Azure VM Log In Using Azure AAD

dingding 好物分享

Dec 12 2019, Microsoft announced that Azure AD authentication to Windows Virtual Machines (VMs) in Azure is now available in public preview—giving you the ability to manage and control who can access a VM.

Using Azure AD to authenticate to VMs provides the ability to centrally control and enforce policies using tools like Azure Role-Based Access Control (RBAC) and Azure AD Conditional Access to allow you to control who can access a VM.

 

There are many benefits of using Azure AD authentication to login to Windows VMs in Azure, including:

  • Utilizing the same federated or managed Azure AD credentials you normally use.
  • No longer having to manage local administrator accounts.
  • Using Azure RBAC to grant the appropriate access to VMs based on need and remove it when it is no longer needed.
  • Requiring AD Conditional Access to enforce additional requirements such as:
  • Multi-factor authentication (MFA)
  • Sign-in risk
  • Automating and scaling Azure AD join for Azure based Windows VMs.

Using Azure Portal create VM experience to enable Azure AD login

You can enable Azure AD login for Windows Server 2019 Datacenter or Windows 10 1809 and later VM images.

To create a Windows Server 2019 Datacenter VM in Azure with Azure AD login:

  1. Sign in to the Azure portal, with an account that has access to create VMs, and select + Create a resource.
  2. In Search the Marketplace search bar, type Windows Server.
    • Click Windows Server and from Select a software plan drop-down, select Windows Server 2019 Datacenter.
    • Click Create.
  3. On the Management tab, under the Azure Active Directory, toggle Login with AAD credentials (Preview) to On.
  4. Make sure System assigned managed identity under the Identity section is set to On. This action should happen automatically once you enable Login with Azure AD credentials.

Go through the rest of the experience of creating a VM. During this preview, you’ll have to create an administrator username and password for the VM.

Using Azure AD portal experience to configure role assignment for the VM

To use your Azure AD credentials for Windows VMs in Azure, you must belong to Virtual Machine Administrator Login or Virtual Machine User Login role.

 

To configure role assignments for your Azure AD enabled Windows Server 2019 Datacenter or Windows 10 1809 and later VM images:

  1. Navigate to the specific Virtual Machine overview page.
  2. Select Access control (IAM) from the menu options
  3. Select AddAdd role assignment to open the Add role assignment pane.
  4. In the Role drop-down list, select a role such as Virtual Machine Administrator Login or Virtual Machine User Login.
  5. In the Select field, select a usergroupservice principal, or managed identity. If you don't see the security principal in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers.
  6. To assign the role, select Save.

After a few moments, the security principal is assigned the role at the selected scope.

 

thumbnail image 2 of blog post titled Azure AD authentication to Windows VMs in Azure now in public preview

Configure Azure VM for AAD Login

Check this doc for more information: Login to Windows virtual machine in Azure using Azure Active Directory authentication

Using the Azure Cloud Shell experience to enable Azure AD login:

PS /home/johnyan_ca> az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows --resource-group test-storage --vm-name vm4adds
{
 "autoUpgradeMinorVersion": true,
 "enableAutomaticUpgrade": null,
 "forceUpdateTag": null,
 "id": "/subscriptions/bcf33549-1d47-45e1-9751-548e2fe15db3/resourceGroups/test-storage/providers/Microsoft.Compute/virtualMachines/vm4adds/extensions/AADLoginForWindows",
 "instanceView": null,
 "location": "eastus",
 "name": "AADLoginForWindows",
 "protectedSettings": null,
 "provisioningState": "Succeeded",
 "publisher": "Microsoft.Azure.ActiveDirectory",
 "resourceGroup": "test-storage",
 "settings": {
 "mdmId": ""
 },
 "suppressFailures": null,
 "tags": null,
 "type": "Microsoft.Compute/virtualMachines/extensions",
 "typeHandlerVersion": "1.0",
 "typePropertiesType": "AADLoginForWindows"
}
PS /home/johnyan_ca>

Now if we look at the output from Azure VM, we can see that the SSO State for AzureADPrt is NO, and the Device State for AzureAdJoined is set to YES. 

C:/Users/netsec>dsregcmd /status

+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

 AzureAdJoined : YES
 EnterpriseJoined : NO
 DomainJoined : NO

+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+

 DeviceId : 0fe1ce87-89e4-42ad-aabe-a0858d2e2421
 Thumbprint : 4FB026A152A2C3625DA981F17233703A77FE505D
 DeviceCertificateValidity : [ 2021-11-20 09:55:03.000 UTC -- 2031-11-20 10:25:03.000 UTC ]
 KeyContainerId : 7a61bedc-bb6f-4ed9-bd84-2381a5d7837f
 KeyProvider : Microsoft Software Key Storage Provider
 TpmProtected : NO

+----------------------------------------------------------------------+
| Tenant Details |
+----------------------------------------------------------------------+

 TenantName :
 TenantId : 22dbd8e0-9e61-439a-8bd9-fdd502bff1dc
 Idp : login.windows.net
 AuthCodeUrl : https://login.microsoftonline.com/22dbd8e0-9e61-439a-8bd9-fdd502bff1dc/oauth2/authorize
 AccessTokenUrl : https://login.microsoftonline.com/22dbd8e0-9e61-439a-8bd9-fdd502bff1dc/oauth2/token
 MdmUrl :
 MdmTouUrl :
 MdmComplianceUrl :
 SettingsUrl :
 JoinSrvVersion : 1.0
 JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
 JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
 KeySrvVersion : 1.0
 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
 KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
 WebAuthNSrvVersion : 1.0
 WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/22dbd8e0-9e61-439a-8bd9-fdd502bff1dc/
 WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
 DeviceManagementSrvVer : 1.0
 DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/22dbd8e0-9e61-439a-8bd9-fdd502bff1dc/
 DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+

