It’s time for yet another episode of Jannick’s findings. Here are my latest finds.
Microsoft 365 Lighthouse for E5
When Microsoft started out with Microsoft 365 Lighthouse (not to be confused with Azure Lighthouse), it was only targeted at SMB customers. Better yet, it was developed for SMB customers in particular. Some time ago, after too many Partner complaints, they made M365 E3 join the service. And now, finally, M365 E5 is in as well.
Do mind, the requirements still state a maximum number of users: 2500. It’s still a sign that the larger Enterprise customers should look for better ways to manage their estate, although the number has been raised and they state they will keep evaluating this requirement.
Microsoft 365 Lighthouse relies on so-called Delegated Admin Privileges, or DAP for short, which are permissions for Microsoft Partners to manage their customers’ tenants on their behalf. Users in the Microsoft Partner’s Cloud Solution Provider (CSP) tenant can have access to their customers’ tenants. This means it’s only available to Microsoft Partners.
Granular Delegated Admin Privileges
Talking about DAP, Granular Delegated Admin Privileges is Generally Available now. GDAP is the successor of DAP. Because DAP is not granular at all, the company I work at has prohibited the use of DAP from the start. It’s too much of a risk: one security group in the CSP tenant grants Global Admin permissions to all customers at once where DAP is enabled. That’s a lot of permissions right there. And another group grants Helpdesk Administrator. Well, Microsoft finally got the message, after the first hacks using DAP, and required MFA to be turned on for all accounts in CSP tenants. And now, after a long period of development, there is GDAP, the granular version of DAP.
All built-in Azure AD roles can be delegated from customer to partner and in the partner tenant these roles can be mapped to any security group.
While it is so much improved compared to DAP, there are still some gaps unfortunately. Some functionality is not supported with GDAP (or DAP for that matter). Those things could still cause Partners to have named accounts - or worse, shared accounts - in their customers’ tenants. Some examples are:
- public folders
- mail flow rules and alerts
- all things Azure AD Connect
On the other hand, there’s the added functionality of Microsoft 365 Lighthouse and other single-pane-of-glass portals to manage multiple customers.
Temporary Access Pass
Microsoft finally closed the loop on the lifecycle of using passwordless. Onboarding new users to Hello for Business was not as easy as one would think, but now with Temporary Access Pass there is a solution.
This solution makes passwordless a viable option to sell to customers.
Group Writeback [public preview]
Microsoft announced Group Writeback where the source of authority is Azure AD. While this is probably going to create many more problems and confusion among admins, the flexibility this feature creates is so useful! Instead of having to manage group memberships in Active Directory, which are replicated to Azure Active Directory, the tables have now turned and management from the cloud (using APIs like the Microsoft Graph) is possible. Access Reviews and other Azure AD Entitlement Management functionality can be used on those groups. It’s definitely a step forward in the cloud-first strategy and useful for organizations that still rely on Active Directory.
Modern auth with POP and IMAP
OAuth 2.0 provides various authorization flows, one of them being the client credentials grant flow. This flow enables Service Principals in Azure AD to get access to mailboxes using POP or IMAP on behalf of the application (not on behalf of the user using the app).
These improvements are very welcome, now that there is a new (and final) date for deprecating basic authentication: the 1st of October this year.
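As an added example (not code from the original post), this is how an app registration would use the client credentials grant to authenticate to Exchange Online IMAP with SASL XOAUTH2. The tenant ID, client ID, secret and mailbox are placeholders, and it assumes the service principal has already been registered in Exchange Online and granted access to that specific mailbox.

```python
import base64
import imaplib
import json
import urllib.parse
import urllib.request

# Placeholder values (constructed); replace with your own app registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "<client-secret>"
MAILBOX = "shared@contoso.example"  # mailbox the service principal was granted access to

# ".default" asks for the application permissions already consented to for the app,
# e.g. IMAP.AccessAsApp / POP.AccessAsApp; no user signs in with this flow.
SCOPE = "https://outlook.office365.com/.default"


def get_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client credentials grant: the app's own secret is exchanged for an access token."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def xoauth2_raw(user: str, access_token: str) -> bytes:
    """SASL XOAUTH2 initial client response: user=<upn>^Aauth=Bearer <token>^A^A."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()


def build_xoauth2(user: str, access_token: str) -> str:
    """Base64 form of the XOAUTH2 response, as sent on the wire after AUTHENTICATE XOAUTH2."""
    return base64.b64encode(xoauth2_raw(user, access_token)).decode()


def imap_login_app_only(mailbox: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Open the mailbox with the app token; no password is involved at any point."""
    conn = imaplib.IMAP4_SSL("outlook.office365.com", 993)
    # imaplib base64-encodes the callback's return value itself, so hand it the raw bytes.
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_raw(mailbox, access_token))
    return conn


if __name__ == "__main__":
    token = get_app_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    conn = imap_login_app_only(MAILBOX, token)
    print(conn.select("INBOX", readonly=True))  # e.g. ('OK', [b'42'])
    conn.logout()
```

Because access is granted per mailbox on the Exchange side, an app registration with IMAP.AccessAsApp still cannot read mailboxes it was not explicitly assigned to, which is the control to audit when reviewing such apps.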
AzAdvertizer
While the AzAdvertizer site wasn’t new to me, I was surprised it has gained awesome new functionality over time. I remember it being the site where all the built-in Azure RBAC roles, Azure Policy Definitions and Initiatives are tracked so you can quickly tell what’s new, deprecated or changed. Nowadays Resource Provider Operations are tracked too. And I like the ‘Other’ tab, where very useful links are listed.
Azure Heat Map
While we’re at it: if you want an overview of what’s new in Azure, the Azure Heat Map is a great tool! It indicates visually which services had updates over time. This is usually a sign of where Microsoft is heading.
What is cool is that it now includes the Learning Explorer where you can simply click a service and the site finds all the Microsoft Learn Learning Paths, Modules, Exams and Certifications associated to the service.