Zoho Banner September 2011

Archive for the ‘Azure Active Directory’ Category

This post provides a quick introduction to the features available with Azure Active Directory Business to Business (B2B) Collaboration – currently in Public Preview.  I’ll cover how to add someone outside your organisation to your Azure AD instance, as well  as how to assign administrative privilege over the Azure subscription to the external partner through RBAC delegation.

Let’s kick things off by adding the external partner via the new Azure Portal. In this example the external partner is named Badger Lafarge and has an Gmail account.  My Azure tenant is named Fish Eagle.

Once logged into the Azure Portal, select Azure Active Directory from the left hand menu.

B2B

Select Users and Groups from the presented options.

B2B_2

Select All Users

B2B_3

The full list of existing users will appear.  Select the Add option.

B2B_4

Complete all the required information for the users and any additional profile and group in formation. Note that you have the ability to enter the text that will be sent into the body of the invitation email sent to the user.

B2B_6

You will see that in this example I have chosen to add the user to a group named MSDN Subscription Admins. This group has been delegated the Owner role to the Fish Eagle MSDN subscription.  I’ll show where this is configured later in the article.

B2B_5

After completing the setup, select Create.  At this point an invitation will be sent to the user, as shown in the example (Gmail) below.

B2B_7

The user then clicks on Get Started.  At this point Azure will determine whether an account (either in a different Azure AD or a Microsoft Account) already exists for the user based on the email address.  In my example, the user Badger Lafarge does not have any account, so one needs to be setup.  This is the normal Microsoft Account process and as such I don’t need to show it here.

B2B_8

Note that the welcome message indicates the invitation relates to access to myapps.microsoft.com.  While assigning access to apps within an Azure tenant to partners is probably the most common scenario, it is not the use case here and can be ignored.

After completing the account setup, the external partner (Badger Lafarge) is presented with the MyApps portal.  This shows the B2B setup workflow has completed successfully.  You can then see the partner account present in Azure AD.  Note the globe icon that indicates the external status.

B2B_9

Now that Badger Lafarge has been set up correctly, he can log into the Azure Portal using the credentials he configured as part of the Microsoft Account creation.  You can see from the following screenshot that once logged into the Azure Portal the external account (Badger) has access to the resources available in my tenant within my MSDN subscription (Fish Eagle).

B2B_10

With the Owner role assigned to my MSDN subscription, Badger can now do pretty much anything he wants to with my Azure resources.  He can stop and start machines, delete storage accounts, create new resource groups, generally do a lot of damage and spend up large!  This is by way of a warning – with great power comes great responsibility – be careful how you assign permissions and use the principle of ‘least privilege’ as you would normally.

In case you missed it earlier, not all external partners you add are automatically assign Owner rights over your subscription.  That would be madness!  Instead, when I created Badger as an external partner in my Azure AD I chose to add him to the MSDN Subscription Admins group.  This is not a built in group.  Instead it is a group I manually created within my Azure AD with the specific purpose of assigning Owner permissions over my subscription using Azure’s RBAC features.  Of course I could have assigned him the Owner role directly (i.e. not using an Azure AD group), but where is the fun in that?  The screenshot below shows where the Owner role assignment is configured within the Azure Portal.

B2B_11

That’s basically it.  Once you have the external partner in your Azure AD you can do other tasks such as assignment to your Apps (exposed via the MyApps portal) and delegation within our Azure AD instance.

What I really like about the B2B feature is how easy it is to set up within the Portal.  Hopefully that is clear from this blog post.

 

The other day one of my customers was testing remote access to a web application via the Web Application Proxy (WAP). Everything seemed to working except some reports. These generated “HTTP Error 400. The request URL is invalid”. Given that the reports worked well inside the corporate network it pointed to an issue with the WAP.

Further investigation revealed that the requested URL for that generated the error was unusually long (approximately 500 characters).

The WAP uses HTTP.sys under the hood. HTTP.sys is a kernel-mode device driver that first drew breath in IIS 6.0 (shipped with the now unsupported Windows Server 2003).

As it turns out HTTP.sys imposes a 260 character limit on URLs. Fortunately, this limit is configurable by modifying the registry, as described in the following KB article:

https://support.microsoft.com/en-us/kb/820129

The steps to increase the limit are:

  1. 1. Create a UrlSegmentMaxLength DWORD value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters and set it to 600 (decimal)
  2. 2. Reboot the WAP server.

This resolved the issue for my customer. I hope it helps you too!

 

Here are two ways to find the GUID (also referred to as the TenantID) associated with your Azure Active Directory (AAD) instance.

1. Embedded in the URL in the Azure Portal

Log into the Azure Portal. Select Active Directory from the left hand pane. Click on the Active Directory instance you are interested in (you may have more than one). Copy and paste the URL into Notepad. It should look something like this:

https://manage.windowsazure.com/fish-eagle.net#Workspaces/ActiveDirectoryExtension/Directory/36bfce4d-e2cf-4066-8063-f27377df4d09/users

The GUID is highlighted above.

2. In the registry of your Azure AD joined Windows 10 workstation

If you have a Windows 10 machine that you have joined to Azure AD then you can find the GUID as a key name in the registry in the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\

TenantID

Hopefully, you found this useful. Let me know what other Azure AD topics you would like to see.

This article explains how to link your O365 tenant to an existing Microsoft Azure subscription, so that you can manage your O365 users from within Azure. Why would you want to do this? Well, perhaps you just want to centralise your administration functions, but it also gives you other benefits, such as the ability to assign Multi-Factor Authentication (MFA) and to control the cloud applications to which the users have access.

Here’s how I did it…

I have an Office 365 Small Business tenant as well as a Microsoft Azure account that I fund through my MSDN subscription’s monthly credit. Until a couple of months ago I managed these as completely separate entities, logging in with separate credentials for each. Then a friend (thanks Kev!) sent me some information on how to link the O365 directory to my existing Azure account. The process is made possible by the fact that all O365 tenant identities are stored in Azure Active Directory (AAD). Here’s a brief overview of the process:

In this example I manage my existing Azure subscription using my Microsoft Account (formerly Windows Live ID) named passport@activedir.org.  My O365 tenant is named Badger Lafarge (badgerlafarge.onmicrosoft.com)

1. Sign in to Microsoft’s Azure Management Portal with your Account Administrator account, e.g. passport@activedir.org

2. Select Active Directory from the left hand menu bar.

3. Choose New from the bottom menu bar.

custom_create

4. Select APP SERVICES->ACTIVE DIRECTORY->DIRECTORY->CUSTOM CREATE

5. Choose Existing Directory from the drop down list

existing_directory

 

existing_directory2

6. When re-directed to the sign-in page, sign-in with your O365 admin account credentials

sign_in_o365

7. Select continue when prompted and then sign back in with your Azure Account Administrator account

confirm

8. You should now see your O365 tenant listed as a new directory (see below)

aad_O365_tenant

 

That’s it! At this point you are ready to manage your O365 accounts via the Azure Portal (or via Powershell of course).

In a follow-up article I will explain how to enable these accounts for multi-factor authentication (MFA).