Azure RMS is the protection technology behind Azure Information Protection (AIP). I have written many articles about Azure RMS & Azure information protection features before but how it really works? what is the technology behind it? 

In high-level, I can explain the Azure RMS data protection process as following, 

• When a user protects data, Azure RMS will encrypt the content of the file and attach an access policy to it. this policy decides what other users can do with the protected data. 

• When other users access the file (after successful Azure AD authentication), Azure RMS will decrypt the file and apply the access policy to it. 

In high-level it sounds simple, but let's go through this process in detail to understand the technology behind it. 

The best way to understand the technology behind the encryption & decryption process is to go through a scenario. Rebeladmin Inc. employee Andrew is sending a document with sensitive data to another employee Selena. He does not want anyone else in the sales team to have it. So, he is going to use AIP to protect the document. This is the first time both users going to use this solution. 

Since this is the first time Andrew and Selena use this AIP, they both need to go through the one-time user environment preparation process. As the first step, Andrew installs the Azure information protection client in his pc. It can be download via https://www.microsoft.com/en-gb/download/details.aspx?id=53018 . 

1. Then he authenticates into AIP using his Azure Active Directory Account. 

2. After successful authentication, the session will be redirected to the AIP tenant. Then it issues a certificate that will use to authenticate into Azure RMS in the future. This certificate will automatically renew after 31 days by the AIP client. Copy of this certificate will also store in Azure. If the user changes the device, Azure RMS will recreate the certificate using the same keys.

Now the user environment preparation process is done. The next step is to protect the word document. 

In my previous blog post about Azure Windows Virtual Desktop (Preview), I have explained what is it and how to publish full desktop using it. You can find it via http://www.rebeladmin.com/2019/04/step-step-guide-azure-windows-virtual-desktop-preview/ . However, in an infrastructure not every user required full desktop access. Some users may only be using certain applications. Azure Windows Virtual Desktop (Preview) also can use to publish an application. In this demo, I am going to show how to publish an application using Azure Windows Virtual Desktop (Preview).

Before we go ahead with the configuration, please make sure you have the following ready. 

Prerequisites

Windows Virtual Desktop Host Pool – Before we publish applications, we need to have a host pool up and running. This is already described on http://www.rebeladmin.com/2019/04/step-step-guide-azure-windows-virtual-desktop-preview/ . Please follow the guide and configure the host pool.

Install Applications – Any application available on the host's start menu can publish as a remote app. Therefore, please make sure you install the required applications in hosts. 

Windows Virtual Desktop PowerShell module – We will be using PowerShell commands to publish the app. Please following https://docs.microsoft.com/en-gb/powershell/windows-virtual-desktop/overview and install the module. 

In my demo environment, I already have a host pool configured as follows. 

I am going to create a new Remote app group and publish the Microsoft Word application which is already installed in the hosts. To do this,

1. Launch PowerShell console as Administrator.

2. Run Import-Module -Name Microsoft.RDInfra.RDPowerShell to import Windows Virtual Desktop PowerShell module

3. Then run Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com and login to Windows Virtual Desktop environment using an account who has TenantCreator role assigned. 

In any identity infrastructure attack, attackers are going after the "privileges". The more privileged account they own, the more damage they can do. There can be privileged accounts in a system that only used once a month to do a privileged task. In any IT system, we used to believe administrators are trustworthy people. Therefore, most of the time we do not really worry about what they are doing with given privileges. what if they misuse the permissions? how we can ensure they only doing what they supposed to do? also if a privileged account got compromised, how we identify genuine activity from a malicious activity? 

Privileged access management in Azure AD & Office 365 provides an answer to all of the aforementioned challenges and protect cloud resource from identity attacks. With this solution, users will not have privileges attached to their accounts all the time. instead, they have to request privileges when they required. Then a workflow attached to it will decide if it should grant or not. Once permissions are granted, users can do the relevant privileged task. The permissions, however, will not be available for the users all the time. It is time-bounded. After the approved time, permissions will be removed automatically. In one of my previous blog post series, I demonstrate how to set this up with Azure AD. You can find it here http://www.rebeladmin.com/2016/07/step-step-guide-azure-ad-privileged-identity-management-part-1/ 

In this blog post, I am going to demonstrate how to do the same with office 365. 

