Disk encryption is a basic data protection method for physical & virtual hard disks. It falls under physical data security and it prevents data breaches from stolen hard disks (physical & virtual). If it is a Windows machine, we can simply use BitLocker for disk encryption. Also, there are other third-party vendors such as Thales e-Security which provides disk encryption solutions for organizations. 

Similar to on-premises Windows servers and computers, we can use BitLocker to encrypt Windows VM running on Azure. For Linux VMs, we can use DM-Crypt to encrypt virtual disks. More details about BitLocker is available on https://docs.microsoft.com/en-gb/windows/security/information-protection/bitlocker/bitlocker-overview. Azure VM encryption uses the Azure Key Vault to store encryption keys and secrets. 

In this demo, I am going to demonstrate how to encrypt Azure VM using BitLocker. For the configuration process, I will be using PowerShell. Therefore, please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0 

Setup Resource Group

The first step of the configuration is to create a new resource group. 

To do that, 

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create a new resource group using, 

New-AzResourceGroup -Name REBELRG1 -Location "East US"

 In the above, REBELRG1 is the resource group name and East US is the resource group location. 

Configure Azure Key Vault

Next, we need to create a new key vault and encryption key. 

1. As the first step, let's go ahead and enable Azure Key Vault provider within the subscription by using, 

Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault"

2. Then, we go ahead with Azure Vault setup,

New-AzKeyVault -Location "East US" -ResourceGroupName REBELRG1 -VaultName REBELVMKV1 -EnabledForDiskEncryption

In the above, REBELVMKV1 is the key vault name and it is created under REBELRG1 resource group which we created in the previous step. -EnabledForDiskEncryption is used to prepare the key vault to use with disk encryption. 

If we need to set up a connection between two independent networks (not between VLANs), we have to use a virtual private network (VPN) connections. In Azure, we use VNets to create private networks. If we need to communicate between two VNets, we have to use one of the following methods,

• VNet-to-VNet Connection – The communication happens between two VPN gateways. This is easy to set up, compare to the site-to-site VPN method.

• Site-to-Site VPN – This is similar to creating VPN connection to the on-premises network. It also uses VPN gateway, but it gives more control over the local network gateway. 

• VNet Peering – This method doesn't use VPN gateways and it routes the traffic via Microsoft backend infrastructure. More information about VNet peering is available on https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

In this demo, I am going to demonstrate how to create a VNet-to-VNet connection. These types of connections can establish between,

• Virtual Networks in the same region

• Virtual Networks in different regions

• Virtual Networks in different subscriptions

In this demo, I am going to create a VNet-to-VNet VPN connection between two virtual networks in two different regions. 

According to the above diagram, EUSVnet1 virtual network will be running on East US Azure region and UKSVnet1 virtual network will be running on UK South Azure region. Let's see how we can establish a VPN gateway connection between these two networks. Before start, please make sure you have the following in place. 

• Valid Azure Subscription – You can also use free azure subscription for testing purpose. https://azure.microsoft.com/en-gb/free/ 

• Azure PowerShell Module – In this demo I am going to use PowerShell. Please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Create Resource Groups

The first step of the configuration is to create new resource groups in different regions. 

To do that, 

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create EUSRG1 under East US Azure region by using,

New-AzResourceGroup -Name EUSRG1 -Location "East US" 

In the above command, -Name parameter specifies the resource group name and -Location parameter specify the Azure region. 

3. Next step is to create UKSRG1 resource group in UK South Azure region by using,

New-AzResourceGroup -Name UKSRG1 -Location "UK South"

In my previous blog post, I have explained how we can apply Microsoft security settings to corporate devices using Intune Security Baselines (http://www.rebeladmin.com/2019/08/step-step-guide-apply-security-baselines-windows-10-devices-using-microsoft-intune/). We can apply similar settings to on-premises devices via group policies. Apart from security settings, we use group policies to standardize device configurations in on-premises environments. As an example, we can block user access to control panel settings by using group policy.

