Skip to main content

Lessons learned while implementing Azure AD Privileged Identity Management (PIM)

In this blogpost I will share my experiences with implementing Azure AD Privileged Identity Management (PIM).  PIM is a service that enables you to manage, control, and monitor access to important resources in your Azure environment. These resources include resources in Azure AD, Azure, and other Microsoft Online Services like Exchange Online, SharePoint Online or Microsoft Intune. 

PIM provides the following functionality: 

  • Just-in-time privileged access to Azure AD and Azure resources 
  • Assign time-bound access to resources using start and end dates 
  • Require approval to activate privileged roles 
  • Enforce multi-factor authentication to activate any role 
  • Use justification to understand why users activate 
  • Get notifications when privileged roles are activated 
  • Conduct access reviews to ensure users still need roles 
  • Download audit history for internal or external audit 

This article will cover the following topics:

Note: This post reflects the status of Azure AD Privileged Identity Management as of March 24th 2020. Functionality may change, even right after this post has been published.

Read More

Announcing WMUG_NL Saturday, on March 28 2020

On Saturday March 28th, 2020 the Windows Management User Group Netherlands (WMUG_NL) will organize a full Saturday with Workshops. Together with Peter Daalmans I will host a workshop on the topic of Conditional Access, the workshop partly be based on the blog articles I wrote about the subject earlier this year. Also Adnan Hendricks will host a session on Threat Hunting, which will be very interesting as well.

Also this year Fast Lane, a learning solutions provider located in Utrecht is hosting the location and providing us with food and drinks. See: Windows Management User Group Netherlands – WMUG Saturday 2020 on Meetup if you want to join us. Attending is free, the only thing you need to do is RSVP on the Meetup page, so that we know you are coming.

Windows Management User Group Netherlands
Read More

Speaking at RDW Techday on April 1st 2020

On Wednesday April 1st, I have the opportunity to present at the RDW Techday. RDW Techday is a community event organized by the RDW, the goal is to stimulate knowledge sharing within the company and between companies in the same region. I had the pleasure to present at earlier events already and received some really positive feedback.

RDW is the Netherlands Vehicle Authority in the mobility chain. RDW has developed extensive expertise through its years of experience in executing its statutory and assigned tasks. Tasks in the area of the licensing of vehicles and vehicle parts, supervision and enforcement, registration, information provision and issuing documents.

Read More

License requirements for administering Microsoft 365 services

Microsoft licensing is tough and vague but something we must deal with while implementing our solutions. I’m also aware that some of the features I describe on my blog are only available in the most expensive licensing options Microsoft provides, making some of the features I describe not usable for some of my readers.

Update June 23rd 2020: Microsoft has removed the Intune license requirement for administrators, see this blogpost by Peter van der Woude for more information: Quick tip: Allow access to unlicensed admins

If you administer Microsoft 365 services like Azure Active Directory (AzureAD), Exchange Online (EXO), SharePoint Online (SPO), Intune and many other products the license requirements for your administrative accounts are extra vague. I’ve asked Microsoft in December last year to clarify this, but until now no response was given.

There is some fragmented information available in the Microsoft documentation, that in combination with some other information to be found on the internet, like on twitter concludes that the license requirements are indeed very vague and could really use some official documentation from Microsoft to clear things up.

One thing in known, is that when asked about licensing requirements for the online services provided by Microsoft the statement returned is: “When the user benefits from the service, a license is required”

So let’s see what I found available online and see if it makes sense in some way…

Read More

Microsoft is going to disable basic/legacy authentication for Exchange Online. What does that actually mean and does that impact me?

Update: On April 3rd 2020, the Exchange Team announced that due to the COVID019 crisis, they will postpone disabling legacy authentication until the second half of 2021.

Update: On April 30 2020, the Exchange Team announced that OAuth 2.0 authentication for IMAP and SMTP AUTH protocols is now available. In order to leverage this functionality mail clients need to start using it (so they need an update). Michel de Rooij did a nice article on how to configure Thunderbird for oAuth2 which you can read here: Configuring Exchange Online with IMAP & OAuth2

Update: On May 28 2020, the Exchange Team announced that OAuth support for POP is now also available for Exchange Online.

Update: On June 30th 2020, the Microsoft Exchange Team announced support for Modern Authentication in scripts using the new Exchange PowerShell module, see: Modern Auth and Unattended Scripts in Exchange Online PowerShell V2

On March 7, 2018 the Microsoft Exchange Team announced that on October 13, 2020 it would stop the support for Basic Authentication (also called Legacy authentication) for Exchange Web Services (EWS) in Exchange Online (EXO), the version of Exchange offered as a service part of Office 365. EWS is a web service which can be used by client applications to access the EXO environment. The team also announced that EWS would not receive any feature updates anymore, and suggests customers to transition towards using Microsoft Graph to access EXO.

One and a half year later, on November 20, 2019 the Exchange Team also announced to stop supporting Basic Authentication for Exchange ActiveSync (EAS), Post Office Protocol (POP), Internet Message Access Protocol (IMAP) and Remote PowerShell on October 13 2020 as well. Authenticated Simple Mail Transfer Protocol (SMTP) will stay supported when used with Basic Authentication.

Instead of supporting Basic/Legacy authentication Microsoft will move towards only supporting Modern Authentication for most of the methods used to connect to Exchange Online.

Read More