 NgcSet : NO
 WorkplaceJoined : NO
 WamDefaultSet : NO

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

 AzureAdPrt : NO
 AzureAdPrtAuthority :
 EnterprisePrt : NO
 EnterprisePrtAuthority :

+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+

 AadRecoveryNeeded : NO
 KeySignTest : PASSED

+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+

 IsDeviceJoined : YES
 IsUserAzureAD : NO
 PolicyEnabled : NO
 PostLogonEnabled : YES
 DeviceEligible : YES
 SessionIsNotRemote : NO
 CertEnrollment : none
 PreReqResult : WillNotProvision


C:/Users/netsec>

In this case, if you would need to remote log into this Azure VM using AAD login, you will need to verify that the Windows 10 PC you are using to initiate the remote desktop connection is one that is either Azure AD joined, or hybrid Azure AD joined to the same Azure AD directory where your VM is joined to.

Join Windows 10 Machine into AAD

Check this post for this step: Setup Hybrid Azure Active Directory Login For Your Client Machines

Here are some basic steps:

  • Open Settings, go to Accounts and Access work or school and press Connect.
  • Press Join this device to Azure Active Directory.
  • Enter your mail address and press Next, on next screen you have to enter your password.
  • Once you are done with the wizard you should restart your computer. It should now work to logon with your company credentials.

Download RDP file from Azure VM's Connect button and RDP in

In following screenshot example, I am RDP from a on-prem Win10 (AAD joined) machine to an Azure VM (AAD joined)

Set Up Share Permission and NTFS on Azure VM's Share Folder

Here are the key differences between NTFS and share permissions that you need to know:

  • Share permissions are easy to apply and manage, but NTFS permissions enable more granular control of a shared folder and its contents.
  • When share and NTFS permissions are used simultaneously, the most restrictive permission always wins. For example, when the shared folder permission is set to “Everyone Read Allow” and the NTFS permission is set to “Everyone Modify Allow”, the share permission applies because it is most restrictive; the user is not allowed to change the files on the shared drive.
  • Share permissions can be used when sharing folders in FAT and FAT32 file systems; NTFS permissions can’t.
  • NTFS permissions apply to users who are logged on to the server locally; share permissions don’t.
  • Unlike NTFS permissions, share permissions allow you to restrict the number of concurrent connections to a shared folder.
  • Share permissions are configured in the “Advanced Sharing” properties in the “Permissions” settings. NTFS permissions are configured on the Security tab in the file or folder properties.

Some Key Points to assign AAD user(s) to Azure VM's share folder(s):

1. AAD's group will not be able to added in, only user(s)

2. To add AAD user into share folder's permission, the user has to be added into either "Virtual Machine Administrator Login" or "Virtual Machine User Login"

3. Advanced Sharing is not able to add ADD users or groups. Only local VM's users and groups can be added

Azure AD DS and Azure AD

More comparing can access this post at https://www.apps4rent.com/blog/active-directory-domain-services-vs-azure-active-directory/

Azure AD lets you manage the identity of devices used by the organization and control access to corporate resources from those devices. Users can also register their personal device (a bring-your-own (BYO) model) with Azure AD, which provides the device with an identity. Azure AD then authenticates the device when a user signs in to Azure AD and uses the device to access secured resources. The device can be managed using Mobile Device Management (MDM) software like Microsoft Intune. This management ability lets you restrict access to sensitive resources to managed and policy-compliant devices.

Traditional computers and laptops can also join to Azure AD. This mechanism offers the same benefits of registering a personal device with Azure AD, such as to allow users to sign in to the device using their corporate credentials. Azure AD joined devices give you the following benefits:

  • Single-sign-on (SSO) to applications secured by Azure AD.
  • Enterprise policy-compliant roaming of user settings across devices.
  • Access to the Windows Store for Business using corporate credentials.
  • Windows Hello for Business.
  • Restricted access to apps and resources from devices compliant with corporate policy.

The problem with Azure AD is that it treats organizations like “tenants” who access Azure AD through the Azure portal to manage their employees, passwords and permissions. Azure AD allows users to access various services once they have authenticated themselves, but you have no way of configuring access rights in details, as Azure AD does not meet the necessary structural conditions for this.

Microsoft’s solution to this problem is Azure AD Domain Services (AAD DS). AAD DS is an Azure product that provides an Active Directory domain (managed by Microsoft) on two domain controllers. The domain controllers support LDAP, domain joining and authentication via Kerberos and NTLM. This version of Azure Active Directory also supports the use of organizational units and group policies.

On an Azure AD-joined or registered device, user authentication happens using modern OAuth / OpenID Connect based protocols. These protocols are designed to work over the internet, so are great for mobile scenarios where users access corporate resources from anywhere.

With Azure AD DS-joined devices, applications can use the Kerberos and NTLM protocols for authentication, so can support legacy applications migrated to run on Azure VMs as part of a lift-and-shift strategy

Aspect Azure AD-joined Azure AD DS-joined
Device controlled by Azure AD Azure AD DS managed domain
Representation in the directory Device objects in the Azure AD directory Computer objects in the Azure AD DS managed domain
Authentication OAuth / OpenID Connect based protocols Kerberos and NTLM protocols
Management Mobile Device Management (MDM) software like Intune Group Policy
Networking Works over the internet Must be connected to, or peered with, the virtual network where the managed domain is deployed
Great for… End-user mobile or desktop devices Server VMs deployed in Azure

References

https://blog.51sec.org

版权声明:
作者:dingding
链接:https://www.techfm.club/p/6357.html
来源:TechFM
文章版权归作者所有,未经允许请勿转载。

THE END
分享
二维码
< <上一篇
下一篇>>