Granting Guest or Partner users access to your on-premises apps

May 17, 2018 Leave a comment

In the past, in order to grant guest or partners users access to on-premises applications, would require a very complicated setup and would also incur on management overhead with Trusts, VPN and guest/partners accounts being created on the local Active Directory.

Fortunately, that’s past.

Nowadays, we can grant access to Guest or Partner users to applications hosted on-premises or in the cloud. How can that be done? Simple : using the Azure B2B feature:

  • For apps that use SAML-based authentication:
    • Integrate the SAML app by using the non-gallery application template, as described in Configuring single sign-on to applications that are not in the Azure Active Directory application gallery. Make sure to note what you use for the Sign-on URL value.
    • Use Azure AD Application Proxy to publish the on-premises app, with Azure Active Directory configured as the authentication source. The high level steps are:
      1. Install the Application Proxy Connector (go to Get started with Application Proxy and install the connector)

        2

      2. In the Azure Portal, select on Azure Active Directory -> Enterprise Applications -> Overview, then click on +New Application

        0

      3. Click on On-Premises Application
        0a
      4. Provide the following information application:
        0d

        Name: The name will show on the access panel and in the Azure portal.
        Internal URL: The URL that you use to access the application from inside your private network.
        External URL: The address your users will go to in order to access the app from outside your network.
        Pre Authentication: How Application Proxy verifies users before giving them access to your application: Azure Active Directory (default); Multi-Factor Authentication; Passthrough.
        Connector Group: Connectors process the remote access to your application, and connector groups help you organize connectors and apps by region, network, or purpose.
  • For apps that use Integrated Windows Authentication (IWA) with Kerberos constrained delegation (KCD): using Azure AD Proxy for authentication. However, for authorization to work, a user object is required in the on-premises Windows Server Active Directory. There are two methods you can use to create local user objects that represent your B2B guest users:
    • You can use Microsoft Identity Manager (MIM) 2016 SP1 and the MIM management agent for Microsoft Graph.
    • You can use a PowerShell script. (This solution does not require MIM.)

 

For more information on Publishing applications with Application Proxy see https://docs.microsoft.com/en-au/azure/active-directory/manage-apps/application-proxy-publish-azure-portal

 

 

 

Categories: Cloud

New Azure B2B Invite process.

May 16, 2018 Leave a comment


New Azure B2B Invite process: Redemption through a direct link

“Just in Time Redemption”.

In the past, in order for your guest/partner users to access a shared resources utilising Azure B2B Collaboration, they would have had to be invited by email to access resources/apps on your Azure Tenant. When receiving the email, your guest/partner clicks on the invitation link which will trigger its acceptance and consequent adding the guest/partner account as a guest user in your tenant and the providing access to the resources or apps you have configured.

 

Now, although that option still available, your guest/partner users can simply access the application you’ve invited them to. How? You can invite a guest/partner user by sending him/her a direct link to a shared app.

 

NEW Modernized Consent Experience. When a guest/partner user accesses your organization’s resources for the first time, they will interact with a brand new, simple, modernized consent experience.

 

Image source:https://cloudblogs.microsoft.com/enterprisemobility/2018/05/14/exciting-improvements-to-the-b2b-collaboration-experience/

 

After any guest user signs in to access resources in a partner organization for the first time, they see a Review permissions screen.

The guest/partner user must accept the use of their information in accordance to the inviting organization’s privacy policies to continue

 

Upon consent, the guest/partner users will be redirected to the application shared by you.

How it works:

      • You want your guest/partner user to access a specific application
      • You add them as a guest user to your organization (In the Azure Portal, go to Azure Active Directory -> Users -> New Guest User)
    • In the message invitation, type the link to the application you want them to have access to
    • Now, your guest/partner user will only have to click on the link to the application to immediately access it after giving consent.

 

It’s very simple isn’t it?

 

 

Tips to help you take appropriate action to catch illegal activity

April 26, 2018 Leave a comment

Below are some tips to help you take appropriate action to catch illegal activity:

Azure AD reporting API

Use the Azure Active Directory Reporting API’s, which provide programmatic access to the data through a set of REST-based APIs and the data of these reports is very useful to your applications, such as SIEM systems, audit, and business intelligence tools.

Azure AD reporting API can be used to extract data from Azure AD and Azure B2C

Note: You can call these APIs from a variety of programming languages and tools.