As the first step, we need to create a group to approve the privilege access requests. If you already have an IT admin/management group, you can 

Create Admin Group

1. Log in to Office 365 Admin panel as a global administrator

2. Then go to Groups | Groups

3. Then click on Add a Group

4. In the new group window, select mail-enabled security as the group type. Then provide a name for the group. you also can add a description if you like. At the end click on Add to proceed. 

In order to manage Azure AD, we use Azure Active Directory option in https://portal.azure.com. By default, any user under Azure AD can access this option event they do not have a Directory role. In my demo setup, I have a user called "Emily Braun". She doesn't have any Directory role assigned. 

Then I log in to Azure portal https://portal.azure.com as the user and then go to Azure Active Directory option. It didn't block me accessing it. 

I can go to All users and see user account details. 

I even can see the Groups memberships details. 

Also, can view application assignments. 

As an end user I also can see the Azure AD Connect details. 

Finally, the long wait is over and Microsoft virtual desktop infrastructure (VDI) solution "Windows Virtual Desktop" preview is now available in Azure. If you ever worked with on-premises VDI solutions such as Microsoft RDS or Citrix solution, you may already know how much planning, management involve with it. It is costly as performance & availability of the solution depends on so many things such as networking, hardware resources, skills, connection, etc. But now with a cloud-based solution, we can create a robust, scalable VDI solution with few clicks. 

According to Microsoft we can do following with Windows Virtual Desktop,

• Set up a multi-session Windows 10 deployment that delivers a full Windows 10 with scalability
  
• Virtualize Office 365 ProPlus and optimize it to run in multi-user virtual scenarios
  
• Provide Windows 7 virtual desktops with free Extended Security Updates
  
• Bring your existing Remote Desktop Services (RDS) and Windows Server desktops and apps to any computer
  
• Virtualize both desktops and apps
  
• Manage Windows 10, Windows Server, and Windows 7 desktops and apps with a unified management experience
  

Source: https://docs.microsoft.com/en-gb/azure/virtual-desktop/overview 

Windows Virtual Desktop's Key capabilities are recognized as following,

• Create a full desktop virtualization environment in your Azure subscription without having to run any additional gateway servers.
  
• Publish as many host pools as you need to accommodate your diverse workloads.
  
• Bring your own image for production workloads or tests from the Azure Gallery.
  
• Reduce costs with pooled, multi-session resources. With the new Windows 10 Enterprise multi-session capability exclusive to Windows Virtual Desktop and Remote Desktop Session Host (RDSH) role on Windows Server, you can greatly reduce the number of virtual machines and operating system (OS) overhead while still providing the same resources to your users.
  
• Provide individual ownership through personal (persistent) desktops.
  

Source: https://docs.microsoft.com/en-gb/azure/virtual-desktop/overview 

Windows Virtual Desktop preview setup required following,

1. Azure Active Directory – Windows Desktop Machines must join to the Azure AD in the stranded method. It can't be Azure AD-Join
2. Virtual Desktop only should be Windows 10 Enterprise multi-session or Windows Server 2016/2019
3. OS should have one of the following licenses – Microsoft E3, E5, A3, A5, Business Windows E3, E5, A3, A5 
4. VM should be using subnet which has a connection to the same virtual network as Azure AD. 
5. Azure AD & VM should be in the same region. 

As same as any other VDI solution, user experience has a huge impact from "connectivity". Therefore Microsoft says,

• Round-trip (RTT) latency from the client's network to the Azure region where host pools have been deployed should be less than 150 ms.
• Network traffic may flow outside country borders when VMs that host desktops and apps connect to the management service.
• To optimize network performance, we recommend that the session host's VMs are collocated in the same Azure region as the management service.

There are few new terms related to the Windows Virtual Desktop setup, let's see what are they.

In this blog post, I am going to demonstrate how to set up a desktop application group. before start let's see how is the environment looks like.  

In my demo setup, I have Azure AD Domain Service enabled for tenant rebeladmlive.onmicrosoft.com

This is set up under resource group called AAD and it is using subnet called AAD-vnet 

I also set up a subnet called AAD-VM for session hosts. 

Corporate applications may also hold critical operation data related to the company. By doing regular reviews, we can make sure only the relevant people have access to corporate applications. However, if we just use the native method, it will be mainly based on Enterprise app Sign-ins and audit log data. the only problem with this method is, it is so time-consuming. As it is all manual process, the result may not be that accurate either. But now with Azure AD Access reviews, we can do this by setting up a simple access review job. Here is why it is good rather than a typical audit. 

Automated – It is all automated. You do not need to go through logs and do anything manually. 

