Samuel Devasahayam

If you did not get to this, check out the aka.ms/adfs2aad link.

@kevin_chalet @Alex_A_Simons Kevin, could u DM me specifics?

@Alex_A_Simons @MrADFS Any idea, @MrADFS? 😀

@Alex_A_Simons hey. Do you know if there are plans to update Azure AD/Microsoft Account to support returning code_challenge_methods_supported in the server configuration document?

@anders_abel @Alex_A_Simons @azuread @anders_abel , we are looking into it. Will DM you since we may need some additional data.

@Alex_A_Simons @azuread @MrADFS We finally found the reason. A line break in an attribute value causes AAD to create an incorrect signature. Our guess is it happens when using AD sync. See github.com/Sustainsys/Sam… for analysis if you want to follow up on it.

I have SAML2 compatibility issue with @azuread. I've tested two different XML Signature validation tools and it looks like AzureAD might sometimes create incorrect signatures. Do I know someone with contacts in the AAD team that can help find the right person to look into it?

Hey folks! We just added a set of new features to help customers move their apps/authentication off ADFS (3P IDP) over to Azure AD & secure them better with Conditional Access! Check it out!

@Luis_P_743 @jsnover Hey Luis, did this get resolved? If not could u clarify the scenario. It seems like an automated device provisioning scenario.

@jsnover Have you heard any progress on using PS to AAD join/enroll a device? PPKG expirations are a pain and not everyone wants to use AP.

@DrAzureAD @zatennisfan @Secureworks Thanks for the detailed post! As mentioned, this requires GA (which you should be protecting at all costs) and treat your ADDS/ADFS physical infrastructure as is normally recommended for Tier0 infra.

@zatennisfan @Secureworks This doesn't actually need AD FS infrastructure at all. Global Admins can register fake agents to any tenant with Azure AD P1 or P2 subscription and use them to spoof sign-ins log. #registering-fake-agents-with-aadinternals-v0-5-0-and-later" target="_blank" rel="nofollow noopener">o365blog.com/post/hybridhea…

Ever thought can you trust #AzureAD sign-ins logs? Check out the latest @Secureworks Threat Analysis to find out! New #AADInternals tools and write-up at o365blog.com will be released during the weekend - stay tuned! secureworks.com/research/azure…

Heads up, #ActiveDirectory #sysadmin's. This free utility evaluates your AD against 59 different IoEs, orders them by severity, and maps them to the MITRE ATT&CK framework. @MrADFS

@IwisVC Which log is this? ADFS logs? If so, I need to check with my engineering team. Let me know if you still need help.

@MrADFS I'm looking for help. for one of our customers we've had to go through the unified audit log and found in the properties UserAuthenticationMethod=16. Through docs we think it is "Secure PIN Reset". What is it exactly?MFA deleted? PIN of WHfB PIN reset locally?

@jayvdz Yes, it is still supported.

@MrADFS hey Samuel, are Custom Attribute Stores still supported on #ADFS 2019? There's no documentation for them beyond this old article (docs.microsoft.com/en-gb/archive/…). My customer has an issue uplifting a 2016 CAS for 2019, just want to check before I warm up the lab to investigate.

Howdy folks, we have released Microsoft Defender support to monitor and detect intrusions on #ADFS servers. We recommend close monitoring of your ADFS servers just like you would do for domain controllers. techcommunity.microsoft.com/t5/microsoft-s…

We continue to make it simpler for you to manage authentication for your users with Azure AD! Also get to password-less as quickly as you can!

@andiekaran @Alex_A_Simons @Steve_C_Brown Andrea, let me know what the issue is.

@Alex_A_Simons @Steve_C_Brown @MrADFS Yes please hehe 😁

Not sure if you are the correct POC @Alex_A_Simons, but do you have any insight into when passwordless #Authentication will work with federated accounts? #federated-accounts" target="_blank" rel="nofollow noopener">docs.microsoft.com/en-us/azure/ac… #ADFS #SurfaceHub2 #Microsoft365 #MicrosoftAuthenticator

@Steve_C_Brown @Alex_A_Simons @andiekaran Steve, pwdless (FIDO, authenticator, WHFB) already work for federated accounts for AAD apps. Can you clarify?

@Alex_A_Simons @andiekaran @MrADFS Thanks! @MrADFS - any insight? :)

After the craziness of the last 7 days politically in the US (including debates) all I can say is #RegisterToVote #Vote #VoteEarly!!! Make your voice heard & count(ed)!

@miketheitguy Hey Mike, do work with your GTP contact to file this as a blocker with some clarity on use cases (e.g. air gapped vs on-prem only app)

@miketheitguy Hi Mike, we are still completing FIDO in AAD. Currently we have no plans to bring FIDO natively to on-premises. Things could always change!

@tonyszko @DebugPrivilege @miketheitguy @gvnshtn MFA on ADFS is usually used when using third party MFA providers integrated with ADFS or if the customer is using smart cards for MFA. We'll add more in Azure AD to natively support this in the future.

@DebugPrivilege @miketheitguy @gvnshtn Additional considerations are - where things like MFA are done (on the AD FS or in Azure AD etc.) - some customers do MFA on-premises instead on #AzureAD side.

@msimonsen Shoot!

@MrADFS Need some help with Azure AD DS. Can we get in touch?

@AlexFilipin @markwahl @azuread @markmorow @citrix Yup. Should work. Front end auth to Citrix via AAD B2B, token contains the UPN that has been provisioned in Citrix server AD environment. FAS acts like an impersonation service that provisions a short lived certificate to the client that is used to RDP.

Has anyone combined the AAD Citrix FAS integration with B2B user-writeback to on-prem AD ? Should work or ? 🤔 @markwahl @azuread @markmorow e.g. to publish a desktop for a B2B user @citrix

@MrAzureAD @nicolonsky Tobias we have no immediate plans for per app configuration. Do raise this via Florian. Also device CA at AAD does work.

@nicolonsky Device Code flow is a problem on its own when using ADFS and a 3rd party MDM as everything on ADFS is evaded. This is the perfect way for data leakage. My opinion is that device code flow should be an optional configuration per app and off by default. Any news here @MrADFS ?

Why device code flow doesn't always get along with Conditional Access policies: tech.nicolonsky.ch/device-code-au…