Azure AD

Azure AD – Password Hash Synchronization – Non-Expiring Password Service Accounts

by

Recently I worked on implementing password hash synchronization with Azure AD Connect sync in one of the tenants I manage. This interested me on so many levels but especially the lengths that Microsoft has gone to protect this hash sync process fascinated me.

To synchronize a password, Azure AD Connect sync extracts password’s hash from on-premises AD. Extra security processing (meaning, When a user attempts to sign in to Azure AD and enters their password, the password is run through MD4+salt+PBKDF2+HMAC-SHA256 process) is applied to the password hash before it is synchronized to the Azure AD authentication service. Passwords are synchronized on a per-user basis and in chronological order.

When password hash synchronization is enabled, by default the cloud account password is set to ‘Never Expire’. This is a bit scary because if left in default state, users can still login to applications with their password that is expired in on-premise AD. Also meaning that the on-premise AD password expiration policy is not in sync with Azure AD. Users can be forced to comply with your Azure AD password expiration policy by enabling the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature.

When EnforceCloudPasswordPolicyForPasswordSyncedUsers is disabled (which is the default setting), Azure AD Connect sets the PasswordPolicies attribute of synchronized users to “DisablePasswordExpiration”

Get-MsolDirSyncFeatures

To enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature, run the following command using the MSOnline PS module

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $True

Once enabled, Azure AD does not go to each synchronized user to remove the “DisablePasswordExpiration” value from the ’PasswordPolicies’ attribute. But waits till the user’s next password change to the “DisablePasswordExpiration” from the ‘PasswordPolicies’ which is when the next password sync happens.

For this reason it is recommended to enable EnforceCloudPasswordPolicyForPasswordSyncedUsers prior to enabling password hash sync, this way the initial sync of password hashes does not add the “DisablePasswordExpiration” value to the ‘PasswordPolicies’ attribute for the users. But if you miss enabling this it is not the end of the world.

Use the below cmdlet to determine a user’s Azure AD password policy, 

$user = Read-host "Enter user's UPN:"
Get-AzureADUser -objectID $user | Select DisplayName, passwordpolicies

The issue we need to address are the service accounts that live in on-premise AD with non-expiring password and their identity is synced to Azure AD so these accounts can be used in various applications. So, if you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers feature and then enable password hash sync, your service accounts with non-expiring password will not have any password policy attached to it in Azure AD. These accounts will need the “DisablePasswordExpiration” policy set to them explicitly.

You can set this policy for all the non-expiring password account using the below script,

$ou1 = Get-ADUser -SearchBase 'OU=Users,OU=OU1,DC=domain,DC=com' -Filter ( passwordNeverExpires -eq $true -and enabled -eq $true } | Select userPrincipalName
$ou2 = Get-ADUser -SearchBase 'OU=Users,OU=OU2,DC=domain,DC=com' -Filter ( passwordNeverExpires -eq $true -and enabled -eq $true } | Select userPrincipalName #if you are syncing only certain OUs, this helps

$AllOu = $ou1 + $ou2

foreach ($account in $AllOU) {

            $t = (Get-AzureADUser -ObjectID $account.userPrincipalName).passwordpolicies
            if ($t -ne "DisablePasswordExpiration") {
               Set-AzureADUser -ObjectID $account.userPrincipalName -PasswordPolicies "DisablePasswordExpiration"                
    }
}

The Azure AD password policy for these account is empty when it is created in on-premise AD and the administrator creating the account can set the “DisablePasswordExpiration” policy on a per-account basis by running this below, 

$user = Read-host "Enter the user's UPN"
Set-AzureADUser -ObjectID $user -PasswordPolicies "DisablePasswordExpiration"

Another caveat here is, when these account’s password is changed on-premises for whatever reason the ‘PasswordPolicies’ value switched to ‘None’

This can happen when,

  • You allow helpdesk resets service account passwords
  • You allow service account owners reset account password
  • Application admins who use these service accounts quit or change job positions and the password needs to be changed
  • Administrator creating the service account on-premise forgot to set the password policy by running the Set-AzureADUser

When the ‘PasswordPolicies’ value gets set to ‘None’ as I mentioned earlier, the account sign-ins to Azure AD will fail with error code ‘50055 — InvalidPasswordExpiredPassword — The password is expired’.