Microsoft Intune Device configuration Profiles allow us to push similar desktop settings to cloud-managed (Azure AD + Intune) devices. This allows organizations to maintain granular control over device settings. In this demo, I am going to demonstrate how to set up and apply Microsoft Intune Device configuration Profile. 

• Device configuration Profiles can use to standardize Android, iOS, macOS, Windows Phone 8.1, Windows 8.1, Windows 10 devices. 

• You need to have your devices enrolled with Intune to use this feature. You can find more info about device enrollment using my previous blog posts http://www.rebeladmin.com/2018/11/step-step-guide-enroll-windows-10-devices-microsoft-intune-using-autopilot/ 

In my demo environment, I have Azure AD joined & Intune enrolled windows 10 device called W2003.

Using device configuration profiles, I am going to,

• Disable user access to Control Panel Settings

• Push corporate proxy server settings to IE (server IP 10.10.10.10 with port 8080)

To do that, 

1. Log in to Azure Portal (https://portal.azure.com) as Global Administrator and go to All services | Intune or else log in to Intune device management portal directly via https://devicemanagement.microsoft.com 

2. Then click on Device configuration | Profiles 

3. In the profiles page, click on + Create profile

Microsoft is releasing security baselines for on-premises Active Directory connected devices using group policies. These are used by many organizations around the globe for decades. Using these security settings, administrators can control the state of the corporate devices and maintain the standards. When we are moving device management to the cloud, we can't use group policy settings as group policies are not working in the same way with Azure AD. But now, by using Microsoft Intune security baseline, we can apply Microsoft recommended pre-defined windows security settings to Intune managed Azure AD joined windows 10 devices. 

• This is only applicable for devices with Windows 10 version 1809 and later
• You need to have your devices enrolled with Intune with relevant licenses to use this feature. You can find more info about device enrollment using my previous blog posts http://www.rebeladmin.com/2018/11/step-step-guide-enroll-windows-10-devices-microsoft-intune-using-autopilot/ 
• Microsoft recommended settings are coming with the "Baseline versions". At the moment there is only one baseline version available (MDM Security Baseline for May 2019). But as new windows versions come, there will be new baseline versions. 
• When a new baseline version is available, we can migrate already existing security profiles to the new baseline version. 

In this blog post, I am going to demonstrate how we can use security baseline policies to enforce security settings. 

In my demo setup, I have Azure AD joined Windows 10 device called W5001.

When I log in to this device, I noticed the user has turned off the Windows defender antivirus protection.

Also, Windows defender firewall is turned off. 

As an administrator, I prefer both these services to stay on in all corporate devices. So let's see how we can do this using Intune security baseline policy. 

"Azure Files" is a managed, cloud-based file share that can access via SMB protocol. Once you create Azure File share it can be accessed from any ware using Windows, Linux or macOS. It can also map as a shared drive to a system. This can be used as a unified, reliable, simple solution to replace traditional file servers. 

In the on-premises Active Directory environment, we use NTFS permissions to control access to folders and file shares. If we are replacing traditional file shares with Azure Files, we need a way to manage access permissions to it in a similar manner. This is applicable if these folders are accessed via "Windows Virtual Desktop" or "Domain-Joined Azure VM". Azure File now supports Azure Active Directory Domain Services (Azure AD DS) authentication. Now we can create NTFS access control lists (ACLs) for Azure File Shares to control access permissions in a granular level. In this demo, we are going to look into this new feature in detail. 

To test this, we need following,

• Valid Azure AD Subscription
  
• Azure AD Domain Services on the Azure AD tenant – We need Azure AD Domain Services enabled for the Azure AD tenant. 
• Domain-Joined Azure VM – This need to be added to the Azure AD Domain Services

In my demo setup, I already have a managed domain called rebeladmlive.onmicrosoft.com

I also have a domain-joined VM called SRV01 which I will be using for the testing. 

