Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Archives for January 2021

Manage Privileged access groups with Azure AD Privileged Identity Management (Azure AD PIM)

Last Updated on January 18, 2021 by Dishan M. Francis

Azure AD Privileged Identity Management allows organizations to manage, monitor, audit access to sensitive Azure resources. One of the main features of PIM is the ability to provide just-in-time (JIT) access to Azure AD and Azure resources. As an example, a user can request to be a Global Administrator for 1 hour. Once a user requests it through the portal, Approver will receive a notification. Then approver can review the request and approve/deny the request based on justifications. Once the request is approved, the user will have Global administrator privileges for one hour. After one hour, the privileges will remove from the user automatically. Instead of individual users, we also can make cloud groups eligible for the Azure AD role assignment. More info about this configuration is available under one of the previous blog post. So far, we had to manage members or owners of these privilege cloud groups using Azure AD, but now we can provide JIT membership to privilege group using Azure AD PIM.

Note : To use Azure AD PIM, you need to have Azure AD Premium P2 licenses. So, make sure you have the relevant license in place before we go ahead with this config.

In my demo environment, I am going to create a new group called “Temp Administrators“. Then I am going to make it active for Global Administrator role for 3 months. After that configuration, if a user needs to get Global Admin rights, they need to be part of “Temp Administrators” group. I plan to show you how we can manage members of this group using Azure AD PIM.

Create a role-assignable group

As the first step of the configuration, I need to create a cloud group. This group must have the “Azure AD roles can be assigned to the group” option turned on. Otherwise, we can’t assign roles to it.
To do this,

1. Log in to Azure Portal as Global Administrator
2. Search for Azure Active Directory and click on it
3. Go to Groups and click on + New group

Add new Azure AD Group

4. In the new form, set Group type to Security. Then provide a name and description for the group. Next, set Azure AD roles can be assigned to the group (Preview) option to Yes. After, click on create to complete the group setup process

New Azure AD Group Settings

Enable privileged access for a group

The next step of the configuration is to enable privileged access for the newly created group. To do that,

1. Go to Azure Active Directory home page
2. Then go to Groups and click on the group we created in the previous section. On the group properties page, click on Privileged access (preview). Next, click on Enable privileged access button.

Enable privileged access for a group
[Read more…] about Manage Privileged access groups with Azure AD Privileged Identity Management (Azure AD PIM)

Encrypt existing Azure Managed Disks using Server-Side Encryption (SSE) and Customer Managed Keys (CMK)

Last Updated on January 6, 2021 by Dishan M. Francis

In my previous blog post, I have explained what is Server-Side Encryption (SSE) for Azure Managed Disks. If you didn’t read it yet, please go ahead and read it using this link. In there I have created a new virtual machine with encrypted managed disks. But sometimes we may have to do the same for the existing Azure Managed Disks. In this blog post, I am going to demonstrate how we can encrypt an existing data disk (Azure Managed Disk) using SSE and CMK.

Prerequisite

Before we go ahead with configuration, we need to make sure the following prerequisites are in place.

Azure Key Vault with DisKEncryptionSet – I have covered the configuration steps for this in my previous blog post https://www.rebeladmin.com/2021/01/encrypt-azure-managed-disks-using-server-side-encryption-sse-and-customer-managed-keys-cmk/. Please go ahead and configure the Azure Key Vault before we proceed further.

Azure PowerShell – For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Verify Existing Windows VM Configuration

For the demo, I have created a new Windows VM called REBEL01 in East US Azure region. It is running windows server 2019 data center edition. It is using Standard_DS1_v2 VM size. This VM has two disks. REBEL01_OSDisk is OS disk and REBEL01DataDisk1 is Data Disk.

Virtual Machine Disk Encryption with Platform managed keys

As we can see above, the data disk is encrypted using platform managed keys. This is the default setup for Azure managed disks. My plan is to encrypt this disk with Customer Managed Key (CMK). We can’t encrypt the existing OS disk using the same method.

Detach Managed Disk

We can’t change the encryption of a disk that is attached to a running VM. So, we need to detach the disk first. To do that we can use the following commands,

$VM = Get-AzVM -ResourceGroupName “REBELRG1” -Name “REBEL01”
Remove-AzVMDataDisk -VM $VM -Name “REBEL01DataDisk1”

Detach Azure Managed Disk

Then we need to update the VM config using

Update-AzVM -ResourceGroupName “REBELRG1” -VM $VM

Update Azure Virtual Machine Configuration [Read more…] about Encrypt existing Azure Managed Disks using Server-Side Encryption (SSE) and Customer Managed Keys (CMK)

Encrypt Azure Managed Disks using Server-Side Encryption (SSE) and Customer Managed Keys (CMK)

Last Updated on January 1, 2021 by Dishan M. Francis

Disk encryption is a basic data protection method for physical & virtual hard disks. It falls under physical data security and it prevents data breaches from stolen hard disks (physical & virtual). By using Azure Disk Encryption, we can encrypt disks within the guest VM. If the guest VM is running Windows OS, Azure Disk Encryption will use BitLocker. If the guest VM is running Linux, it will be depending on DM-Crypt to encrypt virtual disks. But with Server-Side Encryption (SSE) we can encrypt any OS disk/data disk at the storage service level.

