As a part of the Azure Security Benchmark, Privileged Access Workstation is recommended for Administration tasks - https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-6-use-privileged-access-workstations.
However, I don't any relevant documentation on setting up the privileged access workstations in Azure?
Privileged access workstations is used to protect identity, this is a Microsoft dedicated workstation.
Non-privileged workstations or Identity: - These computers are our local computers or VM’s used by users without administrator roles or Privileged identity roles. For example- If user wants to create and manage database in Azure VM. The user won’t have any administrator privileges or any other roles apart from just accessing VM and its database, these users fall under non-privileged. Also, user might require connecting to public internet to access data thus this computer cannot be used for privileged tasks.
Privileged workstation or Identity: - Now, as the administrator will have access to entire Azure Ad tenant and resources and require to perform privileged tasks like creating, deleting and assigning roles to users and groups, managing devices etc. You can connect your on-prem Privileged access workstation of any OS type whether Windows, MacOS, IpadOs, IOS, Linux, Chrome or your azure VM acting as a privileged identity workstation to Azure AD privileged identity management (PIM) solution. This will minimize the number of people who have access to secure information or resources, because that reduces the chance of
a malicious actor getting access
an authorized user inadvertently impacting a sensitive resource
What is Privileged Identity workstation: - Privileged identity workstation is a highly secured workstation which is hardened at hardware and software level to reduce the attack surface, As it contains sensitive data that can be managed only by privileged users. Example: - If you have a Active directory tenant with important GPO’s connected to your application running in production. You need to protect the Active directory installed in the windows server, by making that Windows server a privileged Identity workstation with very minimum access and hardened security so attackers or any non-privileged users cannot access the data inside it.
In Azure you can make use of PIM, here, you can have one on-prem local computer configured as Privileged identity workstation for your sensitive data or tasks or resources. And you can connect that device to Microsoft endpoint manager, Intune etc.
The main goal of using PAW in Azure, is to harden the PAW machines security at software, hardware and access level so the attack surface is reduced, and the PAW becomes highly secure. Imagine PAW as a machine which has your internal app data running which is important and secure data of your company, and you need to implement the highest security strategy to reduce any attack surface in this machine. This Paw can be your on prem machine or device having your company’s Active Directory or any internal apps. That is according to your goals.
I’ll walk you through some basic steps to enable the features according to this document here: - https://learn.microsoft.com/en-us/security/compass/privileged-access-deployment
I have implemented Privileged access strategy for the
PAW.
Create Secure workstation users:- I have created 2 Users Secure workstation User and Secure Workstation Administrator and assigned them Intune Administrator role by visiting this link here :- https://go.microsoft.com/fwlink/?linkid=2109431 you can also create user and group directly from Azure Portal and assigned Intune administrator role to the Users.
create four groups: Secure Workstation Users, Secure Workstation Admins, Emergency Breakglass and Secure Workstation Devices. I will create these groups in Azure Portal.
And added
1) Created Secure Workstation Users group and added Secure Workstation User account, Secure Workstation user group and Secure Workstation Admin account to Secure Workstation Administrator group.
Next steps on Privileged Access strategy: -
Now we will do Azure AD device configuration and connect our Device to Azure AD, in this example, I have used windows 10 machine. You can connect your on prem Windows 10 machine acting as a PAW to Azure AD, by following the steps here: - https://support.microsoft.com/en-us/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973
For now, I have deployed one Windows 10 VM and enabled Azure AD login on the VM while creating. So that VM gets joined to Azure AD after deployment. This was done by Administrator account and no other user has the role to do it.
You can enroll your device on-prem Windows 10 machine by following the steps here: - https://learn.microsoft.com/en-us/mem/intune/enrollment/quickstart-enroll-windows-device
My VM acting as a PAW machine is connected to Azure AD, thus we can manage this machine in Azure AD and Microsoft Intune.
Specify who can join devices to Azure AD
Remove local admin rights and Require MFA for users to register or join device to Azure AD.
This method requires that users of the VIP, DevOps, and Privileged workstations have no administrator rights on their machines. Remove Local admin rights for the PAW.
Configure mobile device management
From the Azure portal: Browse to Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune. Change the MDM user scope setting to All. Select Save.
These steps allow you to manage any device with Microsoft Endpoint Manager. So we can manage our PAW machine from MDM with MS Intune.
Azure AD Conditional Access and Emergency account. Conditional Access only allowing secured workstation ability to access Azure portal Organizations should block Privileged Users from being able to connect to cloud management interfaces, portals and PowerShell, from non-PAW devices. Its necessary to have 2 Privileged Administrator account so even if 1 account gets locked we can use another account to access PAW.
Policy 1: All users with the directory role of Global Administrator, accessing the Microsoft Azure Management cloud app, and for Access controls, Grant access, but require multifactor authentication and require device to be marked as compliant.
Exclude emergency break glass group
And then create your conditional access policy for device compliance.
Create one more conditional access policy in Azure Portal by following the same settings as previous policy, just add these settings in addition: -
SAW is Secured access workstation, which is your PAW machine, which can be on prem or on azure.
Microsoft Intune configuration. Set enrollment restrictions preventing BYOD
Create an Autopilot deployment profile
Select Next –
Select Next and Create
Enrollment Status Page
Click Next and Create enrolment Profile for your PAW.
Configure Windows Update
Click Next and Create> Update ring is created for your Windows 10 PAW device: -
Microsoft Defender for Endpoint Intune integration
You can get the Microsoft defender for endpoint Free trial for your account from here https://www.microsoft.com/en-in/security/business/endpoint-security/microsoft-defender-endpoint
And enable advanced connection for Microsoft Intune and connect your Windows PAW Machine.
Create the device configuration profile to onboard Windows devices
Click Create
To onboard the file > Refer the steps here –
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-endpoints-sccm?view=o365-worldwide
Add secure workstation user group in assignments and click Create.
All the steps above were done to harden the Software and secure your PAW’s from attack surface on software and access level. Now, To harden your PAW on Hardware level download the script from here and run it in your local PAW machine joined to Azure AD or PAW VM running on cloud –
To successfully complete the hardening of the solution, download and execute the appropriate script. Find the download links for your desired profile level:
Profile
Download location
Filename
Enterprise
https://aka.ms/securedworkstationgit
Enterprise-Workstation-Windows10-(20H2).ps1
Specialized
https://aka.ms/securedworkstationgit
Specialized - Windows10-(20H2).ps1
Privileged
https://aka.ms/securedworkstationgit
Privileged-Windows10-(20H2).ps1
This script will update and create policies for you, after this script runs successfully, Assign this policies to your secure workstation device group. You can also run the Intune data export script DeviceConfiguration_Export.ps1 from the DeviceConfiguration GitHub repository to export all current Intune profiles for comparison, and evaluation of the profiles.
Create Windows Firewall rules- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune
Click Create
Select the profile > In Basic tab add name and description as Windows Defender Firewall> Now, you can configure Microsoft Defender Firewall settings according to your goals of security –
I have blocked file transfer and tried to give exemption to ICMP protocol. You can add additional network rules as per your security goals for your PAW.
Assign this rule to Secure Workstation admin and emergency glass group.
You can also add URL proxy for your privileged access strategy set up.
Remove local applications from your PAW machine and only keep your critical business or internal apps for management of PAW and the sensitive data inside.
You can add Visual studio code in your machine to connect to apps or Azure apps, via GitHub or DevOps. If you require any app in your PAW, you can make use of Intune manage company portal to push apps in your PAW, refer here: - https://learn.microsoft.com/en-us/mem/intune/apps/store-apps-company-portal-app
In your Microsoft Defender security center, after taking Microsoft Security center Free Trial or purchasing license you can add these settings additionally.
Enable Defender for Cloud Apps and connect to Defender ATP to block access the risky URLs:
In Microsoft Defender Security Center > Settings > Advanced features, set Microsoft Defender for Cloud Apps integration > ON
In Microsoft Defender Security Center > Settings > Advanced features, set Custom network indicators > ON
In Microsoft Defender for Cloud Apps portal > Settings > Microsoft Defender ATP integration > Select Block unsanctioned apps
13)Follow these steps inside your PAW to install custom applications and assign settings. By installing VS code inside the PAW :- https://learn.microsoft.com/en-us/security/compass/privileged-access-deployment#deploy-applications-using-intune
https://learn.microsoft.com/en-us/security/compass/privileged-access-deployment#upload-vs-code-to-microsoft-endpoint-manager
At-last use PowerShell and run this script in your PAW machine- https://learn.microsoft.com/en-us/security/compass/privileged-access-deployment#use-powershell-to-create-custom-apps-and-settings
After this step validate and test your device by initiating the PowerShell script, Refer here :- https://learn.microsoft.com/en-us/security/compass/privileged-access-deployment#validate-and-test-your-deployment-with-your-first-device
Use the same csv generated in the above step to import devices into Autopilot :- https://learn.microsoft.com/en-us/security/compass/privileged-access-deployment#import-devices-into-autopilot
Assign this device to your Secure workstation administrator groups.
You can make use of MS defender endpoint to monitor the health and security of your PAW and use Application insights and query to get additional insights.
Related
Good afternoon, I am fairly new to Azure AD in general; I know my way around but I am stumped on something for a client of ours.
We have a client who has devices joined to Azure AD. They wish to create local administrator accounts on specific computers that only specific people can access and only that administrative account can be used on that workstation for administrative rights (just like a regular device local admin account)
For example:
CON-01 (PC name) should have a local admin account that's in Azure AD named JohnDoe_adm#contoso.com that can do elevated admin privileges' but this JohnDoe_adm#contoso.com account should not be allowed to have local administrative rights on CON-02. And vice versa. JaneDoe_adm#contoso.com should only have local administrative rights to CON-02 but her login can't be used on CON-01 for elevated permissions.
Devices will not be connected to the local AD frequently for policy updates (and we want to avoid VPN connection to the local AD DC). Client strictly wants these devices joined via Azure AD Joined but to have administrative accounts managed through Azure AD.
The clients accounts are synchronized in Azure with their local AD.
I saw that with a premium license for Azure you can add local administrators group on Azure AD joined devices but doing so will allow that user to have local administrative access on all devices that are joined and we are trying to prevent that.
Would it be possible to create a group called CONOTSO/CON-01 Local Administrators in Azure AD; and add JohnDoe_adm#contoso.com to this group and go onto CON-01 and manually apply CONOTSO/CON-01 Local Administrators group under Administrators in lusrmgr.msc on the workstation CON-01 ?
Or any suggestions to make this process easier to achieve what I am looking for?
Any advice is appreciated! Thanks!
You can do that, just not in the GUI. :-)
On an individual computer you can use "Net Group Administrators /Add AzureAD\JohnDoe_adm" to give that account admin rights to the machine.
You'll have to do that for each machine.
• Yes, you can create an Azure AD user, for example in this scenario, johndoe_adm#contoso.com as a member of the local administrators’ group on Azure AD joined devices. For that purpose, you will have to create a policy under ‘Endpoint Protection’ in Intune management portal for ‘local user/group membership’ for managing local admins of Windows 10/11 client devices. Please follow the below snapshots for more information: -
As shown in the above policy, you can create a policy for ‘local user group membership’. In it, you can create a profile for Windows 10/11 by selecting the appropriate option and selecting the correct local users’ group to be managed through it as shown below: -
Once the above options have been selected, then you can have the option of selecting Azure AD users or groups in the respective selected local administrators group so that the Azure AD users can be a member of local administrators’ group on client system as below: -
Thus, in this way, you can add an Azure AD user/group as a member of local administrators’ group on the Azure AD joined and Intune MDM managed and complaint system by assigning this policy on the said device groups.
• Also, please note that as you are saying that a particular Azure AD user, i.e., ABC should be a member of a local administrators’ group on an Azure AD joined device, viz., XYZ which is readily possible as per stated above but you also want that this user ABC should not be a member of another Azure AD joined device’s local administrators’ group, then for this purpose, you will have to create a separate Azure AD user for every Azure AD joined device and create one profile likewise for every Azure AD user/group as well as for every device that is going to be a part of the local administrators’ group on the client system which can be very hectic and time consuming given the options available in Intune MDM.
Thus, I would suggest you create a single Azure AD user for the purpose of adding it in the local administrators’ group on every Azure AD joined and Intune MDM managed Windows 10/11 device and further create a profile as shown above and deploy it on all the Windows 10/11 devices to be managed through Intune and required accordingly. Also, do keep the credentials of that Azure AD user with yourself only to maintain a level of confidentiality.
For more detailed information on the above, kindly refer the below link: -
https://www.anoopcnair.com/manage-local-admins-using-intune-group-mgmt/#:~:text=The%20local%20user%20group%20management,or%20Windows%2011%20local%20group.
I have an azure active directory setup in my company
what i want to do is to run exe or PowerShell file when any user login using his azure ad account on his computer
because there is an application we must use at work and it should be run at every device on the company
i did search on this issue but i didn't find any useful solution
so is this is possible
Your condition can be addressed with MS Intune provided you should have license for it.
MS Intune integrates with Azure AD to manage devices and user based on your custom organization policy. You must enroll your devices in MS Intune MDM for the Startup/logon PowerShell Script to be run on those devices. Devices must run Windows 10 version 1709 or later. The Devices should be Azure AD joined and enrolled with auto enrolment or manual enrolled policy.
The Microsoft Intune Management Extension is a service that runs on
the device, just like any other service listed in the Services app
(services.msc). After a device reboots, this service may also restart,
and check for any assigned PowerShell scripts with the Intune service.
If the Microsoft Intune Management Extension service is set to Manual,
then the service may not restart after the device reboots
Would suggest you follow this MS document to get to know what would be the
Prerequisites and create a script policy and assign it devices.
https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
What am I missing here? I'm thinking of moving my data center to Azure. I've created a corporate virtual network that has my ADs, my certificates, basically the family jewels of the company that I'm trying to build in the cloud. I've plugged up every obvious security hole that I can think of except one: the login to the Azure Portal is just a simple user id/password. If someone picked off my Microsoft Live user id, all they need is a password cracker. And a disgruntled or dismissed employee could easily cause havoc. Is there some way to lock down the portal? Does anyone in the security business think these Azure web sites are secure?
You can use Azure AD to properly secure the portal authentication. Azure AD is designed to securely authenticate applications in the cloud and it is supported by the majority of Microsoft solutions like Azure Portal. It will provide features like MFA, access control, self-service password reset, etc.
Although Microsoft Accounts also support some of these features, you can't force your users to specific policies, that's why Azure AD is important for enterprise level security.
Once you create a directory for your company through Azure Portal and synchronize your AD objects with Azure AD using the AAD Connect tool you will be able to login to Azure Portal using your corporate credentials and force users to use Multi-factor authentication or even apply other policies.
Azure Active Directory features and capabilities
Azure Active Directory Hybrid Identity Design Considerations
Integrating your on-premises identities with Azure Active Directory
Is it possible to enable multi-factor authentication for getting access to the Azure portal, https://portal.azure.com?
I know there is an MFA server resource in Azure itself, but my understanding is that this is for Azure hosted applications/resources. I initially want to enable MFA for getting access to the portal itself, before setting it up for the different resources themselves in Azure.
Yes, you can.
