Azure SFTP server with multiple user accounts which could be managed - azure

I need an SFTP server hosted on Azure. The important thing is that it should support multiple user accounts and their management at runtime ( via an interface or API), i.e. password reset, account blocking/unblocking (preferably user groups also).
I have found some guides on how to set up an SFTP server on Azure:
https://learn.microsoft.com/en-us/samples/azure-samples/sftp-creation-template/sftp-on-azure/
https://charbelnemnom.com/how-to-deploy-sftp-service-on-microsoft-azure/
Their major drawback is that every change ( addition of a new user, password update etc.) requires a new deployment which is not acceptable.
Also, there is an SFTP functionality for the Azure Blob Storage:
https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support
This functionality is still in preview and allows only to add local users in the Azure portal. Unfortunately, other - more advanced features like account blocking etc - are missing. It is also not possible to manage the user accounts from the code.
There exist some products on Azure marketplace provided by external companies, like Azure SFTP Gateway which supports all functionalities listed above. I am not sure about the further maintenance of these products and I couldn't find any information about SLA or similar things for these products.
I would like to ask if there is a reliable resource or a way to set up a resource that could serve as an SFTP server and meet the requirements listed above? If there is no explicit solution, maybe there is a way to integrate an SFTP server with a database or do something else?

Presently, we only support the SFTP for Azure Blob Storage.
SFTP for Azure Blob Storage supports multiple local user accounts and container-level permissions. You can use the Portal, ARM, PowerShell or CLI to manage users, permissions and passwords/keys. You can also disable individual users by disabling ssh key and password authentication.
Connect to Azure Blob Storage using SFTP (preview) | Microsoft Docs
az storage account local-user | Microsoft Docs

Related

Configure connection to Azure Storage Account to upload file - SAS URI

Assuming I already have a Storage Account SAS URI configured. How can I connect from outside the network to that Storage Account and which file sharing client should I use? What values do I need to configure it and where are they in the Storage Account - Azure AD? How do I give different permissions to different users? By Roles?
I tried to create a Storage Account SAS URI and a Shared Access Key. I tried connecting from WinSCP using those endpoints. I can't find the username and password. Do you know a method similar to this, but that works?
Many Thanks
If you enable SFTP for Azure Blob Storage, you will have an endpoint that you can access via WinSCP and the ability to create users with differing permissions to control access.

Authorize on-premises user against Azure Active Directory (AD)

I have an on-premises Windows server 2022, which is running AD DS, NPS and DHCP. I also have Azure AD subscription, where my users are located. I would like to keep my users database (AD) in the cloud, since currently, I do not have any backup solutions and it is easier for me to manage. I want to have ieee 801.x on premises, as well as VPN service. Is it possible to force the NPS to authenticate against the Azure AD, where all my users are located? If yes, how can this be done?
I know that Azure AD Connect provides hybrid integration, but from what I read, it is only one way, i.e from on-premises AD to cloud synchronization, but not the other way around.
Yes, you are correct that the synchronization is only one-way and the workarounds currently are to use use PowerShell export/import or use a third-party tool. In the NPS article you linked, the on-premises users ultimately authenticate against Azure MFA. The NPS extension acts as an adapter between RADIUS and cloud-based Azure AD Multi-Factor Authentication to provide MFA for the federated or synced users. Your cloud users would just use regular Azure MFA without needing that adapter.
The most common workaround for the user writeback scenario is to create a PowerShell script that scans Azure AD regularly, finds the users in Azure, and then creates an on-premises user with the attributes in Azure AD.
The regular user writeback feature is on the roadmap and actively being worked on though. I've asked for an update from the PG and will edit this post once it is available.
For cloud VPN options, see: Azure AD Authentication - Open VPN.

Programmatically create a service SAS token for Storage Account in Azure

From the Azure portal I would like to programmatically and periodically create a service SAS token. Once a token has been created it should expire in one week and a new token also valid for one week will be created and so on. I was reading this article https://learn.microsoft.com/it-it/azure/storage/blobs/sas-service-create?tabs=dotnet but I am not very sure about where that code should run, in a Azure VM? I can't give internet access to the VM
The code from the article can be run from any compute service.
If that is the sole purpose of the compute resource, I would pick Logic Apps to have everything managed for you; it may have a connector to do it or you can embed some JavaScript.
Should that not be sufficient, I would use an Azure Function.
You can also use a VM if that is more suitable and restrict/block its internet access.
If you need to restrict internet access, you must be sure your blob storage is reachable, your options are:
Open whichever firewall/NSG to that storage account
Using service endpoints, service endpoint policies
Project a Private Link endpoint into the VNET from the storage

Is there any instace profile available in Azure like in AWS

An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
A mechanism very similar to AWS instance profiles is Managed Service Identity (MSI) for Azure, which was announced in September 2017, though at the time of this writing, it is still in preview. I didn't try it out yet, but it does work the same way as instance profiles on AWS do, by automatically authenticating the VM to a meta-data service and allowing you to query for additional credentials without having to hardcode it into your code or image.
Azure also supports IAM.
Microsoft Azure identity and access management solutions help IT protect access to applications and
resources across the corporate data center and into the cloud. This enables additional levels of validation,
such as multifactor authentication and conditional access policies. Monitoring suspicious activity through
advanced security reporting, auditing and alerting helps mitigate potential security issues.
More detailed information please refer to this link.
Update:
You do have the ability to create Signed Access Signatures for all three Windows Azure Storage services (BLOBs, Queues and Tables) as well as for Windows Azure Service Bus Brokered Messages (Queues, Topics & Subscriptions). I have a similar question with you, maybe you could check.
I found Azure is not support instance profile like aws.
If bind a role to instance on aws, aws system will generate a temporary api access token and write to metadata server.
Aws sdk will auto fetch access token from metadata server, so a service that uses aws sdk does not need to configure sdk's access token.
But Azure's IAM and SAS(shared access signature) and metadata server, is not support mechanism like above.

How can I allow other users to deploy to my Azure cloud services?

I created an empty Azure cloud service and I want to allow other developers to deploy to it. So far the only route I can see is adding the developers as Azure subscription administrators. I would rather give them more specific access to the cloud services only.
No such functionality exist today which will allow you to grant/revoke permissions at the cloud service level. Once a developer is provided access to the subscription, they would have access to all the resources under that subscription.
There's a REST API behind cloud service deployments and all the tools (including Windows Azure Portal and Visual Studio) consume this API for creating deployments. One possible solution would be to build your own solution consuming this API. In this solution you will implement access control based on your requirements so that when your user use this service, they will only see the cloud service they're assigned to and can only manage that cloud service. There's a managed library for consuming this API. You can find more information here: http://www.bradygaster.com/post/getting-started-with-the-windows-azure-management-libraries.
It seems that if the original developer downloads the publish profile from Azure (it's an xml file that with a .PublishSettings extension), you can copy the userPWD from that file, give it to another developer and they can paste it into the password field in the Connection section of the Publish dialog.
The userPWD is a string that looks something like this:
EFFCLfDqDKHlXcA2YDZPvX4BZXWFaobxaLN0aPJd4HCfa8WxlqEkt2yywBsx

Resources