Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Azure Active Directory

Step-by-Step Guide to Windows Virtual Desktop (Spring 2020 Release)

I wrote my first article about Windows Virtual Desktop when it was in the preview stage. There were few releases after that and some of the content of that original post is no longer relevant. So, I thought it is time to release a new article to avoid conflicts.
Windows Virtual Desktop is a cloud-based desktop and app virtualization service. If you ever worked with on-premises VDI solutions such as Microsoft RDS or Citrix, you may already know how much planning, management involve with it. It is costly as performance & availability of the solution depend on so many things such as networking, hardware resources, skills, connection, etc. But now with Windows Virtual Desktop, we can simply set up VDI solution with few clicks. With COVID-19 global pandemic, businesses had to allow their employees to work from home. With the help of Windows virtual desktop service, a lot of businesses were able to expand VDI to address the demand pretty quickly compared to other traditional on-premises solutions.

What is new on Windows Virtual Desktop Spring 2020 update?

• Windows Virtual Desktop is now integrated with the Azure portal. So, we can set up everything using the Azure portal. No PowerShell required.
• With the previous version, we were only able to publish RemoteApps and Desktops to individual users. But now we can publish to Azure Active Directory groups.
• You’re no longer required to complete Azure Active Directory (Azure AD) consent to use Windows Virtual Desktop. In the Spring 2020 update, the Azure AD tenant on your Azure subscription authenticates your users and provides RBAC controls for your admins.
• The earlier version of the Windows Virtual Desktop had four built-in admin roles that you could assign to a tenant or host pool. These roles are now in Azure role-based access control. You can apply these roles to every Windows Virtual Desktop Azure Resource Manager object, which lets you have a full, rich delegation model.
• Host pool deployment is now fully integrated with the Azure Shared Image Gallery. Shared Image Gallery is a separate Azure service that stores virtual machine (VM) image definitions, including image versioning. You can also use global replication to copy and send your images to other Azure regions for local deployment.

Source: https://docs.microsoft.com/en-us/azure/virtual-desktop/whats-new

Windows Virtual Desktop Prerequisites

To use Windows virtual desktop service, we need the following

• Azure Active Directory
• A Windows Server Active Directory in sync with Azure Active Directory. It can be either via Azure AD Connect or Azure AD Domain Services
• An Azure subscription that contains a virtual network that either contains or is connected to the Windows Server Active Directory
• Azure virtual machines for Windows Virtual Desktop service must be Windows Desktop Machines which join the Azure AD using a stranded method or Hybrid AD-join method. It can’t be Azure AD-Join.
• Azure virtual machines for Windows Virtual Desktop service only can have following supported x64 operating systems.

 Windows 10 Enterprise multi-session, version 1809 or later
 Windows 10 Enterprise, version 1809 or later
 Windows 7 Enterprise
 Windows Server 2019
 Windows Server 2016
 Windows Server 2012 R2

In this demo, I am going to demonstrate how to publish Desktops using Windows virtual desktop service. Before we start let’s see how is my demo environment looks like and what I am trying to achieve.

azure infrastructure

• I have two Resource groups in place. EUSRG1 resource group is in Azure East US region and UKSRG1 resource group is in UK South Azure region.
• Resource in UKSRG1 resource group represents my on-premises infrastructure.
• I have a Windows AD server running in UKSRG1. It is syncing to Azure AD by using Azure AD Connect. I can confirm Azure AD connect sync status is healthy.

EUSVNet1 and UKSVnet1 are connected using Azure VNet-to-VNet VPN Gateway Connection (https://www.rebeladmin.com/2019/09/step-step-guide-setup-azure-vnet-vnet-vpn-gateway-connection-powershell-guide/). This way session hosts in EUSRG1 can be added to Windows AD using the standard method.
• I will setup windows virtual desktop session hosts and workspace in EUSRG1 resource group. Remote users will connect to windows virtual desktop workspace using public internet.

Modify EUSVnet1 DNS servers

We are going to start the configuration by modifying EUSVnet1’s DNS server settings. As per the above setup, EUSVnet1 virtual network can communicate with UKSVnet1 virtual network. But if we try to add a VM running in EUSVnet1 virtual network to Windows AD in UKSVnet1 virtual network, it will fail. This is because a VM in EUSVnet1 virtual network will not know how to find the domain as it is using Azure defined DNS servers. We can’t simply modify network adapter settings of the VM and point DNS to the Windows AD server. We have to do it in the virtual network level.

