Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Archives for March 2019

Step-by-Step Guide: Azure AD Access Reviews for Applications

Last Updated on March 18, 2019 by Dishan M. Francis

Corporate applications may also hold critical operation data related to the company. By doing regular reviews, we can make sure only the relevant people have access to corporate applications. However, if we just use the native method, it will be mainly based on Enterprise app Sign-ins and audit log data. the only problem with this method is, it is so time-consuming. As it is all manual process, the result may not be that accurate either. But now with Azure AD Access reviews, we can do this by setting up a simple access review job. Here is why it is good rather than a typical audit. 

Automated – It is all automated. You do not need to go through logs and do anything manually. 

Actions – we can also attach predefined action to execute at the end of a successful access review job. If required, we also can manually decide what to do with the findings (approve or deny access)

Schedule – Access reviews jobs can be scheduled to run periodically. It helps to do it more frequently than the manual method.

Recommendation – Access review job itself provides recommendations based on findings. It helps reviewers to decide. 

Delegations – Access reviews job allows delegation. We can assign someone else in the team to decide what to do with the findings. It helps to get more accurate results. 

So, let's go ahead and see how it works. In my demo environment, I have linkedin application assigned to different groups and users. I like to know who has access to it and do permission changes if required.

 1. To start, log in to Azure portal as Global Administrator

2. Then make sure Access reviews onboarding process is completed. More info about this can be found in one of my previous blog posts https://www.rebeladmin.com/2019/02/step-step-guide-review-privileged-accounts-using-azure-pim/

3. To create a new access review job, go to Access Reviews | Controls

4. Then click on + New Access Review 

[Read more…] about Step-by-Step Guide: Azure AD Access Reviews for Applications

Step-by-Step Guide : Serial Console for Azure VM

Last Updated on March 13, 2019 by Dishan M. Francis

Azure VM now have serial console access via Azure portal. It is not depending on the virtual machine’s network or operating system state. This is ideal for recover machines/data, modify system configurations & troubleshooting. Azure serial console access is only available via Azure portal. It is using COM1 port of the virtual machine. This works for both Windows & Linux VMs. In my demo I am going to show how we can access windows VM via serial console. 

Prerequisite 

1. A VM created via New portal. This feature is not available for classic deployment model. 

2. A user with minimum of Virtual Machine Contributor role

3. Password based account for the VM

Once prerequisites are in place, we can start the configuration. In my demo setup, I am going to use a VM with Windows server 2019 datacenter version. 

1) Log in to the Azure portal as Global Administrator

2) Go to Virtual Machines and click on the selected VM. 

3) Then click on Boot diagnostics under Support + troubleshooting

4) In new window, Click on Settings and make sure Boot diagnostics are turned on[Read more…] about Step-by-Step Guide : Serial Console for Azure VM

Step-by-Step Guide : Azure AD B2B Email one-time passcode authentication (preview)

Last Updated on March 3, 2019 by Dishan M. Francis

Azure AD B2B allows organizations to share company applications and other services/resources with external users. Before, this external user should have one of following to initiate connection with the organization who sents the B2B inivitation. 

1) Azure AD Account

2) Microsoft Account

3) Google Federation ( More info : https://www.rebeladmin.com/2019/02/step-step-guide-setup-federation-google-azure-ad-b2b/ )

Email one-time passcode authentication (OTP) feature now allow B2B users to authenticate using one time passcode if they cant use one of the above methods. Once OTP is issued it is only valid for 30 minutes. If user didn’t use it with in 30 minutes, he/she need to request new OTP code for authentication. Once authenticated, session will be valid for 24 hours.  

This feature is still under public preview. OTP users must use the https://myapps.microsoft.com/?tenantid=<tenant id> , https://portal.azure.com/<tenant id> or https://myapps.microsoft.com/<verified domain>.onmicrosoft.com when they authenticate. In above <tenant id> should replaced with the organization’s tenant ID. <verified domain> should replace using the default domain details. 

You can find the tenant id using, 

Azure Portal | Azure Active Directory | Properties | Directory ID  

Let’s see how we can enable this new OTP feature. 

To do that,

1) Log in to Azure portal as Global Administrator

2) Go to Azure Active Directory | Organizational relationships 

3) Then go to Settings

[Read more…] about Step-by-Step Guide : Azure AD B2B Email one-time passcode authentication (preview)