Azure Active Directory

Step-by-Step Guide: How to configure Sign-in risk-based Azure conditional access policies ?

Some time ago I wrote an article about sign-in risk-based conditional access policies. But things have been changed over time and I thought it is time to update it with new content.

Let’s assume we have a web application that is published via the internet. To access the services, the user has to provide a user name and password. If one of the users’ accounts compromised, how the system can differentiate legitimate access and illegal access? From the system’s point of view, as long as someone provides a valid user name and password system will allow access. But if we can analyze user access behaviour and detect anomalies, potentially we will be able to detect illegal access attempts. As an example, let’s assume the user is always log in from Canada. The user logged in to the system at 10 am successful. By 11 am the system detects another authentication attempt from UK for the same user. As we can see this behaviour is suspicious and if the system can detect this automatically, we can prevent a possible illegal access attempt.

Sign-in risk-based Azure conditional access policies help organizations to review user sign-in behaviours and detect risks. Then, based on risk levels, organizations can either block the user or enforce actions such as multi-factor authentication to prove their identity.
Azure categorizes sign-in risks into four levels.

High
Medium
Low
No risk

We can use one or more sign-in risk levels with a conditional access policy.

Due to security reasons, Microsoft does not provide exact details about how the risk levels are calculated. However, Microsoft says the following events contribute on risk level calculation.

Risk Detection Type	Description	Detection Type
Anonymous IP address	This risk detection type indicates sign-ins from an anonymous IP address (for example, Tor browser or anonymous VPN)	Realtime
Atypical travel	This risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behaviour.	Offline
Malware linked IP address	This risk detection type indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.	Offline
Unfamiliar sign-in properties	This risk detection type considers past sign-in history (IP, Latitude / Longitude and ASN) to look for anomalous sign-ins.	Realtime
Password spray	A password spray attack is where multiple usernames are attacked using common passwords in a unified brute force manner to gain unauthorized access. This risk detection is triggered when a password spray attack has been performed.	Offline
Admin confirmed user compromised	This detection indicates an admin has selected ‘Confirm user compromised’ in the Risky users UI or using risky Users API.	Offline
Malicious IP address	This detection indicates sign-in from a malicious IP address.	Offline
Suspicious inbox manipulation rules	This detection is discovered by Microsoft Cloud App Security (MCAS). This detection profiles your environment and triggers alerts when suspicious rules that delete or move messages or folders are set on a user’s inbox.	Offline
Impossible travel	This detection is discovered by Microsoft Cloud App Security (MCAS). This detection identifies two user activities (is a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second, indicating that a different user is using the same credentials.	Offline

Source : https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#user-risk

As we can see above, there are two detection types. Realtime detection will take 5-10 minutes to show the results. Offline detection can take up to 24 hours to show the results.
Let’s go ahead and see how we can create a conditional access policy.

Configure conditional access policy

1. Log in to Azure Portal (https://portal.azure.com/) as Global / Security / Conditional Access Administrator
2. Then go to Azure Active Directory

3. On the Azure Active Directory page click on Security

Step-by-Step Guide: How to setup Facebook federation with Azure AD?

Facebook federation with Azure AD allows external users to use their Facebook accounts to access corporate applications. In this demo, I am going to demonstrate how we can initiate federation with Facebook.

Before start configuration, make sure you have a valid Azure AD Subscription, an Application published through Azure AD, and a Facebook account.

Enable Self-service sign-up for guest users (preview)

Before we initiate federation with Facebook, we need to enable Self-service sign-up. To do this,

1. Log on to Azure Portal as Global Administrator
2. Click on Azure Active Directory

3. On the Azure AD properties page, click on User settings

4. Then under External Users, select Manage external collaboration settings

5. In the External collaboration settings page, Set the Enable guest self-service sign up via user flows (Preview) option to Yes. Then to apply settings click on Save.

How to setup Azure AD Connect cloud provisioning?

User names and passwords are the most common way of controlling access to applications. Nowadays we use more and more applications. These applications can be from on-premises or cloud. Unless there is a central identity management system, users will have to maintain different usernames, passwords to access these applications.
Azure Active Directory is a powerful, reliable cloud-based identity and access management service. It can use to manage identities and access for cloud applications as well as on-premises applications. If we already have a Windows Active Directory environment, using Azure AD connect we can sync on-premises identities to Azure AD. Azure AD Connect supports various Windows Active Directory topologies. More information about these supported topologies can be found here.
However, In Azure AD connect, synchronization and provisioning from AD are managed in the on-premises level. This can be a complex task especially if you have multiple AD forests. To simplify the hybrid identity synchronization process, Microsoft now has Azure AD Connect cloud provisioning. With this solution, Microsoft will manage provisioning from AD and synchronization as part of the service. In on-premises we only need to install light-weight agents which will act as a bridge between Azure AD and Windows AD.

Apart from the simplicity, Azure AD Connect cloud provisioning gives the following benefits,

• Allow Azure AD synchronization from multiple disconnected on-premises AD forests.
• Multiple agents will provide high availability for password hash synchronization.

What are the differences between Azure AD Connect and Azure AD Connect cloud provisioning?

Feature	Azure AD Connect	Azure AD Connect cloud provisioning
Synchronize multiple disconnected on-premises AD forests	NO	YES
Synchronize single on-premises AD forest	YES	YES
Synchronize multiple on-premises AD forests	YES	YES
Synchronization Based on Agents	NO	YES
Multiple Agents for High Availability	NO	YES
Synchronize with LDAP	YES	NO
Synchronize Users, Groups, Contacts	YES	YES
Synchronize device objects	YES	NO
Synchronize Exchange online attributes	YES	YES
Synchronize extension attributes 1-15	YES	YES
Synchronize customer defined AD attributes	YES	NO
Support for federation	YES	YES
Seamless Single Sign-on	YES	YES
Support for Pass-Through Authentication	YES	NO
Support for Password Hash Sync	YES	YES
Support for writeback (passwords, devices, groups)	YES	NO
Azure AD Domain Services support	YES	NO
Exchange hybrid writeback	YES	NO

Azure AD Connect cloud provisioning Setup

In this blog post, I am going to demonstrate how to set up Azure AD Connect cloud provisioning with Windows AD. In my demo environment, I already have Windows AD configured with domain M365x620957.onmicrosoft.com

Let’s go ahead and start the configuration process by installing the Azure AD Connect provisioning agent. [Read more…] about How to setup Azure AD Connect cloud provisioning?

Step-by-Step Guide: How to publish Applications using Windows Virtual Desktop (Spring 2020 Release)

In my previous blog post, I have explained how we can set up Windows Virtual Desktop (Spring 2020 Release) and publish desktops. If you didn’t read it yet, please go ahead and read it before we continue with this article as I am going to use the same system setup. You can access previous blog post using this link.
In this blog post, I am going to demonstrate how to publish applications using Windows Virtual Desktop (Spring 2020 Release).

Before we start, let’s go ahead and check how is my demo environment looks like and what I am trying to achieve.

• I have two Resource groups in place. EUSRG1 resource group is in Azure East US region and UKSRG1 resource group is in UK South Azure region.
• Resource in UKSRG1 resource group represents my on-premises infrastructure.
• I have a Windows AD server running in UKSRG1. It is syncing to Azure AD by using Azure AD Connect.
• EUSVNet1 and UKSVnet1 are connected using Azure VNet-to-VNet VPN Gateway Connection (https://www.rebeladmin.com/2019/09/step-step-guide-setup-azure-vnet-vnet-vpn-gateway-connection-powershell-guide/). This way session hosts in EUSRG1 can be added to Windows AD using the standard method.
• I have set up two windows virtual desktop session hosts (REBELSH-0 & REBELSH-1) and a workspace (REBELWP01) in EUSRG1 resource group.
Both session hosts are joined to Windows AD using the standard domain join method.

I am going to create a new application group and publish Microsoft Word and Microsoft Excel Applications.

Create Windows Virtual Desktop Application Group

Let’s go ahead and create the application group for remote apps.

1. Log in to Azure portal as Global Administrator
2. Search for Windows Virtual Desktop and click on it.

3. Then click on Application groups

4. In Application group page click on + Add

Step-by-Step Guide to Windows Virtual Desktop (Spring 2020 Release)

I wrote my first article about Windows Virtual Desktop when it was in the preview stage. There were few releases after that and some of the content of that original post is no longer relevant. So, I thought it is time to release a new article to avoid conflicts.
Windows Virtual Desktop is a cloud-based desktop and app virtualization service. If you ever worked with on-premises VDI solutions such as Microsoft RDS or Citrix, you may already know how much planning, management involve with it. It is costly as performance & availability of the solution depend on so many things such as networking, hardware resources, skills, connection, etc. But now with Windows Virtual Desktop, we can simply set up VDI solution with few clicks. With COVID-19 global pandemic, businesses had to allow their employees to work from home. With the help of Windows virtual desktop service, a lot of businesses were able to expand VDI to address the demand pretty quickly compared to other traditional on-premises solutions.

What is new on Windows Virtual Desktop Spring 2020 update?

• Windows Virtual Desktop is now integrated with the Azure portal. So, we can set up everything using the Azure portal. No PowerShell required.
• With the previous version, we were only able to publish RemoteApps and Desktops to individual users. But now we can publish to Azure Active Directory groups.
• You’re no longer required to complete Azure Active Directory (Azure AD) consent to use Windows Virtual Desktop. In the Spring 2020 update, the Azure AD tenant on your Azure subscription authenticates your users and provides RBAC controls for your admins.
• The earlier version of the Windows Virtual Desktop had four built-in admin roles that you could assign to a tenant or host pool. These roles are now in Azure role-based access control. You can apply these roles to every Windows Virtual Desktop Azure Resource Manager object, which lets you have a full, rich delegation model.
• Host pool deployment is now fully integrated with the Azure Shared Image Gallery. Shared Image Gallery is a separate Azure service that stores virtual machine (VM) image definitions, including image versioning. You can also use global replication to copy and send your images to other Azure regions for local deployment.

Source: https://docs.microsoft.com/en-us/azure/virtual-desktop/whats-new

Windows Virtual Desktop Prerequisites

To use Windows virtual desktop service, we need the following

• Azure Active Directory
• A Windows Server Active Directory in sync with Azure Active Directory. It can be either via Azure AD Connect or Azure AD Domain Services
• An Azure subscription that contains a virtual network that either contains or is connected to the Windows Server Active Directory
• Azure virtual machines for Windows Virtual Desktop service must be Windows Desktop Machines which join the Azure AD using a stranded method or Hybrid AD-join method. It can’t be Azure AD-Join.
• Azure virtual machines for Windows Virtual Desktop service only can have following supported x64 operating systems.

 Windows 10 Enterprise multi-session, version 1809 or later
 Windows 10 Enterprise, version 1809 or later
 Windows 7 Enterprise
 Windows Server 2019
 Windows Server 2016
 Windows Server 2012 R2

In this demo, I am going to demonstrate how to publish Desktops using Windows virtual desktop service. Before we start let’s see how is my demo environment looks like and what I am trying to achieve.

• EUSVNet1 and UKSVnet1 are connected using Azure VNet-to-VNet VPN Gateway Connection (https://www.rebeladmin.com/2019/09/step-step-guide-setup-azure-vnet-vnet-vpn-gateway-connection-powershell-guide/). This way session hosts in EUSRG1 can be added to Windows AD using the standard method.
• I will setup windows virtual desktop session hosts and workspace in EUSRG1 resource group. Remote users will connect to windows virtual desktop workspace using public internet.

Modify EUSVnet1 DNS servers

We are going to start the configuration by modifying EUSVnet1’s DNS server settings. As per the above setup, EUSVnet1 virtual network can communicate with UKSVnet1 virtual network. But if we try to add a VM running in EUSVnet1 virtual network to Windows AD in UKSVnet1 virtual network, it will fail. This is because a VM in EUSVnet1 virtual network will not know how to find the domain as it is using Azure defined DNS servers. We can’t simply modify network adapter settings of the VM and point DNS to the Windows AD server. We have to do it in the virtual network level.

To update DNS server settings for the virtual network,

1. Log in to Azure Portal as Global Administrator
2. Search for Virtual networks in the search box.

3. From the list of virtual networks, click on EUSVnet1

4. In the virtual network properties page, click on DNS servers

5. Then select Custom to define our DNS server list. In there add the private ip address of the Windows AD server. In my demo setup, it is 10.75.0.4. I also added google DNS 8.8.8.8 as a backup.
Once settings are in place, click on Save to apply the changes.

Azure Active Directory

Step-by-Step Guide: How to setup Facebook federation with Azure AD?

Enable Self-service sign-up for guest users (preview)

How to setup Azure AD Connect cloud provisioning?

What are the differences between Azure AD Connect and Azure AD Connect cloud provisioning?

Azure AD Connect cloud provisioning Setup

Step-by-Step Guide: How to publish Applications using Windows Virtual Desktop (Spring 2020 Release)

Create Windows Virtual Desktop Application Group

Step-by-Step Guide to Windows Virtual Desktop (Spring 2020 Release)

Windows Virtual Desktop Prerequisites

Modify EUSVnet1 DNS servers

Recent Posts

About Rebeladmin.com

Azure Active Directory

Configure conditional access policy

Enable Self-service sign-up for guest users (preview)

What are the differences between Azure AD Connect and Azure AD Connect cloud provisioning?

Azure AD Connect cloud provisioning Setup

Create Windows Virtual Desktop Application Group

Windows Virtual Desktop Prerequisites

Modify EUSVnet1 DNS servers

Footer

Recent Posts

About Rebeladmin.com

Social Media

Tags