Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

MFA

Step-by-Step Guide: Azure AD password-less sign-in using FIDO2 Security keys

Passwords are the most commonly used method to protect user identities in a system. This is applying to Active Directory as well. However, with growing data breaches, it is obvious that passwords are no longer strong. In Verizon Data Breach Investigations Report (2017), it says, 81% of hacking-related breaches used either stolen or weak passwords. So, if passwords are not safe, what else we can do to improve the security in the sign-in process?

Multi-factor authentication can add another layer of security into the authentication process. It can be SMS, phone call, OTP code, Phone App notification to further confirm the authenticity of the sign-in request. There are many different MFA products available in the market. Each required engineers’ involvement in service provision, deployment, licenses management, integration, end-user training, troubleshooting, and maintenance. It also adds complexity to the sing-in process. MFA doesn’t eliminate the requirement for passwords.

But now we have an option to replace traditional authentication with password-less authentication. This is basically to replace passwords with biometrics, PIN, certificates and security keys. Fast Identity Online (FIDO) is an open standard for passwordless authentication. This allows authenticating into systems using external security key built into a device.

Source : https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless

FIDO2 is the third standard that came out from FIDO Alliance. FIDO2 consists of Client to Authenticator Protocol (CTAP) and the W3C standard WebAuthn. When we use FIDO2 security keys for authentication,

1. User register with WebAuthn remote peer (FIDO2 server) and generate new key pair (public and private)
2. Private key is stored in the device and is only available for client-side.
3. Public key will be registered in the web service’s database.
4. After that in sign-in process, the system will verify the private key which is always need to be unlocked by a user action such as biomimetic or PIN.

Azure AD now supports password-less authentication using FIDO2 security keys. In this demo, I am going to demonstrate how we can use FIDO2 security keys to authenticate into Azure AD. To do this we need,

1. Azure AD Multi-factor authentication enabled
2. FIDO2 security keys

eWBM security keys
The good people at eWBM provided eWBM Goldengate security key G320 (USB-C) and eWBM Goldengate security key G310 (USB-A) for testing. I will be using eWBM Goldengate security key G320 (USB-C) in this demo with Surface Pro 7.

Enable Multi-factor authentication

Before we go ahead with the FIDO2 enrolment, we need to enable multi-factor authentication for the users. To do that,

1. Log in to Azure portal https://portal.azure.com/ as Global Administrator
2. Click on Azure Active Directory under Azure Services

3. Click on Users

4. In All Users window, click on Multi-Factor Authentication

5. Search for the user. In this demo, I am going to use user Megan Brown for testing. Then select the user and click on Enable.

6. Then click on enable multi-factor auth

[Read more…] about Step-by-Step Guide: Azure AD password-less sign-in using FIDO2 Security keys

Step-by-Step Guide: Enable Azure AD Authentication for Azure Point-to-Site (P2S) VPN

OpenVPN is an open-source VPN protocol that is trusted by many cloud service providers to provide site-to-site, point-to-site, and point-to-point connectivity to cloud resources. Now Azure AD authentication also works with OpenVPN protocol. This means we can use Azure AD features such as conditional access, user-based policies, Azure MFA with VPN authentication. In this Demo, I am going to demonstrate how to configure OpenVPN for Azure point-to-site VPN and then how to integrate Azure AD authentication with it. 

Prerequisites

1. To configure OpenVPN, first, we need to have a working point-to-site setup. The native Azure point-to-site VPN setup uses Azure certificate authentication. I wrote an article about it before and it can be accessed using https://www.rebeladmin.com/2018/07/step-step-guide-azure-point-site-vpn/

So, before we start, please go ahead and configure the VPN gateway with certificate authentication.  

2. Also, I am going to use Azure PowerShell for configuration. Please make sure you have the Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Configure OpenVPN for Azure P2S VPN

1. Launch PowerShell console and connect to Azure using Connect-AzAccount (Using Global Administrator Account)

2. Then I ran Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG to review my VPN gateway configuration. Here REBELVPNRG is the resource group it belongs to. 

