Category: Active Directory

This was one of the main blockers of Firefox adoption in the enterprise:



These laptops must run the latest Windows 10 release with its new security features, and follow security best practices such as:

  • Apply a Hardening Security Baseline from Microsoft Security Compliance Manager (SCM)
  • Enable Secure Boot with UEFI
  • Impose Software Restrictions using AppLocker
  • Enable Full Disk Encryption
  • Impose Restrictions on USB ports
  • Implement Network Isolation via host firewall
  • Install and configure Device Guard, Windows Defender ATP or equivalent + CrowdStrike or equivalent
  • Don’t allow Internet access from a browser
  • Install Minimal Software
  • Allow Minimal Administrative Accounts (gad-xxxx accounts in our case)
  • Implement a Hardened OU for the PAWs into the GAD of MUCMSPDOM


To monitor an ActivityID, and ADFS in general:

The module file is ADFSDiagnostics.psm1, located under “%programfiles%\Microsoft AD Health Agent\Microsoft AD Diagnostics Service”. Note that it requires elevated access and PowerShell 4.0 to run. The cmdlets available in the module are listed with:

PS C:\Program Files\Microsoft AD Health Agent\Microsoft AD Diagnostics Service> Get-Command -Module ADFSDiagnostics

Monitor ActivityID:

Sometimes it is useful to have the trace in a table format. For that, use the OutHtmlFilePath parameter: the cmdlet then writes the output to an HTML file and opens it in the browser:

import-module ADFSDiagnostics.psm1

Get-AdfsServerTrace -ActivityId 00000000-0000-0000-ce70-0080000000df -OutHtmlFilePath .\report.htm




If you’re looking for a deep-dive course on strategic approaches to building better cybersecurity defenses in your organization, look at the Microsoft Cybersecurity Reference Architecture.

Planning and implementing a security strategy to protect a hybrid of on-premises and cloud assets against advanced cybersecurity threats is one of the greatest challenges facing information security organizations today. Microsoft has built a set of strategies and integrated capabilities to help you solve these challenges and is continuing to invest in making this easier.

This training course explores real-life use cases to help address your organization’s security issues, and offers guidance on protecting an enterprise that spans cloud and mobile devices outside your network controls. It covers common challenges and recommended approaches for threat protection, building an identity-based security perimeter, information protection, and software as a service (SaaS) security, and also looks at device and datacenter security, along with threat detection along the kill chain.

The course outline includes:

  • Overview
  • Building an Identity Security Perimeter
  • Threat Detection
  • Server and Azure Security

Watch the deep dive

Understanding ADFS and Federation by an example:

Comparing SAML, WS-FED and OAuth:

What’s new in ADFS 2016?

  • Eliminate Passwords from the Extranet
  • Sign in with Azure Multi-factor Authentication
  • Password-less Access from Compliant Devices
  • Sign in with Microsoft Passport
  • Secure Access to Applications
  • Better sign-in experience
  • Manageability and Operational Enhancements

You can upgrade an AD FS 2012 R2 farm using the “mixed farm” process described here. It works for WID and SQL farms, though the document shows only the WID scenario. Another upgrade procedure:

  1. Update the Active Directory schema with the Windows Server 2016 additions using ‘adprep’
  2. Build Windows Server 2016 servers with ADFS, join them to the existing farm and add them to the Azure load balancer
  3. Promote one of the ADFS 2016 servers as “primary” of the farm, and point all other secondary servers to the new “primary”
  4. Build Windows Server 2016 servers with WAP and add the servers to the Azure load balancer
  5. Remove the WAP 2012 servers from the Azure load balancer
  6. Remove the ADFSv3 servers from the Azure load balancer
  7. Raise the Farm Behavior Level (FBL) to ‘2016’
  8. Remove the WAP servers from the cluster
  9. Upgrade the WebApplicationProxyConfiguration version to ‘2016’
  10. Configure ADFS 2016 to support Azure MFA and complete the remaining configuration
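The farm role change, the behavior-level raise and the WAP configuration upgrade from steps 3, 7 and 9, as an added PowerShell example; it is not from the original page or from Microsoft's upgrade document, and the host name is a placeholder.

```powershell
# Added example, not from the original page. The host name below is a placeholder.
$NewPrimary = 'adfs2016-01.mydomain.local'   # one of the new Windows Server 2016 AD FS nodes

# Step 3, on the chosen 2016 node: make it the primary of the farm
# (WID farm; a SQL farm has no primary/secondary roles and skips this step).
Set-AdfsSyncProperties -Role PrimaryComputer

# Step 3, on every other node (2016 and, until removed, 2012 R2): follow the new primary.
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $NewPrimary

# Step 7, on the primary, after the 2012 R2 nodes have left the farm. The Test-* cmdlet
# reports what still blocks the raise without changing anything; the raise itself is
# one-way, so read that output first.
Test-AdfsFarmBehaviorLevelRaise
Invoke-AdfsFarmBehaviorLevelRaise

# Verify: CurrentFarmBehavior should now read 3, the 'AD FS 2016' level.
Get-AdfsFarmInformation | Select-Object CurrentFarmBehavior, FarmNodes

# Step 9, on one of the 2016 WAP servers, once all 2012 R2 WAP servers are gone.
Set-WebApplicationProxyConfiguration -UpgradeConfigurationVersion
```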

Other links:

ADFS 2016 operations and management best practices

ADFS Required updates

ADFS 2016 deployment

ADFS 2016 design, Sign-in pages customization


PowerShell is a great language, but with the power and capabilities it offers also come risks. PowerShell logging is turned off by default, but there are two easy ways to enable it so that you can get some insight into which commands are being executed and collect information for security forensics.

Enable logging using GPO:

If you want to enable logging on more than one server, it may be more convenient to use Group Policy (or GPEDIT.msc locally) to push out the necessary settings. In the Group Policy Management Editor, you can find the configuration settings for PowerShell under:

Computer Configuration, Policies, Administrative Templates, Windows Components, and Windows PowerShell


User Configuration, Policies, Administrative Templates, Windows Components, and Windows PowerShell

The Group Policy Object (GPO) setting you need is called Turn on Module Logging:




Note: here specifically for the Active Directory module. Enabling logging for the core modules gives more detail in the event log when running the Get-ADUser cmdlet, such as which AD objects the command binds to. Once you’ve configured the policy setting and made sure the GPO is linked to an OU, you should reboot the affected server(s).

Also enable the GPO setting called Turn on PowerShell Script Block Logging:


The Group Policy Object (GPO) setting you need is called Turn on PowerShell Transcription:

and you must specify a target directory in which to store the transcripts of the PowerShell sessions, e.g. d:\PS_Logs

(don’t forget to turn PowerShell transcription off again, because it will fill up your disk space)


Finally, how to use the results of the PowerShell logging:

a) look at the transcripts in the PS_Logs directory

b) open Event Viewer from the Tools menu in Server Manager and expand the default Windows PowerShell event log, and the Operational log located under Applications and Services Logs, Microsoft, Windows, PowerShell, then select the Operational log.

Note: increase the maximum size of both the default Windows PowerShell log and the Operational log.
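The three GPO settings above written as their local registry equivalents, plus the log-size change and the event query from step b), as an added PowerShell example that is not from the original page; the only value taken from the text is the D:\PS_Logs directory.

```powershell
# Added example, not from the original page. On domain-joined servers prefer the GPO so the
# settings cannot be undone locally; these are the registry values that GPO writes.
$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'D:\PS_Logs'   # target directory from the text
$OpLog         = 'Microsoft-Windows-PowerShell/Operational'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $key = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Turn on Module Logging, limited to the Active Directory module ('*' would cover all modules)
Set-PolicyValue 'ModuleLogging' 'EnableModuleLogging' 1
Set-PolicyValue 'ModuleLogging\ModuleNames' 'ActiveDirectory' 'ActiveDirectory' 'String'

# Turn on PowerShell Script Block Logging
Set-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging' 1

# Turn on PowerShell Transcription into the target directory, with a timestamp header per command
Set-PolicyValue 'Transcription' 'EnableTranscripting' 1
Set-PolicyValue 'Transcription' 'EnableInvocationHeader' 1
Set-PolicyValue 'Transcription' 'OutputDirectory' $TranscriptDir 'String'
New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null

# The note above about log size: raise the Operational log to 256 MB so older events are
# not overwritten before anyone reads them.
wevtutil set-log $OpLog /ms:268435456

# Reading the results: module logging produces event 4103 (pipeline execution, including the
# bound AD objects) and script block logging event 4104 (the script text itself).
function Get-PowerShellAuditEvent {
    param([int]$Hours = 24, [int[]]$Id = @(4103, 4104))
    Get-WinEvent -FilterHashtable @{
        LogName   = $OpLog
        Id        = $Id
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.UserId } },
                      @{ n = 'Text'; e = { $_.Message -replace '\s+', ' ' } }
}

Get-PowerShellAuditEvent -Hours 1 | Format-Table -AutoSize -Wrap
```

New PowerShell sessions pick the policy values up at startup; sessions already open keep running without logging until restarted.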


Azure AD Application proxy

Azure AD application proxy:

Security considerations:

Understand Application proxy connector:

Network topology considerations:

AzureAD PowerShell module


AzureAD PowerShell module version is

AzureADPreview PowerShell module version is

Note: the preview module is the most recent and contains new cmdlets such as Get-AzureADDirectorySetting or Set-AzureADDirectorySetting


Getting started with PowerShell for O365:

Azure AD PowerShell module:

Powershell cmdlets reference:


How to install the module to access Office 365/Azure AD:

The PowerShellGet module requires PowerShell 3.0 or newer. Therefore, PowerShellGet requires one of the following operating systems:

  • Windows 10
  • Windows 8.1 Pro
  • Windows 8.1 Enterprise
  • Windows 7 SP1
  • Windows Server 2016 TP5
  • Windows Server 2012 R2
  • Windows Server 2008 R2 SP1

PowerShellGet also requires .NET Framework 4.5 or above. You can install .NET Framework 4.5 or above from here.

Then from a PowerShell prompt enter:

install-module AzureAD


import-module AzureAD




example:  Get-AzureADUser -Filter "displayname eq 'firstname lastname'" | Select-Object DisplayName,Mail

To list all user attributes (Get-MsolUser needs the MSOnline module; replace the placeholder with a real UPN):
Get-MsolUser -UserPrincipalName <user@domain> | Select-Object *

With AzureAD cmdlets (need module AzureAD):
Get-AzureADUser -Filter "displayname eq 'firstname lastname'" | Select-Object *




Web article:


How to test SSL/TLS:

You can easily see which SSL/TLS protocol versions a server supports (and even grab the certificate at the same time); example below with OpenSSL:

openssl s_client -connect myserver.mydomain.local:636 -ssl3
openssl s_client -connect myserver.mydomain.local:636 -tls1
openssl s_client -connect myserver.mydomain.local:636 -tls1_1
openssl s_client -connect myserver.mydomain.local:636 -tls1_2

All of those report a successful SSL handshake and present the proper server certificate.

It is very easy anyway for a client to get the supported SSL protocols of a remote server: that is how the client <==> server handshake works, to select an agreed protocol supported on both sides.
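The same protocol-by-protocol check as the openssl commands above, written as an added PowerShell example that is not from the original page, so that it runs from a Windows admin workstation without OpenSSL; the host and port are the text's placeholders.

```powershell
# Added example, not from the original page. The certificate callback returns $true on
# purpose: the aim is to see what the server offers, not to validate it.
$AcceptAnyCert = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslPolicyErrors) $true
}

function Test-TlsProtocol {
    param(
        [string]$ComputerName = 'myserver.mydomain.local',   # placeholder host from the text
        [int]$Port = 636,                                     # LDAPS, as in the text
        [string[]]$Protocols = @('Ssl3', 'Tls', 'Tls11', 'Tls12')
    )
    foreach ($name in $Protocols) {
        $proto  = [System.Security.Authentication.SslProtocols]$name
        $client = New-Object System.Net.Sockets.TcpClient
        $result = [ordered]@{ Protocol = $name; Supported = $false; Cipher = $null; Subject = $null; Error = $null }
        try {
            $client.Connect($ComputerName, $Port)
            $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $AcceptAnyCert
            # Offer exactly one protocol version; the handshake succeeds only if the server accepts it
            $ssl.AuthenticateAsClient($ComputerName, $null, $proto, $false)
            $result.Supported = $true
            $result.Cipher    = '{0}/{1}' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
            $result.Subject   = $ssl.RemoteCertificate.Subject
            $ssl.Close()
        } catch {
            # A handshake exception means this version was rejected, by the server or by local SChannel policy
            $result.Error = $_.Exception.GetBaseException().Message
        } finally {
            $client.Close()
        }
        [pscustomobject]$result
    }
}

Test-TlsProtocol | Format-Table -AutoSize
```

A "not supported" row can come from the client side as well: if SChannel on the workstation has that version disabled, the handshake fails regardless of what the server offers, so compare with the openssl result before concluding.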

I suggest you check on application side …

# nmap --script ssl-enum-ciphers -p 636 myserver.mydomain.local

Starting Nmap 6.46 ( ) at 2017-02-16 18:22 CET
Nmap scan report for myserver.mydomain.local (
Host is up (0.025s latency).
636/tcp open ldapssl
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA - strong