Mike Stephens

My feedback

  1. 1 vote
    under review  ·  1 comment  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    Let us look into this. Please do consider the vote count of this compared to the others. Seems reasonable.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  2. 1 vote
    under review  ·  1 comment  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    Most of this already exists. But I need to check on the Group Policy part. We had an issue with that, but I believe we resolved it. Stay tuned.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  3. 3 votes
    2 comments  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    Hmm interesting-- we'll look into this.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  4. 4 votes
    need-feedback  ·  1 comment  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    If this remains valid, please elaborate with a use case and details. I'd like to learn more about the scenario.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  5. 7 votes
    started  ·  3 comments  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    Sorry, no. But we are working on improving our Sync service. Merging this with other suggestions to get an accurate vote count.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

    Mike Stephens commented  · 

    We completely understand -- we are working on making the sync better. Stay tuned.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  6. 1 vote
    need-feedback  ·  1 comment  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    The point of Azure AD Domain Services is that it's a managed service, where the health is monitored for you. Beyond what we surface on our health page, what information do you need, and can you help us understand why?

    We provide security audit events to Log Analytics (https://docs.microsoft.com/en-us/azure/active-directory-domain-services/security-audit-events)

    We provide email notifications for alerts where we need customers to fix their virtual networks (https://docs.microsoft.com/en-us/azure/active-directory-domain-services/notifications)

    Can you help us understand the suggestion further?

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  7. 1 vote
    triaged  ·  2 comments  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    So you have a VM that you allow RDP to that hosts a legacy application. The VM is joined to Azure AD Domain Services--therefore it only does Kerberos authentication (username/password).

    Then, the database connection the application uses relies on Azure AD Authentication (modern authentication) rather than Windows Integrated authentication. That explains why users need to sign in with the un/pw many times. Hmmmm...

    There's not much Azure AD Domain Services can do to help with this. However, what you might be able to do (if you can change the application) is pre-authenticate the user using the application to Azure and then silently authenticate to SQL in the background, rather than relying on the Azure SQL to prompt for authentication. The design seems to have an impedance mismatch in that it uses legacy authentication for the hosting platform but modern auth for the database connectivity. The easiest way (relative) would be to have Azure SQL register a service principal name in Azure AD Domain Services and accept a Kerberos service ticket. They could then pull the user UPN out of the Kerberos ticket and "broker" the authentication, so to speak.

    I'll leave this triaged, but I honestly do not see how Azure AD Domain Services can help with this, given its design is for legacy authentication.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  8. 2 votes
    started  ·  4 comments  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    Working on it

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  9. 5 votes
    under review  ·  4 comments  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    Very interesting. Why are virtual machines being joined to the AAD DS domain? I understand the WVD infrastructure needs to join a domain (RDP is still RDP) but it would seem that the pool of VMs offered by WVD would be Azure AD joined. That would give SSO to Office and other Azure applications.

    I'll leave this at Need-Feedback because I am keen on learning more about the scenario. We may eventually need to move the suggestion over to the WVD category as there's not much Azure AD DS can do in this case, and Azure AD join would be a simple solution (so it seems) that provides a great customer experience.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  10. 2 votes
    under review  ·  1 comment  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    Great Feedback-- Let us look into that.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  11. 36 votes
    10 comments  ·  Azure Active Directory » Domain Services

    Hi all,

    We’ve started work on adding the Manager, ProxyAddress, and employeeID attributes to AAD-DS. Thank you for your patience!

    Erin Greenlee
    Program Manager
    IAM Core | Domain Services

    Mike Stephens commented  · 

    Thank you for the feedback. Merging this with the Custom Attribute/Schema extensions suggestion to properly represent the votes.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

    Mike Stephens commented  · 

    Understood. Merging this suggestion with the other suggestions around custom attributes.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

    Mike Stephens commented  · 

    Understood. This remains under review for now. We have some other higher priority items that we need to take care of before we can move on this. We'll leave this open. If there are others that need this -- it would be good to know the attribute you need, why you need it (the more details the better -- please no novels; but explaining the use case/scenario/and application that uses it would be helpful).

