Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Archives for March 2020

Step-by-Step Guide: Enable Windows 10 password-less authentication with FIDO2 security keys (Azure AD + Microsoft Intune)

Last Updated on March 27, 2020 by Dishan M. Francis

In my previous blog post, I explained how we can use FIDO2 security keys to perform password-less authentication with Azure AD. You can access it using Step-by-Step Guide: Azure AD password-less sign-in using FIDO2 Security keys
We also can use FIDO2 security keys to sign-in to Azure AD Joined or Hybrid Azure AD Joined Windows 10 devices. In this demo, I am going to demonstrate how we can enable FIDO2 security key sign-in using Azure AD and Microsoft Intune.
Before enabling password-less authentication with FIDO2 security keys, make sure you have,

1. Azure AD and Intune – Make sure you have valid Azure AD and Intune subscription in place.
2. Azure AD Join on Hybrid Azure AD joined Windows 10 Devices – If it is Azure AD Join device, it should run at least Windows 10 version 1903. If it is Hybrid Azure AD joined device at least it should be running Windows 10 Insider Build 18945
3. FIDO2 Security keys – The good people at eWBM provided eWBM Goldengate security key G320 (USB-C) and eWBM Goldengate security key G310 (USB-A) for testing. I will be using eWBM Goldengate security key G320 (USB-C) in this demo with Surface Pro 7.

4. Azure AD user account which completed the FIDO2 security key enrolment process – This explained in details via my previous post https://www.rebeladmin.com/2020/03/step-step-guide-azure-ad-password-less-sign-using-fido2-security-keys/

In this demo, I am going to use a user called Megan Bowen (meganb@M365x620957.onmicrosoft.com) for testing. I already have an Azure AD join device ready for her. It is showing as compliant in the Microsoft Intune portal.

Enable Windows Hello for Business with Intune

Before we create a device configuration profile, we need to enable Windows Hello for Business with FIDO2 security key support. To do that,

1. Log in to Azure Portal as Global Administrator ( https://portal.azure.com/ )
2. Search for Intune in the search box and click on it.


3. Then click on Device Enrolment

4. In the new window click on Windows enrollment | Windows Hello for Business

5. Select Enable for Configure Windows Hello for Business. Then keep the default settings.

6. Also, select Enable for Use security keys for sign-in

This will enable FIOD2 security key support.

7. At the end click on Save to apply the changes.

[Read more…] about Step-by-Step Guide: Enable Windows 10 password-less authentication with FIDO2 security keys (Azure AD + Microsoft Intune)

Step-by-Step Guide: Azure AD password-less sign-in using FIDO2 Security keys

Last Updated on March 21, 2020 by Dishan M. Francis

Passwords are the most commonly used method to protect user identities in a system. This is applying to Active Directory as well. However, with growing data breaches, it is obvious that passwords are no longer strong. In Verizon Data Breach Investigations Report (2017), it says, 81% of hacking-related breaches used either stolen or weak passwords. So, if passwords are not safe, what else we can do to improve the security in the sign-in process?

Multi-factor authentication can add another layer of security into the authentication process. It can be SMS, phone call, OTP code, Phone App notification to further confirm the authenticity of the sign-in request. There are many different MFA products available in the market. Each required engineers’ involvement in service provision, deployment, licenses management, integration, end-user training, troubleshooting, and maintenance. It also adds complexity to the sing-in process. MFA doesn’t eliminate the requirement for passwords.

But now we have an option to replace traditional authentication with password-less authentication. This is basically to replace passwords with biometrics, PIN, certificates and security keys. Fast Identity Online (FIDO) is an open standard for passwordless authentication. This allows authenticating into systems using external security key built into a device.

Source : https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless

FIDO2 is the third standard that came out from FIDO Alliance. FIDO2 consists of Client to Authenticator Protocol (CTAP) and the W3C standard WebAuthn. When we use FIDO2 security keys for authentication,

1. User register with WebAuthn remote peer (FIDO2 server) and generate new key pair (public and private)
2. Private key is stored in the device and is only available for client-side.
3. Public key will be registered in the web service’s database.
4. After that in sign-in process, the system will verify the private key which is always need to be unlocked by a user action such as biomimetic or PIN.

Azure AD now supports password-less authentication using FIDO2 security keys. In this demo, I am going to demonstrate how we can use FIDO2 security keys to authenticate into Azure AD. To do this we need,

1. Azure AD Multi-factor authentication enabled
2. FIDO2 security keys

eWBM security keys
The good people at eWBM provided eWBM Goldengate security key G320 (USB-C) and eWBM Goldengate security key G310 (USB-A) for testing. I will be using eWBM Goldengate security key G320 (USB-C) in this demo with Surface Pro 7.

Enable Multi-factor authentication

Before we go ahead with the FIDO2 enrolment, we need to enable multi-factor authentication for the users. To do that,

1. Log in to Azure portal https://portal.azure.com/ as Global Administrator
2. Click on Azure Active Directory under Azure Services

3. Click on Users

4. In All Users window, click on Multi-Factor Authentication

5. Search for the user. In this demo, I am going to use user Megan Brown for testing. Then select the user and click on Enable.

6. Then click on enable multi-factor auth

[Read more…] about Step-by-Step Guide: Azure AD password-less sign-in using FIDO2 Security keys

Step-by-Step Guide: Application layer (OSI layer 7) load balancing with Azure Application Gateway (PowerShell Guide)

Last Updated on March 14, 2020 by Dishan M. Francis

In my previous blog posts, I explained about two types of Azure solution to load balance web traffic.

Azure Traffic Manager – If you are looking for DNS level load balancing which can distribute traffic to global endpoints, Azure traffic manager will be the product to look at. More info about deployment can be found on https://www.rebeladmin.com/2020/02/step-by-step-guide-dns-based-traffic-load-balancing-with-azure-traffic-manager/

Azure Load Balancer – Azure load balancer works in layer 4 (transport layer) and can distribute network traffic to endpoints in the same Azure region. It can use to distribute internet traffic as well as internal traffic. More info about deployment can be found on https://www.rebeladmin.com/2020/01/step-step-guide-setup-azure-load-balancer-powershell-guide/

However, if you looking for Layer 7 (Application Layer) load balancing solution, Azure Application Gateway is the answer. Azure Application Gateway has the following features,

• Secure Sockets Layer (SSL/TLS) termination
• Autoscaling
• Zone redundancy
• Static VIP
• Web Application Firewall
• Ingress Controller for AKS
• URL-based routing
• Multiple-site hosting
• Redirection
• Session affinity
• Websocket and HTTP/2 traffic
• Connection draining
• Custom error pages
• Rewrite HTTP headers
• Sizing

More info about these features are available on https://docs.microsoft.com/en-us/azure/application-gateway/features

In this demo, I am going to show how we can setup URL-based routing using Azure Application Gateway.

To do that I will need to do the following tasks,

1. Setup new resource group
2. Create Virtual Networks
3. AG IP and frontend port configuration
4. Create Backend pool
5. Create listener and AG routing rule
6. Create Azure Application Gateway
7. Add Backend pools for videos and images
8. Add frontend port for the pool
9. Create Backend Listener
10. Create URL path map
11. Create routing rule
12. Create virtual machines
13. Add Web Content
14. Testing

For the configuration process, I will be using Azure PowerShell. Therefore, please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Setup new resource group

Launch PowerShell console and connect to Azure using Connect-AzAccount

Then create a new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location “East US”

In the above, REBELRG1 is the resource group name and East US is the resource group location.

Create Virtual Networks

In this demo, I am going to use two back end servers. Before VM setup, let’s go ahead and create a new virtual network in REBELRG1 resource group.

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.0.2.0/24”
$agsubnet = New-AzVirtualNetworkSubnetConfig -Name agsubnet -AddressPrefix “10.0.3.0/24”
New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix “10.0.0.0/16” -Subnet $vmsubnet, $agsubnet

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines and 10.0.3.0/24 subnet (agsubnet) for the application gateway.

Create new public IP address

We require public ip address for Azure Application gateway. This will be the external contact point for the gateway. To create that,

New-AzPublicIpAddress -ResourceGroupName REBELRG1 -Location “East US” -Name REBELPublicIP01 -AllocationMethod Static -Sku Standard

In the above, we are creating a public IP address called REBELPublicIP01 with standard SKU. [Read more…] about Step-by-Step Guide: Application layer (OSI layer 7) load balancing with Azure Application Gateway (PowerShell Guide)