To update DNS server settings for the virtual network,

1. Log in to Azure Portal as Global Administrator
2. Search for Virtual networks in the search box.

virtual network properties

3. From the list of virtual networks, click on EUSVnet1

virtual network properties 2

4. In the virtual network properties page, click on DNS servers

virtual network dns settings

5. Then select Custom to define our DNS server list. In there add the private ip address of the Windows AD server. In my demo setup, it is 10.75.0.4. I also added google DNS 8.8.8.8 as a backup.
Once settings are in place, click on Save to apply the changes.

save virtual network dns settings [Read more…] about Step-by-Step Guide to Windows Virtual Desktop (Spring 2020 Release)

Step-by-Step Guide: Azure Active Directory Password-less authentication using SM

As we know, passwords are no longer strong. In Verizon Data Breach Investigations Report (2017), it says, 81% of hacking-related breaches used either stolen or weak passwords. Multi-factor authentication can provide an extra layer of security to the sign-in process but it doesn’t eliminate the requirement for passwords. In one of my previous blog posts, I explain how we can enable Azure Active Directory Password-less authentication by using FIDO2 Security keys. This required additional hardware components. Apart from that method now we also can use SMS to authenticate into Azure Active Directory. The beauty of this method is that you not even need to know your user name to log in. Your phone number will be your user name. This not only reduces the security risk; it also simplifies the complexity in the login process. This feature is still in public preview but it is not too early to test.

Prerequisites

To enable Azure Active Directory Password-less authentication with SMS , we must have the following,

1. Valid Azure Subscription
2. Azure AD Tenant
3. One of the following licenses assign to Azure AD user who going to use this feature,
• Azure AD Premium P1/P2
• Microsoft 365 (M365) F1/F3 or Office 365 F1/F3
• Enterprise Mobility + Security (EMS) E3/E5 or Microsoft 365 (M365) E3/E5
4. Global Administrator Account

Limitation

• SMS based authentication has the following limitations.
• This cant be used with native office applications (except teams)
• SMS based authentication is not compatible with Azure multi-factor authentication
• Can’t’ use with federation. Users only can authenticate in the cloud.

In this post I am going to demonstrate how we can enable SMS based authentication for Azure AD. In my demo setup, I have a user called Debra Berger (DebraB@M365x620957.OnMicrosoft.com). She is using Enterprise Mobility + Security E5 Licences. I am going to enable SMS-based authentication for her account.

Let’s go ahead and enable the SMS based authentication first.

1. Log in to Azure Portal (https://portal.azure.com/) as a Global Administrator
2. Click on Azure Active Directory tile.

azure active directory tile

3. Then in the new window click on Security

azure active directory security settings

4. In the Security page, click on Authentication methods

azure active directory authentication methods

5. Then click on the Authentication method policy (Preview) | Text messages

Authentication method policy text message settings

6. In the new window, click on Yes under ENABLE. Then click on Select users under TARGET. After, click on Add users and groups and select Debra Berger from the list. Leave all other settings in default and click on Save to apply the settings.

enable sms-based authentication [Read more…] about Step-by-Step Guide: Azure Active Directory Password-less authentication using SM

Step-by-Step Guide: Enable Windows 10 password-less authentication with FIDO2 security keys (Azure AD + Microsoft Intune)

In my previous blog post, I explained how we can use FIDO2 security keys to perform password-less authentication with Azure AD. You can access it using Step-by-Step Guide: Azure AD password-less sign-in using FIDO2 Security keys
We also can use FIDO2 security keys to sign-in to Azure AD Joined or Hybrid Azure AD Joined Windows 10 devices. In this demo, I am going to demonstrate how we can enable FIDO2 security key sign-in using Azure AD and Microsoft Intune.
Before enabling password-less authentication with FIDO2 security keys, make sure you have,

1. Azure AD and Intune – Make sure you have valid Azure AD and Intune subscription in place.
2. Azure AD Join on Hybrid Azure AD joined Windows 10 Devices – If it is Azure AD Join device, it should run at least Windows 10 version 1903. If it is Hybrid Azure AD joined device at least it should be running Windows 10 Insider Build 18945
3. FIDO2 Security keys – The good people at eWBM provided eWBM Goldengate security key G320 (USB-C) and eWBM Goldengate security key G310 (USB-A) for testing. I will be using eWBM Goldengate security key G320 (USB-C) in this demo with Surface Pro 7.