As most of you were aware, I published my book "Mastering Active Directory" back in, 2017. When I released it, I had my doubts! It was my first book even though I was writing to blogs for many years. But over the last 2 years, I had many positive feedbacks. Thousands of people all around the global read this book. Lots of them requested another book. So Yes! I heard it loud and clear. 

I glad to announce the public release of my second book, "Mastering Active Directory, Second Edition" today. It is available for purchase worldwide now.

I also take this opportunity to thanks all my readers who believed in me. It is you who encouraged me to release another edition this soon. 

What Is new in the second edition? 

The new content for this edition is covering,

• Tips to Design your Hybrid AD environment by evaluating business and technology requirements 

• Deep dive into different authentication methods which can use in Hybrid AD environment

• How to protect sensitive data in a hybrid environment using Azure Information Protection

• Learn about protecting identities in Hybrid AD environment 

• Integrate with Azure Active Directory and Manage identities in Hybrid Environment using Azure Active Directory PowerShell for Graph module

Book Name: Mastering Active Directory, Second Edition

ISBN: 978-1789800203

Number of Pages: 786

Publisher: Packt Publishing

Book is available in paperback and kindle format.

https://www.amazon.com/dp/178980020X/ref=olp_product_details?_encoding=UTF8&me=

It also can access via subscriptions, 

https://www.packtpub.com/cloud-networking/mastering-active-directory-second-edition

When it comes to hybrid AD setup, we have to work with whole different types of issues than on-premises AD environments. Azure AD is a managed service by Microsoft, so there is nothing we can do to manage its health. Therefore, most of the hybrid AD issues are related to connectivity, Directory sync or authentication methods (password hash, pass-through authentication, federated). The main component which connects on-premises Active Directory environment with Azure AD is Azure AD Connect. So most of the issues in hybrid environment can also related to Azure AD Connect. In this blog post, we are going to look in to some of the most common Azure AD connect issues and learn how we can recover from those. 

Connectivity

Azure AD Connect requires connectivity to Azure AD to do the directory synchronization. Azure AD connect server also need to be able to communicate with on-premises Active Directory Domain Controller. When there is directory synchronization issues, we will see following symptoms. 

• New user accounts added in on-premises Active Directory, does not appears in Azure AD or taking long time to appear (more than 30 minutes ).

• After on-premise user change their password, he/she cant authenticate to Azure AD. 

• If password-writeback feature is been used, password reset in Azure AD does not work for on-premise users. 

• We can see synchronization errors under Azure AD Connect health. 

• When there are directory sync issues, Azure AD will also send email notification to directory administrators. 

The Protected Users security group was introduced with Windows Server 2012 R2 and continued in Windows Server 2019. This group was developed to provide better protection for high privileged accounts from credential theft attacks. Members of this group have non-configurable protection applied. In order to use the Protected Users group, PDC should be running with a minimum of Windows Server 2012 R2 and the client computers should be running with a minimum of Windows 8.1 or Windows 2012 R2.

If a member of this group logs into Windows 8.1, Windows Server 2012 R2, Windows 10, Windows Server 2016 or Windows server 2019, we can expect the following:

• Members of this group cannot use NTLM, digest authentication, or CredSSP for authentication. Plain text passwords are not cached. So, any of the devices using these protocols will fail to authenticate to the domain.

• Kerberos long-term keys not cached. For accounts in this group, the Kerberos protocol verifies authentication at each request (the TGT acquired at log on).

• Sign-in is offline. A cached verifier is not created at sign-in.

For the Protected Users group feature, it is not a must to have a domain or forest functional level run on Windows Server 2012 R2 or higher (Windows Server 2008 is the minimum as Kerberos needs to use AES). The only requirement is to run the PDC emulator FSMO role in the Windows Server 2012 R2 domain controller.