For more information on how to use and samples see:

Enable Audit Recording for O365

sccauditlogsearch

Source: https://blogs.technet.microsoft.com/office365security/finding-illicit-activity-the-old-fashioned-way/

Even the best automated detection systems will fight to catch all illegal activity and they need your help to detect anomalies.

Some audit logging is automatically enabled for you in Office 365; however, mailbox audit logging is not turned on by default

So, if you are a serious about security, Office 365 offers a wide variety of security related reports and data that you can review to manually find illegal activities:

It only takes a few minutes to configure and it will dramatically improve your security posture: To turn it on, just click Start recording user and admin activity on the Audit log search page in the Security & Compliance Center.

Note: If you don’t see this link, auditing has already been turned on for your organization. You only have to do this once.

After you turn it on, a message is displayed that says the audit log is being prepared and that you can run a search in a couple of hours after the preparation is complete.

For more information, follow the instructions here: https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US.

After you’ve enabled audit logging you can Search the audit log in the Office 365 Security & Compliance Center to find out who has logged into your user mailboxes, sent messages, and other activities performed by the mailbox owner, a delegated user, or an administrator.

You can Download all results as raw data from the Office 365 audit log to a CSV file.

The table below describe the activities that are audited in Office 365. You can search for these events by searching the audit log in the Security & Compliance Center. Click one of the following links to go to a specific table.

File and page activities Folder activities Sharing and access request activities
Synchronization activities Site administration activities Exchange mailbox activities
Sway activities User administration activities Azure AD group administration activities
Application administration activities Role administration activities Directory administration activities
eDiscovery activities Power BI activities Microsoft Teams activities
Yammer activities Exchange admin activities

 

 

 

 

 

Categories: Cloud Tags: , , , , , ,

Do you have questions on Containers? #AskBenArmstrong

April 19, 2018 Leave a comment

Fundamentally, Containers are an isolated, resource controlled, and portable runtime environment which runs on a host machine or virtual machine and allows you to run an application or process which is packaged with all the required dependencies and configuration files on its own.

When you containerize an application, only the components needed to run this application and of course the application itself are combined into an image, which are used to create the Containers.

How are you utilising containers? Do you have questions on Containers? On Tuesday, 24th April, Microsoft Program Manager Ben Armstrong, will be answering your questions on Containers. It is a rare opportunity. Don’t miss out.

  • Date and Time: Tuesday, Apr 24, 2018, 4pm CEST (7am PDT / 10am EDT) Duration: Approx. 1 hour
  • Date and Time: Tuesday, Apr 24, 2018, 10am PDT / 1pm EDT (7pm CEST) Duration: Approx. 1 hour

You can also ask questions through twitter until Tuesday by including #AskBenArmstrong.

Webminar

Serial Console access for both #Linux and #Windows #Azure VMs #COM1 #SerialConsole

March 27, 2018 Leave a comment

SerialConsole-PrivatePreviewWindows
Source:
 https://azure.microsoft.com/en-us/blog/virtual-machine-serial-console-access/

Now, you can debug fstab error on a Linux VM for example, with direct serial-based access and fix issues with the little effort. It’s like having a keyboard plugged into the server in Microsoft datacenter but in the comfort of your office.

Serial Console for Virtual Machines is available in all global regions! This serial connection is to COM1 serial port of the virtual machine and provides access to the virtual machine and are not related to virtual machine’s network / operating system state.

All data is sent back and forth is encrypted on the wire.All access to the serial console is currently logged in the boot diagnostics logs of the virtual machine. Access to these logs are owned and controlled by the Azure virtual machine administrator.

You can access it by going to the Azure portal and visiting the Support + Troubleshooting section.

Security Access Requirements

Serial Console access requires you to have VM Contributor or higher privileges to the virtual machine. This will ensure connection to the console is kept at the highest level of privileges to protect your system. Make sure you are using role-based access control to limit to only those administrators who should have access. All data sent back and forth is encrypted in transit.

Access to Serial console is limited to users who have VM Contributors or above access to the virtual machine. If your AAD tenant requires Multi-Factor Authentication then access to the serial console will also need MFA as its access is via Azure portal.

How to enable it:

For Linux VMs: this capability requires no changes to existing Linux VM’s and it will just start working.

For Windows VMs: it requires a few additional steps to enable it:

  1. Virtual machine MUST have boot diagnostics enabled
  2. The account using the serial console must have Contributor role for VM and the boot diagnostics storage account.
  3. Open the Azure portal
  4. In the left menu, select virtual machines.
  5. Click on the VM in the list. The overview page for the VM will open.
  6. Scroll down to the Support + Troubleshooting section and click on serial console (Preview) option. A new pane with the serial console will open and start the connection.

