Enterprise Mobility and Security Blog


Howdy folks

It’s been quite a year here for us on the Azure AD team. We now have over 4 million organizations using Azure AD and as of yesterday, we’ve just completed our 1 TRILLIONTH authentication.

And with the general availability (GA) of Azure AD Premium and its inclusion in the Enterprise Mobility Suite (EMS) in May, we have seen amazing customer traction for the new capabilities that we continue to ship, month-in and month-out.

With the Holidays now upon us, we have all been working like crazy to wrap up open work items by the end of the year. This means a whole bunch of projects have finished up at the same time.  So I get the privilege of sharing all the cool news about the biggest set of enhancements we’ve made to Azure AD yet:

Generally available (GA) as of today:

  • Password write-back in Azure AD Sync: Users can now change their passwords in the cloud and have the change flow all the way back to your on-premises AD.
  • The Azure AD App Proxy: This proxy makes it easy to give your employees secure access to on-premises applications like SharePoint and Exchange/OWA from the cloud without having to muck around with your DMZ.

And in public preview:

  • Question based security gates for use in password resets
  • Admins can add their own password SSO based SaaS apps to Azure AD
  • And probably the most exciting news of all – Administrative Units (AUs). AU’s are like OUs modernized for the cloud. They let you sub-divide your Azure Active Directory, enabling the separation of administrative duties and policy creation across a large company.

Finally we are making Azure AD Premium available for direct online purchase, using a credit card, in the Office 365 admin portal (you do not need to be an existing Office 365 customer to buy).

Many of these new enhancements, like the ability to purchase online, the ability to add password SSO based SaaS apps and Administrative units are things many of you have requested. I hope you’ll be as excited about these enhancements as we are.

To learn a bit more about each of them, read on!

Password Write-Back in Azure AD Sync

Today we are also announcing the General Availability of our Password Write-Back feature for Azure AD Premium customers. This feature lets you use your Azure Active Directory to improve the security and user experience and reduce the management cost for passwords in your on-premises Active Directory.

The feature detects when one of your users changes their password in Azure AD, or has their password reset by an administrator, and writes that same password back to your on-premises AD. For example, if a user forgets their password to your on-premises AD, they can reset their password using the Azure AD password reset service, and then use their new password to sign on to your on-premises AD.

This enables you to reduce your helpdesk cost for users who have forgotten their AD passwords, without deploying or managing a password management solution in your local network.

To get started, first make sure that password reset is enabled under the “configure” tab in your Azure Active Directory. Then, download the latest version of Azure Active Directory Sync and select the checkbox for password write-back from within the “optional features” selection page.

Once configuration of Azure Active Directory Sync is completed, then any password that’s changed in Azure AD is also changed in your local Active Directory.

Azure AD App Proxy is now GA

The Azure Active Directory Application Proxy allows you to extend access to your on-premises applications to users in the cloud without changing your applications and with no changes to your DMZ. Just install a lightweight connector anywhere on your network and configure access to the application in your Azure Active Directory, and you can make your SharePoint, Outlook Web Access or any other Web application available to users outside your corporate network.

The service stops unauthenticated traffic in the cloud, and ensures that only sanitized traffic is sent to your network. This enables you to protect your on-premises applications with the same mechanisms that protect Azure services, giving your users a single sign on experience, and giving you a single, easy to configure method for enforcing multi-factor authentication, and a single source for auditing and security analytics.

For the General Availability of the service we have added new capabilities based on your feedback that improve the user experience and lower the maintenance cost.

Kerberos-Constrained Delegation

With this release we have added support for Kerberos Constrained Delegation (KCD). Now, once a user has authenticated to Azure Active Directory, Azure Active Directory Application proxy can automatically authenticate users to your on-premises application. This improves the user experience by enabling users in the cloud to access on-premises applications with only a single interactive sign-in to Azure Active Directory.

Here is how Outlook Web Access configuration looks like:

The Azure Active Directory Application Proxy is available to Azure Active Directory Premium and Basic customers. For more details on the App Proxy and how it works, click here to read the deep dive blog post.

Question Based Security Gate for Password Reset

The next capability I’d like to tell you about is the preview of our Question Based Security Gate for Password Reset. We built this feature based on requests from some of our largest customers who have employees who don’t have company supplied email addresses or phones at work. This feature gives you the convenience, security, and cost benefits of the Azure Active Directory self-service password reset service even for those who don’t have easy access to their cell phone or alternate email accounts.

To get started, just enable the “security questions” option under the password reset section of your directory’s configuration page. There you can configure up to 20 questions that users can choose from when registering for password reset, as well as how many of these questions will be required for password reset and registration.

1: Admin Configuration for Password Reset Security Questions


2: End-User security question registration experience


3: End-user resetting a password using security questions


Read more about how to configure this feature in the password reset documentation.

Add Your Own Password SSO Based Apps and Application Links in Public Preview

Today we are also introducing a public preview of two new ways to give your employees access to any web application and have it appear in your users Azure AD Access Panel:

  • Add your own Password-based single sign on SaaS applications – New in this release is the ability to configure password-based single sign-on for any web application that has an HTML sign-in page, regardless of whether or not it exists in Azure AD application gallery. For example, if your organization relies on a custom web application that requires password authentication, and you want to manage user accounts and access without distributing passwords, you can now configure and use Azure AD password-based SSO for this application in the Azure management portal. Password-based SSO, also referred to as password vaulting, enables you to manage user access and passwords to web applications that don’t support identity federation. It is also useful for scenarios where several users need to share a single account, such as to your organization’s social media app accounts.
  • Links to any application on the Access Panel
    This release also includes a capability requested by many customers: enabling an administrator to add links to any application to your organization’s Azure AD Access Panel, independent of single-sign on method and whether or not they exist in the Azure AD application gallery. For example, you can add links to custom web apps that currently use Azure Active Directory Federation Services (or other federation service) instead of Azure AD for authentication. Or, you can add deep links to specific SharePoint pages or other web pages that you just want to appear on your user’s Access Panels.

By using either of these features to grant access to an application, you can also to enable other benefits of Azure Active Directory such as multi-factor authentication, and security and audit reporting.

To check out these new capabilities, sign into the Azure management portal using your Azure Active Directory administrator account, and browse to the Active Directory > [Directory] > Applications section, select Add, and then Add an application from the gallery.

If an application you wanted to enable password-based SSO for isn’t in the gallery, you can custom add it using either the new Custom category on the left, or by selecting the Add an unlisted application link that is shown in the search results if your desired app wasn’t found.

After selecting the option to add an unlisted application my organization is using and entering a Name for your application, you can configure the single sign-on options and behavior.

First Public Preview of Administrative Units

Administrative Units, an Azure AD Premium feature, are also now in public preview. This set of capabilities has been the #1 ask from our largest customers and we’re excited to be able to share it with you.

Administrative Units exist to help large enterprises delegate administrative permissions across their complex organizations. Do you need to allow a set of people to manage a sub-set of the users in your company? Is management of IT in your company delegated by region or business unit? On-premises this was accomplished using a rich set of features in Windows Server Active Directory including Domains and Organizational Units. Today, with the new Administrative Units in Azure AD, we are taking the first step in providing the ability to model and delegate administration in the cloud.

In this first preview release we are providing a way to model regions and departments of users. For example, let’s say Lee is the company admin for a large enterprise, Contoso, and Contoso is made up of two divisions, East Coast and West Coast. If Lee wants want Jennifer to manage the West Coast division he can do this by creating an Administrative Unit that includes only the users in the West Coast division, and then adding Jennifer to the User Account Administrator role “scoped” to the West Coast Administrative Unit. This scoped role assignment means Jennifer will be able to assign licenses, reset passwords, and update profile information only for users who are a member of the West Coast Administrative Unit.

If you are familiar with role-based access control (RBAC) you can think of Administrative Units as custom resource scopes that can be defined to represent the administrative boundaries of your organizations and then applied during role assignments.

Diagram 1: One conceptual model for the use of Administrative Units (AU’s)

So, how do you use them? In this first preview, all of the configuration of Administrative Units is done using PowerShell (in future updates we will add UX for this). Taking the example above, here’s how Lee would grant Jennifer the ability to manage users in the West Coast division using PowerShell.

First, Lee would create the West Coast Administrative Unit using the New-MsolAdministrativeUnit cmdlet. Lee will use this Administrative Unit later when assigning Jennifer the User Account administrator permissions

“West Coast”
“West Coast region”

Next, Lee would add the users in the West Coast division to the Administrative Unit using the Add-MsolAdministrativeUnitMember cmdlet.

#Add all users where Department = West Coast to the West Coast AU

Department “West Coast”

Foreach ($user
$westCoastUsers) {

$westCoastAU.ObjectId –AdministrativeUnitMemberObjectId $user.ObjectId


Lastly, Lee would assign Jennifer the User Account Administrator role, scoped to the West Coast Administrative Unit.

“User Account Administrator”


$userAdminRole.ObjectId -ScopeId $westCoastAU.ObjectId -RoleMemberObjectId $jennifer.ObjectId

That’s it. Jennifer is now able to manage only the users in the West Coast Administrative Unit. As users are added, she will automatically be able to manage them. It’s important to note that we could have switched the order of steps #2 and #3 and achieved the same results. Also, if Lee wants Jim to be a Password Administrator only for the West Coast division, he could reuse the West Coast AU when adding Jim to the Password Administrator role.