If the AD environment uses Windows Server 2012 R2 or Windows Server 2016 domain functional levels, it provides additional protections with Protected User groups, as:

• No NTLM authentication

• No DES or RC4 encryption in Kerberos pre-authentication

• No delegation using the unconstrained or constrained method

• No Kerberos TGT valid more than 4 hours

To start with, we can review the Protected Users security group using the following command:

Get-ADGroup -Identity "Protected Users"

The following screenshot shows the output for the preceding command:

We can add users to the Protected Users group using ADAC, ADUC MMC, and PowerShell. This group is located in the default Users container in AD.

In here, we are going to add the user account Adam in to the Protected Users group using the following command:

Get-ADGroup -Identity "Protected Users" | Add-ADGroupMember –Members "CN=Adam,CN=Users,DC=rebeladmin,DC=com"

The first part of the command will retrieve the group and the second part will add the user Adam to it.

There are 3 different methods which we can use to integrate on-premises Active Directory with Azure AD. 

• Pass Password hash synchronization

• Federation using Microsoft AD FS or PingFederate

• Pass-through Authentication 

All above methods allow on-premises users to use their existing domain user names and passwords in order to authenticate in to Azure AD integrated services. However, even users can use same user name and passwords, when they access Azure AD integrated services from corporate device (Domain member), they still have to authenticate via sign in page. Azure AD Seamless SSO allow users to access Azure AD integrated services via corporate devices without re-authentication. Azure AD Seamless SSO can use with password hash synchronization and pass-through authentication method. It is not supported to use with federated authentication method (AD FS already capable of provide SSO).

• Azure AD Seamless SSO feature can enable via Azure AD connect. So, it is not required any additional component in environment. 

• This is a free feature. We do not need to pay anything for it.

• Azure AD Seamless SSO works only in domain-joined devices (no need to be Azure AD join)

• If SSO process is fail for any reason, user can still authenticate using user name and password.

• It is supported to work with browser-based web applications and Office 365 clients with app versions 16.0.8730 and above.

• Azure AD Seamless SSO accepts user names as value associated with userPrincipalName attribute or Azure AD connect Alternate ID attribute. 

• Azure AD Seamless SSO uses the securityIdentifier claim in the Kerberos ticket to find the relevant user object in Azure AD.

• Once Azure AD Seamless SSO is enabled, if an application can forward domain_hint (OpenID Connect) or whr (SAML) parameter to identify tenant and login_hint (OpenID Connect) parameter to identify user, we can log in to Azure AD without typing user names. It is also possible if the application uses unique URL and pass the domain info or tenant info. 

• Once user is logged in via SSO, if required user can still sign out and log in as a different user at any time. 

In my previous blog post, I explained how we can manage Azure AD users by using Azure Active Directory PowerShell for Graph module. In there I also shared many examples. You can access it via http://www.rebeladmin.com/2019/05/step-step-guide-manager-users-using-azure-active-directory-powershell-graph-module/

In this blog post I am going to show how we can manage Groups, using same method. 

Azure AD Groups also works similar to on-premises AD groups. It can use to manage permissions in affective manner. In Hybrid environment there will be cloud-only groups as well as synced groups from on-premises AD environment. In this section we are going to look in to group management using Azure Active Directory PowerShell for Graph module. 

Let’s start with listing groups.

We can search for a group using,

Get-AzureADGroup -SearchString "sg"

In above command, SearchString is used to define the search criteria. Above example will list down any group containing “sg” in Display name field. 

In search result, we can see the objectId for the group. Once we know the ObjectId, we can see the details of the group using,

Get-AzureADGroup -ObjectId 93291438-be19-472e-a1d6-9b178b7ac619 | fl

In hybrid environment, there will be security groups which is synced from on-premises Active Directory. We can filter this groups using,

Get-AzureADGroup -Filter 'DirSyncEnabled eq true' | select ObjectId,DisplayName,LastDirSyncTime

In above example, LastDirSyncTime column display the last successful sync time of the group. 

We can filter cloud-only groups using,

Get-AzureADGroup -All $true | where-Object {$_.OnPremisesSecurityIdentifier -eq $null}

In preceding command, we are using attribute OnPremisesSecurityIdentifier to filter the groups. This attribute only has value if it is synced from on-premises AD.  

