Azure AD Domain Services can't be access - azure

So try to make it easy for you to understand my problem, I have a software that needs an AD to work. In the software installation I setup all the correct data for the AD and MS SQL Server so that this software can work.
Now I want to try to see if I can do this with Azure AD Domain Service. I don’t want to use a Virtual Machine in the Azure cloud, I want to use my own Virtual Machine in my own Datacenter.
The domain dns I got from Azure, xxxx.onmicrosoft.com I can't seem to be able to access. I try to ping it, I try to use the other address I can see below /home/all resources/public IP-address.
I also setup a secure LDAP. I created my own certificate via Powershell and I uploaded it so that now the secure LDAP is active. But still I can’t seem to get any access to the domain dns address. In the Azure AD I created several groups that I need for my software to work and also my own admin. If I use the address myapps.microsoft.com and use the admin I can access that, and I can see the groups that I created.
But still I don’t know how to get access to the AD, I would be very happy if anyone could try to steer me in the right direction.
Thanks

Related

Azure Conditional Access exclusively through Azure VPN client

I am working on my azure AD on which I create a azure vpn OPENSSL which it allow the connection through azure AD.
Everything works just fine at this point as I can connect to my vpn client.
At this stage, I really wanted to test this connection using azure AD Conditional access to force MFA during the login. I head to the vpn and if I connect, I am asked for the MFA. Which is great.
But there is something that I can't figure out on my own.
I would like to be able to connect to azure Portal exclusively if I am connected to the vpn.
So I went to Azure AD > Named location and I added the VPN IPs ranges and marked them as trusted.
In my azure VPN client when I connect I have those values.
VPN Routes:
192.xxx.xx.x/24
172.xx.x.x/24
So in my Named location IP, I set both those values.
I went to Azure AD > Security > Conditional access and configured as follow
Under Users and Groups I selected the test user that I want to include in this policy
In Cloud app I choose Microsoft Azure Management
And under Conditions > Locations I selected the Named Location I created with the IP ranges that I marked as trusted.
and in Grant I selected Require multi-factor authentication
After saving those configuration, I logged out and tried to login again without being connected to the vpn, but here, after approving the MFA I am allowed to access the azure portal.
What should I do if I want to block all the local access to azure portal if I am not connected to the azure vpn?
Thank you very much for any help that you can provide.
UPDATE:
I tried a different approach.
In Name Location I declared my IP range (myIP/32), and in Conditional Access > Location under Include > Any Location and in Exclude > Name Location(my ip)
Than in Grant I selected Block Access
Now I can access the portal from my IP, but if I create a VM and try to login to azure portal, I am getting an error for permission denied. Which is great.
But still I am not able to make it work with my azure vpn client.
Under Name Location I tried to add the azure VPN IP Routes, but I am still unable to connect to azure portal.
Please, any help or clarification about this?
Thank you so much
You can't use private IP addresses for the named location unfortunately.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#ip-address-ranges
I'm not sure if what you are trying to do is actually possible. In my opinion, it's not really necessary anyway as you really want to restrict access based on identity rather than location. I think the best you can do here is to continue to use conditional access to restrict access to particular users, enforce MFA and maybe enforce trusted/compliant devices if you want to.

Azure allow access to azure portal only through azure vpn

I have been playing around with azure vpn to have a better understanding of how it works.
I have implemented an azure vpn point to site. Everything works just fine.
But according to my understanding of azure documentation, the azure point to site can be used mainly to access private resource through their private ip or endpoint.
So I was wondering if someone can help me to understand the following point:
rather than accessing azure portal though the open internet, I would like to make the login to azure active directory, exclusively through azure vpn. So if I try to login to the azure portal through my normal wifi, I would like to be blocked, and be guaranteed access only if I am connected to azure vpn.
Is there any solution to this matter?
Thank you very much for your help and any explanation provided.
You can use a conditional access policy in Azure AD for this. You must define an IP Range and assign it to the policy, restricting access only from this IP
The app that you would restrict access to would be Microsoft Azure Management

