2-factor authentication for accessing Azure VMs - possible? - azure

My client wants 2FA when accessing VMs in Azure. Is this possible at all? I was thinking about Azure Directory Domain Services, but couldn't find anything related.

You can make use of Azure Application Proxy to surface RDP functionality of Azure VMs to the internet. Application proxy is protected by Azure Active Directory, and thus, you can use 2 factor authentication (if you have the premium SKU) to protect the initial login.

You can use a service such as Duo Security for Windows VMs.
For SSH 2FA to a Linux VM, you can use the Google Authenticator PAM module.
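The answer above names the module but not what makes it a real second factor. As an added example (not code from either answer), the POSIX shell audit below reads an sshd_config and reports whether every accepted login path chains a public key with the PAM one-time-password prompt; the two sample configs it writes are constructed for illustration, and the directive names are standard OpenSSH keywords.

```shell
#!/bin/sh
# Added example, not from the original answer. Audits an sshd_config for the
# directives that turn pam_google_authenticator.so into an enforced second
# factor. The PAM side is typically one line in /etc/pam.d/sshd:
#   auth required pam_google_authenticator.so nullok
# ("nullok" lets users who have not enrolled log in without an OTP; remove it
# once enrolment is complete, otherwise the second factor stays optional.)
#
# Caveat: only the global section is inspected; Match blocks are skipped.

# Print the first effective value of a directive. sshd honours the first
# occurrence of each keyword; comments are stripped, keys are case-insensitive.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*Match/ { exit }          # stop at the first Match block
        { sub(/#.*/, "") }                     # drop trailing comments
        NF >= 2 && tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Return 0 when every login path requires a public key AND the OTP prompt.
check_sshd_2fa() {
    cfg="$1"
    ok=0
    pam=$(sshd_directive "$cfg" UsePAM)
    kbd=$(sshd_directive "$cfg" KbdInteractiveAuthentication)
    # Older OpenSSH spells the same setting ChallengeResponseAuthentication.
    [ -n "$kbd" ] || kbd=$(sshd_directive "$cfg" ChallengeResponseAuthentication)
    pw=$(sshd_directive "$cfg" PasswordAuthentication)
    methods=$(sshd_directive "$cfg" AuthenticationMethods)

    [ "$pam" = "yes" ] || { echo "FAIL: UsePAM yes is needed for the PAM module to run"; ok=1; }
    [ "$kbd" = "yes" ] || { echo "FAIL: keyboard-interactive must be enabled for the OTP prompt"; ok=1; }
    [ "$pw" = "no" ]   || { echo "FAIL: PasswordAuthentication should be no; chain the OTP to a key"; ok=1; }
    # With AuthenticationMethods unset, any single successful method logs in.
    [ -n "$methods" ]  || { echo "FAIL: AuthenticationMethods unset; a key alone is sufficient"; ok=1; }
    # Each space-separated alternative must combine a key with the OTP prompt.
    for alt in $methods; do
        case "$alt" in
            *publickey*keyboard-interactive*|*keyboard-interactive*publickey*) ;;
            *) echo "FAIL: alternative '$alt' does not pair a key with the OTP"; ok=1 ;;
        esac
    done
    return $ok
}

# Constructed samples for a quick self-check (not real VM configs).
write_sample() {
    # usage: write_sample hardened|weak  -> prints the temp file path
    f=$(mktemp)
    if [ "$1" = "hardened" ]; then
        cat > "$f" <<'EOF'
# constructed sample: key + OTP enforced
Port 22
UsePAM yes
PasswordAuthentication no
KbdInteractiveAuthentication yes     # enables the PAM prompt
AuthenticationMethods publickey,keyboard-interactive
EOF
    else
        cat > "$f" <<'EOF'
# constructed sample: module installed, but a key alone still logs in
Port 22
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF
    fi
    echo "$f"
}

# Usage on a VM after installing the module and enrolling users:
#   check_sshd_2fa /etc/ssh/sshd_config
```

A zero exit means each accepted login path chains a key with the OTP prompt; the weak sample shows the common misconfiguration where the module is installed and the prompt enabled, but no AuthenticationMethods line forces it, so a key alone still logs in.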

Related

Azure Data Factory connectivity

Is there a way to restrict Azure Data Factory to be accessible only through an Azure Bastion host? To elaborate, I want anyone reaching the ADF URL to go through a browser running in an Azure Bastion host.
As per the current Azure Security Baseline for Data Factory documentation, it is suggested to use privileged access workstations: secured, isolated workstations are critical for the security of sensitive roles like administrators, developers, and critical service operators. Use highly secured user workstations and Azure Bastion for administrative tasks.
Use Azure AD, Microsoft Defender ATP, or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. You can centrally manage secured workstations to enforce a security configuration that includes:
Strong authentication
Software and hardware baselines
Restricted logical and network access

Does Azure Bastion with AAD Credentials

I recently created an Azure Bastion service and an Azure VM in my organisation's subscription. When I try to connect to the VM via the Bastion using the local admin ID, it works. However, the same fails when I try with my Azure AD ID. Is this a limitation?
There are two (2) authentication schemes:
Azure Active Directory (AAD) authentication: Azure Bastion does not currently support authentication using AAD-based (cloud) users. This request is known and prioritized as "high" by the product team; see the User Voice request for details. The advantage of this approach is to provide full cloud-based authentication, with no dependency on on-premises technology (in this case, Active Directory). One workaround for now is to expose a jump point on a vNet until this feature is available.
Azure Directory (AD) authentication: Azure Bastion does currently support authentication using AD-based users (Windows AD User). Since this is a managed "Active Directory" provided by Microsoft, the use of Azure AD Connect is needed to sync this domain (and users) to Azure Active Directory (AAD). The drawback of this approach is to continue building using on-premises technology (Active Directory).
A public preview announced during Microsoft Ignite 2021 adds support for Azure AD login to Bastion-enabled VMs. It is available using the Azure CLI client on Windows and leverages the native clients (OpenSSH for Azure AD-based SSH to Linux, and mstsc for Azure AD-based RDP to Windows). Details can be found at https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows

Access on Premise resources using Azure AD Application proxy

We have configured Azure Active Directory pass-through authentication and need to access on-premises resources from the Azure-deployed application. Can we do this by configuring Application Proxy, so that the on-premises application is authenticated with Azure AD and the communication between the Azure application and the on-premises application is seamless? Is it possible?
I'm not entirely sure if I understand you correctly but what you want is probably possible by using Azure Hybrid Connections: https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
You install the Hybrid Connector on-prem, e.g. on a VM, and then for instance an Azure App Service can access certain resources on-prem.
Or for anything more advanced you might want to look at Azure VPN (or ExpressRoute in the long run).

Use Azure AD to Authenticate Website running on VM

Right now we have AD set up so access to our App Service is authenticated. But we need the website to have local access to some special applications. Since we can't install applications on an App Services, I THINK that means we need to run the website on a VM.
If that's the case, I'd like to not lose the ability for Azure AD to authenticate access to our VM. I'm sure we can use Azure AD to authenticate us while we RDP to the server, but can it also be used for when we expose our Web Application over HTTPS from the server?
Since we can't install applications on an App Services, I THINK that means we need to run the website on a VM
Even though a VM is the simplest one, you do have other options to at least consider. Here is Microsoft's documentation comparing the various options along with scenario-based recommendations.
Azure App Service, Virtual Machines, Service Fabric, and Cloud Services comparison
Quick Note:
Amongst the options discussed, avoid Cloud Services (classic) as far as possible, as they are legacy and on their way out. Also, if you still choose Virtual machine, do consider Virtual Machine Scale Sets for better scale and management options.
I'm sure we can use Azure AD to authenticate us while we RDP to the server, but can it also be used for when we expose our Web Application over HTTPS from the server?
Yes, it can be used even when you expose your web application over HTTPS from the server. Exposing over HTTPS would only involve opening up the port through NSG rules and SSL settings for your application in IIS. This will not impact your ability to RDP into the VM.

Deploy a web application in Azure but need AD authentication in our LAN

I want to host a web app in Azure, but that app needs users to be authenticated by an AD/LDAP server located in our LAN.
How can I do that? Just open TCP port 636 to Azure? Is there any standard operating procedure?
So you would generally have 3 options:
1. Synchronize directories between on-prem and Azure, use ADFS to authenticate people.
2. Create a site-to-site VPN, force traffic through that tunnel to talk to on-prem AD.
3. Just use public internet to talk to your AD (well, it is a bit crazy, but it's an option).