Archive for November, 2019

How to choose between authentication methods:

The staged rollout feature allows you to migrate from federated authentication to cloud authentication in stages:

Moving away from federated authentication has implications. For example, if you have any of the following:

  • an on-premises MFA server (you must move to Azure MFA first)
  • smart cards for authentication
  • other federation-only features

These features should be taken into account before switching to cloud authentication. Before trying this feature, we suggest you review our guide on choosing the right authentication method. See this table for more details.

  • You have an Azure AD tenant with federated domains.
  • You have decided to move to either Password Hash Sync + Seamless SSO (Option A) or Pass-through Authentication + Seamless SSO (Option B). Although Seamless SSO is optional, we recommend enabling it so that users on domain-joined machines inside the corporate network get a silent sign-in experience.
  • You have configured all the appropriate tenant branding and Conditional Access policies you need for users who are being migrated over to cloud authentication.
  • If you plan to use Azure Multi-Factor Authentication, we recommend you use converged registration for Self-service Password Reset (SSPR) and Azure MFA to get your users to register their authentication methods once.
  • To use this feature, you need to be Global Administrator on your tenant.

To enable Seamless SSO on a specific AD forest, you need to be Domain Administrator.

  1. Removing a user from the group disables staged rollout for that user.
  2. To disable the staged rollout feature entirely, slide the feature back to the ‘OFF’ state.



Reference articles to secure a Windows domain:

Microsoft audit Policy settings and recommendations:

Sysinternals sysmon:

Beyond domain admins:

Gathering AD data with PowerShell:

Hardening Windows computers, secure Baseline check list:

Hardening Windows domain, secure Baseline check list:

Securing Domain Controllers to Improve Active Directory Security

Domain hardening in general:

  • Implement a 2- or 3-tier administrative model against the Pass-the-Hash threat
  • FGPP (fine-grained password policy) implementation
  • LAPS implementation
  • Process for proper cleanup of unused AD accounts
  • Reset of the krbtgt account, Domain Admins accounts and IT administrator accounts
  • Setting up jump servers for Tier 0, 1 and 2 users
  • Domain joining of all Windows boxes
  • Proper account management based on privileges
  • Use of service accounts to run applications instead of local system accounts
  • Review of existing AD accounts, deletion of unnecessary accounts, review of OU structure, GPOs, etc.
  • Honeytoken account creation on local boxes as well as in the domain
  • GPO changes for disabling guest accounts across systems, restricted RDP mode, password policy changes, disabling internet access on member servers
  • GPO for jump server implementation based on the PAW GPO settings
  • Rename the existing built-in Administrator account and lock it down
  • Sysmon deployment and WEF setup (WEC for Sysmon events)
  • Use PingCastle to assess AD security
  • Use BloodHound to assess AD security
  • Use ADTimeline to assess AD security
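The following PowerShell script is an added example, not code from the original post or from any of the tools listed above. It performs a read-only audit of three of the checklist items (cleanup of unused accounts, krbtgt reset age, LAPS coverage) so the gaps can be measured before the hardening work starts. It assumes the RSAT ActiveDirectory module, read access to the domain, and that the LAPS schema extension (the ms-Mcs-AdmPwdExpirationTime attribute) is present; the 90-day and 180-day thresholds are assumptions, not values from the post.

```powershell
# Added example (not from the original post): read-only audit of three checklist items.
# Assumes RSAT ActiveDirectory, domain read access and the LAPS schema extension.
Import-Module ActiveDirectory

function Get-AdHardeningAudit {
    param(
        [int]$InactiveDays     = 90,    # assumption: no logon for 90 days = unused
        [int]$KrbtgtMaxAgeDays = 180    # assumption: flag krbtgt password older than this
    )
    $Now    = Get-Date
    $Cutoff = $Now.AddDays(-$InactiveDays)

    # 1. Unused accounts. LastLogonDate is derived from the replicated lastLogonTimestamp,
    #    so one DC is enough. Accounts older than the cutoff that never logged on are included.
    $StaleUsers = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, PasswordLastSet, whenCreated |
        Where-Object { $_.whenCreated -lt $Cutoff -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff) } |
        Select-Object SamAccountName, DistinguishedName, LastLogonDate, PasswordLastSet

    # 2. krbtgt password age. A stolen krbtgt hash can forge tickets until the password has
    #    been reset twice (with replication in between); the age shows when that last happened.
    $Krbtgt        = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $KrbtgtAgeDays = [int](($Now - $Krbtgt.PasswordLastSet).TotalDays)

    # 3. LAPS coverage. A computer with no expiration timestamp has never had its local
    #    administrator password set by LAPS. Domain controllers (primary group RID 516)
    #    are excluded because LAPS is not applied to them.
    $NoLaps = Get-ADComputer -Filter { Enabled -eq $true -and PrimaryGroupID -ne 516 } `
                  -Properties OperatingSystem, 'ms-Mcs-AdmPwdExpirationTime' |
        Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' } |
        Select-Object Name, OperatingSystem, DistinguishedName

    [pscustomobject]@{
        StaleUsers            = @($StaleUsers)
        ComputersWithoutLaps  = @($NoLaps)
        KrbtgtPasswordAgeDays = $KrbtgtAgeDays
        KrbtgtNeedsReset      = ($KrbtgtAgeDays -gt $KrbtgtMaxAgeDays)
    }
}

$Audit = Get-AdHardeningAudit
"Unused enabled users:   $($Audit.StaleUsers.Count)"
"Computers without LAPS: $($Audit.ComputersWithoutLaps.Count)"
"krbtgt password age:    $($Audit.KrbtgtPasswordAgeDays) days (reset needed: $($Audit.KrbtgtNeedsReset))"

# Detail lists for the cleanup and LAPS rollout work.
$Audit.StaleUsers           | Export-Csv -Path .\stale-users.csv -NoTypeInformation
$Audit.ComputersWithoutLaps | Export-Csv -Path .\no-laps.csv -NoTypeInformation
```

Run it under a plain domain user; nothing in it writes to the directory. If the LAPS schema extension is absent, Get-ADComputer rejects the unknown property, which is itself the answer to the coverage question.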


Some interesting sites:

Windows hardening:

Privilege admin workstation:

Delegate WMI access to domain controllers:

This post originally came about after several customers asked how to remove user accounts from Domain Admins and the Administrators group in the domain. These accounts are needed to monitor the systems, so we needed to find a way to get them to read the instrumentation of the system with non-elevated privilege.
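As an added example (the editor's, not the original post's method, which the linked article describes and is not reproduced here), one way to let a monitoring account read WMI on a domain controller without Domain Admins or Administrators membership: put the monitoring accounts in a dedicated domain group, make that group a member of the built-in Distributed COM Users and Performance Monitor Users groups, grant it a read-only allow ACE (Enable Account + Remote Enable) on the root\cimv2 namespace, and then verify the read over DCOM. The group name SVC-Monitoring-Readers and the DC name DC01 are hypothetical; the script itself must run as an account that can change group membership and the namespace ACL.

```powershell
# Added example, not from the original post. Least-privilege WMI read access for a
# monitoring group on a domain controller. Names below are hypothetical.
Import-Module ActiveDirectory

$Group = 'SVC-Monitoring-Readers'   # hypothetical domain group holding the monitoring accounts
$DC    = 'DC01'                     # hypothetical domain controller

# 1. Built-in domain groups that gate remote DCOM activation and performance-counter reads.
#    Neither is a member of Administrators, so no admin rights are inherited.
foreach ($Builtin in 'Distributed COM Users', 'Performance Monitor Users') {
    Add-ADGroupMember -Identity $Builtin -Members $Group
}

# 2. WMI namespace security: add an allow ACE for the group on root\cimv2.
#    Access-mask bits from the WMI namespace security model:
#      0x01 Enable Account, 0x20 Remote Enable.
#    Deliberately omitted: 0x02 Method Execute, 0x04 Full Write, 0x08 Partial Write.
$AccessMask       = 0x01 -bor 0x20
$ContainerInherit = 0x2                 # AceFlags: inherit to sub-namespaces
$Sid              = (Get-ADGroup -Identity $Group).SID.Value

$wmiParams  = @{ ComputerName = $DC; Namespace = 'root\cimv2'; Path = '__systemsecurity=@' }
$Descriptor = (Invoke-WmiMethod @wmiParams -Name GetSecurityDescriptor).Descriptor

$Trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$Trustee.SidString = $Sid

$Ace = ([wmiclass]'Win32_Ace').CreateInstance()
$Ace.AccessMask = $AccessMask
$Ace.AceFlags   = $ContainerInherit
$Ace.AceType    = 0                     # ACCESS_ALLOWED_ACE_TYPE
$Ace.Trustee    = $Trustee

$Descriptor.DACL += $Ace.psobject.ImmediateBaseObject
$Result = Invoke-WmiMethod @wmiParams -Name SetSecurityDescriptor `
              -ArgumentList $Descriptor.psobject.ImmediateBaseObject
if ($Result.ReturnValue -ne 0) {
    throw "SetSecurityDescriptor on \\$DC\root\cimv2 failed with code $($Result.ReturnValue)"
}

# 3. Verify as a member of the monitoring group over DCOM, the path the built-in groups gate.
#    A fresh session is needed so the account's token picks up the new group membership.
$Cred    = Get-Credential -Message "Account that is a member of $Group"
$Opt     = New-CimSessionOption -Protocol Dcom
$Session = New-CimSession -ComputerName $DC -Credential $Cred -SessionOption $Opt
Get-CimInstance -CimSession $Session -ClassName Win32_OperatingSystem |
    Select-Object CSName, Version, LastBootUpTime
Remove-CimSession -CimSession $Session
```

If the monitoring tool connects over WinRM rather than DCOM, the account additionally needs permission on the WinRM session configuration (for example via Remote Management Users), which this script does not grant; the namespace ACE is the same in both cases.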


Microsoft Office 365 roadmap:

For significant updates, Office customers are initially notified by the O365 roadmap:

As an update gets closer to rolling out, it is communicated through your Office 365 Message center.

Microsoft Azure roadmap:

Microsoft cloud platform: