This blog has been pretty quiet for several months. I’ve been very busy. I’ve had a considerable workload, and the technologies and timelines I’ve been dealing with have not provided me ample time to sit down and reflect or post. I’ve also been unable to quickly and easily articulate some of the troubleshooting without providing background, hence no layer-8 issue posts either.
So what have I been doing? I’ve had a bunch of projects – some of my classic fare: FIM 2010 deployment; MIM 2016 POC; basic O365/AAD integration – and also the real reason I’ve been so busy – deploying Azure AD Premium with a large multi-national. Or more specifically, enabling AAD-P through the design and deployment of the core hybrid identity infrastructure. What’s that? A new (20-node) federation service infrastructure (AD FS 2012 R2, SQL Server [yuck, we shouldn’t have used SQL, so I’ll finally get round to writing my “why WID is so much better than SQL for AD FS” post soon]); an Azure MFA Server (the on-premises bits, eight nodes) farm; replacing my custom FIM solution with Azure AD Connect (not quite done yet, but will inevitably provide a bunch of posts Jan/Feb); and publishing or proxying a whole raft of on-premises apps using Azure AD App Proxy (that’s another four nodes, soon to be six, spread across on-premises, Azure IaaS and AWS). And of course, the real work that required all this infrastructure – deploying SSO SaaS apps, e.g. Box and Workday; integrating MFA into existing apps, e.g. on-premises OWA (via app proxy); and, fundamentally hardest, deploying MFA to ~110,000 Office 365 E3 and E4 users (which obviously includes Outlook 2013/16 click-to-run and Modern Authentication).
I’ve also, begrudgingly (but actually quite interesting if I’m honest), been involved in building a new on-boarding process for AAD-P/SaaS/AD FS/App Proxy apps, including scripting some of the first wave (and thus actually seeing some of the real-world SAML integration layer-8 faults).
All of this has been most rewarding. Financially, in that my utilisation bonus was bigger than normal :), and more importantly in terms of skills, experience and job satisfaction. It has also armed me with a boatload of experience that can and should be posted into the community. So I’m going to try and find some time over the next month or so to start posting about this stuff. If you have any ideas for posts, or questions that I might be able to answer via a post, either post a comment or drop me an email at msresource at outlook dot com.
In terms of what I’m looking to post about, here are the main themes:
- Windows Server 2012 R2 Active Directory Federation Services, a.k.a. AD FS 3.0
- Azure MFA Server, a.k.a. Multi-Factor Authentication Server, a.k.a. PhoneFactor
- Azure AD App Proxy (the cloud-based Web Application Proxy, which is really, really cool by the way)
- Azure AD SaaS apps, i.e. SSO configuration and integration
- Conditional Access Policy (CAP)
- AD FS claims rules (lots of AuthZ, issuance and additional authentication rules)
- Office 2013 and Office 2016 Modern Authentication