For example here they say
Add protection for Azure administrator accounts
Multi-Factor Authentication adds a layer of security to your Azure administrator account at no additional cost. When turned on, you need to confirm your identity to spin up a virtual machine, manage storage, or use other Azure services.
Here is one of step-by-step guides.
UPD Feb 2019
Azure is constantly evolving, so many answers and related articles quickly become outdated.
As it is now, MFA is not a free option. I would start reading this Microsoft page for details, in particular:
Multi-Factor Authentication comes as part of the following offerings:
Azure Active Directory Premium licenses
Azure MFA Service (Cloud)
Azure MFA Server
Multi-Factor Authentication for Office 365
Azure Active Directory Global Administrators
EDIT:
The feature I originally mentioned has been replaced by Security Defaults, which includes requiring that all users register for MFA (but non-admin users don't necessarily have to use it), and requires admin users to use MFA.
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
Old response:
There is currently a feature in preview offering a baseline policy to apply MFA to the Azure Portal (and PowerShell and CLI).
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-baseline-protection#require-mfa-for-service-management-preview
This is applicable even at the free level of AAD.
Azure Active Directory is "as a service" offering from Azure. I have seen documentations and content from Microsoft stating that can be used for SSO and other Web application for unified auth.
Will it be possible to make use of Azure Active Directory as replacement of Windows Server AD in Azure virtual machines in Virtual Networks? I see that the Windows Server Active Directory Installation on Azure VM involves execution from powershell and stuff?
NO! Windows Azure Active Directory is NOT a Domain Controller. You can NOT join computers to Windows Azure AD. You can use it to sync on-premises AD with Windows Azure AD to easily enable Web SSO (Single Sign On). You can use to build enterprise grade web applications.
You can read more about Windows Azure Active Directory here.
Up until recently the answer was a flat no, but that has changed with Windows 10.
Windows 10 devices can join Azure Active Directory (AD) domains. But it is more about identify management than traditional Active Directory (AD) services. But you can use a combination of Azure AD and MDM (Mobile Device Management) to provide some of the services that used to be reserved for AD.
One thing to keep in mind is that Azure Active Directory (AD) is completely different than the similarly named Active Directory provided by a Windows Domain Controller. Azure AD is not a Domain Controller, but as of Windows 10 Azure AD, MDM and Intune can do some of the things that you previously could only be provided by AD. With Windows 10, Microsoft has greatly extended MDM and has made it possible to manage regular Windows 10 desktop and laptops with MDM.
The Active Directory Team Blog has more information. The post Azure Active Directory and Windows 10: Bringing the cloud to enterprise desktops! list some of the benefits that it brings including:
Self-provisioning of corporate owned devices.
Use existing organizational accounts.
Automatic MDM enrollment.
Single Sign-On to company resources in the cloud.
Single Sign-on on-premises
Enterprise-ready Windows store.
Support for modern form factors. Azure AD Join will work on devices that don't have the traditional domain join capabilities.
OS State Roaming.
This doesn't cover the traditional features provided by AD. Per the post Azure AD Join on Windows 10 devices Azure AD it targeted at the following three scenarios: Your apps and resources are largely in the cloud, Seasonal workers and Students, and Choose your own device for on-premises users. As you can see Azure AD is targeted more towards enabling BYOD (Bring Your Own Device). Azure AD enables management of devices, like tablets or non-Pro version of Windows, that don't have the capability to join a Domain.
From the same post:
Domain join gets you the best on-premises experiences on devices
capable of domain joining, while Azure AD join is optimized for users
that primarily access cloud resources. Azure AD Join is also great if
you want to manage devices from the cloud with a MDM instead of with
Group Policy and SCCM.
Azure now offers traditional Active Directory service called Azure Active Directory Domain Services. This offers domain join, NTLM and Kerboeros authentication. You can even manage machines using Group Policy.
This is possible using Azure Active Directory Domain Service (notice the difference from regular Azure Active Directory which does not have domain support)
https://azure.microsoft.com/en-us/services/active-directory-ds/