To avoid this, you can create a scheduled task on an on-premise server which run the PS script from above maybe once a week. An issue here will be for these script to run the Connect-AzureAD cmdlet needs to be run. There are probably a thousand different ways to accomplish this but for the sake of simplicity, you can consider these two options,

  • Store your credentials in plan text in the script
  • Create an encrypted, secure string password file and use it in the script

Store credentials in plain text

This is not recommended practice and never be used but there might be scenarios where you may have to use it for some quick tests. In such a scenario, you can just do something like this,

$user = "adminaccount@domain.com"
$pwd = "MySeCur3P@$$w0rd"
$secpwd = ConvertTo-SecureString $pwd -AsPlainText -Force 
$cred = New-Object System.Management.Automation.PSCredential ($user, $secpwd)
Connect-AzureAD -Credential $cred | Out-Null

All this being said, don’t use this method and if you do, please remember to delete the script after testing.

Use secure string password file

This method is far better to securely store password for automation scripts. The idea is, you create password file which has the password stored encrypted. It goes without saying that it is not a good idea to save this file as password.txt.

To create password file,

(Get-Credential).Password | ConvertFrom-SecureString | Out-File "C:\temp\sec.txt"

To silently connect to Azure AD using stored credentials,

$User = "adminaccount@domain.com"
$File = "C:\temp\sec.txt"
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, (Get-Content $File | ConvertTo-SecureString)
Connect-AzureAD -credential $credential | Out-Null

Keep in mind that you can only use this file on the computer or server where you created it. This happens because of how Windows Data Protection API encrypts the information from current computer or user account. If you try the file on a different computer you’ll get a ‘Key not valid..’ error. I think this is great and adds another layer of security.

Also, this won’t the password being decrypted or from reusing the encrypted password if it falls into wrong hands. The basic idea here is not to store password in plaintext. This method is not foolproof but good enough.

If you need a secure password file that needs to be used in multiple scripts and on different machines, AES encryption algorithm can be used and covering that will take this post way off the Azure AD non-expiring password accounts topic..too late for that..I know. 😁

Hope this helped you setup your environment before those password expired in Azure AD.

Thank you for stopping by..✌

Azure AD – Manage stale devices

by

A device that has been registered with Azure AD but has not been used to access any cloud apps for a specific timeframe is stale device. In a perfect world, Azure AD registered devices should be unregistered when they aren’t needed anymore..well..duh!

In the environments I manage, most of the times devices are lost, broken, forgotten in trains and taxis or have their OS reinstalled. These numbers grow fairly quickly if a process is not put in place. I had to live and learn this.

Beyond interfering with the device’s general lifecycle, these stale devices can make it hard for identifying the devices associated with the user. Plus it’s ideal to have a clean state of devices to meet various compliance requirements.

Define a policy

Similar to having policies for on-premise AD objects, it is better to define a policy of Azure AD objects.

  • Define a timeframe – It is better to pick a timeframe that follows your on-premise AD inactive objects
  • Categorize to better understand your stale device management
    • MDM-controlled devices – Retire devices in Intune or other MDM solutions before disabling or deleting it
    • System-managed devices – Don’t delete. These devices are generally devices such as Autopilot. Once deleted, these devices can’t be re-provisioned
    • Hybrid Azure AD joined devices
      • Windows 10 – Disable or delete in on-premises AD, and let Azure AD Connect synchronize the changed device status to Azure AD
      • Windows 7/8 – Disable or delete in on-premises AD, Azure AD Connect can’t be used disable or delete these devices in Azure AD. Instead, these devices must be disabled/deleted in Azure AD.
    • Azure AD joined devices – Disable or delete in Azure AD
    • Azure AD registered devices – Disable or delete in Azure AD

What happens when a device is disabled?

Any authentication where a device is being used to authenticate to Azure AD are denied.

Hybrid Azure AD joined device – Users might be able to use the device to sign-in to their on-premises domain. However, they can’t access Azure AD resources such as Microsoft 365
Azure AD joined device – Users can’t use the device to sign in
Mobile devices – Users can’t access Azure AD resources such as Microsoft 365

How to remove a registration on the client?

Even after a device is disabled or deleted in the Azure portal or by using Windows PowerShell, the local state on the device will say that it’s still registered.

This operation is by design. In this case, the device doesn’t have access to resources in the cloud. Deleting an Azure AD device does not remove registration on the client. It will only prevent access to resources using device as an identity.