3. Then let's go ahead and change the VPN client protocol to OpenVPN using,

$vpngw = Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG -name REBEL-VPN-GW

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $vpngw -VpnClientProtocol OpenVPN

In the above, REBEL-VPN-GW is the VPN gateway name. [Read more…] about Step-by-Step Guide: Enable Azure AD Authentication for Azure Point-to-Site (P2S) VPN

Azure AD Join with Windows 10 Devices

In previous articles I have explain how to integrate on-premises active directory with Azure AD. So users can have SSO experience with SaaS apps which is in the cloud. Also can use services such as self-service password reset.

With Windows 10 Microsoft align it with Azure AD to provide more “cloud” experience. Azure AD Join is new feature in windows 10 devices where you can directly link your devices to Azure AD.

Let’s look in to some of the major capabilities introduced by windows 10 to align with Azure AD.

1)    Out-of-Box Experience and easy integration with Azure AD – when you switch on your windows 10 device first time, during the initial setup you can easily connect with the Azure AD using Azure AD Join option. It is few simple steps and if you do have the azure AD user account details without support of IT department easily can join your device.
2)    Single-sign-on to your SaaS apps – With Azure AD join devices you can start using your cloud applications with SSO. It can be Office365 and other services already in cloud.
3)    Automatic enrollment with Mobile device management solutions – if the organization uses the MDM solution such as Microsoft Intune, windows 10 devices can automatically enroll as part of Azure AD join.
4)    Better control over fast changing accounts – your organization may have fast changing accounts such as sales department, interns etc. sometime these accounts cause issues with security as they may login from remote locations. But now with azure AD join devices you can control the identities for those accounts easily and the changes to the accounts apply to devices fast.

Now let’s see how to connect windows 10 device with Azure AD.

In my demo I do have Azure AD premium instance setup and it got a user account called user1.
I am going to connect a pc which run windows 10 enterprise to azure AD using Azure AD join.

1)    Log in to the windows 10 PC > Start > Settings

adjoin2

2)    Then Systems in the panel

adjoin3

3)    Then option “About”, there you can select the option “Join Azure AD

adjoin4

4)    In next window click on next to start the process

adjoin5

5)    Type your Azure AD user name and password and click sign on

adjoin6

6)    Since this is new account it ask to set a password. Continue with click in “Sign In

adjoin7

7)    System confirms about account and organization info. Click on Join to continue

adjoin8

8)    At the end system confirms as device now joined to Azure AD

adjoin9

9)    Now let try to log in with Azure AD account

adjoin10

10)    Boom!, I am in with Azure AD User Account
11)    If you have MFA enable, it will ask to setup MFA in first login

adjoin11

adjoin12

12)    In Azure portal I can see the device is registered under the user too

adjoin13

In this post I explain what azure AD join is and how it can use with windows 10 devices. If you have any questions feel free to contact me on rebeladm@live.com

Step-by-Step guide to configure self-service password reset in Azure AD

Password reset for AD users is a common call, ticket for the help desk. This is sometime negatively affecting company operations. Because users will not have access to systems and applications until the password reset by help desk engineers. What if we can allow end users to reset their passwords them self in a secure manner?

Yes Azure AD is now gives opportunity to enable self-service password reset for the end-users. Also the password resets can sync with on-premises AD.

This feature is disabled by default. In this demo I will explain how to enable this feature and configure.

On the demo setup I am using have Azure AD instance which is sync with on-premises windows server 2016 TP4 AD.

1)    Log in to the Azure Portal and load the Azure AD Instance
2)    Then in Dashboard, under configure services you can find option “Self Service Password Reset” By default it’s disabled. Click on “Configure” to proceed with configuration.

spw1

3)    Then in next page under User Password Reset Policy select option “Yes” next to “Users enabled for password reset

spw2

4)    Now it will give you options to configure the policy for the password reset. Let’s look in to  some of these options and understand what they do.