Note: For all platform images starting in March, Microsoft have already taken the required steps to enable the Special Administration Console (SAC) which is exposed via the Serial Console.

 

 

Windows Server 2019 now available in preview

March 21, 2018 Leave a comment

 Capture5

On March 20th 2018, Microsoft announced that Windows Server 2019, which is built on the strong foundation of Windows Server 2016, are now released to Preview. You can get access to the preview build through Microsoft Insiders program.

Windows 2019 will be generally available (GA) in the second half of calendar year 2018.

 

Some tips:

  • The Windows Server vNext Semi-Annual Preview – Build 17623 is Server Core ONLY

 

Capture1.PNG

  • If you downloaded the VHDX version, as the file is compressed, make you sure you remove the compress check in the properties of the file as per below image as it will fail to start the VM if you don’t:

 

  • Capture3

 

  • Download the Windows Server vNext LTSC Preview – Build 17623, if you are looking for the Full GUI version.

Capture

Use the following keys provided by Microsoft (https://techcommunity.microsoft.com/t5/Windows-Server-Insiders/Announcing-Windows-Server-2019-Preview-Build-17623/m-p/173715#M268)

Windows Server 2019 Build 17623  is available in ISO format in 18 languages. This build and all future pre-release builds will require use of activation keys during setup. The following keys allow for unlimited activations:

Datacenter Edition

 6XBNX-4JQGW-QX6QG-74P76-72V67

Standard Edition

 MFY9F-XBN2F-TYFMP-CCV49-RMYVH

 

So, what features to look for in the new in Server 2019:

 

·        Cluster Sets, the new cloud scale-out technology, is a loosely-coupled grouping of multiple Failover Clusters: compute, storage or hyper-converged. Cluster Sets technology will enable virtual machine fluidity across member clusters within a Cluster Set and a unified storage namespace across the “set” in support of virtual machine fluidity.  

·        Failover Cluster without NTLM authentication, which allows failover clusters to be deployed in environments where NTLM has been disabled.

·        Shielded VM’s Offline mode, Alternate HGS and Shielded Linux support, which allows you to run HyperV shielded virtual machines on hosts that suffer intermittent connectivity to their Host Guardian Service (HGS).  The fallback HGS will allow you to configure a second set of URLs for Hyper-V to try if it can’t reach the primary HGS server.

·        Shielded VM’s Alternate HGS, which allows you to run HyperV shielded virtual machines on hosts that suffer intermittent connectivity to their Host Guardian Service (HGS).  The fallback HGS will allow you to configure a second set of URLs for Hyper-V to try if it can’t reach the primary HGS server. 

·        Shielded VM’s Offline mode, which takes the high availability promise for shielded VMs one step further and allows you to continue to start up a shielded VM even if the host’s primary and fallback HGSs can’t be reached.

·        Shielded VM’s Shielded Linux support, for customers that run mixed-OS environments, Microsoft now supports Ubuntu, Red Hat Enterprise Linux, and SUSE Linux Enterprise Server Shielded virtual machines.

·        Encrypted Network in SDN, which provides simple to configure DTLS-based encryption using the Network Controller to manage the end-to-end encryption and protect data as it travels through the wires and network devices between the hosts., enabling the VM to VM traffic within the VM subnet to be automatically encrypted as it leaves the host and prevents snooping and manipulation of traffic on the wire.  This is done without requiring any configuration changes in the VMs themselves.

· Performance history for Storage Spaces Direct, which allow Administrators of Storage Spaces Direct get easy access to historical performance and capacity data from their cluster.

·        Windows Defender Advanced Threat Protection, ,which provides deep platform sensors and response actions, providing visibility to memory and kernel level attacker activities and abilities to take actions on compromised machines in response to incidents such as remote collection of additional forensic data, remediating malicious files, terminating malicious processes etc.

·        Windows Defender ATP Exploit Guard ,which is new set of host intrusion prevention capabilities, designed to lock down the device against a wide variety of attack vectors and block behaviours commonly used in malware attacks:

To DOWNLOAD, Join the program to ensure you have access to the bits.

For more details on this preview build, check out the Release Notes

Source : https://cloudblogs.microsoft.com/windowsserver/2018/03/20/introducing-windows-server-2019-now-available-in-preview/