To remove Windows 10 device registration – Go to Settings > Accounts > Access Work or School. Select your account and select Disconnect. Device registration is per user profile

For iOS and Android, Open Microsoft Authenticator, Settings > Device Registration and select Unregister device

Detecting stale devices

The ApproximateLastLogonTimestamp or activity timestamp property in Azure AD comes in handy to detect stale devices. If the difference between now and the value of the activity timestamp exceeds the defined timeframe for active devices, a device is considered to be stale. The evaluation of the activity timestamp is triggered by an authentication attempt of a device.

Cleanup stale devices

The Azure AD portal does allow you to remove stale devices but it is better to use PowerShell. Typical steps are as follows,

  1. Connect to Azure AD using Connect-AzureAD cmdlet
  2. Get list of devices using Get-AzureADDevice (Get-AzureADDevice cmdlet excludes system-managed devices by default)
  3. Disable device using Set-AzureADDevice cmdlet (disable by using -AccountEnabled option)
  4. Define and wait for grace period depending on your environment before deleting devices
  5. Remove device using Remove-AzureADDevice cmdlet

The account updating devices in Azure AD will need one of the following roles assigned:

  • Global Administrator
  • Cloud Device Administrator
  • Intune Service Administrator

To get all devices and store the returned data in a CSV file:

Get-AzureADDevice -All:$true | select-object -Property AccountEnabled, DeviceId, DeviceOSType, DeviceOSVersion, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | export-csv stale-devicelist.csv -NoTypeInformation

To get all devices that haven’t logged on in 120 days and return data in a CSV file:

$sd = (Get-Date).AddDays(-120)
Get-AzureADDevice -All:$true | Where {$_.ApproximateLastLogonTimeStamp -le $sd} | select-object -Property AccountEnabled, DeviceId, DeviceOSType, DeviceOSVersion, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | export-csv devicelist-olderthan-120days.csv -NoTypeInformation

Disable devices that haven’t logged on in the past 120 days:

$sd = (Get-Date).AddDays(-120)
Get-AzureADDevice -All:$true | Where {$_.ApproximateLastLogonTimeStamp -le $sd}
foreach ($Device in $Devices) {
Set-AzureADDevice -ObjectId $Device.ObjectId -AccountEnabled $false
}

Delete disabled devices that have been inactive the past 120 days. Remove-AzureADDevice will delete devices without prompting. There is no way to recover deleted devices.

$sd = (Get-Date).AddDays(-120)
$Devices = Get-AzureADDevice -All:$true | Where {($_.ApproximateLastLogonTimeStamp -le $sd) -and ($_.AccountEnabled -eq $false)}
foreach ($Device in $Devices) {
Remove-AzureADDevice -ObjectId $Device.ObjectId
}

Remember that when configured, BitLocker keys for Windows 10 devices are stored on the device object in Azure AD. If you delete a stale device, you also delete the BitLocker keys that are stored on the device. Confirm that your cleanup policy aligns with the actual lifecycle of your device before deleting a stale device.

Thank you for stopping by.✌

Azure – Integrate Azure AD B2C with ServiceNow

by

If you aren’t familiar with Azure AD B2C, it is a customer identity access management (CIAM) solution and is a separate service from Azure Active Directory (Azure AD). It is built on the same technology as Azure AD but for a different purpose. It allows businesses to build customer facing applications, and then allow anyone to sign up into those applications with no restrictions on user account. Azure AD B2C uses standards-based authentication protocols including OpenID Connect, OAuth 2.0, and SAML.

In an earlier post, I detailed steps on how to configure ServiceNow with Azure AD SSO. In this post, I will go through steps on how to integrate Azure AD B2C with ServiceNow.

Below is a diagram show the high level implementation steps on how to do this integration,

OpenID Connect (OIDC) is an identity layer built on top of the OAuth protocol, which provides a modern and intuitive Single Sign-on (SSO) experience. ServiceNow supports OIDC to authenticate users in Azure B2C.

I will not cover the Azure AD B2C tenant creation steps in this post.

Create new user flow

A user flow lets us determine how users interact with our application when they do things like sign-in, sign-up, edit a profile, or reset a password.

