Azure AD premium is an identity and access management service for the larger, more demanding enterprises.
For those who don’t know Azure AD, this is the AD behind cloud services like Office 365, CRM Online, Windows Intune etc.
One of the things we encountered was the inability to reset passwords when using DirSync with password sync. This could only be achieved with additional configuration using third-party tools. Azure AD Premium allows users to reset their own passwords and fills in that gap.
It is also nice to be able to brand the sign-in experience that end users see when they sign on or use their Access Panel.
Multi-factor authentication is also introduced, and it can be set up easily without deploying new software in your local network.
Below is a complete list of the features added in Azure AD Premium, quoted from Microsoft.
“Active Directory Premium edition is a paid offering of Azure AD and includes the following features:
- Company branding – To make the end user experience even better, you can add your company logo and color schemes to your organization’s Sign In and Access Panel pages. Once you’ve added your logo, you also have the option to add localized versions of the logo for different languages and locales. For more information, see Add company branding to your Sign In and Access Panel pages.
- Group-based application access – Use groups to provision users and assign user access in bulk to over 1200 SaaS applications. These groups can either be created solely in the cloud or you can leverage existing groups that have been synced in from your on-premises Active Directory. For more information, see Assign access for a group to a SaaS application.
- Self-service password reset – Azure has always provided self-service password reset for directory administrators. With Azure AD Premium, you can now further reduce helpdesk calls whenever your users forget their password by giving all users in your directory the capability to reset their password using the same sign in experience they have for Office 365. For more information, see Enable self-service password reset for users.
- Self-service group management - Azure AD Premium simplifies day-to-day administration of groups by enabling users to create groups, request access to other groups, delegate group ownership so others can approve requests and maintain their group’s memberships. For more information, see Enable self-service group management for users.
- Advanced security reports and alerts – Monitor and protect access to your cloud applications by viewing detailed logs showing more advanced anomalies and inconsistent access pattern reports. Advanced reports are machine learning-based and can help you gain new insights to improve access security and respond to potential threats. For more information, see View your access and usage reports.
- Multi-Factor Authentication - Multi-Factor Authentication is now included with Premium and can help you to secure access to Azure, Microsoft Online Services like Office 365 and Dynamics CRM Online, and over 1200 Non-MS Cloud services preintegrated with Azure AD. Simply enable Multi-Factor Authentication for Azure AD identities, and users will be prompted to set up additional verification the next time they sign in. For more information, see Adding Multi-Factor Authentication to Azure Active Directory.
- Forefront Identity Manager (FIM) - Premium comes with the option to grant rights to use a FIM server (and CALs) in your on-premises network to support any combination of Hybrid Identity solutions. This is a great option if you have a variation of on-premises directories and databases that you want to sync directly to Azure AD. There is no limit on the number of FIM servers you can use, however, FIM CALs are granted based on the allocation of an Azure AD premium user license. For more information, see Deploy FIM 2010 R2.
- Enterprise SLA of 99.9% - We guarantee at least 99.9% availability of the Azure Active Directory Premium service. For more information, see Active Directory Premium SLA”
For a comparison between the free Azure AD and the Premium edition, click the image below.
Last week I spent a couple of days in Las Vegas for the yearly Lync Conference. During this yearly returning event new features are discussed and breakout sessions are given to exchange knowledge and experience. Besides the sessions Lync Conference is all about coming together and meeting new people.
It was great meeting all the people behind the well-known blogs (Stale Hansen, Ken Lasko, Tom Arbuthnot, Ari Protheroe, etc ). Hope we meet again next year!
The keynote kicked off with Gurdeep Singh Pall. After being away for 2 years he has now returned to the Lync team to introduce the new era of “Universal Communications”.
The past 2 years he has been working on artificial intelligence and wishes to bring that intelligence to Lync. He described how the work on Bayesian prediction will eventually make its way into communications systems. Wouldn’t it be cool if Lync “knew” with whom you want to communicate and just presented you the “John Doe” you want to call, instead of the 500 other Johns in your contact list and endlessly scrolling to find the right one?
Gurdeep stressed that we have entered an era of Universal Communications, in which mega trends like social media, technology, a changing work / life balance and continually improving devices play an important part. There isn’t a user that does not want all of his / her information available on all devices. Those devices have to communicate with each other to sync all information everywhere. The cloud also plays a major part in this.
As an example Gurdeep mentions: what if you search for John on your computer, then want to call the same John on your mobile 5 minutes later? Wouldn’t it be great if your mobile knew which John you searched for, and found the John you wanted? That’s the power Gurdeep wants to bring into UC.
Besides Gurdeep’s vision on where Unified (Universal) Communications is going, Derek Burney also spoke at the keynote, introducing (and demoing) some great new features for Lync.
Since introduction a lot has changed on the mobile clients, and there is still more to come!
Last year “One click join” was introduced; now they came up with something even better: No click join. No click join works like a “Siri”-like voice control for Lync. It shows, creates and joins meetings if you ask it to.
Apart from the voice control features for mobile, Derek also mentioned a Lync mobile client for Android tablets. It will probably be released at the end of June and be available in the Google Play store.
Anonymous join was also shown, at least for iPad and iPhone, as well as content sharing (PowerPoint) for these devices, just like you would share content on fat clients.
Derek also demoed interoperability between Tandberg (legacy) systems and Lync Server, which will probably be available to the public in the next Lync version.
A long expected feature is multimedia through the browser, presenting audio and video through a public facing website or intranet. Derek demoed this feature using a medical website in a doctor / patient scenario. First with only chat functionality, later adding audio and video so the patient could explain what his complaints were. The doctor could see the patient and suggest possible treatments.
From a medical perspective this is awesome, it saves valuable time when diagnosing patients and in some cases can even save lives.
Last but not least, Derek talked about Lync and Skype. Microsoft is working hard on the integration of both. One of the long awaited features is video support between Lync and Skype. Derek’s demo showed how a Lync user started a video conference with a pawn shop using Skype.
Little fun fact: almost a third of all long distance calls take place via Skype. Microsoft already has lots of telecommunications running on their platform and calls itself the #1 UC voice market leader. This is exactly the reason Microsoft sets an ambitious goal on integrating features between Lync and Skype.
Lync Online was also mentioned in between. Lync Online will soon support large meetings of up to 1,000 users. PSTN inbound and outbound calling is also coming to Lync Online. No technical content yet, also no roadmap and no information about which regions PSTN calling will be provided in. More on that later this year.
Want to see the keynote for yourself? Go to the Lync Conference website.
I mostly attended the support sessions: advanced troubleshooting, network issues and best practices. A recap of those sessions will be blogged separately. An overview of all the sessions is on the Lync Conference website under Sessions.
If you want more information about the sessions do not hesitate to contact me.
In the exhibit hall partners and vendors had the opportunity to present their services or products. There were enough booths to enjoy yourself for hours (also some nice goody bags).
Vendors like Jabra, Plantronics and Sennheiser presented their new range of products with nice demos. You could also get advice on the products from consultants or sales representatives.
Plantronics stood out this year, well, at least I found it interesting :). They call it Seamless Call Transfer, an evolution in wearable technology in my opinion. Seamless Call Transfer makes it possible to seamlessly transfer a Lync based call to a mobile phone using proximity sensors within the headset. When going “out of range” Lync calls the mobile (while maintaining the existing connection) and seamlessly transfers the call when the user picks up.
Plantronics has a nice demo on YouTube, embedded below.
Hope to be there again next year!
But I’m planning to resume blogging.
First of all I want to point out that anyone who is using ADFS with auto certificate rollover should use this script. I know it’s been around for a while, but I noticed it’s not well known among administrators.
So what does the script actually do?
Well, it creates a scheduled task which automates the update of the Microsoft Office 365 federation metadata. The federation metadata contains certificate validity information for the token-signing and token-decrypting certificates and has to be updated with each change to one of those certificates.
When auto certificate rollover is enabled for ADFS, the ADFS service creates a new secondary certificate 20 days prior to expiration of the primary certificate. 5 days before expiration the primary and secondary certificates are switched and the new certificate goes live. The time in between is called the grace period.
It is critical that the federation metadata is updated before the end date of the grace period. If it is not, this will result in the loss of access to all Office 365 services.
Source : http://technet.microsoft.com/nl-nl/library/jj933264.aspx#BKMK_GracePeriod
To prevent this from happening the script was created: it automates the update task so no manual intervention is needed when the certificates are updated.
The script can be downloaded from the Microsoft Gallery. Make sure you check the gallery on a regular basis because it does get updated from time to time.
To execute this tool successfully:
- You must make sure that you have installed the latest version of the Microsoft Online Services Module for Windows PowerShell
- You need to have a functioning AD FS 2.0 Federation Service
- You need to have access to Global Administrator credentials for your Office 365 tenant
- At least one verified domain in the Office 365 tenant must be of type 'Federated'
- This tool must be executed on a writable Federation Server
- The currently logged on user must be a member of the local Administrators group
- The Microsoft Online Services Module for Windows PowerShell must be installed. You can download the module from http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx
To create the scheduled task I logged on with the service account on the machine because the task is created with the logged on user.
After you download the tool onto your internal ADFS server, you need to right-click on it and unblock it. Otherwise you will get errors like “the script is not digitally signed. The script will not execute on the system.”
Also, if you get the error “Failed MSOL credential validation.” it is because you are running the script in the regular Windows PowerShell or the ADFS PowerShell module. You need to make sure you run this in the “Microsoft Online Services Module for Windows PowerShell” window, which looks like this on the desktop:
Run the installation script as follows.
It is also recommended to use an Office 365 service account with a non-expiring password when entering the MSOL credentials. These credentials are stored in the Windows credential vault and need to be updated every time the password is changed.
Once the script is run there will be a scheduled task in the task scheduler.
The schedule can be adjusted to your needs, but I (and also Microsoft) recommend updating the metadata at least once a week.
A cool feature is that the script discovers all federated domains within your tenant and adds them to the update script every time it is run. It also adds the -SupportMultipleDomain switch when the command initially fails.
A logfile is written to the following folder:
The logfile shows the result for each domain name discovered, for both the internal ADFS and Office 365.
In the results below the certificate has already been updated, so there is no “NextTokenSigningCertificate” known in the internal ADFS log. Office 365 still has the “old” certificate, which is shown as its “NextTokenSigningCertificate”.
At the end it shows whether the update worked with or without the -SupportMultipleDomain switch and whether the update succeeded.
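As an added example (mine, not the gallery script), the following check detects the drift the scheduled task guards against: it compares the primary token-signing certificate in ADFS with the certificates Office 365 knows about for each federated domain, and reports how close the primary certificate is to the 5-day rollover point. It assumes the AD FS 2.0 snap-in and the MSOnline module are available on the federation server, that Connect-MsolService has already been run in the same “Microsoft Online Services Module” window, and that the Office 365 side of Get-MsolFederationProperty reports its Source as “Microsoft Office 365”.

```powershell
# Added example, not part of the Microsoft Gallery script.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline -ErrorAction SilentlyContinue

function Test-FederationMetadataDrift {
    param(
        [string[]]$DomainName,   # federated domains to check; discovered if omitted
        [int]$GraceDays = 5      # days before expiry at which ADFS switches certificates
    )

    # Primary token-signing certificate currently used by ADFS.
    $primary = Get-ADFSCertificate -CertificateType Token-Signing |
        Where-Object { $_.IsPrimary }
    $daysLeft = [int]($primary.Certificate.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -le $GraceDays) {
        Write-Warning "ADFS primary certificate switches in $daysLeft day(s); metadata must be current."
    }

    if (-not $DomainName) {
        # Same discovery the gallery script performs: every federated domain in the tenant.
        $DomainName = Get-MsolDomain |
            Where-Object { $_.Authentication -eq 'Federated' } |
            Select-Object -ExpandProperty Name
    }

    foreach ($domain in $DomainName) {
        $props = Get-MsolFederationProperty -DomainName $domain
        # Assumption: the cloud-side record identifies itself with this Source string.
        $cloud = $props | Where-Object { $_.Source -like '*Office 365*' }
        # Office 365 is in sync if it lists the ADFS primary as either its current
        # or its next token-signing certificate.
        $known = @($cloud.TokenSigningCertificate, $cloud.NextTokenSigningCertificate) |
            Where-Object { $_ } | ForEach-Object { $_.Thumbprint }
        $inSync = $known -contains $primary.Thumbprint
        if (-not $inSync) {
            Write-Warning ("{0}: Office 365 does not know thumbprint {1}; run " +
                "Update-MsolFederatedDomain -DomainName {0} (add -SupportMultipleDomain " +
                "if it fails in a multi-domain tenant).") -f $domain, $primary.Thumbprint
        }
        New-Object PSObject -Property @{
            Domain             = $domain
            AdfsPrimary        = $primary.Thumbprint
            DaysUntilRollover  = $daysLeft - $GraceDays
            Office365InSync    = $inSync
        }
    }
}

Test-FederationMetadataDrift | Format-Table -AutoSize
```

Schedule this alongside the gallery task and alert on any row where Office365InSync is False, so a failed metadata update is noticed before the grace period ends.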
Hope this will help you in automating renewals in your Single Sign On solution.
The beginning of this month Microsoft released the new 2013 mobile client.
The client is available for the following platforms:
The server backend must have the February 2013 (CU1) updates installed.
These can be downloaded at http://support.microsoft.com/kb/2809243
Below you will find a feature list for Lync 2013 mobile clients on different platforms.
It’s now possible to start audio / video calls over Wi-Fi or 3G.
In the options menu there is an option to require Wi-Fi for audio / video calls.
I recommend selecting this to reduce bandwidth usage and cellular costs. You can also disable photos to reduce bandwidth usage.
The contact list and contact card.
From the card you can initiate chat, audio call, video call or email.
When clicking the call button you can initiate a call.
When initiating a Lync call the client automatically dials the number or creates a peer to peer session. Within the Lync 2010 mobile client the server always called back to initiate a call.
The chat and video calling functionality.
Also new: when you are added to a response group, the response group call will also ring on your phone and you have the ability to pick up this call on your mobile.
The keypad still looks the same.
Voicemail is also available from the client and you have the ability to delete or call back.