4. Azure AD user account which completed the FIDO2 security key enrolment process – This explained in details via my previous post https://www.rebeladmin.com/2020/03/step-step-guide-azure-ad-password-less-sign-using-fido2-security-keys/

In this demo, I am going to use a user called Megan Bowen (meganb@M365x620957.onmicrosoft.com) for testing. I already have an Azure AD join device ready for her. It is showing as compliant in the Microsoft Intune portal.

Enable Windows Hello for Business with Intune

Before we create a device configuration profile, we need to enable Windows Hello for Business with FIDO2 security key support. To do that,

1. Log in to Azure Portal as Global Administrator ( https://portal.azure.com/ )
2. Search for Intune in the search box and click on it.


3. Then click on Device Enrolment

4. In the new window click on Windows enrollment | Windows Hello for Business

5. Select Enable for Configure Windows Hello for Business. Then keep the default settings.

6. Also, select Enable for Use security keys for sign-in

This will enable FIOD2 security key support.

7. At the end click on Save to apply the changes.

[Read more…] about Step-by-Step Guide: Enable Windows 10 password-less authentication with FIDO2 security keys (Azure AD + Microsoft Intune)

Step-by-Step Guide to Azure AD Access Package

In an organization, we add users to roles, groups, and applications to allow them to do certain tasks. Some of these tasks may not be carried out frequently. Is there a better way to handle these types of access, how we can ensure a user only have the relevant permissions when they required?

Azure AD Access packages allow administrators to manage access permissions to groups, applications and SharePoint sites in a more efficient way. Internal and external users will have relevant permissions to do their tasks only when they required. It will reduce the manual review of the user account permissions. The relevant policies will ensure who can request access, how the access requests are handled and when the access permissions will be revoked.

Azure AD access packages can use to,

• Manage membership of Azure AD groups
• Manage membership of Office 365 groups
• Manage membership of SharePoint sites
• Mange membership of Azure AD applications

In this post, I am going to demonstrate how we can manage access permissions using Azure AD Access Package.

In my demo environment, I have a user called Debra Berger. She is going to work on a new recruiting campaign. As part of her job, she has to access LinkedIn application. At the moment only members of sg-Finance & sg-Sales and Marketing groups have access to it. Debra Berger is not a member of both groups. She only needs this app for the new campaign. So, let’s go ahead and create an access package for this.

To do this,

1. Log in to Azure Portal as Global Administrator https://portal.azure.com/

2. Go to Menu and click on Azure Active Directory

3. Then click on Identity Governance

4. Click on Access packages

5. Then click on New access package

6. It will open a new wizard to create access packages. Provide name, description, and catalog for the new access package. By default, the catalog is set to General, if required you can create your own. Once settings are in click on Next: Resource roles >

[Read more…] about Step-by-Step Guide to Azure AD Access Package

Step-by-Step Guide: Enable Azure AD Authentication for Azure Point-to-Site (P2S) VPN

OpenVPN is an open-source VPN protocol that is trusted by many cloud service providers to provide site-to-site, point-to-site, and point-to-point connectivity to cloud resources. Now Azure AD authentication also works with OpenVPN protocol. This means we can use Azure AD features such as conditional access, user-based policies, Azure MFA with VPN authentication. In this Demo, I am going to demonstrate how to configure OpenVPN for Azure point-to-site VPN and then how to integrate Azure AD authentication with it. 

Prerequisites

1. To configure OpenVPN, first, we need to have a working point-to-site setup. The native Azure point-to-site VPN setup uses Azure certificate authentication. I wrote an article about it before and it can be accessed using https://www.rebeladmin.com/2018/07/step-step-guide-azure-point-site-vpn/

So, before we start, please go ahead and configure the VPN gateway with certificate authentication.  

2. Also, I am going to use Azure PowerShell for configuration. Please make sure you have the Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Configure OpenVPN for Azure P2S VPN

1. Launch PowerShell console and connect to Azure using Connect-AzAccount (Using Global Administrator Account)

2. Then I ran Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG to review my VPN gateway configuration. Here REBELVPNRG is the resource group it belongs to. 

3. Then let's go ahead and change the VPN client protocol to OpenVPN using,

$vpngw = Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG -name REBEL-VPN-GW

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $vpngw -VpnClientProtocol OpenVPN

In the above, REBEL-VPN-GW is the VPN gateway name. [Read more…] about Step-by-Step Guide: Enable Azure AD Authentication for Azure Point-to-Site (P2S) VPN