Update a WVD Application Group Based on a Windows AD Security Group


One unfortunate aspect of working with Windows Virtual Desktop is the inability to assign users to an Application Group based on security group membership. Microsoft has heard this complaint, and an upcoming version of WVD portal management will include App Group access based on group membership. Until that is available, I created a script that should help.


Active Directory Domain Service, Azure Active Directory and Azure Active Directory Domain Service Explained


Microsoft has a couple of options available for identity and authentication services including Active Directory Domain Services, Azure Active Directory, and Azure Active Directory Domain Services.  This can lead to confusion, especially considering three of the options have “Active Directory” in the name.  It also leads to the question “do we still need domain controllers?”  This post reviews these three different options, outlining the functionality and comparing how they work together in Microsoft and Azure.


VM has reported a failure when processing extension ‘joindomain’

The Problem

It has been about two weeks since the Azure Windows Virtual Desktop preview was announced. I have had several people ask about a specific issue when adding Windows Virtual Desktops to a domain during the provisioning process. The error is raised while joining the new hosts to the Active Directory domain, and the message indicates “VM has reported a failure when processing extension ‘joindomain’”.


Azure AD Application Proxy and IIS

I had the pleasure of spending a significant amount of time elbows deep in a Remote Desktop Services deployment this week.  As part of the effort, I published the RDS RDWeb IIS page with the Azure AD Application Proxy so MFA can be leveraged for remote desktop services.


Microsoft 365 E3 and E5 Bundles

For all the technical challenges I’ve run into, nothing is more frustrating than trying to understand Microsoft licensing. I put together an infographic as an attempt to explain Microsoft licensing and the relationship between the O365, EMS and the new Microsoft 365 license bundles. Supporting links are below, as well as a video I put together to explain how each product relates to the others. This is meant to be informational only; please seek assistance from a Microsoft licensing professional before making any purchasing decisions.

Azure AD and Named Locations

I am at the beginning of implementing Azure AD Premium in an environment and got hung up on the simple task of configuring a Named Location for Conditional Access. Now, this was a minor nuisance at best, but I thought I would outline what happened, as the Microsoft documentation is a bit misleading.

As background for those of you unfamiliar, Named Locations is a feature of Azure AD Premium that lets you define known locations in your Azure AD tenant. It is used with Identity Protection and login risk assessments, and it can also be part of a Conditional Access policy; for example, don’t force MFA when a user logs in from a Named Location. More information can be found here:


Microsoft Direct Access and Azure Single Sign On


Once the Azure implementation of Active Directory Federation Services (ADFS) was in place, I ran through the test process. Single Sign-on works as expected from inside the network. Going to microsoftonline.com passes my client to the internal ADFS server, where I enter my username and get redirected to the Office 365 landing page. Doing the same from outside the corporate network works similarly, only directing me to the external servers, where I had to enter my domain UPN (username) and password. All well, but then…

The problem was connecting to an Office 365 site from a domain-joined computer connected outside the corporate network via Direct Access (DA). In this scenario I get the prompt for username and password. This is not ideal; the end user’s expectation is to have the same experience through DA as in the office.

Accessing Office 365


Over the next few weeks I will undergo a move of critical organization services to Office 365. Most of the subsequent posts will be related to activities required to prepare the existing environment for O365. This post will focus on the three options for allowing users to access O365.

In order for users to access O365, they need to authenticate. Office 365 authentication takes place with the help of Azure Active Directory. There are three options for authenticating to O365: