Category Archives: Azure

Delegate resetting azure MFA for helpdesk through azure automation run book and Microsoft Flow

When a user with MFA enabled loses his mobile phone then he wouldn’t be able to login to new devices or in the old devices where the token life time have expired. 

Currently in this scenario the user have to report to help desk team. Unfortunately only the global admins can perform  the force reset of MFA account for the user to reset his Strongauthenticationmethods value to null to clear the  old lost device.  

There is a work around which can be used until we get a delegated RBAC role for performing this action. With Azure Automation account, creating a flow, integrating with flow and delegating this action to helpdesk admins will reduce the load on global admins performing this action. 

Prerequisites:

  1. Create New Automation Accounts from azure portal. Azure subscription required.They provide 500 minutes free every month.
  2. Create new Work Flow from global admin account.This action needs to be performed from global admin account.

Create Azure Automation Account –

Proceed to https://portal.azure.com – Create automation account.

Now add the msonline module-

Add Exchange Online Module – Access Azure Automation account and click Assets > Modules- Add MSOnline Module.

We can see the MSOnline modules are imported successfully.

Enter Global Admin Credentials in the Created Automation account –

Click on Automation accounts – Credentials – Enter Global Admin Credentials. Add scripts(below scripts)

This is the global admin credentials required which will execute the automation when we trigger the work flow from a delegated helpdesk admin account.

Now add the script which is required to execute this operation.

Param
     (
         [Parameter (Mandatory= $false)]

         [String] $UserEmail = ""
     )

     $creds = Get-AutomationPSCredential -Name 'TestDemo’
     Connect-MsolService -Credential $creds
#This command resets the MFA
Set-MSOLUser -UserPrincipalName $UserEmail -StrongAuthenticationMethods @()
#This Command Resets the password  with force login
#Set-MsolUserPassword -UserPrincipalName $UserEmail -NewPassword "S@c@r!ooii" -ForceChangePassword $true

After adding above Publish the scripts.

Now we need to create the flow from the global admin account to execute this action.

Head over to Flow (https://flow.microsoft.com ) and provision a new personal Flow. Click new flow – Click Create from Blank.

Choose – Flow Button for Mobile , Flow Button for Mobile – manually trigger a Flow , Select AA- Type useremail as input flow.

Navigate to triggers – Select Manually trigger a flow.

Type UserEmail as input flow-Click on New Step – Add an Action

Click on Choose an action – Select Azure Automation – Create a Job – Provide the required credentials and subscription details.

Provide the required credentials and subscription details.

Now we will see the flow is connected to Azure automation account

Now Navigate to My Flows- Select the new flow – Click on – Run Now

We can see the flow will be successfully started and execute the requested operation of resetting the MFA value to null for the user.

We can run them on automation accounts and see them for verification and they will be successful.

From the global admin Flow login – Delegate this flow to helpdesk admins as manage run only user permission.

The actual operation is executed by the global admin account however the helpdesk team will be triggering this action through the delegated run only permissions assigned to them in created Microsoft flow.

Thanks & Regards

Sathish Veerapandian

Configure access panel in Azure Active directory

We can enable and provide self service application access to end users.If an organization is using Office 365 applications and the user is licensed for them, then the Office 365 applications will appear on the user’s Access Panel.Microsoft and third-party applications configured with Federation-based SSO can be added into this access panel.

We can create multiple groups example like HR,Marketing and required apps both internal corporate apps and social media apps can be published.

In order to logon access panel we must be authenticated using organizational account in Azure AD.We can be authenticated to azure AD directly or federated authentication and consume this service.

For organizations that have deployed Office 365, applications assigned to users through Azure AD will also appear in the Office 365 portal 

The azure access panel is a web based portal which provides user with below features:

1)View and launch cloud apps.
2)Configure self service password reset.
3)Self manage groups.
4)See account details.
5)Modify MFA settings.

IT admin can be benefited and reduce first level calls by enabling below features:
1)Provide easy portal for users.
2)Launch cloud based, federated onprem apps.
3)Links to URLs.
4)Control access to corporate application.
5)Restrict access to Users by Groups ,device and location.

The portal can be accessed from https://myapps.microsoft.com Azure Admin Can configure the Access panel settings from the below url-

Login to Azure AD – https://portal.azure.com/

Navigate to URL – Azure AD – Enterprise Applications – All applications.

Select the application which we need to add – In below case LinkedIn – Click on Self-Service.

Below are the options we have at this moment:

Select the option allow users to request access to this application. – By enabling this option end users can view and request access to this application.


To which group the users must be added:

Require approval before granting access to this application:

Who is allowed to approve access to this application:

To which role users should be assigned to this application:

We have these option to add an app:

  1. App that your developing- Register an app you’re working on to integrate it with Azure AD.
  2. On prem app (app proxy)- Configure Azure AD Application Proxy to enable secure remote access.
  3. Non gallery app- Integrate any other application that you don’t find in the gallery
  4. Add from the Gallery – There are close to 3000 apps in gallery which can be added.

Example below of when adding an application we have the following options:

In below case we are adding twitter from the gallery- Custom name can be provided for the application.

Single sign on mode-we have 2 options:

  1. Federated SSO – Allow users to access apps with their organizational accounts applicable mostly for on premise apps published here, application you are developing and any application which is integrated with on premise IDP. Only one time login is required.
    After signing in, the user can launch applications from the Office 365 portal or the Azure AD MyApps access panel. 
  2. Password based Sign-on- Users must remember application-specific passwords and sign in to each application. 

Hide application from end user:

This option can be used if we would like to hide application from end user.

We have below option to hide office 365 apps from the access panel. Doing this will allow end users to see office 365 apps only from office 365 portal.

Further more end user settings features for access panel can be managed:

For on premise applications we need to configure federated single sign on and add them on the access panel.

Navigate to Azure AD – Click Enterprise Applications – Click all Applications – Select the application that needs Single sign on configuration

We have the below options:
SAML – Use SAML whenever possible. SAML works when apps are configured to use one of the SAML protocols.For SAML we need to provide the signon url, user attributes , claims , signing certificate

And then we need to provide the azure url in the application to link with azure AD. Here we are creating an relying party trust between the application and Azure AD for the SAML configuration to work.


Linked – Can be used for cloud and on premise apps.we can use this when the application have single sign-on implemented using another service such as Active Directory Federation Services or any other IDP solution.

Disabled – Use this option If your application is not ready and integrated for SSO. Users will need to enter the user name and password every time the application is launched.

End User review from browser –

User can navigate to http://myapps.microsoft.com/

The defaults office 365 apps will be shown if its not hidden.

After Clicking on Add app users can explore the apps added by admin from the admin portal. In our case it shows only LinkedIn since we added only LinkedIn.

If there is any approval process required as per admin config it goes for approval and post approval the application will be available for requested user.

As per the recent update Microsoft recommends to use In-tune Managed Browser My-apps integration for mobile scenarios.
This integration supports lots of additional cool stuff like home screen bookmark integration, azure ad app proxy integration.

The access panel will definitely help end users to access all office and their corporate applications all in one place without any confusion and will reduce the burden on the front line first level end user access requests.

Thanks & Regards

Sathish Veerapandian

Enable Azure AD Password Protection for On Premise Windows server Active Directory

In this article we will have a look at enabling Azure AD password protection policy in On Premise Active Directory Server.

By Default this feature is enabled for cloud only users with a basic filter of Azure AD password protection with global banned password list.However if we still require Azure AD password protection with custom banned password list for Cloud only users then we would need to have at-least Azure AD Basic License the default value is below.

We have below options in password protection policies:

Lockout Threshold:
How many failed sign-ins are allowed on an account before its first lockout. If the first sign-in after a lockout also fails, the account locks out again.

Lockout Duration in Seconds:
The minimum length in seconds of each lockout. If an account locks repeatedly, this duration increases.

Enforce custom list:
When enabled, the words in the list below are used in the banned password system to prevent easy-to-guess passwords.

Custom banned password list:
A list of words, one per line, to prevent your users from using in their passwords. You should include words specific to your organization, such as your products, trademarks, industries, local cities and towns, and local sports teams. Your list can contain up to 1000 words. These are case insensitive, and common character substitutions (o for 0, etc) are automatically considered.

Enable Password protection on active directory:
If set to Yes, password protection is turned on for Active Directory domain controllers when the appropriate agent is installed. 

Mode:
If set to Enforce, users will be prevented from setting banned passwords and the attempt will be logged. If set to Audit, the attempt will only be logged.

The Visual representation of how this process works is beautifully shown below from Microsoft technet Source 

Below are the prerequisites for enabling the password protection on Active Directory:

  1. For enabling this service on On Premise Active Directory it requires an Azure AD premium license.
  2. A proxy service agent needs to be installed on a member server running windows server 2012 R2 or later.
  3. Domain controllers where the Azure AD password protection DC agent service will be installed must be running Windows Server 2012 or later.  
  4. All servers running the azure AD components must be fully patched in-order to have Universal C runtime installed.
  5. Network connectivity must be present between the Azure AD proxy server and one domain controller running Azure agent Service.
  6. An Azure AD global administrator account is required to register and consume this service for On Premise AD in Azure AD.
  7. A local domain admin privilege account is required to register windows server AD with Azure AD.
  8. Domain running the DC agent service must use the DFSR replication type  for SysVol Replication.
  9. Azure AD password protection proxy service server must have access to the below Microsoft Protection Endpoints.

https://login.microsoftonline.com  –  For Handling the Authentication Requests.

https://enterpriseregistration.windows.net – Azure AD password protection functionality

       

Download the 2 agents from link – https://www.microsoft.com/en-us/download/details.aspx?id=57071

After download we will have 3 installers as below.

Azure AD Password Protection Proxy Service – It acts as a proxy agent which will forward outgoing requests from domain controllers to Azure AD and incoming requests from Azure AD to the on premise domain controller.

DC Agent password filter dll – Will receive all the password validation requests and forward them to the main component running in onpremise Domain Controller which is Azure AD password protection DC agent.

Azure AD password protection DC agent- Receives the password validation request from the filter agent and processes them with the currently present local password policy and returns the validation response Pass/Fail. This core services queries the Azure AD password protection proxy service to check and download the new versions of password policy.

First step we need to install the proxy agent on a member server which in the same domain. 

Once installation is completed Import the Module –

Import-Module AzureADPasswordProtection

Register the Proxy Agent – 

$tenantAdminCreds = Get-Credential
Register-AzureADPasswordProtectionProxy -AzureCredential $tenantAdminCreds

Enter the Domain Admin Credentials

Later Enter the Azure Global Admin Credentials

Later Register  the  Active Directory Forest –

Register-AzureADPasswordProtectionForest 

On a successful registration we will be getting the below event log on the Azure AD password protection Proxy Server.

$tenantAdminCreds = Get-Credential
Register-AzureADPasswordProtectionForest -AzureCredential $tenantAdminCreds

Register the Proxy configuration on a static Port-

Below command can be run to make the proxy service communication and DC Agent Service to run on a static specific port. This option is preferred to keep a static single port communication from this proxy service server and the Domain Controller and not to have IP to IP communication between them.

Set-AzureADPasswordProtectionProxyConfiguration –StaticPort 135

Install the DC agent on the Domain Controller. After the installation is complete only a restart is required and no further configuration is required at this stage.

After this login to Azure AD and enabled the password protection on Windows server Active Directory. Always strictly recommended to start only in Audit mode to understand the current password security and user compliance from the logs.

Once enforced in audit mode we get the below confirmation message in Azure Password protection DC Agent Event logs.

We can verify the password protection agent settings by below commands

Get-AzureAdPasswordProtectionDCAgent | FL

Get-AzureADPasswordProtectionSummaryReport -DomainController DCHostName

Its always better to start this operation by only keeping them in Audit mode since it will create a major impact in the environment without proper end user awareness about enforcing this password policy change.

Also we can monitor the logs in event viewer in below location

A user resetting the password with the compliant characters will get a successful log as below 

If there was a non-complaint password reset by a help-desk operator it would be logged in the audit mode and mention it did not meet the compliant standards.

When the same password is provided to end user and when the end user resets them with non-compliant values then those entries also will be logged in the event viewer.

A Successful password policy update from Azure AD can be seen below from the Azure AD password protection proxy server.

We can also see that a separate Container is created in ADSI Edit and can see 2 certificates folder created with thumbprint name.

Important Notes:

  1. As a best practice its not recommended to  go with enforce mode initially since the end users will have tough time adopting the password policy immediately.
  2. Once the audit mode is enabled better to circulate email floaters about the upcoming password policy change which will create better awareness.
  3. The custom banned password policy is capable of having 1000 entries. We can gradually increase the value which will make this roll out  in  a smoother way.
  4. If we are updating the global banned password in the azure portal they are pushed down to the on premise agents in a polling interval of 1 hour time period.
  5. To Register-AzureADPasswordProtectionForest cmdlet to succeed at least one Windows Server 2012 or later domain controller must be available in the proxy server’s domain.

Storage Explorer in Azure portal and its options

The Storage explorer desktop tool is available now in the azure storage accounts section in azure portal.

blob1

From here we have options to manage,create Blob Containers, File shares and queues

New Blob Containers can be created deleted managed –

blob6

Further we can upload and delete blobs

blob9

we can further drill down and manage properties

10

These are the options variable in the properties

11

Same way the file-share can be created deleted and managed

Also we have an option to upload files, connect to VM and download from here.

blob7

The Storage Queues also can be created and managed

There is option to add message,de queue and clear the queue,.

blob8

Below is the small summary on azure storage accounts blobs, file shares, and queues.

What is Azure Blob Storage?

Azure blob storage is Microsoft objects storage solution.
This storage type is enhanced to store large amount of unstructured data like text or binary.
The items stored on blob storage can be accessed from anywhere in the world via http/https. This can be invoked through azure functions (cli,powershell,etc..,) and libraries are available for multiple languages.