By default, Azure Managed disks are encrypted using 256-bit AES encryption. It is FIPS 140-2 compliant. For this, the system uses platform-managed encryption keys. But for compliance requirements, the organization may want to manage its own encryption keys. These keys are called Customer Managed Keys (CMK). In here, instead of the platform, it is the customer’s responsibility to create, import, delete encryption keys. We can use CMK to encrypt managed disk using Azure Disk Encryption or Server-Side Encryption (SSE). In both methods, we have to use the Azure Key Vault to store the encryption keys. A Key vault admin can either import their own RSA keys or generate new RSA keys in the key vault to use with encryption.

When we using Customer Managed Keys (CMK) we need to consider the following,

1. If the CMK feature is enabled for a disk, it can’t be disabled. If you need you can copy data to a new disk without CMK.
2. Only supported Software and HSM RSA keys with 2048 bit, 3072 bit, and 4096-bit sizes.
3. Managed disk created from custom image or snapshot which is encrypted using SSE & CMK must use same CMK to encrypt.
4. All resources related to CMK such as Azure key vault, DisKEncryptionSet, VMs, Managed Disks must use the same subscription and region.
5. Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using CMK.

Source: https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption#customer-managed-keys

Before we go ahead with configurations let’s see how Server-Side Encryption (SSE) works with Customer Managed Keys (CMK).

1. Admin creates DisKEncryptionSet resource with Azure Key Vault ID and a key URL. This will also create a system-assigned managed identity in Azure Active Directory.
2. Then Azure Key Vault Admin grant permission to this managed identity to perform activities in the relevant key vault.
3. As the next step, VM user can create or associate existing managed disks with DisKEncryptionSet and enable Server-Side Encryption (SSE)
4. Managed disks use system-assigned managed identity in Azure Active Directory to access Key vault
5. Managed disks send a request to Key vault to encrypt or decrypt Data Encryption Key (DEK) to use it with data encryption or decryption.

Let’s go ahead and see how we can use SSE and CMK for managed disk encryption.

For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Setup Azure Resource Group

The first step of the configuration is to create a new resource group.

To do that,

Launch PowerShell console and connect to Azure using Connect-AzAccount

Then create a new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location “East US”

Create New Azure Resource Group

In the above, REBELRG1 is the resource group name and East US is the resource group location.

Setup Azure Key Vault

Next, we need to create a new key vault and encryption key.

As the first step, let’s go ahead and enable Azure Key Vault provider within the subscription by using,

Register-AzResourceProvider -ProviderNamespace “Microsoft.KeyVault”

Enable Azure Key Vault Provider

Then, let’s go ahead with Azure Vault setup,

$rkv = New-AzKeyVault -VaultName REBELVMKV1 -Location “East US” -ResourceGroupName REBELRG1 -EnablePurgeProtection

In the above, REBELVMKV1 is the key vault name and it is created under REBELRG1 resource group. –EnablePurgeProtection parameter is used to ensure a deleted key from the vault cannot be permanently deleted until it passes the retention period. This option adds extra protection to keys used inside the vault. This must be enabled otherwise the encryption will fail.

As the next step, we need to create an access policy so currently logged-in user can create encryption keys.

Set-AzKeyVaultAccessPolicy -VaultName REBELVMKV1 -ObjectId xxxxxxxxxxxxxxxx -PermissionsToKeys create,import,delete,list -PermissionsToSecrets set,delete -PassThru

Setup Access Policy

In the above -Objectid value should replace with the actual objectid value of the currently logged in the global admin account. Here -PermissionsToKeys define the permissions allocated for keys and -PermissionsToSecrets defines the permissions allocated for secrets.

Next, we need a new encryption key to use with disk encryption.

$vk1 = Add-AzKeyVaultKey -VaultName REBELVMKV1 -Name “REBELVMKey” -Destination “Software”

Create Encryption Key

In the above, REBELVMKey is the key name. -Destination is defined as Software as we creating the standard encryption key. If required it can be set to Hardware Security Model (HSM) but it comes with additional cost. [Read more…] about Encrypt Azure Managed Disks using Server-Side Encryption (SSE) and Customer Managed Keys (CMK)