  1. Sign in to the Azure portal
  2. Make sure you’re using the directory that contains your Azure AD B2C tenant. Select the Directories + subscriptions icon in the portal toolbar
  3. On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch
  4. In the Azure portal, search for and select Azure AD B2C
  5. Under Policies, select User flows, and then select New user flow
  1. On the Create a user flow page, select the Sign up and sign in user flow
  2. Under version, select Recommended, and then select Create
  1. Enter a Name for the user flow. For example, su_si-1
  2. For Identity providers, select Email signup
  3. Under User attributes and token claims, choose the claims and attributes to collect and send from the user during sign-up. Select Show more, and then choose attributes and claims. Click OK. Below screenshot shows the attributes I’m collecting but it is up to you. These attributes can be modified in the user flow at any time
  1. Click Create to add the user flow. A prefix of B2C_1_ is automatically prefixed to the name

Create App Registration

  1. Stay logged into the Azure portal
  2. Make sure you are in the B2C directory
  3. In the left navigation menu, under Manage, Click App registrations, and then select New registration
  4. Enter a Name for the application. For example, ServiceNow
  5. Under Supported account types, select Accounts in any identity provider or organizational directory (for authenticating users with user flows)
  6. Under Redirect URI, select Web then enter your ServiceNow instance with /navpage.do in the URL text box
  7. Under Permissions, select the Grant admin consent to openid and offline_access permissions check box
  8. Click Register

Create a client secret

The client secret is also known as an application password. The secret will be used by ServiceNow to exchange an authorization code for an access token

  1. In the left menu, under Manage, select Certificates & secrets
  2. Click New client secret
  3. Enter a description for the client secret in the Description box. For example, SnowSecret
  4. Under Expires, select a duration for which the secret is valid, and then select Add
    • Note down the secret’s Value for use in ServiceNow. This value is never displayed again after you leave this page

Information needed to configure ServiceNow instance

  1. Click on the Overview, copy the Application (client) ID
  2. Next Click Endpoints
  3. Copy the value in Azure AD B2C OpenID Connect metadata document
  4. Replace with the User flow name we created earlier e.g. B2C_1_su_si-1. Browse to the URL in a Web browser to confirm you have the right URL
  5. You should have these 3 values,
    • Application (client) ID
    • Client Secret Value
    • OIDC well-known endpoint

Configure ServiceNow Instance

Hopefully, you already have SSO enabled in your ServiceNow instance. If not, please refer to this earlier post of mine

  1. Search for multi-provider sso and click Properties
  2. Enable multiple provider SSO
    • You’ll be asked to setup a recovery account
  1. Under Multi-Provider SSO and click Identity Providers
  2. Click New
  3. Click OpenID Connect
  4. In the Import OpenID Connect Well Known Configuration window, provide following information
    • Name = Name of the IdP you wish. Example, B2C
    • Client ID = Application (client) ID from Azure B2C application
    • Client Secret = Client Secret Value we created earlier in the application
    • Well Known Configuration URL = URL we constructed earlier with the policy name
  5. Click Import
  1. Make sure the new IdP is marked Active and Show as Login option is checked
  1. Click on the OIDC Entity tab and click to open the OIDC Entity
  2. Click on OAuth Entity Scopes, double-click on OAuth scope and replace openid with the below value
    • Use your Application (client) ID from B2C app registration
<Application (client) ID> openid offline_access profile email

This OAuth Scope value is required to generate an access token and without that ServiceNow will error out with a missing parameter. I realized this later on based on my research. I initially left it at openid and searching with the error, lead me to this.

  1. Click Update to save changes
  2. Click on OIDC Provider Configuration
  3. Click on OIDC provider value
  1. Update the User Claim to emails
  1. Click Update
  2. To keep things simple, I’m not enabling the Automatic user provisioning option
    • You can choose to enable automatic user provisioning during user login. When automatic user provisioning is enabled, a user record is automatically created in the ServiceNow instance if that user record does not exist.
  3. Back in the Identity provider window, Click Update to save the OIDC Identity Provider values
  4. Navigate to the login page of the instance to verify that IdP appears as a login option
  1. Create a test user in ServiceNow and login with the credentials to test if the IdP configuration works
  2. Optionally you can browse to the login page with the URL in following format,
    • To determine the sys_id, open the OIDC Identity provider we created, right-click on the grey bar and click Copy sys_id
    • Replace this sys_id in the URL below
    • This URL will take you directly to the sign-in page
https://<yourinstance>/login_with_sso.do?glide_sso_id=<sys_id>

Hope this post helped you in setting up your ServiceNow instance with Azure AD B2C.

Thank you for stopping by. ✌

Azure AD – Create Dynamic Groups

by

In Azure AD you can create dynamic groups based on user or device properties. Users or devices can be automatically added or removed based on the group’s definition, so you don’t have to maintain the list of users in this group manually.

Whenever any property of a user or device changes, all dynamic group rules in your Azure AD tenant are reevaluated to determine if the user or device should still remain in the group. If a user or device satisfies a rule on a group, they are added as a member and If they no longer satisfy the rule, they are removed.

Manually adding or removing users from dynamic groups is not allowed.

Why use Dynamic Groups?

Simply put, dynamic groups have query-based memberships. This helps in maintaining group membership and application access depending on the query defined. For example, A dynamic group can be defined for all Marketing department users based on the value filled in the ‘department’ attribute. The conditions can also be combined. Following the same example above, a dynamic group of all Marketing department users from New York or a dynamic group with a list of users who report to a specific manager and need access to an application.

In a scenario where you are maintaining user access to applications based on the department, location, this comes in handy.

Note: You need Azure AD P1 and above to be able to create dynamic groups.

Dynamic Groups in Azure AD

Azure AD admin center provides a rule builder to create and/or update the dynamic group rules.

In the below steps I’ll create a dynamic group in my tenant with users who are in the Marketing department,

  1. Sign in to the Azure AD admin center portal (https://aad.portal.azure.com/) as global administrator
  2. Select Azure Active Directory –> Click on the Groups tab –> New group
  3. In New Group:
    • Select Security as the group type
    • Enter ‘Marketing Department Users’ as the name and description for the group
    • Change Membership type to Dynamic User
  4. Select Owners and in the Add Owners blade search for any desired owners. Click on the desired owners to add to the selection
  5. Click Select to close the Add Owners blade
  6. Click Add dynamic query in the Dynamic user members
Creating new group
  1. On the Dynamic membership rules blade:
    • In the Property field, click on the existing value and select department
    • The Operator field as Equals
    • Select the Value field and type ‘Marketing Department Users’
membership rules

Azure AD now provides an option to validate dynamic group rules. On the Validate rules tab, you can validate your dynamic rule against sample group members to confirm the rule is working as expected. This feature is now in public preview.

validate rules

The rule builder supports the construction of up to 5 expressions. You also need to use the text editor for setting operator precedence, and for writing more complex rules. The rule builder can’t be used to reproduce every rule.

‘Add Expression’ disabled after 5 expressions defined

If the rule builder doesn’t support the rule you want to create, the text box can be used. And below are some of the scenarios to use the text box,

  • Rule with more than 5 expressions
  • Direct reports rule
    • For the rule to work, make sure the Manager property is set correctly for users. If you are syncing from your on-premise AD, make sure the Manager attribute is filled
    • When the manager’s direct reports change in the future, the group’s membership is adjusted automatically
    • This rule can’t be combined with any other membership rules
  • Setting operator precedence
    • All operators are listed below in order of precedence from highest to lowest. Operators on same line are of equal precedence:
      1. -eq -ne -startsWith -notStartsWith -contains -notContains -match –notMatch -in -notIn
      2. -not
      3. -and
      4. -or
      5. -any -all
  • Rules with complex expressions
    • Property consists of a collection of values; specifically, multi-valued properties
      • assignedPlans
      • proxyAddresses
    • Expressions use the -any and -all operators
      • -any (At least one item in the collection matches the condition)
      • -all (All items in the collection match the condition)
    • Value of the expression can itself be one or more expressions

Constructing a membership rule

Three parts of a simple rule are Property, Operator and Value

Supported properties

Three types of properties that can be used to construct a rule are Boolean, String and String collection.

The following are the user properties that can be used to create a single expression.

Boolean

PropertiesAllowed valuesUsage
accountEnabledtrue falseuser.accountEnabled -eq true
dirSyncEnabledtrue falseuser.dirSyncEnabled -eq true

String

PropertiesAllowed valuesUsage
cityAny string value or null(user.city -eq “value”)
countryAny string value or null(user.country -eq “value”)
companyNameAny string value or null(user.companyName -eq “value”)
departmentAny string value or null(user.department -eq “value”)
displayNameAny string value(user.displayName -eq “value”)
employeeIdAny string value(user.employeeId -eq “value”)
(user.employeeId -ne null)
facsimileTelephoneNumberAny string value or null(user.facsimileTelephoneNumber -eq “value”)
givenNameAny string value or null(user.givenName -eq “value”)
jobTitleAny string value or null(user.jobTitle -eq “value”)
mailAny string value or null (SMTP address of the user)(user.mail -eq “value”)
mailNickNameAny string value (mail alias of the user)(user.mailNickName -eq “value”)
mobileAny string value or null(user.mobile -eq “value”)
objectIdGUID of the user object(user.objectId -eq “11111111-eeee-1111-aaaa-111111111111”)
onPremisesSecurityIdentifierOn-premises security identifier (SID) for users
who were synchronized from on-premises to the cloud.		(user.onPremisesSecurityIdentifier -eq “S-1-1-11-1111111111-1111111111-1111111111-1111111”)
passwordPoliciesNone DisableStrongPassword DisablePasswordExpiration DisablePasswordExpiration, DisableStrongPassword(user.passwordPolicies -eq “DisableStrongPassword”)
physicalDeliveryOfficeNameAny string value or null(user.physicalDeliveryOfficeName -eq “value”)
postalCodeAny string value or null(user.postalCode -eq “value”)
preferredLanguageISO 639-1 code(user.preferredLanguage -eq “en-US”)
sipProxyAddressAny string value or null(user.sipProxyAddress -eq “value”)
stateAny string value or null(user.state -eq “value”)
streetAddressAny string value or null(user.streetAddress -eq “value”)
surnameAny string value or null(user.surname -eq “value”)
telephoneNumberAny string value or null(user.telephoneNumber -eq “value”)
usageLocationTwo lettered country/region code(user.usageLocation -eq “US”)
userPrincipalNameAny string value(user.userPrincipalName -eq “alias@domain”)
userTypemember guest null(user.userType -eq “Member”)

String Collection

PropertiesAllowed valuesUsage
otherMailsAny string value(user.otherMails -contains “alias@domain”)
proxyAddressesSMTP: alias@domain smtp: alias@domain(user.proxyAddresses -contains “SMTP: alias@domain”)

Supported expression operators

Operators can be used with or without the hyphen (-) prefix. Contains operator does partial string matches but not item in a collection matches. Following are the supported operators and their syntax for a single expression,

SyntaxOperator
-neNot Equals
-eqEquals
-notStartsWithNot Starts With
-startsWithStarts With
-notContainsNot Contains
-containsContains
-notMatchNot Match
-matchMatch
-inIn
-notInNot In

Supported values

Values used in an expression can consist of several types, including:

  • Strings
  • Boolean = true or false
  • Numbers
  • Arrays = number array, string array

To specify a null value in a rule, you can use the null value. The -not operator can’t be used as a comparative operator for null.

Common rules in a typical environment

Below, I will go over some of the rules that are typically used in production environments

“Direct reports” rule

This rule supports only the manager’s direct reports. A group consisting of manager’s direct reports and their reports can’t be created.

Use below syntax. Object ID can be found in the user’s(in this case, the user who is the manager) profile in Azure AD.

Direct Reports for "{objectID_of_manager}"
Direct reports rule

“All users” rule

Include only members of your organization and exclude guest users.

(user.objectId -ne null) -and (user.userType -eq "Member")
all users

Device Rules

A rule to select devices objects can also be created for membership in a group. Both users and devices as group members is not allowed.

Below are the device attributes,

Device attributeValuesExample(s)
accountEnabledtrue false(device.accountEnabled -eq true)
displayNameany string value(device.displayName -eq “Bob iPhone”)
(device.deviceOSType -eq “iPad”) -or (device.deviceOSType -eq “iPhone”)
(device.deviceOSType -contains “AndroidEnterprise”)
(device.deviceOSType -eq “AndroidForWork”)
(device.deviceOSType -eq “Windows”)
deviceOSVersionany string value(device.deviceOSVersion -eq “9.1”)
(device.deviceOSVersion -startsWith “10.0.1”)
deviceCategorya valid device category name(device.deviceCategory -eq “BYOD”)
deviceManufacturerany string value(device.deviceManufacturer -eq “Samsung”)
deviceModelany string value(device.deviceModel -eq “iPad Air”)
deviceOwnershipPersonal, Company, Unknown(device.deviceOwnership -eq “Company”)
enrollmentProfileNameApple Device Enrollment Profile name, Android Enterprise Corporate-owned dedicated device Enrollment Profile name, or Windows Autopilot profile name(device.enrollmentProfileName -eq “DEP iPhones”)
isRootedtrue false(device.isRooted -eq true)
managementTypeMDM (for mobile devices)(device.managementType -eq “MDM”)
deviceIda valid Azure AD device ID(device.deviceId -eq “d4fe7726-5966-431c-b3b8-cddc8fdb717d”)
objectIda valid Azure AD object ID(device.objectId -eq “76ad43c9-32c5-45e8-a272-7b58b58f596d”)
devicePhysicalIdsany string value used by Autopilot, such as all Autopilot devices, OrderID, or PurchaseOrderID(device.devicePhysicalIDs -any _ -contains “[ZTDId]”) (device.devicePhysicalIds -any _ -eq “[OrderID]:179887111881”) (device.devicePhysicalIds -any _ -eq “[PurchaseOrderId]:76222342342”)
systemLabelsany string matching the Intune device property for tagging Modern Workplace devices(device.systemLabels -contains “M365Managed”)

