Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Azure Active Directory

Step-by-Step Guide to Azure AD Access Package

In an organization, we add users to roles, groups, and applications to allow them to do certain tasks. Some of these tasks may not be carried out frequently. Is there a better way to handle these types of access, how we can ensure a user only have the relevant permissions when they required?

Azure AD Access packages allow administrators to manage access permissions to groups, applications and SharePoint sites in a more efficient way. Internal and external users will have relevant permissions to do their tasks only when they required. It will reduce the manual review of the user account permissions. The relevant policies will ensure who can request access, how the access requests are handled and when the access permissions will be revoked.

Azure AD access packages can use to,

• Manage membership of Azure AD groups
• Manage membership of Office 365 groups
• Manage membership of SharePoint sites
• Mange membership of Azure AD applications

In this post, I am going to demonstrate how we can manage access permissions using Azure AD Access Package.

In my demo environment, I have a user called Debra Berger. She is going to work on a new recruiting campaign. As part of her job, she has to access LinkedIn application. At the moment only members of sg-Finance & sg-Sales and Marketing groups have access to it. Debra Berger is not a member of both groups. She only needs this app for the new campaign. So, let’s go ahead and create an access package for this.

To do this,

1. Log in to Azure Portal as Global Administrator https://portal.azure.com/

2. Go to Menu and click on Azure Active Directory

3. Then click on Identity Governance

4. Click on Access packages

5. Then click on New access package

6. It will open a new wizard to create access packages. Provide name, description, and catalog for the new access package. By default, the catalog is set to General, if required you can create your own. Once settings are in click on Next: Resource roles >

[Read more…] about Step-by-Step Guide to Azure AD Access Package

Step-by-Step Guide: Enable Azure AD Authentication for Azure Point-to-Site (P2S) VPN

OpenVPN is an open-source VPN protocol that is trusted by many cloud service providers to provide site-to-site, point-to-site, and point-to-point connectivity to cloud resources. Now Azure AD authentication also works with OpenVPN protocol. This means we can use Azure AD features such as conditional access, user-based policies, Azure MFA with VPN authentication. In this Demo, I am going to demonstrate how to configure OpenVPN for Azure point-to-site VPN and then how to integrate Azure AD authentication with it. 

Prerequisites

1. To configure OpenVPN, first, we need to have a working point-to-site setup. The native Azure point-to-site VPN setup uses Azure certificate authentication. I wrote an article about it before and it can be accessed using https://www.rebeladmin.com/2018/07/step-step-guide-azure-point-site-vpn/

So, before we start, please go ahead and configure the VPN gateway with certificate authentication.  

2. Also, I am going to use Azure PowerShell for configuration. Please make sure you have the Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Configure OpenVPN for Azure P2S VPN

1. Launch PowerShell console and connect to Azure using Connect-AzAccount (Using Global Administrator Account)

2. Then I ran Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG to review my VPN gateway configuration. Here REBELVPNRG is the resource group it belongs to. 

3. Then let's go ahead and change the VPN client protocol to OpenVPN using,

$vpngw = Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG -name REBEL-VPN-GW

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $vpngw -VpnClientProtocol OpenVPN

In the above, REBEL-VPN-GW is the VPN gateway name. [Read more…] about Step-by-Step Guide: Enable Azure AD Authentication for Azure Point-to-Site (P2S) VPN

Step-by-Step Guide: How to enable MFA for Azure admins (Preview)?

Multi-factor authentication is no longer a privilege. MFA is providing an additional layer of security for identities. MFA solutions are getting cheaper and cheaper. You even can enable MFA for free on certain online services. Microsoft outlook email is a good example of that. When it comes to cloud services this is more and more important.

Azure MFA is cloud-based multi-factor service which can use to provide two-step verification for Azure AD users. Azure MFA for Azure AD users comes as part of Office 365 or Azure AD P1, P2 subscriptions. When subscriptions are in place, we can enable MFA for users using different methods. 

Enable MFA for all users – This is the most secure method. We can enable this simply by using Office 365 or Azure Portal.  

Enable MFA for selected users – If the licenses are an issue, we also can enable MFA for selected users. This can be done using the same portals as above. 

Enable MFA based on conditional access policies – Let's assume sales users are accessing certain apps from various external networks. Using conditional access policies, I can force MFA authentication for any user who is accessing application A from an untrusted network. This way MFA will only be enabled for certain users.  [Read more…] about Step-by-Step Guide: How to enable MFA for Azure admins (Preview)?

Step-by-Step Guide: Bulk import/remove group members from Azure Active Directory (Public Preview)

So far in Azure Active Directory, if we need to add members to a group, we have to go through a few steps. 

To remove members from a group, we have to select members manually and then remove it. 

This process is still okay for small scale changes. But if it is large scale change, it will take time. Also, engineers can make mistakes by selecting the wrong users. Microsoft now allows us to add and remove users based on CSV files. This is still in the preview stage but it is not too early to test. In this demo, I am going to demonstrate how we can add/remove Azure AD group members using CSV files. 

Add Members 

To add members to Azure AD group using the new CSV method, 

1. Log in to Azure Portal (https://portal.azure.com) as Global Administrator or Group Owner.

2. Go to Azure Active Directory | Groups  

3. In this demo, I am going to add users to "Leadership" group. So, I went ahead and click on it.  [Read more…] about Step-by-Step Guide: Bulk import/remove group members from Azure Active Directory (Public Preview)

Step-by-Step Guide to enable BitLocker for cloud-managed Windows 10 Devices (Using Microsoft Intune)

Data encryption is one of the basic requirements when it comes to data protection. Using Windows BitLocker, we can easily encrypt virtual and physical disks. We normally use group policies and system center configuration manager (SCCM) to centrally manage/configure BitLocker. 

We also can use Microsoft Intune to manage BitLocker on Azure AD joined Windows 10 devices. This is done by using Microsoft Intune Device configuration Profiles. I previously wrote an article about configuration profiles and explained how we can use it to standardize device configurations on Azure AD join devices. I highly recommend you to go through it before we continue further with this blog post as it explains the basics about configuration profiles. This aforementioned blog post can access using https://www.rebeladmin.com/2019/09/step-step-guide-standardize-desktop-devices-using-microsoft-intune-device-configuration-profiles/

In this demo, I am going to demonstrate how to manage BitLocker using Microsoft Intune. Before we start, we need to have devices enrolled with Intune. You can find more info about device enrollment using my previous blog posts https://www.rebeladmin.com/2018/11/step-step-guide-enroll-windows-10-devices-microsoft-intune-using-autopilot/

In my demo environment, I have Azure AD joined & Intune enrolled windows 10 device called W2007.

Let's go ahead and setup the relevant device configuration profile. 

To do that, 

1. Log in to Azure Portal (https://portal.azure.com) as Global Administrator and go to All services | Intune or else log in to Intune device management portal directly via https://devicemanagement.microsoft.com  

2. Then click on Device configuration | Profiles

3. In the profiles page, click on + Create profile

[Read more…] about Step-by-Step Guide to enable BitLocker for cloud-managed Windows 10 Devices (Using Microsoft Intune)