Issue when configuring Entra Cloud Sync

Just reporting a quick issue I found when configuring Entra Cloud Sync. The user who was trying to configure the agent had Global Administrator assigned through PIM for Groups, meaning he was an eligible member of a group, and that group was an active Global Administrator.

This will cause an error message:

Please provide the Azure AD credentials of a global administrator or a hybrid administrator

To fix this, add yourself as a Global Administrator by some other means than eligibility for a group, such as a direct assignment!

Populating a SQL database directly from Entra ID using ECMA Connector Host

I am often asked to come up with solutions for populating different types of applications with user data. One fairly common requirement is for Entra ID users to be populated into a database of some sort, and while we could very easily PowerShell our way through that, reading from Microsoft Graph and sending SQL queries, we want an out-of-the-box solution. This exists, and it is called ECMA Connector Host.

And what does ECMA stand for? ECMA stands for Extensible Connectivity Management Agent and stems from the world of Microsoft Identity Manager (MIM). Using the Connector Host, Entra ID has a feature to actually run MIM connectors, without requiring the full MIM installation.

Let’s dive into configuring this!


Testing out the Entra ID inbound provisioning API

With the public preview of the new API-driven inbound provisioning for Entra ID (previously known as Azure Active Directory), Microsoft is enabling new methods for integrating HR systems or other sources of record for employees or users. These APIs can be used by HR vendors to integrate their HR systems directly with Entra ID, or by system integrators reading data from services like ERP systems and writing it to Entra ID. There has of course always been the option of creating users through Microsoft Graph, but that does not support on-premises Active Directory.

Just as with how the Workday and SuccessFactors integrations have worked up until now, hybrid configurations with plain old Active Directory are also supported through a provisioning agent, which we will configure in this blog post.


Testing out Azure AD protected actions for securing conditional access policy management

Azure AD protected actions, currently in public preview, is a feature where certain actions (currently a very limited set revolving around conditional access) can require a specific authentication context before being allowed. Let’s have a look at what we can use this for. We are going to try out creating a policy to ensure that only users signed in with a phishing-resistant form of authentication can actually manage conditional access policies and named locations. The feature can also be used to, say, require the user to be in a trusted location to manage conditional access, or to require a compliant device.


Signing into Azure joined virtual machine from any device

Up until recently, Azure AD login to virtual machines was severely limited, because your device had to be joined to the same Azure AD as the virtual machine. For many this was fine, but with external consultants it soon becomes cumbersome.

However, this is no longer the case, and you can actually sign in with any user in the same tenant as the virtual machine (no B2B currently). Let me show you how!


A look under the hood of Azure AD cross-tenant synchronization

Azure AD cross-tenant synchronization is a feature currently in preview that allows a tenant to synchronize its users as guests into other tenants, maintaining their attributes and eventually deleting the guests when they are no longer needed (such as when an employee leaves the company). In this blog post we will take a look under the hood of the feature, trying to understand how it really works.


How I work effectively with multiple Azure AD tenants and user accounts

Many people have to work with several Azure AD and Microsoft 365 tenants, several user accounts in the same tenant, or a combination of both. I often see people working in a single browser, or using incognito mode, signing in and out all the time.

I work with several customers, several lab and demo environments, and several different users, often in the same tenant, and I work super effectively. How? Let me show you!