Once created they have a service end point like below.This will be the connection string that can be used in our API’s to access the data in the azure storage account.

blob91.png

There are 3 types of blobs-

Block Blobs – Can be used to store data of types text and binary.It supports data to store up to 4.7 TB. They store data in blocks type and these data can be managed individually.

Append Blobs – They are similar like block blocks except they are enhanced for append operations. This is best suited for recurring tasks operations example like logging data from virtual machines.

Page Blobs – The data are stored and accessed randomly in page blocks and data can be stored up to 8 TB in size.

So the blobs are stored in below order

Storage Account – Containers – Blobs

A storage account can hold multiple containers and a containers in turn can hold unlimited blobs in them.

What is Azure File Storage?
This is a service from azure through which we can create a fileshare in the azure cloud using the standard Server message block (SMB) protocol. This option will be really useful for migrating local fileshares to azure fastly with very minimal cost.

Once the file storage is created we will have the connection string like below

We can use them to connect to either to windows or linux.

blob92.png

The connection string will have the username and password also.

blob93

Since its a SMB it uses port 445, so make sure the port 445 is opened in your local network firewall.We will not be able to connect if port 445 is not allowed from your local network.

What is Azure Storage Queue Service?

This is a service offered by azure where we can store large volumes of messages and they can be accessed from anywhere in the world via http/https. A single message can go up to 64 KB in size. Using this we can provide persistent messaging within and between services. Using this we can store unlimited messages even in same queue.

Once created we will get the end point like below.REST-based operation  can be initiated  for GET/PUT/PEEK operations.

blob94

 

Thanks & Regards
Sathish Veerapandian

Enable Azure DDOS Protection and its features

In Azure we can enable the DDOS protection easily in few clicks for our applications running and deployed in Azure Virtual networks.

Using this we can protect the resources in a virtual network and its published end points including public IP address. When it is integrated with application gateway web application firewall, DDOS protection standard can provide full layer 3 to 7 protection.

There are 2 types of service Tier:

Basic-

The basic protection is enabled by default.This provides protection against common network layer attacks through Always on traffic monitoring and real time mitigation.

Basic.png

Standard-

Standard protection is a paid premium service. This has a dedicated monitoring,machine learning and configures DDOS protection to this virtual network. So when enabled applications traffic patterns are enabled and by this it will be able to detect the malicious traffic in a smart way. We can switch between any one of these option in our virtual networks in few clicks.

DDOS9

And then we can click on the standard plan.

DDOS10

This also  provides attack telemetry views through Azure Monitor, enabling alerting when your application is under attack. Integrated Layer 7 application protection can be provided by Application Gateway WAF.

This also provides views of attack in Azure Monitor, Alerting can be enabled when application is under attack. Also Layer 7 application protection can be done by integrating with Azure Web Application Firewall (WAF).

This Standard feature is integrated with Virtual networks and will provide protection for Azure application service end points from DDOS attacks. IT also has alerting, telemetry features which is not present in the basic DDOS protection plan which comes at free of cost.

First we need to create a DDOS protection plan if we need to use the standard feature.

Navigate to Azure Portal – Click on Create DDOS protection Plan

DDOS2

Type Name – Choose Subscription – Select resource Group and choose the location.

DDOS3

Once it is done the deployment will be successful

DDOS5

We have automation option during this deployment

DDOS18

After its deployed when we go to the  DDOS resource we can see the below options in them.

Activity Log – 

This is more of like a Audit log which explains on modifying the resources in the subscription.
There are also few options which tells us about the status of the operation and other properties. But this logs will not have any get operations happening in the resources.

There is an option to filter per resource- resource type and operation.

DDOS19

we have an option to filter them via category , severity and initiated by

DDOS20

Access Control(IAM)-

we can view who has access to the resource and add  new access to the resource and also remove them.
DDOS21

Tags- 

This approach is helpful when we need to organize our resources for billing or management. Tags can be applied to resource groups or resources directly
This retrieves all the resources in our subscription with that tag name and value. Usually helpful in tracking for billing purposes.

Tags1

Tags support only resources deployed through resource manager and does not support resources deployed through classic model.

By default the resource group will not have tags assigned to them. We can assign to to them by running below command.

Tags

Locks – 

Management locks helps us prevent accidental deletion or modification of our Azure resources. we can manage these locks from within the Azure portal.

locks

As an administrator, we might need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.

There are 2 types of lock levels-

Delete(CanNotDelete) –
Authorized users would be able to read and modify a resource, but they will not be able to delete any resources.

ReadOnly-
Users can only read but they will not be able to modify and delete any resources.

locks1

Metrics – 

Allows us to monitor the health, performance, availability and usage of our services.

metrics

Thanks & Regards
Sathish Veerapandian

%d bloggers like this: