
Dec 2, 2022

How "Authentication Context" Works in Azure

First of all, let's just say "Authentication Context" has little to do with authentication; not sure why MS picked such a misleading name. It's really a labeling system that gives content owners more control over what should be protected, and how.


    1. Create the context
      It's a label defined in AAD | Security. At this point it is just a text tag; it has no meaning until you use it in a Conditional Access policy.
    2. Link the "auth context" created in step 1 to a "sensitivity label"
      The auth context created above shows up as an option in your Sensitivity Label | Site settings | "Define external sharing and device access settings" page. There is an option called "Use Azure AD Conditional Access to protect labeled SharePoint sites", under which you will see the context you created in step 1.
    3. Link the context to an access policy
      Create a Conditional Access policy targeting this context (traditionally you could only target applications and user actions, but now you can target a tag/label).
    4. How everything works together
      For a document with the abovementioned sensitivity label: its access settings -> the context name -> the access policy in scope for that context.
    5. This way, the level of protection is not defined only by the Azure admin, but by the content owner as well.
      In other words, the Azure AD admin defines a protection option, and content owners decide whether to use that option themselves (by applying the label), compared to the old way where the Azure admin pushed a policy down onto everything in scope.
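Steps 1 and 3 above can also be done through Microsoft Graph, which makes it clear that the context is nothing but a tag until a policy references it. The following is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can write Conditional Access policies. The context id "c1", the display names and the policy contents are constructed for illustration; step 2 (linking the context to a sensitivity label) stays in the compliance portal as described above.

```powershell
# Added example (not from the original post): create an authentication context
# (step 1) and a Conditional Access policy that targets it (step 3) via Graph.
# Assumes the Microsoft.Graph SDK and an account with rights to write CA policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$graph = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess'

# Step 1: the context is just a labelled tag with a fixed id (c1..c25).
# Id, names and description below are constructed values.
$context = @{
    id          = 'c1'
    displayName = 'Highly confidential content'
    description = 'Applied by content owners through a sensitivity label'
    isAvailable = $true   # makes it selectable in sensitivity label settings
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/authenticationContextClassReferences" -Body $context

# Step 3: a policy that targets the context instead of an application.
# Report-only state first, so the effect can be reviewed in sign-in logs
# before it is enforced.
$policy = @{
    displayName = 'Require MFA for highly confidential content (c1)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All') }
        applications = @{ includeAuthenticationContextClassReferences = @('c1') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/policies" -Body $policy

# Check: which contexts exist, and which policies reference each of them.
$contexts = (Invoke-MgGraphRequest -Method GET -Uri "$graph/authenticationContextClassReferences").value
$policies = (Invoke-MgGraphRequest -Method GET -Uri "$graph/policies").value
foreach ($c in $contexts) {
    $refs = $policies | Where-Object {
        $_.conditions.applications.includeAuthenticationContextClassReferences -contains $c.id
    }
    '{0} ({1}): {2} policy/policies, available={3}' -f $c.id, $c.displayName, @($refs).Count, $c.isAvailable
}
```

The final loop is the check worth keeping: a context with zero referencing policies is exactly the "tag with no meaning" situation from step 1, and content owners who apply a label bound to it get no extra protection. Before switching the policy to enabled, add an exclusion for your emergency access accounts in `conditions.users.excludeUsers`.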

Dec 1, 2022

LDAP filter syntax for time based attributes - Active Directory

AD uses two kinds of data to represent time in attributes:

Type 1: stored as a large integer. lastLogonTimeStamp and pwdLastSet fall under this category.

Convert the value you want to use to long integer.

    $longIntTimeValue=(Get-Date).AddDays(-60).ToFileTimeUtc()

    $ldapfilter="(lastLogonTimeStamp<=$longIntTimeValue)"


Type 2: stored as an LDAP generalized time value, for example whenCreated/whenChanged. Use the format below in the filter:

    YYYYMMDDHHmmss.sZ

    (year, month, day, hour, minute, second, fractional second, Z)

    Where the trailing Z marks the end of the value, denotes UTC, and is mandatory

    example

    (whenCreated>=20221130000000.0Z)


To make an LDAP filter value in PowerShell from a datetime object (convert to UTC first, since the Z suffix declares the value as UTC):

    $date.ToUniversalTime().ToString("yyyyMMddHHmmss") + ".0Z"
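Putting both attribute types together, here is an added example (not from the original post) that builds a filter for each kind from the same cutoff date and runs them with the ActiveDirectory module. It assumes RSAT / the ActiveDirectory module is available; the 60-day cutoff is a constructed value.

```powershell
# Added example, not from the original post: build LDAP filters for both kinds
# of AD time attributes and query with them. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-LdapGeneralizedTime {
    param([Parameter(Mandatory)][datetime]$Date)
    # Generalized time (whenCreated, whenChanged) must be expressed in UTC;
    # the trailing Z is mandatory.
    $Date.ToUniversalTime().ToString('yyyyMMddHHmmss') + '.0Z'
}

function ConvertTo-LdapFileTime {
    param([Parameter(Mandatory)][datetime]$Date)
    # Large-integer attributes (lastLogonTimeStamp, pwdLastSet) hold a Windows
    # FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
    $Date.ToFileTimeUtc()
}

$cutoff = (Get-Date).AddDays(-60)   # constructed: "older than 60 days"

# Type 1: accounts whose last (replicated) logon is older than the cutoff.
# Note: an account that never logged on has no lastLogonTimeStamp at all and
# will not match "<=", so it is listed separately below.
$staleFilter = "(&(objectCategory=person)(objectClass=user)(lastLogonTimeStamp<=$(ConvertTo-LdapFileTime $cutoff)))"
$neverFilter = "(&(objectCategory=person)(objectClass=user)(!(lastLogonTimeStamp=*)))"

# Type 2: accounts created since the cutoff.
$recentFilter = "(whenCreated>=$(ConvertTo-LdapGeneralizedTime $cutoff))"

"Stale accounts (lastLogonTimeStamp before $($cutoff.ToUniversalTime().ToString('u'))):"
Get-ADUser -LDAPFilter $staleFilter -Properties lastLogonTimeStamp |
    Select-Object SamAccountName, Enabled,
        @{ n = 'LastLogonUtc'; e = { [datetime]::FromFileTimeUtc($_.lastLogonTimeStamp) } }

"Accounts that have never logged on:"
Get-ADUser -LDAPFilter $neverFilter | Select-Object SamAccountName, Enabled

"Accounts created in the last 60 days:"
Get-ADUser -LDAPFilter $recentFilter -Properties whenCreated |
    Select-Object SamAccountName, Enabled, whenCreated
```

Two caveats when using the large-integer attributes for stale-account reviews: lastLogonTimeStamp is only replicated when it is more than msDS-LogonTimeSyncInterval (14 days by default) out of date, so it is an approximation, not the exact last logon; and pwdLastSet can be 0 (password must be changed at next logon), which a `<=` comparison will treat as "very old".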

Oct 21, 2022

Sync custom AD attributes to AAD and other ways to have custom attributes

Custom attributes from on-prem AD (added by extending the schema) can be synced to AAD:


Azure AD Connect sync: Directory extensions - Microsoft Entra | Microsoft Learn

How to sync Custom Active Directory Attributes to Azure AD? (rebeladmin.com)

Synced attributes can be retrieved through a pre-built app called "Tenant Schema Extension App".
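To see what was actually registered and read the values back, here is an added example (not from the original post) that discovers the extension properties on the "Tenant Schema Extension App" and selects them for a few users through Microsoft Graph. It assumes the Microsoft.Graph PowerShell SDK; the app display name is the one cited above, and the attribute names are whatever your Azure AD Connect configuration registered.

```powershell
# Added example, not from the original post: list the directory extension
# attributes registered on the Tenant Schema Extension App and read them back.
# Assumes the Microsoft.Graph SDK and read rights on applications and users.
Connect-MgGraph -Scopes 'Application.Read.All', 'User.Read.All'

# Azure AD Connect registers each synced custom attribute as an
# extensionProperty on this application.
$app = Get-MgApplication -Filter "displayName eq 'Tenant Schema Extension App'"
if (-not $app) {
    throw 'Tenant Schema Extension App not found; has Azure AD Connect synced any directory extensions yet?'
}

# Names take the form extension_<appId without dashes>_<onPremAttributeName>.
$extNames = (Get-MgApplicationExtensionProperty -ApplicationId $app.Id).Name
'Registered extension attributes:'
$extNames

# Extension values are only returned when explicitly selected.
$select = (@('id', 'userPrincipalName') + $extNames) -join ','
$users = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users?`$select=$select&`$top=5").value

foreach ($u in $users) {
    $values = $extNames | ForEach-Object { '{0}={1}' -f $_, $u[$_] }
    '{0}: {1}' -f $u.userPrincipalName, ($values -join '; ')
}
```

If the extension names show up but every value is empty, the attribute is registered but not flowing: check the attribute's sync rule and whether the source objects are in scope for Azure AD Connect.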


This is not the same as "External Identities | custom attributes" or "B2C | user attributes", but it uses the same mechanism behind the scenes.

In fact, using the same mechanism, you can just "extend" AAD with custom attributes without the help of ADC, External ID or B2C.

Azure AD Graph API Directory Schema Extensions | Microsoft Learn

Please note, it's not a true extension of the AAD schema (MS won't allow that), but a clever way of using an app to store such "extended attributes".

This is also different from "custom security attributes". Not sure if "custom security attributes" use the same technique (likely not).

Other reads/Best summary:

Custom security attributes in Azure AD part 1: a trip down memory lane | Blog (michev.info)


See also the specific case of syncing on-premises AD extended attributes to AAD (extended attributes in this context are any attributes not included by default by the ADC engine):

Sync additional attributes from on-prem AD to AAD