We can view group memberships by using,

Get-AzureADGroupMember -ObjectId 2a11d5ee-8383-44d1-9fbd-85cb4dcc2d5a

In above command, we are using ObjectId to uniquely identify the group. 

We can add members to group using Add-AzureADGroupMember cmdlet. 

Add-AzureADGroupMember -ObjectId 2a11d5ee-8383-44d1-9fbd-85cb4dcc2d5a -RefObjectId a6aeced9-909e-4684-8712-d0f242451338

In preceding command, ObjectId value represent the group and RefObjectId value represent the user. 

We can remove a member from group by using,

Remove-AzureADGroupMember -ObjectId 2a11d5ee-8383-44d1-9fbd-85cb4dcc2d5a -MemberId a6aeced9-909e-4684-8712-d0f242451338

In preceding command, ObjectId value represent the group and MemberId value represent the user’s Object Id.

We also can combine Add-AzureADGroupMember cmdlet with Get-AzureADUser cmdlet to add bulk users to a group. 

In below script, I used Get-AzureADUser cmdlet to search users in Marketing Department. Then used Add-AzureADGroupMember to add those users to Sales group as members. 

#######Script to Add Multiple users to Security Group#############

Import-Module AzureAD

Connect-AzureAD

##### Search for users in Marketing Department ##########

Get-AzureADUser -All $true -Filter "Department eq 'Marketing'" | select ObjectId | Out-File -FilePath C:\salesusers.txt

#####Add Users to Sales Group#########

(Get-Content "C:\salesusers.txt" | select-object -skip 3) | ForEach { Add-AzureADGroupMember -ObjectId f9f51d29-e093-4e57-ad79-2fc5ae3517db -RefObjectId $_ }

 In hybrid environment, the security groups are mainly synced from on-premises AD. But there can be requirements for cloud-only groups as well. We can create cloud-only group by using, 

New-AzureADGroup -DisplayName "REBELADMIN Sales Team" -MailEnabled $false -MailNickName "salesteam" -SecurityEnabled $true

Preceding command creates a security group called "REBELADMIN Sales Team". This group is not a mail enabled group. 

We can remove Azure AD group using,

Remove-AzureADGroup -ObjectId 7592b555-343d-4f73-a6f1-2270d7cf014f

In above, Object ID value defines the group. 

Apart from security groups, Azure AD also have predefined administrative roles which can use to assign access permissions to Azure AD and other cloud services. There are more than 35 predefined administrative roles. Each of role have their own set of permissions. More details about this roles can find in https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles 

We can list down all the administrative roles using,

Get-AzureADDirectoryRoleTemplate

By default, only few administrative roles are enabled. We can list these roles using,

Get-AzureADDirectoryRole

We can enable Administrative role using,

Enable-AzureADDirectoryRole -RoleTemplateId e6d1a23a-da11-4be4-9570-befc86d067a7

In above command, RoleTemplateId value represent the Administrative Role.

We can assign administrative role to a user by using,

Add-AzureADDirectoryRoleMember -ObjectId b63c1671-625a-4a80-8bae-6487423909ca -RefObjectId 581c7265-c8cc-493b-9686-771b2f10a77e

In preceding command, ObjectId value represent the Administrative Role. RefObjectId is the object id value of the user. 

We can list down members of Administrative role using,

Get-AzureADDirectoryRoleMember -ObjectId 36b9ac02-9dfc-402a-8d44-ba2d8995dc06

In above command, ObjectId represent the Administrative role. 

We can remove a member from the role using,

Remove-AzureADDirectoryRoleMember -ObjectId 36b9ac02-9dfc-402a-8d44-ba2d8995dc06 -MemberId 165ebcb7-f07d-42d2-a52e-90f44e71e4a1

In preceding command, MemberId is equal to user’s object id value. 

This marks the end of this post. I hope this was useful and If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.