restrict access to azure web app without ip filtering

I have a "public" website deployed on azure. I want to get access only from a limited number of authorized tester persons.
I cannot use ip restriction because all of us have dynamic ip and we are dislocated all over the world.
Here the solution I have adopted, but I am not confindet is the correct.
I have enabled authentication.
I have also created users in active directory and added to my application:
Everything works. Now, before access to the website, people must login.
But... what I do not like is that people can access to portal azure with the email I have authorized on active directory. They do not see anything, but they can access into that directory. is there a way to avoid this?
Does exists a better solution to restrict access to my website?
Thank you
You can restrict access to Azure Portal with Azure AD conditional access
https://learn.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management
https://learn.microsoft.com/en-us/answers/questions/112173/can-we-restrict-azure-portal-httpsportalazurecom-a.html#:~:text=Yes%2C%20we%20can%20restrict%20access,Azure%20AD%20Premium%20P1%20License.&text=as%20shown%20below%3A-,Navigate%20to%20Azure%20Portal%20%3E%20Azure%20Active%20Directory%20%3E%20Security%20%3E%20Conditional,and%20Groups%20%3A%20Select%20required%20users.

Restrict Azure web app access to Security Group/Distribution group

I have a web app that I am hosting on Azure and would like to know how I can make that site accessable by only a security group/distribution list within Azure.
Now, the url is accessable by anyone even outside of my tenant which I am trying to avoid - What route would I go down to restrict it down to groups? I can't do it by users because there are 1,000+ users.
It appears like you can only restrict an Azure Web App access via IP addresses or virtual networks. Below is a quick summary. However, I have attached a link to the MS Docs that explains in more detail how to implement adding these restrictions.
Go to your service in the Azure Portal > Networking > IP Restrictions
Add Rule
Input IP/subnet mask
Note: After you add a rule, it will create an implicit deny by default for anything requests not matching the rules.
This link also may be helpful if you want to edit the web.config instead of using the Azure Portal.

Secure Azure Infrastructure

I work in a small startup that is only hosted in Azure and I was wondering the best way to secure everything.
I use the below services
Web Apps (public facing)
Virtual machines - Running apps and services
Sql Sever
Service Bus
Storage Account.
The web apps and the Vms need to communicate with the other three services.
Below is what we are currently doing. Is this correct and if not can you provide any resources to work from?
Service bus - This is currently accessed using the connection string and is stored in the app settings of the web app and VM.
Storage Account - This is currently accessed using the connection string and is stored in the app settings of the web app and VM.
Sql server - This is currently using the firewall to Allow access to Azure Services plus restricting it to client machines that need to access the DB's through SSMS
VM - this is restricted using Network Security Groups to only allow client machines to RDP on.
I would appreciate any help that can be provided.
Edit
Things that i am worried about are:
Sql Server allow access to azure. I can turn this off but then the website will need to be added to the firewall and as i understand it the ip address is not static. Is it a security concern to leave this on?
Storage accounts, the connection string allows unlimited access to the account. You can lock this down with SAS to ip addresses but it has the same issues as the sqlsvr when connecting from the website. Also the SAS is time based how is it renewed?
Sql Server allow access to azure. I can turn this off but then the website will need to be added to the firewall and as i understand it the ip address is not static. Is it a security concern to leave this on?
By default, “Allow access to Azure services” is turned on, enabling this feature would allow any traffic from resources/services hosted in Azure to access the database.
Storage accounts, the connection string allows unlimited access to the account. You can lock this down with SAS to ip addresses but it has the same issues as the sqlsvr when connecting from the website. Also the SAS is time based how is it renewed?
A shared access signature can take one of two forms: Ad hoc SAS and SAS with stored access policy. We could re-specify the start time, expiry time, and permissions to get a new ad hoc SAS. When we associate a SAS with a stored access policy, the SAS inherits the constraints - the start time, expiry time, and permissions - defined for the stored access policy, we could modify the stored access policy to revoke the SAS or get a new SAS based on new stored access policy.
For more information about Shared Access Signatures (SAS), you could read this article.
Regarding access to the SQL server from your web apps:
They are using up to four outbound IP addresses when connecting to external services. You could limit the SQL server access to those.
Read this article to find them.
That won't completely close down foreign access to the SQL server, other people's web apps are using the same four outbound IP addresses.

Resources