There are some principles to be aware of when using Administrative Units. First, only members of the Company Administrator role can create and manage Administrative Units. This ensures that Administrative Unit admins can’t just add people to their Administrative Units and start managing them.

Second, a user can be members of more than one Administrative Unit, and all Administrative Unit admins will have authority to manage him.
This is a very important difference between AU’s in Azure AD and OU’s in Windows Server AD. We made this choice based on feedback from customers that the strict hierarchical structure of OU’s was ill-suited for today’s enterprises and that a more flexible model was required.

This initial public preview of Administrative Units has some limitations that we are busy working to address. These include:

  • Administrative Units are only available in PowerShell today, and support in Graph and the Azure AD portal is coming soon.
  • Administrative Unit-scoped User Account Administrators cannot create or delete users.
  • Groups are not supported as members of Administrative Units, and Administrative Unit-scoped User Account Administrators cannot create or delete groups.
  • Currently only User objects are supported as members of Administrative Units, so only the User Account Administrator and Password Administrator support scoped role assignments (these are the role specific to user management).

Finally, MSDN documentation on Administrative Units is available here.

(Note: AU’s are being deployed across our datacenters today so some of you may not see them turn on in your tenant until later this afternoon)

Azure AD Premium is now available for purchase in the Office365 portal

Finally, I want to close with what for many of you will be the most exciting news in this entire blog. You can now purchase Azure AD Premium through the Office 365 commerce catalog. Many of you who don’t have EA agreements with Microsoft have asked us to be able to purchase online in email, in person, on Twitter, and in the press. You can now easily add Azure AD Premium services such as self-service password reset and group management, as well as premium reports and application access management capabilities to your directory.

Here are the steps you should follow if you want to purchase Azure AD Premium online. If you have Azure AD free, Office 365, or any other Microsoft Online service you can use your global or billing administrator account to login to the Office 365 commerce catalog. If you don’t have any of these yet you can sign up for an Office 365 trial through Office 365 premium business if your organization has less than 300 users, otherwise Office 365 enterprise.

Office 365 Enterprise E3 trial signup page

After adding your company information, creating your account, and doing a simple phone verification you will land in the Office 365 portal. From here you can navigate to Office 365 Admin portal by selecting Office 365 from the Admin drop down.

Office 365 portal

To buy Azure AD Premium you can go directly to the Office 365 commerce catalog or navigate to the subscriptions page by selecting “BILLING” and “Subscriptions” from the left hand navigation pane and clicking on the “+New subscription” option at the top.

Office 365 Subscriptions page

This will take you to the Office 365 commerce catalog where you can try or buy Azure AD Premium.

Azure AD Premium on Office 365 commerce catalog

Once you completed your purchase you can navigate to the Azure AD management portal by selecting Azure AD from either the “Admin” drop down or left navigation tree.

Azure AD links in Office portal

f you already have Microsoft Azure access you will with your Administrator account you will immediately be taken to your Azure AD management portal at http://manage.windowsazure.com.


Manage your directory in Azure AD

Otherwise, if you have any paid Microsoft Online subscriptions (e.g. Office 365, Azure AD Premium, Intune, etc) you will be directed to activate your Azure AD access with a simple phone verification. You can also access this experience here. Once you complete the phone verification selecting “Sign up” will complete the activation. You will now be able to access the Azure AD management portal by clicking the “Portal” button in the top right of your screen, Selecting Azure AD from the office 365 portal or navigating to http://manage.windowsazure.com.

Activate access to Azure AD

Note: If you have a trial subscriptions or are not a global administrator you will need to activate an Azure trial here, or purchase a pay-as-you-go subscription here.


Choose a Microsoft Azure trial or Pay-As-You-Go subscription

Many of you are probably wondering why we’re making this available for purchase in the Office365 portal but not in the Azure portal. Great question! We want to make it available in both. Because of the way Microsoft’s ecommerce systems work, it was easy to make it available in the Office experience (Office already sells per-user licensed services so the plumbing was already there) so we did. We’re also working on making it available for purchase in the Azure experience, however that is a lot more engineering work (since it will be the first per-user licensed service sold in Azure). It will be a few more months before we turn that option on.

I’m just completely pumped that we’re releasing this much innovation all at the same time. Really proud of the work the team has done here. And I’d be remiss if I didn’t also send out a big “Thank you!” to all of our customers. Their willingness to work hand in hand with us to design and validate these new features makes all of this possible, and it makes our jobs incredibly rewarding!

And as always, we’d love to hear any feedback or suggestions you have.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity and Security Division