MS Azure AD Connect: Download on a Mac for VM? - azure

I am using Azure AD to test SSO for a customer, and it appears that I have to download AD Connect. I am on a Mac, but intend to test in a Windows 10, MS AD VM in Azure. How do I incorporate AD Connect into my VM when my Mac won't open the download file?

AD Connect is required in order to sync directory information between on-prem AD and AAD. You can (but might violate security best practices) run AD Connect on the Domain Controller itself. Once set up, users will sync between your on-prem environment and AAD. You can then test SSO.
I'm not sure where you got the requirement that AD Connect needs to be installed on your Mac. It doesn't; it just needs to be installed on a Windows server with access to the domain as well as internet access to sync with AAD.
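As an added illustration of the two requirements named in the answer (domain membership and outbound internet access to AAD), here is a PowerShell check to run on the Windows Server that will host Azure AD Connect, followed by the post-install step of forcing a delta sync so the test users appear in AAD without waiting for the scheduler. This is example code, not from the original answer; the `ADSync` module and its cmdlets are installed with Azure AD Connect, and the hostnames checked are the Azure AD sign-in and Graph endpoints the connector talks to. One caveat worth keeping in mind when choosing the host: the AD DS connector account that AD Connect creates is granted directory replication rights in on-prem AD, so whichever server runs it should be protected like a domain controller, not like an ordinary member server.

```powershell
# Added example (not part of the original answer). Run on the Windows Server chosen for
# Azure AD Connect. Steps 1-2 verify prerequisites before installation; steps 3-4 assume
# Azure AD Connect is already installed and use the ADSync module that ships with it.

# 1. Domain membership: AD Connect reads the on-prem directory, so the host must be domain-joined.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "This server is not domain-joined (workgroup/domain: $($cs.Domain)); AD Connect cannot read on-prem AD from here."
}
Write-Host "Domain-joined to $($cs.Domain)"

# 2. Outbound HTTPS to Azure AD. A proxy or NSG that blocks these shows up as TcpTestSucceeded = False.
foreach ($endpoint in 'login.microsoftonline.com', 'graph.windows.net') {
    $probe = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        throw "No outbound TCP 443 to $endpoint; the connector will not be able to sync with AAD."
    }
    Write-Host "TCP 443 reachable: $endpoint"
}

# 3. After installation: confirm the scheduler is enabled, then force a delta sync rather than
#    waiting for the default 30-minute cycle.
Import-Module ADSync
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSchedulerCycleLength, NextSyncCycleStartTimeInUTC
Start-ADSyncSyncCycle -PolicyType Delta

# 4. Wait for the run to finish. Get-ADSyncConnectorRunStatus returns nothing when no connector is running.
do {
    Start-Sleep -Seconds 5
    $running = Get-ADSyncConnectorRunStatus
} while ($running)
Write-Host "Delta sync finished; inspect the Synchronization Service Manager for per-object export errors."
```

If step 1 or 2 throws, fix that before installing; the installer's own connectivity check will fail at the same point. Once the delta sync completes, the on-prem test users can be used to exercise SSO against the AAD-integrated application.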

Related

Does Azure Bastion with AAD Credentials

I recently created an Azure Bastion service and Azure VM in my organisation's Subscription. When I try to connect to the VM via the Bastion using the local Admin ID it works. However, the same is failing when I try with my Azure AD ID. Is this a limitation?
There are two (2) authentication schemes:
Azure Active Directory (AAD) authentication: Azure Bastion does not currently support authentication using AAD-based (cloud) users. This request is known and prioritized as "high" by the product team. See the UserVoice feature request for details. The advantage of this approach is to provide full cloud-based authentication, with no dependency on on-premises technology (in this case, Active Directory). One workaround for now is to expose a jump point on a vNet until availability of this feature.
Active Directory (AD) authentication: Azure Bastion does currently support authentication using AD-based users (Windows AD user). Since this is a managed "Active Directory" provided by Microsoft, the use of Azure AD Connect is needed to sync this domain (and users) to Azure Active Directory (AAD). The drawback of this approach is to continue building using on-premises technology (Active Directory).
Public preview announced during Microsoft Ignite 2021 to include support for Azure AD login for Bastion-enabled VMs. It is available using the Azure CLI client on Windows and leveraging the native client (OpenSSH to do Azure AD based SSH for Linux and mstsc to do Azure AD based RDP for Windows). Details can be found at https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows

Access on-prem resources via Azure

I'm trying to access on-prem resources (file share on a file server) via Azure, but I'm stuck and don't know how to continue.
On Prem: 1 Domain Controller and 1 File Server (Server 2019 Std). Both are joined to a local domain. The DC runs Azure AD Connect for sync.
Client: Laptop running Windows 10, joined to the Azure AD. Is in a different network.
Goal: Laptop should access the file share.
For sure I could just use a VPN or something, but I'm trying to learn a bit of Azure.
I'm referring to the following Microsoft Website: https://learn.microsoft.com/en-us/microsoft-365/business/access-resources
"You can also allow access to on-premises resources like line of business (LOB) apps, file shares, and printers. To allow access, use Azure AD Connect to synchronize your on-premises Active Directory with Azure Active Directory."
I don't think those are related at all. A network path must exist between your laptop and the file share. Azure AD Connect can help you with authentication/authorization, not with establishing the network connection. You should use a VPN to establish network connectivity, and you can use Azure AD Connect to sync identities to be able to use the same identity to access resources in the cloud/on-premises.
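To make the answer's distinction concrete, here is an added PowerShell example (not from the original answer) to run on the Azure AD joined laptop. It checks the network path to the file server first, and only then attempts to use the synced identity against the share, so a failure lands clearly in one bucket or the other. The file server name, share name and UPN are placeholders for this illustration.

```powershell
# Added example (not part of the original answer). Separates "is there a network path?"
# from "does this identity have access?", which is the point the answer makes.
$fileServer = 'fs01.corp.example'        # placeholder: on-prem file server FQDN
$share      = "\\$fileServer\Projects"   # placeholder: share to map
$upn        = 'jane.doe@corp.example'    # placeholder: UPN synced by Azure AD Connect

# 1. Network path. An Azure AD joined laptop on a different network has no route to the
#    on-prem LAN unless a VPN (or similar) provides one; identity sync does nothing about that.
try {
    $null = Resolve-DnsName -Name $fileServer -ErrorAction Stop
} catch {
    throw "Cannot resolve $fileServer; this network's DNS does not know the on-prem zone. Connect the VPN first."
}
$tcp = Test-NetConnection -ComputerName $fileServer -Port 445 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "No route to $fileServer on TCP 445 (SMB). Connect the VPN before looking at credentials."
}
Write-Host "Network path OK: $fileServer resolves and TCP 445 is reachable."

# 2. Identity. Supply the synced UPN explicitly so the authentication step is visible.
#    Anything that fails from here on is an identity or permissions problem, not a network one.
$cred = Get-Credential -UserName $upn -Message "On-prem AD password for $upn"
try {
    New-PSDrive -Name P -PSProvider FileSystem -Root $share -Credential $cred -ErrorAction Stop | Out-Null
    Get-ChildItem -Path 'P:\' | Select-Object -First 5
    Remove-PSDrive -Name P
} catch {
    Write-Warning "Network path is fine, but mapping $share as $upn failed: $($_.Exception.Message)"
    Write-Warning "Check the share and NTFS ACLs for this user, and that the account is the same synced identity."
}
```

The ordering matters: if `Test-NetConnection` fails, the credential prompt never appears, which is the practical way to see that a VPN is the missing piece rather than anything in Azure AD Connect.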

Windows Virtual Desktop why I need an AD sync to Azure AD

Why do I need a sync from on-premises AD to Azure AD for Azure Windows Virtual Desktop? It is in the requirements, but I do not understand the details of why.
Regards
Stefan
Windows Virtual Desktop is at this time not compatible with running in a cloud-only environment with Azure Active Directory only.
There are two options supported.
• Local AD synced with Azure AD Connect to Azure AD
If you are already using a local Active Directory synced with Azure AD Connect to Azure AD, this is probably your first choice of setup. You will need to add an Azure VPN to connect your LAN to an Azure network. The WVD hosts need access to a Domain Controller. For the best performance and functions, I also recommend setting up a virtual Domain Controller in Azure.
• Azure Domain Services
If you have gone cloud-only and deprecated your local AD, Azure offers Azure Domain Services. This is an Azure-managed domain that is synced from Azure AD to Azure Domain Services.
http://www.tbone.se/2019/08/08/windows-virtual-desktop-part-2-requirements-and-infrastructure-setup/

IIS Windows Authentication using Federated Identities in Azure AD

I am trying to make Windows Authentication (with Kerberos/NTLM) work in a Web App hosted in IIS using Azure AD federated users, but it seems it does not work. Below are the whole infrastructure details:
I have an Azure AD (e.g. skj.onmicrosoft.com) with Azure AD Domain Services Configured
I have an on premises Windows AD (e.g. skjtest.com) which is federated with the Azure AD. The on-prem users are available in AAD, SSO works but the password hash is not synced with AAD.
A VM is created in Azure and joined to the AAD Domain skj.onmicrosoft.com
I created a Web App which uses Windows Authentication and hosted in IIS present in the above Azure VM
When I try to log in using an AAD user (e.g. aaduser1@skj.onmicrosoft.com) to the web app, it works all fine using both Kerberos and NTLM.
However, when I try to log in using a federated identity (e.g. feduser1@skjtest.com), it fails showing a 401 Unauthorized status code.
Here my question is, is this at all possible to make the Windows Auth (with Kerberos or NTLM) work with the Federated identities? If yes, please let me know the ways I can achieve this.

Remote workers login via Azure Active Directory

I have a very small office with 2 Windows 8 machines, and people work remotely. Because we use Office 365 and Azure, we're already set up with Azure Active Directory (AD). When users VPN in to the office they can use their AD account. However, I wonder if it is possible to allow the on-premises Win-8 machines to log in using their AD account? We have no on-premises servers (excluding NAS).
No. Windows Azure AD currently does not support domain-joined machines and machine/user authentication. It is different in this way from Windows Server Active Directory.
Windows Azure AD currently is centered around user authentication for web based applications.