Using Azure AD Join and Login with Microsoft Azure

Captions
Hey everyone, in this video I want to talk about using machines that are Azure AD joined and really how we interact with them. Now my focus is going to be on ones running in Azure, and even using the extension for Azure AD login, but I will cover, no matter where it's running, how we can use that Azure AD join capability and then logging in using an Azure AD account. As always, if this is useful please go ahead and like, subscribe, comment and share, then hit that bell icon to get notified of new content.

So many organizations today are thinking about, hey, we're leveraging Azure AD, we're using the cloud where possible, I don't want to still have that reliance on Active Directory Domain Services, that traditional AD. So we can think about: we have our Azure AD tenant, so this is specific for our particular organization; for me it's savilltech.net. And then what we can now do is we can actually join machines to Azure AD. Now what I'm going to start with is thinking about, well, this machine could actually be anywhere, so I have some machine that I'm actually going to do a join on. So an Azure AD join is different from the Azure AD registration, where maybe it's actually not joined to anyone but I'm just making it a known quantity to Azure AD so it can be managed by it. There's also a hybrid, where the machine is actually joined to an Active Directory and then, through Azure AD Connect, once again it gets registered to Azure AD. I'm talking about just the Azure AD join capability, so this now has an account in my Azure AD, and then as the client I want to log in to that machine using an Azure AD account. I can think about, well, there are accounts in that Azure AD; for example, I have my user account here. Now firstly, to be able to join a machine to Azure AD I need to be running Windows 10 or Windows 11. I cannot join server operating systems to Azure AD today, not even 2022. I cannot join older versions of Windows client. So I'm running Windows 10 or above. Once again, where this is running does not matter; for this first scenario I have it as an Azure VM, but I'm not using any extensions, I'm not using Azure Resource Manager identity and access management or any of that, it's just an OS.

So what we're going to do is we're going to join this to the Azure AD, and then using that account, well, I'm going to RDP to it using that account, so I'm actually going to RDP as that user. Now another requirement for this to actually work is the machine I am connecting from. This machine also has to be joined to the same Azure AD tenant. Now I say it has to be joined; that's for Windows 10 1607, so that's kind of Windows 10 1607 plus. It can also just be registered if I am Windows 10 and, I think, it's 2004 and above. But the point is, the machine I want to RDP to that Azure AD machine from, it has to be a known quantity to the Azure AD as well. The other option: it could be hybrid joined, i.e. it's joined to an Active Directory and then it has that registration into the Azure AD. So the first thing is we have to join this machine that we want to talk to to the Azure AD.

Now if I jump over, I've got a bunch of different kinds of scenarios set up. My first one is this isn't using any special Azure extension or anything else; I'm just going to actually use part of the guest operating system. So if I jump over, I've got a selection of VMs I've connected to. So in my first scenario, what I've done is just connected it; we can kind of see here, to the savilltech Azure AD. Now this is a VM running in Azure, but it's not actually in a subscription that is part of savilltech.net. I'm not using any kind of special extension; this is completely separate from anything Azure does. And just to kind of show what I did, I did record what it was: so you go to the whole Accounts, Access work or school, you then do Connect, and the special thing we do here when we connect, we don't just add the account. The big deal of what we're actually doing right here is this part: we are going to join this device to Azure Active Directory. That is what is actually going to then do that AAD join. In this case this is a Windows 11 machine; this also would work on Windows 10. So then you go and enter an Azure AD account, authenticate, and it becomes now joined to that Azure AD.

So if we look at this machine for a second, so I've already completed that, and if we look at dsregcmd /status, what we can see is, hey, yes we are Azure AD joined, we are not regular domain joined, and if we keep kind of looking down we can see the tenant name is savilltech, so I've joined it here to savilltech. You can see all the details about the tenant ID, you can see I have a primary refresh token, you can see the executing account name is my john@savilltech.net, and yes, it's device joined, is the user Azure AD, and all these various different things. Now I am RDP'd to this computer, so I'm kind of proving that point right now: my local machine is also Azure AD joined to the same tenant, and to actually connect to that machine the only really important thing is, if we look at the username, it is AzureAD\ and then the UPN, and then it is just the password. Now I'm using RDCMan just for convenience, but you absolutely don't need to do that; I could just use the regular mstsc or anything else. So in this first scenario, hey, yes, we've joined this, completely separate from anything Azure does, to my Azure AD, and then I'm just RDPing to it as the user. But the key point is in that configuration, and this is going to be consistent for all of this, the account name is always AzureAD\ and the kind of UPN. That's the important part, and that's what we saw as part of that configuration that I've pre-configured.

Now the actual account that I'm currently logged on to this machine as does not have to be an Azure AD account. For example, I'm actually logged on as a Microsoft account; it is not this Azure AD account. So the requirement is the machine I'm connecting from, yes, has to be joined or registered or hybrid Azure AD joined, so I should write that in, it could be hybrid as well, so we have different options, to the same tenant. But the actual account I'm logged in as does not; I'm using a Microsoft account to actually log on to the machine. So the account I'm logged on as does not matter; it's the account I'm passing as part of it, and yes, I'm passing an Azure AD account.

If I want to add additional users to be able to actually connect, well, then this is now just standard stuff as part of an operating system. So in this case, if I wanted to add another user, I'm using the PowerShell Add-LocalGroupMember and I'm adding it to the group Remote Desktop Users, and I'm adding in AzureAD\clark@savilltech.net; I'm enabling another user. So that's all we do. Obviously I have to have enabled Remote Desktop in the guest operating system, port 3389 has to be lit up, and hey, that's it, I'm now connected in. Do remember, if I'm using Azure AD there is no Group Policy; we use things like Intune or Microsoft Endpoint Manager, which combines Intune and Config Manager and some other things. That's how I would do the management of kind of the OS instance. But that's it; I mean, that's how I can just do an Azure AD join. The only real thing is, hey, this machine is Azure AD joined, that lets me then authenticate with accounts from the Azure AD, I have to make sure they have the Remote Desktop Users right, and then the machine I'm connecting from either has to be joined to the Azure AD, or just registered for newer versions of Windows 10, or hybrid joined, and I use the AzureAD\UPN format and I'm connected in. That's really not that hard to do.

Now let's extend that scenario for a second, and all of these things still apply; nothing is changing about any of this. The only thing I'm going to change now is the machine I'm connecting to: well, now it's an Azure IaaS VM, because one of the challenges we face is for Windows 10 and Windows 11, yes, I can do an Azure AD join; I cannot do that for the Windows Server operating systems, Windows Server 2019, Windows Server 2022, I can't do that. So this is where the extension comes in, and it does apply to Windows 10 and 11 to actually simplify things. So what now we can do is, added onto this, there is this extension for this Azure AD login, and that gives us a number of things. Now what that extension actually does is, when I apply that extension, the tenant that my subscription trusts, guess what it's going to do? It's going to join it to that Azure AD tenant. But now, when we think about, before I had to grant users that Remote Desktop Users, now I'm actually using the Azure ARM identity and access management. There are actually roles I can configure, either to be a user or to be an admin, so now I'm actually controlling the access through Azure Resource Manager; I don't have to go and do things inside the guest OS. And the nice thing now about this is, yes, it works for kind of the Windows 10, Windows 11, and it works for the Windows Server 2019 and 2022. And normally Windows Server cannot do an Azure AD join; this extension is that one exception time that it does actually join Windows Server to Azure AD, and we'll actually see that going through.

So what I'll do is I'll actually now walk through this scenario. So what we'll actually first do is let's look at the configuration. So firstly, that first virtual machine I was showing you is this one over here, so notice it's a completely different subscription; it's not tied to my savilltech tenant. And if I look at the extensions, it has extensions, but none of those extensions are kind of the Azure AD login; I'm just using the guest configuration. And if I look at my role assignments, once again I kind of see it there, but there's nothing there about actually enabling any particular user, because it is not using that; it's completely separate. Now let's look at these virtual machines. Now these are in a subscription that trusts my tenant, and I can start with the basic idea of a client operating system. Now this time I have lit up the AAD Login for Windows. Now once I do that, once I've enabled that, the next step is I have to grant role assignments. Now there were two roles that actually apply to this. We can see, let me just make this a little bit bigger, we can see there's a Virtual Machine User Login role, so just a regular user, and there's a Virtual Machine Administrator Login, so I would give one of these to the users I want to be able to log in, RDP to this virtual machine. And we can kind of look at these, and what's special about these roles: they do have data planes, so they have data actions to actually log in, log in as an admin, and these do apply to Arc as well, so we can see it's actually doing the hybrid compute; so it applies to just the regular compute resource provider and the hybrid compute. So I grant these roles, and as we can see I've granted that login as administrator to my account, so I've granted it on what is a client operating system. Then I also have a server operating system; I've lit up that same, hey, AAD login, and I've given it the same role assignment to say, hey, yeah, you can actually log in with this. Now if you forget to give it this role you just won't be able to log in; it will error, it will say your account is not configured to be allowed to connect to this. So you have to do this.

So let's start with the simple demo VM. Now I'm showing this connecting through a public IP, but obviously if I have, like, a site-to-site VPN or point-to-site VPN or ExpressRoute private peering, I could connect through the private IPs of this, but I'm showing it kind of the worst-case scenario, and I want to talk a little bit more about this in a second. So now if I jump over to my demo VM, once again my login is exactly the same; I'm not changing anything: AzureAD\john@savilltech.net. But I didn't manually join this in any way; it was done for me. Again, if I do that dsregcmd /status we'll see pretty much exactly the same thing, so is it device joined, again yes, my user, yes, it's all going to look the same. I can see, hey, yes, I'm Azure AD joined, I'm not domain joined, and this is once again just a client OS, so it's not really done anything that different from what I could do directly with the Azure AD join; it just went and did it for me. But now I'm actually using those data planes, I'm using the roles of ARM to actually go and get my connectivity.

But now I have a server OS, so this is Windows Server. So if we look at this for a second, you can see now I'm actually running Windows Server 2022, and even this normally I cannot join to an Azure AD, but remember I added that extension, and this is this one exception to the normal rule, because if I look at this OS instance, well, you can see it is Azure; it's not hybrid, there's no domain joined, it is Azure AD joined, which is how, once again, if we look at how have I connected, nothing special, I've connected as AzureAD\john@savilltech.net. So it has lit up that capability so that I can now actually connect. Now once again, if I'm using the extension I have to add that role, or I'm going to get the, hey, your account is configured to prevent you from using this device error. And if you do grant that role it is not instant; give it a minute and then you can kind of try again, and hopefully you'll be able to connect. Now, and that's really it; there's nothing else special about it. I am now connecting using an Azure AD account. Again, the same, this always applies: this is the format I'm using as part of that authentication.

Now obviously if it's running in Azure there are other factors that may come into play. Remember it has a private IP, so if I have that site-to-site VPN or ExpressRoute private peering I can connect through that. Remember this kind of lives inside a VNet, and so there are network security groups that you need to make sure are allowing the traffic to actually go through; I need that RDP to be able to get to that target. If you are using a public IP, do not just open it up straight, you know, into the internet; that's a good way to get hacked really, really quickly. Ideally you would do something like Azure Bastion, which is a managed, um, basically jump box to get to that, or I could use the Azure just-in-time: when I want to connect I say, hey, I want to connect, and it will open up and add a rule just for my public-facing IP to be able to get to it. Or you could manually in your NSGs add exceptions for your public-facing IPs. Again, so if you do have to connect via your public IP, ideally we're not, we should use the private IPs, but if you have to, make sure you're locking it down. And I can use Azure Bastion for this, so it's actually kind of cool. So Azure Bastion recently added a feature: instead of having to go through the portal, you can actually now natively use the regular mstsc client, and the way you do that is actually through the Azure CLI, and you have this new option; it's actually az network bastion rdp (there's also an ssh option), and you just tell it the Bastion, you tell it the resource group of the Bastion, you tell it the target resource. So I'm going to try and connect to my Windows 11 Azure AD joined box, and here you can see it's kind of warning me, hey, this is under development, but it is prompting me for credentials, and it is my Azure AD account. Typed that wrong. And it's connecting over here, and notice it's kind of doing this with localhost, because it's going via Bastion; it's actually going to jump via my Bastion service. And what it did is it loaded it on this screen over here, but now I've connected. So I've actually now used Azure Bastion via an Azure AD account to actually go and connect to it, so I can absolutely use that as well. If I was using, for example, um, Azure Firewall, I could have those connections; I'd be going through Azure Firewall. I mean, the key point is don't just open this up to the internet. Never RDP or SSH or remote management; I don't want those on a public IP, just open. If you have to use the public IP, ideally it's just-in-time or I'm using Bastion or I'm really locking down the NSG to just my public-facing IPs. Do not just leave that open.

Now there are some caveats: things like multi-factor authentication. I cannot get prompted for MFA as part of that authentication, so if I want strong authentication I have to have used something like Windows Hello for Business for my initial authentication to that machine, so that strong auth is part of my token. I cannot pop up a, hey, do the MFA as part of that RDP; if I have MFA required for my user account, it's not going to work. I can lock down the actual connection; I can use Conditional Access. So when I am using this extension it actually is an application, a cloud app, I can use in Conditional Access. So once again, if we jump over for a second, if I just go and look at my Azure AD and we go and look at our Security and we look at Conditional Access, and I'll just create a new policy really quickly, what we can see is, when we look at our cloud apps, if I do a select, there's actually now an Azure Windows VM Sign-In, so I can actually create a specific policy. Now maybe I need to use this to exclude something, but I could maybe use this to require that client device to be a certain health, maybe I'm looking into Identity Protection to check for a certain thing, but I can absolutely, through this extension, hook into Conditional Access to do some really pretty nice things over there.

And that's really all we have to do. So there's the key rule: I can use these things; it's just my machine either has to be joined, or for newer Windows 10 it can just be registered, or hybrid joined, and I use that AzureAD\. They're really the key rules around it, and it does work for my Windows Server 2019, 2022 if I don't want to domain join them; for example, I can actually now do that, hey, Azure AD join only, through that extension, so there's something special. I have seen articles out there where you do things like enablecredsspsupport set to zero, which means I don't have to provide credentials on the initial connection; I've seen things like set the authentication level to two, which, if the server authentication fails for what I'm connecting to, gives me a warning and lets me continue. I didn't need to do any of that. I think that's where you don't meet these rules; then you can kind of do some strange things to try and get past it, but once again it just requires this machine to be joined or registered. The account I am locally logged on as does not have to be an Azure AD account; again, I'm actually using a Microsoft account, so the account I'm sitting at my box as is not an Azure AD account at all. I can still log on to an Azure AD joined machine as a different account. So that's it. I hope that's useful; it's a really nice capability if I don't have kind of an Active Directory and I want to use that to authenticate. I just want to have this nice simple manner to authenticate, and once again it doesn't have to use the extension; if it's a client I can just Azure AD join it and these same rules apply to that. But now also I can do it with server operating systems as well. This does also work with Linux; it obviously uses some different mechanisms, and I think I'll save that for another video. But until next time, take care.
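The two access models the video walks through, as an added PowerShell example that is not from the video or from Microsoft: the first half checks the machine's own join state with dsregcmd /status and grants an AzureAD\UPN principal RDP access via the local Remote Desktop Users group (the no-extension scenario); the second half uses the Azure CLI to enable the AAD login extension on a VM, assign the ARM login role, and tunnel the native mstsc session through Azure Bastion instead of a public 3389. The user clark@contoso.example and the resource group, VM and Bastion names are placeholders; the function names are mine.

```powershell
# Added example, not the video's own script. Assumed placeholders: the UPN
# clark@contoso.example and the rg-/vm-/bastion-placeholder resource names.
#Requires -RunAsAdministrator

function Get-AadJoinState {
    # Parses the "Key : Value" lines of dsregcmd /status into an object with
    # the fields the video reads off the screen (join state and tenant).
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($state['DomainJoined']  -eq 'YES')
        TenantName    = $state['TenantName']
        TenantId      = $state['TenantId']
    }
}

function Grant-AadRdpUser {
    # Scenario 1 (no extension): the guest OS decides who may RDP, so the
    # AzureAD\upn principal goes into the local Remote Desktop Users group.
    param([Parameter(Mandatory)][string]$Upn)
    $principal = "AzureAD\$Upn"
    $already = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $principal }
    if (-not $already) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $principal
    }
    return $principal   # this is the exact username to type into mstsc
}

# --- Run on the Azure AD joined target machine ---
$join = Get-AadJoinState
if ($join.AzureAdJoined -and -not $join.DomainJoined) {
    "Azure AD joined to tenant $($join.TenantName) ($($join.TenantId))"
    $rdpUser = Grant-AadRdpUser -Upn 'clark@contoso.example'
    "Connect with mstsc using username: $rdpUser"
} else {
    Write-Warning ("Not Azure AD joined (AzureAdJoined={0}, DomainJoined={1}); " +
        "AzureAD\ logons will not work here.") -f $join.AzureAdJoined, $join.DomainJoined
}

# --- Scenario 2 (Azure VM + AADLoginForWindows extension), run from any box
#     with the Azure CLI logged in to a subscription that trusts the tenant ---
$ResourceGroup = 'rg-placeholder'
$VmName        = 'vm-placeholder'
$BastionName   = 'bastion-placeholder'

$vmId = az vm show --resource-group $ResourceGroup --name $VmName --query id --output tsv

# The extension performs the Azure AD join (the one case that works on Windows Server too).
az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows `
    --resource-group $ResourceGroup --vm-name $VmName

# Access is an ARM role assignment on the VM, not local group membership:
# "Virtual Machine User Login" for users, "Virtual Machine Administrator Login" for admins.
az role assignment create --assignee 'clark@contoso.example' `
    --role 'Virtual Machine User Login' --scope $vmId

# Keep 3389 off the public IP: tunnel the native mstsc session through Azure Bastion.
az network bastion rdp --name $BastionName --resource-group $ResourceGroup --target-resource-id $vmId
```

The dsregcmd parser deliberately keys on the literal field names (AzureAdJoined, DomainJoined, TenantName, TenantId) so a machine that is hybrid joined or merely registered fails the check rather than silently being treated as joined; the role assignment, as the video notes, can take a minute to propagate before the login succeeds.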
Info
Channel: John Savill's Technical Training
Views: 36,587
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, azure ad, rdp, login
Id: 9xpf3jZBzhQ
Length: 24min 59sec (1499 seconds)
Published: Thu Dec 23 2021