Update an existing rule

  1. Sign in to the Azure AD admin center portal (https://aad.portal.azure.com/) as global administrator
  2. Select Azure Active Directory –> Click on the Groups tab –> All groups
  3. Select a group to open it
  4. On the profile page for the group, select Dynamic membership rules
update an existing rule
  1. After updating the rule, select Save

Dynamic Groups with PowerShell

To create dynamic groups

Use the New-AzureADMSGroup cmdlet,

New-AzureADMSGroup -DisplayName "Sales Department Users" -Description "Sales Department Users" -MailEnabled $false -MailNickname "SalesDepartmentUsers" -SecurityEnabled $true -GroupTypes "DynamicMembership" -MembershipRule "(User.department -eq ""Sales"")" -MembershipRuleProcessingState "On"
PowerShell: New-AzureADMSGroup

To update dynamic groups

Use the Set-AzureADMSGroup cmdlet,

Set-AzureADMSGroup -Id '23c2768b-6cef-4006-a052-d9b288b4d17c' -MembershipRule "(User.department -eq ""Sales"") and (user.city -eq ""Tulsa"")"
PowerShell: Set-AzureADMSGroup

Another interesting part I came across when I was exploring dynamic groups is, I was trying to create a dynamic group of administrators to whom I can assign an Azure AD role. And it turns out, the membership type for role-assignable groups must be Assigned and can’t be an dynamic group. This makes sense as automated population of groups could lead to unwanted access being granted.

Thank you for stopping by. ✌

Azure AD – Implement Single Sign-On with ServiceNow

by

In this post I will go over the steps required to implement Azure AD SSO integration with ServiceNow. With this in place, it is easier to control access to your ServiceNow implementation and also allow your users to login with their domain credentials.

ServiceNow also supports user account provisioning which I will cover in a later post.

I’ve updated this post for ServiceNow San Diego version. The earlier versions may have different UI options but the steps behind the integration mostly remains the same.

High level implementation steps

In Azure AD add ServiceNow to Enterprise Applications

To configure this integration, first step is to add ServiceNow from the gallery to your list of managed SaaS apps. Below are the steps,

  1. Login to Azure AD Admin Center and click on the Enterprise applications tab
  2. To add new application, Click New application
  3. In the Browse Azure AD gallery section, enter ServiceNow in the search box
  4. Select ServiceNow and you can name it to differentiate from development to production instance with a prefix but in this scenario, I’ll leave it as default as in screenshot below. Click Create
  5. It takes a few seconds for the app to be added
Search ‘ServiceNow’
add ServiceNow by clicking ‘Create’

Configure Azure AD SSO

Below steps details how to enable SSO in Azure AD portal for the ServiceNow application,

  1. On the ServiceNow application page, select SAML-based Sign-on under the Manage section. Select SAML
  2. Select the edit icon in the Basic SAML configuration section
Basic SAML config

Your ServiceNow administrator should know this information and if not, you can contact ServiceNow support. But in general, this information is easy to figure out. I’ve mentioned the format of these URLs below. and I have used my own instance’s URL in the screenshot.

Identifier (Entity ID)https://{your-instance-name}.service-now.com
Reply URLhttps://{your-instance-name}.service-now.com/navpage.do
https://{your-instance-name}.service-now.com/customer.do
Sign on URLhttps://{your-instance-name}.service-now.com/login_with_sso.do?glide_sso_id=[sys_id of sso configuration]
Logout URLhttps://{your-instance-name}.service-now.com/navpage.do

Please follow along and I have a step below on how to determine the sys_id value from ServiceNow for the Sign on URL. Refer to Step 16. under the ‘Configure ServiceNow’ section below.

Below screenshots show values from my environment. I constructed the Sign on URL based on the sys_id information I got from ServiceNow as mentioned above

  1. In the SAML Signing Certificate section, find Certificate (Base64). Click Download to download Certificate(Base64), and then save the certificate file to your computer.
Download Certificate(Base64)

Create ServiceNow test user

  1. In ServiceNow portal, go to User Administration > Users
  2. Click New, complete the properties for your new user, and click Submit

Most organizations do ‘Automated user provisioning’ and this way you won’t have to create all the users in your Azure AD domain onto ServiceNow. But to make the SSO part easier, co-ordinate with your ServiceNow administrator and create an user account in ServiceNow with the email ID of a user in your Azure AD.

Configure ServiceNow

  1. Login on to your ServiceNow application portal as an administrator
  2. In the left pane, search for the System Definition section from the search box, and then select Plugins
ServiceNow plugins
  1. Search for Integration – Multiple Provider single sign-on Installer
  2. Right-click, and select Activate/Repair
search plug-in and activate
  1. Select Activate
Click Activate
wait till activation complete
Click Close & Refresh List
  1. In the left pane, search for the Multi-Provider SSO, and then select Properties
  1. Enable multiple provider SSO option is not active as in screenshot below and this is because Account Recovery is not setup. This comes in handy if something goes wrong with the SSO configuration and prevents admins from being locked out.
Enable multiple provider SSO not active
  1. Place a checkmark next to Enable account recovery to enable it
Account recovery properties
  1. Now back on the Customization Properties for Multiple Provider SSO page, place check mark next to below options,
    • Enable multiple provider SSO
    • Enable Auto Importing of users from all identity providers into the user table
    • Enable debug logging for the multiple provider SSO integration
    • The field on the user table that…,
      • email
Customization Properties for Multiple Provider SSO options
  1. Click Save to save configuration
  2. In the left pane, search for the Multi-Provider SSO, and then select Identity Providers
  1. Click New
  1. select SAML
  1. In the Import Identity Provider Metadata, select URL
    • The Metadata Url can be found in the Azure AD ServiceNow application SAML Signing Certificate section
    • Copy the App Federation Metadata Url value
Azure AD App Federation Metadata Url
  1. Paste the App Federation Metadata Url from Azure AD under Enter the URL and click Import
Paste the App Federation Metadata Url value
  1. Right click on the grey bar at the top of the screen and click Copy sys_id and save this value in a notepad to construct your Sign on URL in Azure AD
  1. The import metadata url reads the metadata and populates all the necessary information
    • Enter a name for your configuration. I’ve named it ‘Azure AD’
    • Confirm the NameID Policy is set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    • Select Advanced. In User Field, enter email
SSO config
  1. Scroll down to the Encryption And Signing tab and X.509 Certificate section, and select New
  2. Open the .cer file with notepad which was downloaded from Azure AD and saved to your PC
    • copy the entire content and leave it in the clipboard
Azure AD certificate open using notepad
  1. Paste the contents in PEM certificate section
    • Provide a Name
    • Select Format as PEM
  2. Click Submit
x.509 certificate
  1. Click Update
Click Update
  1. Click Test Connection at the upper-right corner of the page
    • Sign-in using the test user account created earlier in the ‘Create ServiceNow test user’ section
    • Click Close
  1. Click Activate
Click Activate
  1. Ensure Default and Active are checked like in screenshot below
Active enabled
  1. To ensure ServiceNow auto-redirects the users to Azure AD SSO, click on the Set as Auto Redirect IdP in the Related Links section
Set as Auto Redirect IdP
Auto Redirect IdP is enabled
  1. Click Update to save the configuration

Test SSO

  1. Open ServiceNow portal
    • Use Incognito or InPrivate mode to avoid previously saved cookies
  2. The portal should auto-redirect to login.microsoftonline.com and prompt a sign-in

Issues you may encounter and How to fix it

Error: Ensure that the user you are trying the test connection with is present in the system.
Ensure that ‘User Field’ property value corresponds to the value set in the IDP returned through ‘Subject NameID’ in the response.

Fix: I tried the SSO with a user ID that only existed in Azure AD and not in ServiceNow. The System didn’t know what to do and hence the error..duh!

Error: SAML2ValidationError: Signature cryptographic validation not successful

Fix: I imported the PEM certificate from Azure AD into ServiceNow but I forgot to save it by not clicking update

This should help you with the Azure Active Directory single (SSO) integration with ServiceNow. I believe I’ve covered everything in this process.

Thank you for stopping by.✌