Restrict access to password reset – Using this option password reset can only allow for a security group instead of allowing it for every user in the instance. Any member of allowed security group will get option to do a self-service password reset.

Authentication Methods Available to Users – its allow you to use following options to select with. We can allow to use any selected authentication methods for users. 

Number of Authentication Methods Required – In this option we can choose how many methods required for successful password reset

spw3

Require users to register when signing in? – When this option is enabled users can register their own authentication method when sign up.

Write back passwords to on-premises active directory – with this option if a user reset password using self-service portal it will write back to the on-premises AD too.

In order to get this write back option work, it need to be enabled in Azure AD connect in on-premises AD.

aad1

5)    In demo I am configuring “Security Questions” as authentication method. With that option you can define the different security questions, as well as the number of questions required to answer.

spw4

6)    Once options are configure click on save to apply the changes.

spw5

7)    Let’s see how it works in user end.  I am trying to log in to azure portal as standard user. In first login it’s ask additional information to setup for password reset. Click on setup to provide the additional info.

spw6

spw7

8)    Now all the additional info is saved. Let’s see how it works. I am going to log in with wrong password to simulate it. As soon as I done it, it ask if you need to reset the login.

spw8

9)    Clicked on “Forgot your password ?” option

10)    As first check it’s asking to enter the characters in picture. Click next to continue

spw9

11)    Then it ask which option to use for the password reset, according to the policy. Select the option you like to use.

spw10

12)    Then it’s ask for the second authentication. As per the policy.

spw11

13)    Once authentication success, it’s ask to submit the new password.

spw12
14)    Once its finish you can successfully login with new password.

spw13

If you have any questions about the post feel free to ask me on rebeladm@live.com

Step-by-Step guide to configure MFA (multi-factor authentication) for azure users

MFA, I am sure it’s not a new concept today for IT administrators. Its additional layer of security to confirm the user identity. It can be in form of PIN verify, phone call, smart cards, biometrics etc.

This feature is mainly used in infrastructure when its release, extending its services to “internet face”. There are lot of MFA service providers in market. You can either use it as on-premises service or cloud based service.

When it comes to azure the same security concerns applies. If you integrated it with on-premises active directory security is more concerned as it will extend the security boundaries of the infrastructure.

In this article I will demonstrate how “easily” you can enable multi-factor authentication for azure user.

In my demo I have a windows server 2016 TP4 on-premises AD configured to sync with azure ad. I am going to enable MFA for an azure user account which is sync from on-premises AD.

1)    Log in to your azure portal
2)    Then brows > Active Directory

mfa1

3)    Load your AD directory and go to users

mfa2

4)    For my demo I am using user account “user1”, this user account is sync from local active directory
5)    Select the user account and click on “manage multi-factor authentication

mfa3

6)    Then it will load a new page to manage MFA. As you can see currently for “user1” MFA disabled

mfa4

7)    To enable, click on tick box next to “user1” and click on option ”enable” in right hand panel

mfa5

8)    Then it will open a pop up window with help options. Click on “enable multi-factor auth

mfa6

9)    Now it’s enabled. Let’s try to log in azure portal as the use to see.

mfa7

10)    Then it saying MFA is enabled and it need to setup. Click on “setup now” to proceed

mfa8

mfa9

11)    Then in next page it gives option to select the authentication method.
12)    There is 3 ways to authenticate

Authentication phone – This will send SMS or also can setup to call back to the given number. Please note if you use this option SMS and call charges will be added.

Office Phone – This option is to request contact using office phone specified by admin

Mobile App – With this option you can install mobile application (Azure Authenticator) on your phone and it can set to send notification via app when try to login or to use verification code

mfa10

13)    Once select the option and its settings, click on setup

mfa11

14)    In my demo I used mobile app option. Once its completed the setup (you need to follow different options to setup based on your selection) let’s check the login page again

mfa12

15)     Now it’s asking for the PIN verification before login.

As we can see now MFA is enabled for the selected azure ad user.
In future post I will explain how we can change settings for MFA.

If you have any question feel free to contact me on rebeladm@live.com