How Microsoft Improved Its Identity Products & Services - August 2022
Microsoft’s identity portfolio is huge and includes products and services like Active Directory, AD...
Brace yourselves! In the coming months, Microsoft is planning another round of Windows Server updates, which means admins must prepare now for the major changes impacting Active Directory and Entra ID.
As a feature of Windows Server, Active Directory sees a new major release roughly every three years. Microsoft Entra ID (formerly known as Azure AD), on the other hand, sees several new releases per day. The yawning gap between these two release cycles poses many challenges to identity admins. However, things have gotten considerably harder over the past few years, with Microsoft raising the bottom line on information security in Active Directory, something I referred to as the Kerberos Kerfuffle. And guess what: another wave of changes is coming our way.
Now, while we could brace ourselves and simply exclaim, ‘Winter is coming!’, we can also be proactive, prepare fully and get ahead of these changes. We can be diligent and determine the scope of the work and the changes that will need to be made within our Active Directory domains and within our Entra ID tenants. We can do this without delaying critical Windows updates, and without having to apologize to end users about their changing cloud experiences. We can get in front of this, before people start breathing down our necks when the entire Identity and Access Management (IAM) solution comes crashing down…
*Note: The dates below have been publicly announced but may change. When these dates change, they are typically delayed, providing admins more time to prepare!
In the coming months, Microsoft plans to make the following staggered changes to Active Directory through the monthly cumulative Windows updates for all supported Windows Server versions:
On October 10th, 2023, the information security measures that address weaknesses in the Netlogon protocol when RPC signing is used instead of RPC sealing (CVE-2022-38023) become fully enforced. KB5021130 describes these changes.
Microsoft initially applied these measures in compatibility mode on November 8th, 2022, and is applying them without a rollback option on July 11th, 2023. Effectively, the changes are enforced unless admins refrain from installing the July 11, 2023 cumulative update and any later cumulative updates.
On October 10th, 2023, the information security measures that address the Kerberos security bypass and elevation of privilege vulnerability (CVE-2022-37967) involving alteration of Privilege Attribute Certificate (PAC) signatures become fully enforced. KB5020805 describes these measures.
Microsoft initially applied these measures on November 8th, 2022, and is applying them again on July 11th, 2023. In both cases, admins can still roll back using the KrbtgtFullPacSignature registry key. However, with the October 10, 2023 cumulative updates, these measures are applied automatically and there is no way to roll back. Effectively, the changes are enforced unless admins refrain from installing the October 10, 2023 cumulative update and any later cumulative updates.
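Before the enforcement dates above, an admin wants to know where every domain controller stands. The following PowerShell script is an added example (not code from the post or from ENow): it reads the KrbtgtFullPacSignature value named above (KB5020805) and the RequireSeal value that KB5021130 uses for the Netlogon RPC sealing change on every DC, and counts the Netlogon audit events (5838 to 5841) that reveal clients still using RPC signing. It assumes the ActiveDirectory module, WinRM access to each DC and a domain admin session; the exact meaning of non-zero KrbtgtFullPacSignature values is left to KB5020805.

```powershell
# Added example, not from the post: inventory enforcement-related settings on all DCs.
# Assumes: ActiveDirectory module, WinRM to every DC, run as a domain admin.
#Requires -Modules ActiveDirectory

$checks = @(
    @{ Name = 'RequireSeal'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Note = '0 = disabled, 1 = compatibility mode, 2 = enforcement (KB5021130)' },
    @{ Name = 'KrbtgtFullPacSignature'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
       Note = '0 = new PAC signatures disabled; other values: see KB5020805' }
)

$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ArgumentList (,$checks) -ScriptBlock {
    param($checks)
    foreach ($c in $checks) {
        # A missing value means the OS default for the installed update level applies.
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $display = if ($null -eq $v) { 'not set (OS default)' } else { $v }
        [pscustomobject]@{
            DC      = $env:COMPUTERNAME
            Setting = $c.Name
            Value   = $display
            Meaning = $c.Note
        }
    }
    # Netlogon audit events 5838-5841 (KB5021130) logged in the last 7 days: any hit is a
    # client, trust or secure channel still negotiating RPC signing instead of sealing.
    $since  = (Get-Date).AddDays(-7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'
        Id = 5838, 5839, 5840, 5841; StartTime = $since
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC      = $env:COMPUTERNAME
        Setting = 'Netlogon RPC-signing audit events (7d)'
        Value   = @($events).Count
        Meaning = 'non-zero = something will break once sealing is enforced'
    }
}

$report | Sort-Object DC, Setting | Format-Table DC, Setting, Value, Meaning -AutoSize
```

Run it again after each of the dated updates; a DC whose values are reported as "not set" is simply following whatever default the installed cumulative update imposes.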
In the coming months, Microsoft plans to make the following changes to Entra ID:
Admins who manage Entra ID (formerly known as Azure AD) in the Azure portal will be redirected to the Entra portal to manage all aspects of the service.
Microsoft is currently rolling out a change to the registration campaign feature (also known as the ‘Nudge’ feature). People in the organization will only be able to skip the multi-factor authentication registration process 3 times. As people can currently skip this one-time registration indefinitely, this change is poised to produce some service desk incidents.
When an Entra External ID guest user is prompted to sign into a resource Entra ID tenant, the background and logo branding reflect those of the resource tenant. As soon as the guest enters their sign-in name (typically the userPrincipalName, UPN), the logo changes to that of the home tenant, but the background branding remains the same.
Microsoft is working on changing this branding experience for cross-tenant collaboration authentication requests. In the new experience, when a guest user is prompted to sign in, after entering the UPN, they’ll be redirected to their home tenant sign-in page, and the branding experience will reflect that of the home tenant instead of the resource tenant. After successfully signing in, the user will be signed into the app in the resource tenant.
The Terms of Use (ToU) feature is being modernized. When rolled out, it redirects from the legacy Profile page to the My Account portal and features a PDF viewer to review previously accepted terms of use. Many organizations have documented procedures for these steps, and those procedures need to be updated to reflect this change.
Beginning October 2023, Microsoft is improving end-user experiences in the following ways:
As with all ‘improvements’ made by Microsoft, in some environments these will leave end users uncertain whether they are still doing the right thing. Documented procedures, of course, will need to be updated to reflect these changes as well.
Also starting in October 2023, the legacy PhoneFactor portal will be modernized to better align with the Microsoft Entra admin center look and feel. I think most organizations have already adopted the Security Defaults and Conditional Access to prompt for multi-factor authentication in a more granular fashion, but some organizations still rely on the Per-User MFA options provided in the legacy PhoneFactor portal. If so, it would feel a lot less like it’s 2012 for admins in these organizations.
When looking beyond the third and fourth quarter of 2023, more changes are coming. The processes you adopt today can help you face future changes in Active Directory and Entra ID. If you're concerned about Domain Controllers being affected by changes in Windows updates, ENow’s Active Directory Monitoring Tool provides near real-time information on the health of your Domain Controllers. This way, updates that impact Active Directory and break sign-in or Active Directory-integrated functionality are identified fast and rolled back judiciously.
Always be prepared.
Having a robust Active Directory monitoring tool in place that provides a single dashboard for monitoring all critical components of Active Directory not only reduces the workload on central administrators – it’s crucial to the health and security of your network. ENow’s OneLook dashboard displays all vital components of Microsoft Active Directory, enabling admins to quickly identify issues before they become outages.
Additionally, with ENow's AD monitoring tool, synthetic transactions actively probe for faults and failures across all critical AD components: domain controllers, replication, DNS, and more. Admins can protect Active Directory, improve security awareness and compliance through visibility into data that empowers admins to remove user accounts that have inappropriate access from privileged groups (Schema Admins, Domain Administrators), and see exactly what users are doing across your environment. And with robust reporting capabilities, you’re able to better understand and optimize your Active Directory with real-time data and historical trends, allowing admins to accurately forecast necessary resources to meet growing demands and determine if SLAs are being met.
Contact ENow today for more information around monitoring, managing, and securing Active Directory - the foundation of your network.
Sander's qualities extend beyond the typical triple-A stories in the area of Identity and Access Management. Of course, authentication, authorization and auditing are necessities, but my out-of-the-box solutions get the most out of software, hardware and the cloud. Rapid technological advancements have resulted in cutting-edge solutions around Active Directory, Azure Active Directory and Identity Management. Keeping up with these is just a small challenge, compared to my true goal: helping people use the technology on a daily basis, in a way that ICT is not a mere hurdle, but an infinite enabler. His roles as consultant, blogger and trainer are all means to achieve this goal. His multiple Microsoft Most Valuable Professional (MVP) status, Veeam Vanguard status and extensive certification aid him. Through direct communications with the product teams in Redmond, he remains up to date, exchanges feedback and accelerates support. Sander is also a Virtual Product Owner for AppGov and ENow.