I'm deploying my first VM in azure but I can only connect from Azure Joined devices, and I have some external users without company laptops that need to connect,
To increase the security, I'm deploying access control with MFA for this machine.
Thanks.
So that. Here is the environment:
A bunch of windows servers in ec2 instances in aws (1, 2, 3, x,...)
A DC ec2 instance in aws also that we will call DC01.
DC01 has Azure AD Connect and works fine and appears in the Azure portal as "Hybrid Azure AD joined".
Servers joined to the domain in DC01 also appear in the Azure portal as "Hybrid Azure AD joined".
My local machine is also joined to the same AAD in the same tenant.
I can RDP to the servers and log in with credentials from the local domain.
I cannot RDP and log in with credentials from azure.
There is mention of an extension in Azure for VM in Azure. But what about ec2 in aws?
I tried:
Modifying the RDP file with:
address:s:IPADDRESS:3389
prompt for credentials:i:0
authentication level:i:2
enablecredsspsupport:i:0
username:s:USERNAME#DOMAIN.onmicrosoft.com | USERNAME#DOMAIN.com
domain:s:AzureAD
Modifying the log in user:
azuread\username
azuread\username#domain.com
username#domain.com
username
Deactivating the Network Level Authentication. But I still can't log in, as it says the user or password is incorrect.
So the only thing left would be to import the users from Azure AD to the ADDS in DC01. But this would be so wack.
Recommendations and guides will be appreciated.
I have followed the documentation from Microsoft but this is not explained.
So I assume it is not possible? Or just not intuitive?
Do the users in Azure AD need an object of type user in the on-premises AD? If so, can it be something not paired, or that does not write back to Azure?
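As an added example for the RDP-file changes tried above (this is editor-added code, not from the thread or from Microsoft), the following Python linter parses a .rdp file and flags the settings that weaken the client side of an RDP connection: CredSSP/NLA turned off, non-blocking server authentication, a stored password, or silent use of saved credentials. The sample files, host address and user principal name are constructed placeholders; the hypothetical helper names (parse_rdp, lint_rdp, lint_rdp_text) are the example's own.

```python
"""Lint an .rdp connection file for settings that weaken client-side RDP security.

Each .rdp line has the form  name:type:value  where type is i (integer),
s (string) or b (binary). The value may itself contain colons
(for example address:s:host:3389), so each line is split at most twice.
"""
from typing import Dict, List, NamedTuple


class Setting(NamedTuple):
    key: str
    kind: str    # 'i', 's' or 'b'
    value: str


def parse_rdp(text: str) -> Dict[str, Setting]:
    """Parse .rdp text into a dict keyed by the lower-cased setting name."""
    settings: Dict[str, Setting] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            raise ValueError(f"malformed .rdp line: {raw!r}")
        key = parts[0].strip().lower()
        settings[key] = Setting(key, parts[1], parts[2])
    return settings


def lint_rdp(settings: Dict[str, Setting]) -> List[str]:
    """Return human-readable findings for settings that reduce security."""
    findings: List[str] = []

    def val(key: str) -> str:
        s = settings.get(key)
        return s.value if s is not None else ""

    if val("enablecredsspsupport") == "0":
        findings.append("CredSSP disabled: NLA cannot be negotiated, so NLA-enforcing "
                        "servers refuse the session and the logon happens inside the "
                        "session instead of before it")
    if val("authentication level") == "0":
        findings.append("authentication level 0: a failed server authentication "
                        "(certificate mismatch) connects without warning")
    if val("negotiate security layer") == "0":
        findings.append("negotiate security layer disabled: client is forced onto "
                        "the legacy RDP security layer")
    if "password 51" in settings:
        findings.append("password 51 present: an encrypted password is stored in the file")
    if val("prompt for credentials") == "0" and "username" in settings:
        findings.append("prompt for credentials 0 with a fixed username: saved "
                        "credentials for %s are used silently" % val("username"))
    return findings


def lint_rdp_text(text: str) -> List[str]:
    """Convenience wrapper: parse and lint in one call."""
    return lint_rdp(parse_rdp(text))


# Constructed sample mirroring the settings tried in the thread (placeholder host and UPN).
WEAK_RDP = """\
address:s:203.0.113.10:3389
prompt for credentials:i:0
authentication level:i:2
enablecredsspsupport:i:0
username:s:user@example.onmicrosoft.com
domain:s:AzureAD
"""

# Constructed hardened counterpart: CredSSP/NLA on, strict server authentication, always prompt.
HARDENED_RDP = """\
address:s:203.0.113.10:3389
prompt for credentials:i:1
authentication level:i:2
enablecredsspsupport:i:1
negotiate security layer:i:1
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_RDP), ("hardened", HARDENED_RDP)):
        print(f"{name}: {lint_rdp_text(text) or ['no findings']}")
```

Run as a script to compare the two constructed files, or call lint_rdp_text on any .rdp exported from mstsc. The point for the scenario above: disabling CredSSP (and NLA on the server) only moves the logon from pre-authentication to the server's own logon screen, which still authenticates against the local AD domain, so it lowers the security of the connection without changing which credentials the server will accept.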
Scenario: We have an Azure cloud environment that contains three (Prod,Test,Dev) PaaS database servers (PostgreSQL Flexible Servers). Each server exists in its own VNet. The SQL data tables found in each server contain sensitive information. Let's say we require an external user (eg. a contractor, consultant) to access the data tables in a secure way, with MFA enabled. What would be a secure & simple way of enabling this?
Some options I can think of:
Share database server credentials with external user (high risk of credentials being misplaced. No MFA option?):
Whitelist user IP address against Azure firewalls
Send PaaS server credentials to external user via email or SMS.
They connect using an SQL client on their machine.
External user to use VM via Bastion:
Add external user to Azure AD
Turn on MFA for user in AD
Create VM in Azure, with SQL client software installed (ie. pgAdmin for PostgreSQL)
Configure access to the 3 PaaS servers (Prod, test, dev) from the VM
Set up Bastion server with access to VM
Enable user to access VM via Bastion server
The second option incurs extra costs for the VM and Bastion, of course. Are there any other methods I should consider?
I'm trying to access on-prem resources (file share on a file server) via Azure, but I'm stuck and don't know how to continue.
On Prem: 1 Domain Controller and 1 File Server (Server 2019 Std). Both are joined to a local domain. The DC runs Azure AD Connect for sync.
Client: Laptop running Windows 10, joined to the Azure AD. Is in a different network.
Goal: Laptop should access the file share.
For sure I just could use a VPN or smth, but I'm trying to learn a bit Azure.
I'm referring to the following Microsoft Website: https://learn.microsoft.com/en-us/microsoft-365/business/access-resources
"You can also allow access to on-premises resources like line of business (LOB) apps, file shares, and printers. To allow access, use Azure AD Connect to synchronize your on-premises Active Directory with Azure Active Directory."
I don't think those are related at all. A network path must exist between your laptop and the file share. Azure AD Connect can help you with authentication\authorization, not with establishing the network connection. You should use a VPN to establish network connectivity, and you can use Azure AD Connect to sync identities to be able to use the same identity to access resources in the cloud\on-premises.
Given the recent updates to Windows Azure I am wondering if it is possible to create a domain controller and file server on Azure, then connect 10 to 20 remote workers using Azure Connect to this "virtual office".
My primary interest is whether or not a domain controller can exist in the cloud and service desktops with Active Directory as they roam. This would eliminate the need for an onprem server for a small business. Active Directory would be used for desktop logins and group policies, and potentially to authenticate a hosted file server, sharepoint instance, etc.
I see a lot of posts about domain controllers servicing offices over a VPN, and replicated azure domain controllers to onprem domain controllers, but nothing about whether a domain controller can run in the cloud and service roaming desktops (presumably with azure connect).
I am excited and ready for someone to tell me it's not possible. LOL
Yes this is possible, there are 2 tutorials that can help you with this:
The first one will help you setup a virtual network: Create a Virtual Network for Cross-Premises Connectivity
The second one will help you to install a new AD Forest in Windows Azure: Install a new Active Directory forest in Windows Azure
My application is hosted in Windows Azure.
I have partnered with enterprise to offer service to their customers.
However , they require VPN connection between us (in the cloud) and their enterprise application.
What is the best way to do this?
Installing software on their machine is not an option.
Windows Azure now has a Virtual Network, announced as part of the Spring 2012 release. It lets you connect your on-premises network to Windows Azure via IPSEC, and takes advantage of your on-prem hardware VPN device.
Summary information here, and tutorials here.
As Azure roles accept only HTTP/HTTPS and TCP connections, "classic" IPSec or PPTP is not an option.
As Azure roles are Windows Server 2008/R2, you can configure an SSTP connection to Azure with a startup script or a custom VM Role.
Azure roles have random internal IPs, so you'll have to deal with IP resolving too.
Windows Azure Connect allows you to setup an IPSec tunnel between your Azure application and a local network. See:
https://azure.microsoft.com/en-us/services/virtual-machines/
and
http://azure.microsoft.com/documentation/articles/vpn-gateway-point-to-site-create/