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  12. 6 votes
    need-feedback  ·  1 comment  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    The Azure Virtual Network assigns IP addresses to the devices on the virtual network. DHCP is not a use case we've considered and most likely would not. But I'm curious about the use case/scenario. We'll mark this Need-Feedback for the time being. If someone wants to build a compelling case, I'm willing to read about it.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  13. 5 votes
    need-feedback  ·  4 comments  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    Great idea. What are the use cases, applications and any other relevant details you can share on how you would use Azure AD Domain Services as a trusted forest? Do you have any networking concerns -- for example, what if it required an Express Route vs. Site-to-Site VPN?

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  14. 6 votes
    planned  ·  4 comments  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    Currently looks like Azure AD Domain Services is planned to launch in the German West Central Region in Q1 of 2020. (https://azure.microsoft.com/en-us/global-infrastructure/services/?products=active-directory-ds&regions=all) That date is subject to change.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  15. 14 votes
    under review  ·  3 comments  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    Interesting. Thank you for the feedback. What's the use case? I'm going to take a guess at troubleshooting, right? As I view a managed service, that should be the responsibility of the service to ensure users, groups, and password hashes are synced properly and timely. Given the current sync operation, I can understand the request. What if the sync engine just worked? Would you still need a report like this? Why?

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  16. 17 votes
    2 comments  ·  Azure Active Directory » Domain Services

    Hi all,

    We’ve started work on adding the Manager, ProxyAddress, and employeeID attributes to AAD-DS. Thank you for your patience!

    Erin Greenlee
    Program Manager
    IAM Core | Domain Services

    Mike Stephens commented  · 

    Understood. Most likely this would be considered with schema extensions/additional attributes. We have other items that we need to finish, but this is great feedback as we consider what adding attributes looks like in Azure AD Domain Services. Thank you.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  17. 20 votes
    need-feedback  ·  5 comments  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    Hi folks -- Interesting request and a dangerous one as well. Having the root of your PKI in the cloud should not be taken lightly. What's missing from this request is why? Azure AD DS is not a replacement for on-prem AD DS. It's to provide legacy authentication for traditional on-premises applications so you can host them in Azure. Most public endpoints using server authentication are typically protected using a public CA issued end-entity certificate. If you need some issued from your private CA, this can still be accomplished using PFX files. So, what is the scenario where certificates must be *issued* from the cloud? Where are the private keys for the CA stored? How is that protected? What enrollment protocol will be used? What's the connectivity between the requester and the CA? All good questions that can help me create a story for why this feature is needed. And yes, sorry @RadioGenX, Azure AD DS has a strong security posture that does not allow DA or EA permissions and you need EA permissions to install a CA.

    Also, did you know that if you need to issue certificates over the web and you have an enterprise CA -- you can use CEP/CES with your Windows devices to enroll certificates just fine. You may want to check that out.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  18. 49 votes
    triaged  ·  7 comments  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    We're looking into it, but it's a little further down on the list of things. Scenario makes sense. We'll keep this thread open for comments.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  19. 48 votes
    under review  ·  12 comments  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    Remains under review.

    One thing to note is that Azure AD DS is not intended to replace traditional on-premises AD-DS. It is intended for lifting and shifting traditional on-premises applications that need legacy authentication such as Kerberos, NTLM, and LDAP or for VDI workloads. I'm reading a lot of comments for small companies, which is great feedback, but let's ensure you're using it for the proper use case. If these customers do not have on-prem apps, then Azure AD is the right place for them and they can skip on-premises Active Directory altogether.

  20. 67 votes
    8 comments  ·  Azure Active Directory » Domain Services
    Mike Stephens commented  · 

    Remains in development. No ETA that we can share at this time. We'll update this once we get closer to release.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services
