. There is absolutely no caching of the password in the cloud. Find more details about this process in our documentation.
Single sign-on is one of the most important aspects of the end-user experience our customers think through as they move to cloud services. You need more than just single sign-on for interactions between cloud services – you also need to ensure users won’t have to enter their passwords over and over again.
With the new single sign-on additions in Azure AD Connect you can enable seamless single sign-on for your corporate users (users on domain joined machines on the corporate network). In doing so, users are securely authenticated with Kerberos, just like they would be to other domain-joined resources, without needing to type passwords.
The beauty of this solution is that it doesn’t require any additional infrastructure on-premises since it simply uses your existing Active Directory services. This is also an opportunistic feature in that if, for some reason, a user can’t obtain a Kerberos ticket for single sign-on, they will simply be prompted for their password, just as they are today. It is available for both password hash sync and Azure AD pass-through authentication customers.
Download the latest version of Azure AD Connect now to get these new capabilities! You’ll find the new options in a custom install for new deployments, or, for existing deployments, when you change your sign-in method.
I encourage you to download the new version of Azure AD Connect today and start testing out these new functions.
As with all previews there are some limits to what we currently support. We are working hard to ensure we provide full support across all systems. You can find the full list of supported client and operating systems in the documentation, which we’ll be updating consistently as things change.
Also, keep in mind that this is an authentication feature, so it’s best to try it out in a test environment to ensure you understand the end-user experience and how switching from one sign-on method to another will change that experience.
And last but by no means least, it’s your feedback that pushes us to make improvements like this to our products, so keep it coming. I look forward to hearing what you think!
Alex Simons (Twitter: @Alex_A_Simons)
Introducing #AzureAD Pass-Through Authentication and Seamless Single Sign-on
Customer Action required by October 31, 2016…
Canadian Customers with data residency requirements who would like to have their core customer data moved to the Canada datacenter region, will need to request a move before October 31, 2016. Data moves will complete within 24 months after the enrollment period. We recommend that you take no action, unless your organization needs core customer data to be stored at rest in the Canada datacenter region. By choosing to move your data, customers limit Microsoft’s possibilities to optimize the location of their core customer data at rest in either their current or the Canada datacenter region.
HOW DOES THIS AFFECT ME?
If your organization has a requirement to store core customer data at rest within Canada, you will have to request a move via the Office 365 admin center. The deadline for requesting your move is October 31, 2016. Data moves will complete within 24 months after the enrollment period. No action is required if you do not have data residency requirements or if you were previously notified of a data move completing. If you do not request to move your data, we may still move your customer data to the Canada datacenter region as part of our optimization procedures. In either case, Microsoft will respect the data residency commitments made in the Microsoft Online Services Terms.
What do I need to do to prepare for this change?
You can review the location of your core customer data at rest and request to move your data in the Organization Profile section of the Office 365 admin center. Please click Additional Information to learn more about the move program and instructions to request a move.
How to request your data move
On the Organization Profile page, scroll down to the Data Residency Option section.
Reports on the current Office 365 location of Client data at rest for Exchange, SharePoint and/or Skype for Business will say “North America” for US datacenters or “Canada” once moved to Canada.
Data residency option
Canadian customers will have this option available until Nov 1, 2016, and it is provided to accommodate organizations that have strict Canadian data residency requirements and require their core customer data to be stored at rest in the Canada datacenter region. By choosing to move your data, your data will be in Toronto or Quebec datacenters. More information and frequently asked questions about this move program are available on the TechNet move site.
To opt-in to move your data click on Data residency option “Edit”
If the customer elects to move their data to Canada they will see a confirmation message “Your organization has requested to move its core customer data to the Canada datacenter region.”
You can also confirm the eligibility and request confirmation via the message center: https://portal.office.com/adminportal/home#/MessageCenter
I think I said somewhere recently that I’m technical lead on a rather large (well for Canada) Exchange 2007 > 2013 migration. I’ve also been doing assessments on several other large (80,000+ mbx) environments with a mix of Exchange 2007/2010/2013 as the install base. For the most part these large enterprises have dedicated Active Directory/networking/storage/Exchange staff running SCOM and full monitoring suites, where the server health is usually stable and optimized. But now and then I get asked to look after smaller deployments, where High Availability and true Site Resiliency are nothing other than a Christmas wish. Where buying a pair of KEMP Hardware Load Balancers is a serious budget consideration. Quite often these small shops don’t bother too much about applying the latest Exchange Cumulative Update or Rollup Updates for Exchange. Or patching the underlying Windows Server OS…or even the Domain Controllers. Dig in a little deeper and you often see a “if it’s not broke don’t fix it” attitude.
Newsflash: you might want to revisit that nonchalance and remember it’s all about what happens when you have that major outage…when mail stops flowing and your CEO is screaming down the phone at the IT Director at 3am…when you make “the call” to your friends at Microsoft Premier Support. They quickly find out you are several Rollup Updates/Cumulative Updates behind…or even worse, running different mixed versions of RU and CU together! They tell you to call them back when you’ve updated your environment. A shiver runs through you as you think of all that must be accomplished to bring the environment up to date…if only you had planned a little better. Do you really know how to patch an environment with no disruption? Did you ever use the Maintenance Mode script functionality supporting the DAG? Do you really know which DBs are hosting the active and passive copies of your data on which server and in which datacenter? When was the last time you logged into your perimeter devices and upgraded the firmware?
It happens all the time and there’s no excuse. If this is you it’s time you watched this session from Ignite 2016…
Design your Exchange infrastructure right (or consider moving to Office 365)
I didn’t make it to Microsoft Ignite 2016 – but no worries it’s all available online! As usual, Michel de Rooij MVP has developed a script that will download all the Ignite videos and slide decks. You can find his script here on the TechNet gallery:
Having much fun delivering some training to our customers in my home port of Edmonton today. We’ve taken over the Microsoft office for the day. Got a full session on Azure IaaS and ARM etc. Exposure like this allows us to demonstrate some of the new and/or cool stuff available in Azure in a hands-on lab environment.
Doing it all again in Vancouver tomorrow…
Haven’t written much in the last few weeks due to the time of year – everyone is on vacation here in Western Canada (everyone, it seems, apart from me!). I was also wrapping up a few odds and ends and doing a lot of presales, which is too boring to write about.
Today though I finally kicked off a large 50,000+ user Exchange 2007 > Exchange 2013 on premise upgrade for a large Enterprise customer as technical lead. I imagine this project will give me lots to discuss in the coming weeks and months. Working with legacy Exchange 2007 is like going back to the bad old days of messaging (imagine working with clustering instead of DAGs)!
As always the art of successfully delivering large scale migrations is in Planning and Communication. The techy stuff is the easy part…
Meanwhile I am off to Seattle next week for more Azure Architect training, which is actually a sequel to the event I attended back in May. It was so successful and the feedback was so positive that they have decided to deliver more of an immersive “hands-on” technical lab format this time. So can’t wait for that to start and I’ll post some stuff about it once it’s underway. I’ll need to write a couple of certs soon with the accumulated knowledge. Initial agenda items are below. Particularly interested in the “vending machines” topic – how to hack a vending machine in Azure? Who knows 🙂
Sample Case Study Workshop Topics
Sample Hackathon Topics
I was finishing up an Exchange Hybrid deployment for a customer this week and came across an interesting bug in the new Office 365 Security and Compliance Centre.
The requirement was a mass PST ingestion to the Online Archive mailbox for each freshly migrated user. I’m going to cover this rather time-consuming and annoying process in a future blog post, describing the wonders of the Azure AzCopy tool, which seems to be permanently in Preview.
I was having a look around and noted that the S&C center allows a degree of Exchange recipient management. I was particularly interested to see that it allows you the option of enabling an Archive mailbox for an Exchange user when you go to https://protection.office.com/#/archiving.
We all know that although you can do this via the Exchange Online admin GUI, when you tick the box to enable the archive you get an error. The same happens with remote PowerShell to Exchange Online. The PowerShell error is shown below:
Enable-Mailbox user-15 -Archive:$true
(checkout Rod Milne’s blog for a walk-through)
I figured I’d try enabling an archive mailbox anyway, somehow hoping I wasn’t going to be faced with the dreaded PST import copy process described above. And it worked! At least no error message, and I even logged out and in again and tried it for a couple of different users. The archive mailbox was provisioned when viewed in OWA (didn’t test with Outlook). Thinking I must have missed this new functionality announcement – which would be awesome given the fact that doing it via GUI should be possible IMO – I had a search through the documentation and blogs and could not see anything that discussed this. Trying to enable via the EAC still results in failure, so clearly there was a mismatch happening between portals.
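A quick way to see the portal mismatch described above for a hybrid user is to compare what Exchange Online and on-premises Active Directory each record for the archive. This is an added example, not from the original post or from Microsoft; it assumes an Exchange Online remote PowerShell session plus an on-premises Exchange Management Shell session, and the identity is a placeholder.

```powershell
# Added example (not from the original post). Assumes both an Exchange Online
# remote PowerShell session and an on-premises Exchange Management Shell
# session are loaded, and that $User is a placeholder for a real hybrid user.
$User = 'user-15@contoso.example'   # placeholder identity

# Cloud side: what Exchange Online believes about the archive
$cloud = Get-Mailbox -Identity $User |
    Select-Object DisplayName, ArchiveStatus, ArchiveGuid, ArchiveName
$cloud | Format-List

# On-premises side: what the remote mailbox object in AD says
$onprem = Get-RemoteMailbox -Identity $User |
    Select-Object DisplayName, ArchiveGuid, ArchiveName
$onprem | Format-List

# A non-empty archive GUID in the cloud alongside an empty one on-premises
# means a cloud portal provisioned the archive behind directory sync, which
# is the mismatched state the post describes.
if ($cloud.ArchiveGuid -ne [guid]::Empty -and $onprem.ArchiveGuid -eq [guid]::Empty) {
    Write-Warning ("Archive exists in Exchange Online but not in on-premises AD for {0}; " +
        "for a hybrid user, enable it on-premises with Enable-RemoteMailbox -Archive " +
        "so that directory sync owns the archive state.") -f $User
}
```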
Thanks to the power of twitterland, I tweeted to the community, in particular the guru of all things Hybrid…Michael van Hybrid (@vanhybrid). He confirmed:
This isn’t the first time I’ve found product bugs. A few years ago when I used to do a fair amount of GroupWise and Lotus Notes migrations, I’d find bugs in the Quest Migration Manager for Active Directory and Exchange product. That code was originally written by Aelita Software, which employed a team of about 375 software developers in Russia. No surprises for guessing then that some of that Russian code never translated correctly into English. If I remember correctly I had three official bug fixes included in future version releases.
I don’t think the Office 365 environment will provide such rich pickings, there’s a remarkable amount of QA that goes on before any net new functionality such as the Security and Compliance center goes into Prod. However, when you have multiple engineering teams collaborating, things can get missed and this was a biggie in my opinion.
A few days later the esteemed Tony Redmond (@12knocksinna) confirmed the bug was accepted, which made me smile…cool!
Great article by Tony Redmond digging into the stats for O365 Q1 SLA
Microsoft recently posted the Q1 2016 performance against SLA for Office 365 and reported a 99.98% outcome, which is the same number that they posted for the two previous quarters. Overall, things have been pretty consistent in terms of Office 365 service recently.
That’s not to say that Office 365 has not been without its problems. Looking at the Service Health Dashboard (SHD) for any tenant is likely to turn up some issues for any given period. It’s the nature of a very complex infrastructure that is in a state of perpetual software and hardware updates that some glitches will occur.
However, the sheer size of Office 365 and the number of tenants and users it now supports means that any single support incident or outage is unlikely to dent performance against SLA. At their Q3 FY16 analyst briefing, Microsoft said that Office 365 has 70 million active users, so…