
Azure AD Cross-Tenant Synchronization is now in Public Preview

For a long time, the methods of having two Azure AD tenants aware of each other’s users needed to be managed in either a manual, or scripted way; accessing the data of another tenant or using their configured Apps would require each user to enrol to the other tenant and be given default guest permissions; or an admin at the destination tenant would need to set things up, send invites out, or do something else creative to make the user experience better.

I was on board Azure AD B2B in the early days; as a Microsoft MVP I had the privilege of speaking to a product manager for it that one time I went to Redmond, talking about my use case and seeing if I was ‘doing it right’. A combination of Azure AD B2B and Azure App Proxy I’d set up for guest accounts to get into an internally hosted web based application, and it worked quite well. I had my own script going through a many step process to send out an invite to the user, add the user to multiple groups and whatever other trickery I needed at the time.

Cross-tenant synchronization, however, takes a lot of that pain away. You can set up a trust between two Azure AD tenants (which can be a one-way sync) to allow users in Tenant A to be automatically created and managed in Tenant B as guest users. This is great for organisations who have to frequently work with another org – and even though it’s early days for cross-tenant sync, there are some rather good controls already. You aren’t limited to a single relationship either; I can’t see any documented limits.

Attribute Mapping allows you to configure extra rules around the attributes that get passed on, allowing you to manipulate, add or remove certain attributes (you might want to remove an employee number from employeeid, or add an extra attribute to define what tenant they were synced from; or do something that will in turn match a dynamic security group rule to automatically add your synced users to be allowed to access an application).

I’d often step through how to set this up in one of these articles, but the documentation is already detailed with step-by-step screenshots and clear instructions. It worked exactly as described when I set this up between two test tenants I have, and took about 15 minutes beginning to end, which included reading the documentation a few times to make sure I was following it correctly. It’s also possible to do via Graph API, but I did not try this method.

There are even detailed sync logs, troubleshooting tips, and detailed reporting.

One question I’ve seen multiple people already ask is how this relates to the Global Address List (GAL) and People Search – which the documentation claims isn’t on by default, but is easy to enable. In my testing however, the accounts showed up in the GAL with the little ‘blue person in front of world’ symbol with no extra configuration. They didn’t turn up instantly and I waited overnight, then they were there. People Search was the same. If you want to investigate this for yourself, check out the showInAddressList attribute. Other documentation also says guest objects aren’t in the GAL by default:

and here are the instructions on how to “Add guests to the global address list”.

As always, be aware that this is Public Preview so has fewer guarantees than a fully launched feature. If you have any feedback or want to see what others might be saying/asking, check out the official feedback for Azure Active Directory.

Edit 10/02/2023

Worth mentioning licensing.

As per What is a cross-tenant synchronization in Azure Active Directory? (preview) – Microsoft Entra | Microsoft Learn:

In the source tenant: Using this feature requires Azure AD Premium P1 licenses. Each user who is synchronized with cross-tenant synchronization must have a P1 license in their home/source tenant. To find the right license for your requirements, see Compare generally available features of Azure AD.

In the target tenant: Cross-tenant sync relies on the Azure AD External Identities billing model. To understand the external identities licensing model, see MAU billing model for Azure AD External Identities

The MAU billing section:

In your Azure AD tenant, guest user collaboration usage is billed based on the count of unique guest users with authentication activity within a calendar month. This model replaces the 1:5 ratio billing model, which allowed up to five guest users for each Azure AD Premium license in your tenant. When your tenant is linked to a subscription and you use External Identities features to collaborate with guest users, you’ll be automatically billed using the MAU-based billing model.

Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features. To determine the total number of MAUs, we combine MAUs from all your tenants (both Azure AD and Azure AD B2C) that are linked to the same subscription.

The pricing tier that applies to your guest users is based on the highest pricing tier assigned to your Azure AD tenant. For more information, see Azure Active Directory External Identities Pricing.

Then from Pricing – Active Directory External Identities | Microsoft Azure:

Each synced user needs an Azure AD Premium P1 or P2 license in their home tenant.

Each tenant receiving synced users has the Azure AD External Identities billing model which used to be a 1:5 model, but is now 50k users free, the rest a small charge per active user.

Does a synced account count as an active user? Unsure, I would guess it’s a ‘probably not’ since there’s no active login for just existing as a guest in another tenant, but verify that for yourself with your licensing reseller.
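The MAU definition quoted above, applied to constructed sign-in records (an added example, not from Microsoft's documentation or the original post). The field names, the UTC month boundary and counting the same person once per tenant are assumptions; it only illustrates the quoted wording, under which a guest that exists in the directory but never authenticates does not appear in the monthly count.

```python
from collections import defaultdict
from datetime import datetime, timezone

FREE_MAU_PER_MONTH = 50_000  # free allowance from the quoted billing text

# Constructed sample records; the field names are illustrative, not a real log schema.
SIGN_INS = [
    {"tenant": "target-a", "user": "guest-1", "user_type": "Guest", "time": "2023-01-03T09:15:00+00:00"},
    {"tenant": "target-a", "user": "guest-1", "user_type": "Guest", "time": "2023-01-20T14:00:00+00:00"},
    # Local time is 31 January, but this falls in February once converted to UTC.
    {"tenant": "target-a", "user": "guest-2", "user_type": "Guest", "time": "2023-01-31T23:30:00-05:00"},
    {"tenant": "target-b", "user": "guest-1", "user_type": "Guest", "time": "2023-01-10T08:00:00+00:00"},
    {"tenant": "target-a", "user": "member-1", "user_type": "Member", "time": "2023-01-05T10:00:00+00:00"},
    {"tenant": "target-a", "user": "guest-3", "user_type": "Guest", "time": "2023-02-14T12:00:00+00:00"},
]

# Constructed directory contents: guest-4 was provisioned but has never signed in.
DIRECTORY_GUESTS = {
    ("target-a", "guest-1"), ("target-a", "guest-2"), ("target-a", "guest-3"),
    ("target-a", "guest-4"), ("target-b", "guest-1"),
}


def monthly_active_guests(sign_ins):
    """Return {'YYYY-MM': set of (tenant, user)} for guests with sign-in activity."""
    active = defaultdict(set)
    for rec in sign_ins:
        if rec["user_type"].lower() != "guest":
            continue  # members are not part of the guest MAU count
        when = datetime.fromisoformat(rec["time"]).astimezone(timezone.utc)
        # A set makes repeat sign-ins by the same guest count once per month.
        active[when.strftime("%Y-%m")].add((rec["tenant"], rec["user"]))
    return dict(active)


def billable_mau(active_by_month, free=FREE_MAU_PER_MONTH):
    """Guests above the free allowance, per month, summed across the listed tenants."""
    return {month: max(0, len(guests) - free) for month, guests in active_by_month.items()}


def idle_guests(directory_guests, active_by_month, month):
    """Guests present in the directory with no sign-in activity in the given month."""
    return sorted(directory_guests - active_by_month.get(month, set()))


if __name__ == "__main__":
    active = monthly_active_guests(SIGN_INS)
    for month in sorted(active):
        print(month, "active guests:", len(active[month]),
              "billable:", billable_mau(active)[month],
              "idle:", idle_guests(DIRECTORY_GUESTS, active, month))
```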

Motorola MA1 Wireless Car Adapter For Android Auto™ Review

Do you have a car?
Does it have Android Auto?
Does it only support wired connections and not wireless?
Do you use an Android phone?
Do you like dongles?

If you answered ‘yes’ to all of those questions, then this is the product for you.

I’ve been using the MA1 for about two months. I’ll start with the “Before MA1 Time”:

My new car had Android Auto support, but only via USB plugged in via the middle console of the car. I had high hopes for using Android Auto, particularly for mapping as I’d be confident it’s better than any car’s built-in GPS and map solution; but jumping in the car and having to plug the phone in every time is a pain. It might sound like a small pain, but it’s enough to not bother – getting the phone out of my pocket, docking it in a phone holder and plugging the USB-C cable in is enough, but then there’s the 20-30 seconds it takes to detect and start actually working. I slowly did this less and less, until I’d only go through it when I had a new destination to go to and knew that before getting to the car.

This has a few negatives, partly the mixed experience in navigating the car’s entertainment system depending if I was plugged in or not, but also not having the benefits of Google Maps telling me where there were delays on each trip and suggesting alternate paths (which comes in handy driving to work where there’ll be an inevitable daily car crash somewhere, holding up traffic).


Enter the Motorola MA1 Wireless Car Adapter For Android Auto™. A small enough dongle designed to make a wired-only Android Auto car wireless. It does what it says on the box, and is very simple to pair via Bluetooth and get started with. Once paired, there’s nothing to do – I get in the car, turn it on, and within 10 seconds Android Auto is up and running with my phone still in my pocket.

This means I can do things like quickly scroll to the address of work as I take off in my car and get those traffic benefits. Or, I can control my Podcast app and pick a different item to listen to (legally – my car blocks the touch screen when the car is moving, but allows dial/button controls which I can do at a red light).

Answering and making calls was already fine by normal Bluetooth – it’s probably easier to look up contacts now but I’d normally use a Google voice command to call someone anyway. No real difference there.

The only negatives I can call out about this device are that the cable between USB port and dongle is a bit stiff and can’t be twisted – if inconvenient though, I’m sure a USB extension cable would work to get the dongle in a preferred location. The second is that because it’s now running via Bluetooth, I do have a rare occasional dropout and I think it’s actually when I drive in a certain physical location near a hospital; possibly something’s getting in the way of Bluetooth itself. It does take about 20ish seconds to recover, but will do so without having to do anything but wait.

I purchased mine via Telstra Plus Rewards with some points that were going to expire, but you can also buy via Amazon.

Worth checking out for those that answered ‘yes’ to all those questions at the start – it’s a lot cheaper than getting a new car with wireless Android Auto.

A Tale of Two TVs

On second count there’s 6 TVs referenced in one way or another, but don’t let that throw you off my story:

My very cheap ‘FFalcon’ brand TV (which I believe is a rebadged TCL) which for a 65″ 4K TV cost ~$500AU from JB Hi-Fi (link is for a similar model). It actually functioned fine for a year or so, but like a frog slowly heating up in a pot of water, the backlight slowly went from reasonable, to the state you see below and I finally noticed how bad it was; which I couldn’t unsee:

New TV time! I started my research and read article after article, while keeping an eye out for potential bargains. One TV came up – an 85″ Samsung Q80B which had a hot sale, down from ~$6000AU to ~$2300AU direct from the Samsung site. As I spoke to their online chat about it to answer a few questions about panel type, the TV sold out. I was annoyed at the effort it took to get to that point, found a great price and missed out. The person on chat gave me a discount coupon to use on any other product, but the prices had gone up across the board and nothing seemed worth it.

A few days later during my sadness of a great deal lost, a new deal came up. 1 day only – the Linsar 82″ TV was down to $999 from $1799. There was also a way to buy the TV via eBay, sign up for Zip and get $150 off – after delivery, that price came up as $904. For an 82″ TV, I thought it was worth a shot!

The TV arrived a few days later, and after having a friend reinforce the wall mount for the TV weight going from less than 20KG up to 41KG, we put this giant rectangle up on the wall, with my brain having visions of a smashed TV lying on the ground, and half the wall ripped out:

55″ TV in background for reference (also a Ffalcon, but no issues with that one and was stupidly cheap a few years ago at $350AU, still going strong)

There was no TV smashing. However, when turning on the TV for the first time, I had a different disappointment:

That line isn’t supposed to be there. It wasn’t an absolutely broken line of pixels or anything like that, but a clear difference in brightness or contrast running down the TV. It was reasonably visible in most shows I watched – and after a bit of back and forth with The Good Guys, they organised a replacement to be sent out and for this TV to be sent back, a relatively easy process thankfully.

The replacement TV did not have the same line in question, but it did have worse backlighting line issues – again quite visible when watching anything on the TV and to me, not really acceptable even in a cheap unit.

After visiting The Good Guys again, and their sales people telling me how bad Linsar is and complaining that they shouldn’t even sell them with statements like “If you want another Linsar I won’t sell it to you”, but then trying to upsell me to $3000AU+ TVs, I asked for a refund (which they had no issue in providing) and went back to the drawing board.

More research again, and I landed on the TCL C825. Reviews were very positive in the value of the TV compared to cost, and complimenting the Mini LED technology in it. The TV had been quite cheap recently (sub $2000AU) but had gone up again at most places to mid $2500’s or more, with an ETA of a few months for more stock to arrive. Other models (C7xx, C6xx) didn’t have overly positive reviews, and the C9xx was pricier. I managed to find the unit in stock at Appliances Online for $1745 delivered (including a $50 off voucher) which despite not being as big as the 82″ TV and twice the price, was still an amount I was happy to pay to get a decent TV experience.

After receiving the TCL 825 and mounting it on the wall, the first test of course was a grey screen:

I was much happier with these results!

Everything about this TV is better than the last one – apart from the 7″ less viewing surface I have, it’s a great image quality experience. Impressively, the inbuilt Google TV feels faster than the Chromecast with Google TV device I had plugged in, so I’ll actually use the native experience; first time I’ve been happy with that.

As always, it takes me a while to be completely happy with all the screen settings and I’m fine tuning them searching for perfection, but out of the box I was already content with what it was doing.

The inbuilt sound is fine by me, including a small subwoofer in the back of the TV itself. I’m not an audiophile, but I don’t hear anything tinny or annoying.

What is the point of this story? A few lessons learnt – try to find out if the place you’re buying a TV from has a decent returns policy (better to search online than purely ask and trust them), but also taking a shot at a bargain TV that has no reviews online whatsoever may be worth it, but don’t expect it. Also, giant TV boxes are annoying and hard to get rid of.

Upgrading my Ubiquiti UDM to a UDM Pro SE

I’ve previously covered my home setup, mostly Ubiquiti powered; I’d bought the UDM (UniFi Dream Machine) myself as my security gateway which was working fine. However, after moving house and acquiring a rack, I asked Ubiquiti if there was any chance of sending me a UDM Pro SE to try out – thankfully for me they obliged!

My rack was filled with non-rack items, beyond some shelves that I’d bought. Functional, but a bit sad, and I’d hit capacity on the Switch 8 PoE previously provided.

Beyond going from a giant pill shaped device to a 1RU rack mountable device, what’s the difference between a UDM and UDM Pro SE? And what about the UDM Pro?

Here’s a breakdown of the differences – full specs of each device on the hyperlink title:

| Hardware | UDM | UDM Pro | UDM Pro SE |
| --- | --- | --- | --- |
| Networking interface | (4) LAN 10/100/1000 RJ45 Ports<br>(1) WAN 10/100/1000 RJ45 Port | (8) 10/100/1000 RJ45 LAN Ports<br>(1) 10/100/1000 RJ45 WAN Port<br>(1) 1/10G SFP+ LAN Port<br>(1) 1/10G SFP+ WAN Port | (1) WAN: 2.5 GbE RJ45 port<br>(8) LAN: 1 GbE RJ45 ports<br>(1) WAN: 10G SFP+<br>(1) LAN: 10G SFP+ |
| PoE | N/A | N/A | (2) PoE+ (pair A 1, 2+; 3, 6-)<br>(6) PoE (pair A 1, 2+; 3, 6-) |
| System Memory | 2 GB DDR RAM | 4 GB DDR4 | 4 GB DDR4 |
| On-Board Flash Storage | 16 GB | 16 GB eMMC | 16 GB eMMC<br>Integrated 128 GB SSD |
| Wi-Fi Standards | 802.11 a/b/g/n/ac/ac-wave2 | N/A | N/A |
| IDS/IPS Throughput | 850 Mbps | 3.5 Gbps | 3.5 Gbps |
| TouchScreen | N/A | 1.3″ | 1.3″ |
| UniFi OS Applications | Network | Network, Protect, Talk, Access | Network, Protect, Talk, Access |

Calling out the specifics between the three – the UDM is a more self contained solution which is why it includes inbuilt Wi-Fi, but will also happily manage downstream devices.

The UDM Pro lacks Wi-Fi because really, who needs Wi-Fi coming from the inside of a rack? But it does bring more ethernet ports, RAM, higher IDS/IPS Throughput (threat management traffic), and a nifty little 1.3″ touchscreen to perform simple tasks like rebooting the device. It also has NVR storage capabilities, meaning it can manage and record supported cameras. There’s also IP Phone support, and access support (like card reader through door access).

Finally, the UDM Pro SE really is a ‘special edition’ of the UDM Pro, giving the ethernet ports PoE support. It also brings 128GB of integrated storage for a bit more wiggle room for the UniFi OS Applications. The ethernet WAN port gets bumped from 1GbE to 2.5GbE for those who somehow have the internet data coming through at speeds greater than gigabit.

The useful little 1.3″ touchscreen
The UDM Pro SE installed, with the cable management project planned for Q1 2023.

My experience on migrating from the UDM to UDM Pro SE was an easy one. Using the admin web interface is pretty much the same as before, apart from having the extra options around the extra OS applications:

The always entertaining Lars Klint made a video around upgrading from the UDM Pro to the UDM Pro SE which is pretty much the same process as going from the UDM to UDM Pro SE:

You could also just take the upgrade approach of starting from scratch, plugging everything in – downstream devices will still be detected, but require either takeover with the old password, or a factory reset on each device physically to allow you to re-set up.

I am still really happy with the Ubiquiti stack of devices, the central view and management of the entire network the platform gives me (including making it easy to see a problem where my wife’s work laptop was constantly uploading data due to a corrupt Outlook profile), making sure the 34 active network based clients are behaving and having a good experience.

Getting a Pixel 7 Pro As Cheap As Possible

I thought I’d document the efforts I’ll go to, to get something at the cheapest price possible. It was a few days before the release of Google’s latest phone, the Pixel 7 / Pixel 7 Pro and I wanted to upgrade from my still decent Samsung S21+…

The Google Pixel 7 Pro RRP for Australia is $1299 for the 128GB version, and this is the price you’ll see it at most places. Some will have small discounts or bonuses as part of their promotions; Google themselves sent me a 10% off coupon if I pre-ordered.

However, the best deal was JB Hi-Fi, but it had to be timed right. OzBargain.com.au is a great source of information to find bargains, and a lot of what I found was through there. The JB Hi-Fi pre-order deal was a free Chromecast with Google TV + Google Nest Hub, and a $100 JB Hi-Fi gift card.

Source: JB Hi-Fi

The Pixel 7 Pro was due to be released on October 13th – but as you’ll see from the screenshot above, the offer of this deal actually ends on October 16th; in theory meaning you wouldn’t have to pre-order to get this, but could wait until release. This is very important, because there was a second deal that if you traded in an old phone, you received a $300 off voucher for the Pixel 7 or Pixel 7 pro – but this couldn’t be on pre-orders. This gave a 3 day window between release and the first bonus deal expiring.

Source: JB Hi-Fi

I had an old iPhone 8 lying around, so traded that in for $100 credit, plus the $300 voucher. I already had another $150 voucher from an old phone that had been smashed and wasn’t worth being repaired. This left a gap of $749…

Again, Ozbargain helps with that by showing where you can get discounted gift cards and at what rate. I’m a Budget Direct member, so I can get 5% off cards there. It saves $37.45, so I’m really paying $711.55 out of pocket.

I’ll also be claiming a portion of the phone cost on tax as it’s partly used for work purposes. I’ll hand the receipts to my accountant and let them work that part out though.

I’m still left with a Samsung S21+ though, which when I bought it, I took out Samsung Care+. This means I can swap it out for a brand new replacement for $129. These are going for around $700 on eBay brand new.

I’ve still then got the $100 JB Hi-Fi gift card + Chromecast ($99) + Google Nest Hub ($124) to come – which I could sell off the hardware or keep; undecided at this stage.

Considering all the above, upgrading my phone should cost me almost nothing. I’ll probably spend more on a screen protector and case than what I’ll be out of pocket for the upgrade itself.

Yes there’s a lot more effort involved than adding the phone to my cart and putting in a credit card number, but in scenarios like this, the effort is worth the payoff.