SPEAKING AT WORKPLACE NINJA VIRTUAL EDITION 2021

I’m excited to have been chosen as a speaker at the Workplace Ninja Summit Virtual Edition 2021. The 2021 summit is again held fully virtual, starting today. The event is an IT community conference focused on Endpoint Management, ConfigMgr, Intune, Microsoft Security, Azure AD, PowerShell and Azure Virtual Desktop, with Microsoft MVPs, Microsoft Regional Directors and other industry experts. Check out the event website.

OUR SESSION

I will speak together with my buddy Michael Rueefli (Azure MVP) about attacking and defending Azure AD identities. Our session title and speaking slot:

Spy vs. Spy – Azure AD identities attack and defense
– Session 2, 2PM, Room 2 –
Use this link to go to the whole session catalog: LINK

SOME WORDS ABOUT Workplace Ninja Virtual Edition 2021

The event is all virtual, as mentioned above. This is the second time that the Workplace Ninja Summit is held virtually.

Community leaders started the event two years ago. If you are interested in Microsoft cloud topics, this is a must-attend event. You can join all sessions using Microsoft Teams, and as it is a real community event, it’s free. However, it takes many working hours to put on an event like that. So, thanks a lot to the organizers!

Community
You have the possibility to exchange ideas and connect with other visitors and speakers of this event. Use this platform and the event as a virtual meeting zone and who knows… new synergies may arise. It would be cool to see you there, virtually!

Official hashtag used: #WPNinjS

So do not miss the great speaker line-up.
See you there!

SPEAKING AT CLOUD8 – VIRTUAL SUMMIT

I’m excited to have been chosen as a speaker at the Cloud8 virtual summit (Part II). Cloud8 2020 is again held fully virtual, on November 13th. The event is an IT community conference focused on Microsoft cloud, datacenter, security and modern workplace topics, with Microsoft MVPs, Microsoft Regional Directors and other industry experts. Check out the event website.

MY SESSION

I will speak about Zero Trust, protecting your identities and implementing Identity Governance. My session title and speaking slot:

Identity Governance – A valid and secured Identity is gold!
– Session 17, 3PM –
Use this link to go to the whole session catalog: LINK

SOME WORDS ABOUT Cloud8

Cloud8 is all virtual, as mentioned above. This year is the second time that Cloud8 is held, which is why it’s called Part II :-).

Community leader Drago Petrovic launched this great event with its first edition in spring. If you are interested in Microsoft cloud topics, this is a must-attend event. You can join all sessions using Microsoft Teams, and as it is a real community event, it’s free. However, it takes many working hours to put on an event like that. So, thanks a lot to the organizers!

HUB Zone
There is a HUB Zone where you can meet others. In the HUB Zone you have the possibility to exchange ideas and connect with other visitors and speakers of this event. Use this platform as a virtual meeting zone and who knows… new synergies may arise. It’s easy to join as well: just click on the “join HUB meeting” link. It would be cool to see you there, virtually!

Official hashtag used: #cloud8

We just had our briefing call with Drago.

So do not miss the great speaker line-up.
See you there!

REMOVE ADFS FARM AFTER MOVING TO AZURE AD AS IDP

Updated 31.08.2022

I have done, and am still doing, a number of ADFS to Azure AD authentication projects, where authentication is moved either to Password Hash Sync (PHS) with Seamless SSO (sSSO) or to Pass-through Authentication (PTA) with sSSO. Once the farm no longer authenticates anyone, it should be removed: an idle ADFS farm is still an internet-facing identity provider with signing keys and service accounts that nobody monitors.

First of all, you should know your environment before you start removing services. I assume that you know which servers are members of your ADFS farm. If not, STOP here and find out first :-). PowerShell tells you the role of the host you are on and which server is the primary of the farm. Run this on each of your ADFS hosts:

Get-ADFSSyncProperties

Make sure you have migrated all authentications to Azure AD and that the relying party trusts have been disabled for a while now. This gives you the certainty that no authentication flow still passes through your ADFS environment.

You should also check the “Application” log on each of your ADFS servers. Filter it by the event sources “AD FS”, “AD FS Auditing”, “AD FS Tracing” and “ADHealth-Adfs” to confirm that no authentication flow still runs over ADFS. If ADFS auditing is enabled, the sign-in events (token issued, credential validated, credential failed) are written by “AD FS Auditing” to the Security log, so check that log as well.

If you still see authentications (successful or failing) going over your farm, make sure they get migrated to Azure AD before you remove your ADFS servers. Also have a look at Applications and Services Logs > AD FS > Admin. If all is clear, you can start decommissioning your farm.

On your primary ADFS server, note the distinguished name of the certificate sharing container, as you will need it later to remove the container with ADSI Edit. Do this before you remove the ADFS farm, because the property is gone once the farm is:

(Get-ADFSProperties).CertificateSharingContainer
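The checks above (farm role, disabled relying party trusts, no recent sign-in events in the Security, Admin and Application logs, and recording the sharing container DN) can be run as one script per farm node. This is an added example and not code from the original post. It assumes the ADFS PowerShell module is present (it is on every farm member), that ADFS auditing is enabled so that “AD FS Auditing” writes event IDs 1200 (token issued), 1202 (credential validated) and 1203 (credential failed) to the Security log, and that the $LookbackDays window is long enough to cover your least frequent sign-in pattern; $LookbackDays and the output file path are assumptions you can change.

```powershell
# Added example (not from the original post): pre-decommission checks for one ADFS node.
# Run it on every farm member. Assumes the ADFS module, ADFS auditing enabled, and a
# lookback window that covers your rarest sign-in pattern (e.g. monthly batch jobs).
$LookbackDays = 30
$Since        = (Get-Date).AddDays(-$LookbackDays)

# 1. Farm role: "PrimaryComputer" on the WID primary, "SecondaryComputer" elsewhere.
$sync = Get-AdfsSyncProperties
Write-Host ("{0}: Role={1} Primary={2}" -f $env:COMPUTERNAME, $sync.Role, $sync.PrimaryComputerName)

# 2. Every relying party trust should have been disabled for the whole window.
$enabledRps = @(Get-AdfsRelyingPartyTrust | Where-Object Enabled)
if ($enabledRps.Count -gt 0) {
    Write-Warning "Relying party trusts still enabled:"
    $enabledRps | Select-Object Name, Identifier | Format-Table -AutoSize
}

# 3. Security log: 1200 = token issued, 1202 = credential validated, 1203 = credential failed.
#    Any hit means something still authenticates through this farm (1203 = still trying).
$auth = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 1200, 1202, 1203; StartTime = $Since
})
if ($auth.Count -gt 0) {
    Write-Warning ("{0} ADFS sign-in events since {1:d}:" -f $auth.Count, $Since)
    $auth | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
    # The message text names the relying party and client, so you know what to migrate first.
    $auth | Where-Object Id -eq 1200 | Select-Object -First 10 -ExpandProperty Message
} else {
    Write-Host "No AD FS Auditing sign-in events in the last $LookbackDays days."
}

# 4. Admin log (errors and warnings) and the Application log sources named in the post.
$adminIssues = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'AD FS/Admin'; Level = 2, 3; StartTime = $Since
})
$appEvents = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'AD FS', 'AD FS Auditing', 'AD FS Tracing', 'ADHealth-Adfs'
    StartTime = $Since
})
Write-Host ("AD FS/Admin errors+warnings: {0}; Application log ADFS events: {1}" -f $adminIssues.Count, $appEvents.Count)
if ($appEvents.Count -gt 0) {
    $appEvents | Group-Object ProviderName, Id | Select-Object Name, Count | Format-Table -AutoSize
}

# 5. Record the certificate sharing container DN now; the property disappears with the farm.
$dn = (Get-AdfsProperties).CertificateSharingContainer
$dn | Out-File -FilePath "$env:USERPROFILE\adfs-sharing-container.txt"   # assumed location
Write-Host "Certificate sharing container: $dn"
```

Get-WinEvent throws when a filter matches nothing, which is the outcome you want here, hence -ErrorAction SilentlyContinue and the @() wrapping so .Count is always defined. Decide on the window before you start and do not shorten it because the log looks quiet: a service account that signs in once a month is exactly what you are looking for.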

Remove the WAP Servers

Log in to each WAP server, open the Remote Access Management Console and look at the published web applications. Remove any ADFS-related publications that are no longer in use. Make a note of each external URL you remove: very likely you can also remove that name from public and private DNS once the service is no longer needed. When nothing is published any more, remove the WAP role itself with PowerShell:

Remove-WindowsFeature Web-Application-Proxy,RSAT-RemoteAccess

If you need an alternative to Remote Access Management and WAP for publishing internal web applications, have a look at Azure AD Application Proxy.

Remove ADFS Server

On your secondary ADFS hosts first, and on the primary last, start PowerShell and remove the ADFS federation role including the Windows Internal Database feature (if it is not needed for anything else). Run the command and reboot the server:

Remove-WindowsFeature ADFS-Federation,Windows-Internal-Database

After the reboot, also remove the ADFS database from the local system by running the command below. This clears the ADFS database and log files from the WID data folder (WID keeps them locked until the feature is gone and the server has rebooted).

del C:\Windows\WID\data\adfs*

Clean-up some more ADFS Stuff

Do not forget to remove:
– Internal and external ADFS-specific DNS records (the federation service name and the URLs noted while removing the WAP publications)
– Load balancer configurations for the ADFS farm
– Firewall rules between Internet, load balancer, DMZ and the ADFS servers
– Certificates: revoke the service communication and token-signing certificates if they are no longer needed
– Service accounts and Group Managed Service Accounts
– IIS on the ADFS servers, if it was only installed for an older ADFS version, and/or decommissioning of the Windows servers themselves

If you have removed all ADFS servers from your forest, you are now safe to remove the certificate sharing container in ADSI Edit. Open the Default naming context and navigate to {your domain partition} > CN=Program Data > CN=Microsoft > CN=ADFS.

Below CN=ADFS, select the container whose GUID matches the CertificateSharingContainer value you noted from the ADFS properties earlier and delete that container. Delete only that GUID container, not CN=ADFS or anything above it.
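The WAP removal, the ADFS node removal, the WID clean-up and the final container deletion, scripted as functions in the order they have to run. This is an added example and not code from the original post. It assumes you pass the DN recorded earlier from (Get-AdfsProperties).CertificateSharingContainer, that this DN has the shape CN={GUID},CN=ADFS,CN=Microsoft,CN=Program Data,… (the guard in Remove-AdfsSharingContainer refuses anything else), and that the ActiveDirectory module (RSAT-AD-PowerShell) is available on the host that runs the last step; the function names and the DNS names in the usage comments are assumptions.

```powershell
# Added example (not from the original post): decommission one node, then the AD container.
# Order: WAP servers first, secondary ADFS servers next, the primary last, ADSI clean-up once.

function Remove-WapNode {
    # Publishing rules go first; record the external URLs for the DNS clean-up later.
    $apps = @(Get-WebApplicationProxyApplication)
    foreach ($app in $apps) {
        Write-Host ("Removing published app '{0}' external URL {1}" -f $app.Name, $app.ExternalUrl)
        Remove-WebApplicationProxyApplication -Name $app.Name
    }
    Uninstall-WindowsFeature Web-Application-Proxy, RSAT-RemoteAccess
    Write-Host "WAP role removed; reboot this server."
}

function Remove-AdfsNode {
    # The primary must go last: secondaries sync their configuration from it until then.
    $role = (Get-AdfsSyncProperties).Role
    if ($role -eq 'PrimaryComputer') {
        Write-Warning "This is the primary. Make sure every secondary is already removed."
    }
    Uninstall-WindowsFeature ADFS-Federation, Windows-Internal-Database
    Write-Host "ADFS role removed; reboot, then run Remove-WidAdfsData."
}

function Remove-WidAdfsData {
    # Only after the reboot: WID holds the .mdf/.ldf files open while it is installed.
    $dataDir = Join-Path $env:SystemRoot 'WID\Data'
    $files = @(Get-ChildItem -Path $dataDir -Filter 'Adfs*' -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) { Write-Host "No ADFS database files left in $dataDir"; return }
    $files | Remove-Item -Force -Verbose
}

function Remove-AdfsSharingContainer {
    param([Parameter(Mandatory)][string]$SharingContainerDN)
    Import-Module ActiveDirectory
    # Guard: delete only the GUID container directly under CN=ADFS,CN=Microsoft,CN=Program Data.
    # Deleting CN=ADFS or anything above it would take unrelated objects with it.
    if ($SharingContainerDN -notmatch '^CN=[0-9a-fA-F-]{36},CN=ADFS,CN=Microsoft,CN=Program Data,') {
        throw "Refusing to delete '$SharingContainerDN': not an ADFS certificate sharing container DN."
    }
    $container = Get-ADObject -Identity $SharingContainerDN -ErrorAction Stop
    # -Recursive removes the certificate objects stored inside the container as well.
    Remove-ADObject -Identity $container -Recursive -Confirm:$false
    Write-Host "Deleted $SharingContainerDN"
}

function Test-AdfsDnsLeftovers {
    # Names that should no longer resolve once DNS has been cleaned up (internal and external).
    param([Parameter(Mandatory)][string[]]$Names)
    foreach ($name in $Names) {
        $r = Resolve-DnsName -Name $name -ErrorAction SilentlyContinue
        if ($r) { Write-Warning "$name still resolves to $($r.IPAddress -join ', ')" }
        else    { Write-Host "$name no longer resolves" }
    }
}

# Usage (names are placeholders):
#   On each WAP server:      Remove-WapNode ; then reboot
#   On each ADFS server:     Remove-AdfsNode ; reboot ; Remove-WidAdfsData   (secondaries first, primary last)
#   Once, from an admin host with RSAT-AD-PowerShell:
#     Remove-AdfsSharingContainer -SharingContainerDN 'CN=<guid>,CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com'
#     Test-AdfsDnsLeftovers -Names 'sts.contoso.com', 'enterpriseregistration.contoso.com'
```

The regex guard is the part worth keeping even if you run the rest by hand: the container deletion is the one irreversible step that touches the directory rather than a single server, and a mistyped DN in ADSI Edit has no undo.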

All done. Hope this helps!