Actions – we can also attach predefined action to execute at the end of a successful access review job. If required, we also can manually decide what to do with the findings (approve or deny access)

Schedule – Access reviews jobs can be scheduled to run periodically. It helps to do it more frequently than the manual method.

Recommendation – Access review job itself provides recommendations based on findings. It helps reviewers to decide. 

Delegations – Access reviews job allows delegation. We can assign someone else in the team to decide what to do with the findings. It helps to get more accurate results. 

So, let's go ahead and see how it works. In my demo environment, I have linkedin application assigned to different groups and users. I like to know who has access to it and do permission changes if required.

 1. To start, log in to Azure portal as Global Administrator

2. Then make sure Access reviews onboarding process is completed. More info about this can be found in one of my previous blog posts http://www.rebeladmin.com/2019/02/step-step-guide-review-privileged-accounts-using-azure-pim/

3. To create a new access review job, go to Access Reviews | Controls

4. Then click on + New Access Review 

Azure VM now have serial console access via Azure portal. It is not depending on the virtual machine’s network or operating system state. This is ideal for recover machines/data, modify system configurations & troubleshooting. Azure serial console access is only available via Azure portal. It is using COM1 port of the virtual machine. This works for both Windows & Linux VMs. In my demo I am going to show how we can access windows VM via serial console. 

Prerequisite 

1. A VM created via New portal. This feature is not available for classic deployment model. 

2. A user with minimum of Virtual Machine Contributor role

3. Password based account for the VM

Once prerequisites are in place, we can start the configuration. In my demo setup, I am going to use a VM with Windows server 2019 datacenter version. 

1) Log in to the Azure portal as Global Administrator

2) Go to Virtual Machines and click on the selected VM. 

3) Then click on Boot diagnostics under Support + troubleshooting

4) In new window, Click on Settings and make sure Boot diagnostics are turned on. 

Azure AD B2B allows organizations to share company applications and other services/resources with external users. Before, this external user should have one of following to initiate connection with the organization who sents the B2B inivitation. 

1) Azure AD Account

2) Microsoft Account

3) Google Federation ( More info : http://www.rebeladmin.com/2019/02/step-step-guide-setup-federation-google-azure-ad-b2b/ )

Email one-time passcode authentication (OTP) feature now allow B2B users to authenticate using one time passcode if they cant use one of the above methods. Once OTP is issued it is only valid for 30 minutes. If user didn’t use it with in 30 minutes, he/she need to request new OTP code for authentication. Once authenticated, session will be valid for 24 hours.  

This feature is still under public preview. OTP users must use the https://myapps.microsoft.com/?tenantid=<tenant id> , https://portal.azure.com/<tenant id> or https://myapps.microsoft.com/<verified domain>.onmicrosoft.com when they authenticate. In above <tenant id> should replaced with the organization’s tenant ID. <verified domain> should replace using the default domain details. 

You can find the tenant id using, 

Azure Portal | Azure Active Directory | Properties | Directory ID  

Let’s see how we can enable this new OTP feature. 

To do that,

1) Log in to Azure portal as Global Administrator

2) Go to Azure Active Directory | Organizational relationships 

3) Then go to Settings

Microsoft recently released the new combined registration experience for MFA and SSPR. This steamlined the registration experience and users can sign up by following up step-by-step process. This new portal also improve experience of managing user profile data. 

 To enable this new experience, 

1) Log in to Azure portal as Global Administrator

2) Then go to Azure Active Direcotry | User Settings

3) Then click on Manage settings for access panel preview features under Access panel

4) Click on All under Users can use preview features for registering and managing security info – refresh to enable preview features for all users. If needed we can apply this to selected group of users by using Selected option. 

Azure AD SSPR ( self-service password reset ) allow users to reset their own passwords according to policy define by their administrator. Before it was only allowed to use Email, Mobile phone, Office phone or security questions options to reset the passwords. If it was Azure AD admin they wasn’t able to use security questions option either. But now SSPR supports use of Microsoft Authenticator app notifications or a code from any mobile authenticator app or hardware token. This is applying for all the users including Azure AD administrators. In order to use mobile app or hardware token option, users need to sign up for at least 2 other methods ( Email, Mobile phone, Office phone or security questions).

To enable mobile app option, 

1) Log in to Azure portal as Global Administrator

2) Go to Azure Active Directory | Password Reset 

3) Go to Properties and make sure you have SSPR enabled