Cloud Levels

// Exploring IT one level at a time…

Tag: Microsoft Azure

  • Using Microsoft Entra ID authentication on an Azure Windows VM (Without AD DS)


    If your environment does not have a directory service such as Active Directory Domain Services (AD DS), but you still require Microsoft Windows-based virtual machines (VMs) in Azure, you can integrate those VMs with Microsoft Entra ID for authentication purposes.

    This allows users to sign in to Azure Windows Server VMs using their Entra ID credentials, whilst removing the dependency on locally managed user accounts. From a security perspective this provides several benefits, including centralised identity management and improved auditing.

    Prerequisites

    To be able to enable Entra ID authentication on a Windows VM, the AADLoginForWindows extension must be installed.

    This extension can be deployed in several ways:

    • Using Azure CLI or Azure PowerShell
    • During VM creation in the Azure portal
    • Retrospectively through the Azure portal

    Installing the extension during creation of an Azure VM:

    When creating a VM in the Azure portal, the extension can be installed automatically by selecting the Login with Microsoft Entra ID checkbox during the deployment process.

    Installing the extension on a pre-existing Azure VM:

    If the VM already exists, the extension can be installed manually:

    1. Navigate to the VM in the Azure portal
    2. Select Extensions + applications
    3. Add the AADLoginForWindows extension

    Once installed successfully, the extension will appear in the Extensions & applications blade, with a status of Provisioning succeeded.

    Please note that, at the time of writing, this extension does not support automatic upgrades and requires manual updates when newer versions are released by Microsoft. This is shown in the example above by comparing the Version and Latest version columns.

    Granting Access via Azure RBAC

    Now that the extension is installed, all you need to do for this to work is grant your users the required Azure roles. The role required depends on the permission level your user needs.

    Two Azure roles exist for this purpose: Virtual Machine User Login and Virtual Machine Administrator Login. As the names suggest, the first role provides user accounts with standard user permissions, and the second provides the user with local administrator permissions.
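    As an added example (not the post's own commands), the install-and-grant steps above scripted with the Az PowerShell module: enable the VM's system-assigned managed identity, which the extension relies on, install AADLoginForWindows at the newest published version, assign the sign-in role at VM scope only, and report whether the installed version lags behind, which matters because the extension does not auto-upgrade. The resource group, VM name and user UPN are placeholders.

```powershell
# Added example, not from the original post: enable Entra ID sign-in on an existing
# Azure Windows VM with the Az PowerShell module (Az.Compute and Az.Resources).
# Resource group, VM name and UPN below are placeholders.
$rg   = 'rg-placeholder'
$vm   = 'vm-placeholder'
$upn  = 'user@contoso.example'                    # placeholder user to grant access
$role = 'Virtual Machine Administrator Login'      # or 'Virtual Machine User Login'

Connect-AzAccount | Out-Null
$vmObj = Get-AzVM -ResourceGroupName $rg -Name $vm

# The extension relies on the VM's system-assigned managed identity (the portal
# checkbox enables it silently); enable it here if it is missing.
if (-not $vmObj.Identity -or "$($vmObj.Identity.Type)" -notmatch 'SystemAssigned') {
    Update-AzVM -ResourceGroupName $rg -VM $vmObj -IdentityType SystemAssigned | Out-Null
}

# Newest published extension version in the VM's region. The extension does not
# auto-upgrade, so this is the "Latest version" value to compare against later.
$latest = Get-AzVMExtensionImage -Location $vmObj.Location `
              -PublisherName 'Microsoft.Azure.ActiveDirectory' -Type 'AADLoginForWindows' |
          Sort-Object { [version]$_.Version } | Select-Object -Last 1

# Install (or re-run to update) AADLoginForWindows; TypeHandlerVersion is major.minor.
$extParams = @{
    ResourceGroupName  = $rg
    VMName             = $vm
    Location           = $vmObj.Location
    Name               = 'AADLoginForWindows'
    Publisher          = 'Microsoft.Azure.ActiveDirectory'
    ExtensionType      = 'AADLoginForWindows'
    TypeHandlerVersion = ([version]$latest.Version).ToString(2)
}
Set-AzVMExtension @extParams | Out-Null

# Grant the sign-in role scoped to this VM only, not to the resource group or
# subscription, so the assignment does not grant sign-in to any other VM.
New-AzRoleAssignment -SignInName $upn -RoleDefinitionName $role -Scope $vmObj.Id | Out-Null

# Verify: provisioning state, and whether the running version lags the latest.
$ext    = Get-AzVMExtension -ResourceGroupName $rg -VMName $vm -Name 'AADLoginForWindows'
$status = (Get-AzVM -ResourceGroupName $rg -Name $vm -Status).Extensions |
          Where-Object Name -eq 'AADLoginForWindows'
[pscustomobject]@{
    ProvisioningState = $ext.ProvisioningState
    InstalledVersion  = $status.TypeHandlerVersion
    LatestVersion     = $latest.Version
    UpdateNeeded      = [version]$status.TypeHandlerVersion -lt [version]$latest.Version
}
```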

    In a standard environment the above should be all you need to do to allow Entra ID authentication on an Azure VM. However, in tenants with more complexity you may find you need to complete some further troubleshooting and make additional changes, especially if your tenant is leveraging Microsoft’s conditional access.

    Conditional Access & MFA considerations

    If you have a conditional access (CA) policy which enforces MFA, your users will need to authenticate with a strong modern authentication option, such as Windows Hello for Business.

    If a strong modern authentication option is not possible in your environment, you will need to ensure the conditional access policy which enforces MFA does not apply to this sign-in. This can be done by excluding the Microsoft Azure Windows Virtual Machine Sign-in application in the cloud apps exclusion list of the CA policy.

    I’ve also found that the legacy per-user multifactor authentication settings (if enabled) interfere with this authentication flow. To resolve this you need to disable them for each user in the Entra ID portal; the settings captured below are available by selecting the Per-User MFA option in the Users blade within the Entra ID portal:

    Additional caveats and common gotchas:

    • To be able to use modern authentication methods such as Windows Hello for Business, the Use a web account to sign in to the remote computer option needs to be selected within the RDP client:

    The above setting can of course be saved to an RDP file so that it does not need to be enabled each time. You can also download a pre-prepared RDP file by using the Connect option from the VM’s properties in the Azure portal.

    • The device the user is signing in from needs to be an Entra ID joined, Entra ID hybrid joined or Entra ID registered device. Otherwise you’ll see sign-in errors at the RDP sign-in prompt, most likely a generic error saying The logon attempt failed.
    • When authenticating from a device which is Entra ID registered, every time a user authenticates with the RDP client they will need to specify the “AzureAD\” prefix, for example “AzureAD\username”.
    • This authentication method is unsupported if you are logging in from another Windows Server and your tenant has a conditional access policy which enforces access only from compliant devices.
    • To allow Microsoft Entra authentication to work on a Virtual Machine in Azure, the following networking requirements apply:

    Hope this helps and thanks for reading!

  • Configuring Microsoft Entra ID tenants in a hybrid identity model with multiple AD DS forests


    Overview

    An interesting challenge came my way recently, for a global firm with locations in 15 different countries, who were going through an exciting period of growth and acquisition.

    This article is going to talk about the challenge I faced with regards to the business’s hybrid identity requirements.

    But first I’d like to provide a bit of background to the project.

    The first stage of the project was to merge two separate firms, and all of their offices based in the UK, from an IT infrastructure perspective. This included on-premises identity, on-premises servers, cloud resources and networking.

    Both firms had different specialities; however, once merged, these two firms would become the global firm’s UK division.

    The second stage of the project was to bring the UK division into the global business’s Microsoft Azure infrastructure and Microsoft Entra ID tenant. This included converting every user into a hybrid identity so they could authenticate to on-premises and cloud resources with one identity, and providing a zero-touch build process for every end-user compute (EUC) device by leveraging Intune (MDM) and Autopilot.

    Due to the nature of the global business, my remit was only in relation to the UK division; divisions located outside the UK are managed by their own respective IT teams. Therefore, the solution implemented had to affect only the UK division, whilst allowing other divisions to replicate this behaviour and functionality during their own onboarding transformation projects in the future.

    The challenge

    How to use a hybrid identity model for a specific on-premises Active Directory Domain Services (AD DS) forest with a Microsoft Entra ID tenant which, in future, will require other independent AD DS forests to also implement a hybrid identity model, all without any trusts or connectivity between these independent AD DS forests.

    Over the years the Entra ID Connect sync service, installed on a Windows Server, has generally been the go-to option for hybrid identity sync between AD DS and Entra ID.

    However, Entra ID has a limitation whereby it cannot connect to and use multiple Entra ID Connect servers.

    This meant it was not a suitable option in this scenario, due to the lack of connectivity and trusts between AD DS forests across the globe.

    The solution

    Microsoft Entra ID Connect cloud sync.

    The primary difference between the Entra ID Connect cloud sync service and an on-premises Entra ID Connect server is that the sync engine is offloaded to the cloud.

    This method suited this scenario perfectly as it supports multiple forests without the need for line of sight connectivity and trusts between the individual ADDS forests.

    To be able to sync to Entra ID with Entra ID Connect cloud sync, a lightweight Entra ID Connect cloud sync agent is required; this needs to be installed onto a domain member server within each forest.

    The Entra ID Connect Cloud sync service is more limited when compared to the traditional Entra ID Connect service.

    Although, in my opinion, the main features you would expect are all there and fully functional. For example, the Entra ID Connect cloud sync service still allows a two-way sync (AD to Entra ID and Entra ID to AD), which provides password writeback functionality. Entra ID Connect cloud sync also provides OU filtering, allowing you to control which objects are synced from AD DS.

    For reference, if you require users to be able to change their AD DS passwords from the cloud, each user will require a Microsoft Entra ID P2 license so they can change their password via Microsoft’s self-service password reset solution.

    You can find the Entra ID Connect cloud sync agent installer within the Entra ID portal.

    Firstly, log in to the Entra ID portal (entra.microsoft.com).

    Secondly, open the ‘Entra Connect’ blade:

    Thirdly, open the ‘cloud sync’ blade:

    Fourth, select ‘New configuration’ under the Configurations blade, then select the ‘AD to Microsoft Entra ID sync’ direction:

    Finally, select ‘click here’ next to ‘For a list of active agents’, which will open a new menu where you can use the download option to get a copy of the agent installer:

    Further information on how to install an Entra ID Connect Cloud Sync agent is available here: https://learn.microsoft.com/en-us/entra/identity/hybrid/install

    Hope this helps and thanks for reading!

  • Microsoft Azure reservations (Reserved Instances) and how to use them


    Azure Reservation overview

    Azure Reservations, commonly referred to as Reserved Instances or RIs, are a cost-saving mechanism providing discounted compute pricing for eligible Azure resources.

    Reservations work by allowing you to commit to an Azure resource by purchasing a reservation for a term of one or three years, in exchange for a significant discount on the resource’s compute cost. When a reservation is purchased, you have the option to either pay for the term up front or spread the cost of the reservation monthly. If the intention is to keep the resource long-term, my recommendation would be to cover each resource in its entirety with an RI, as this will reduce the cost of the resource for its entire life span.

    Microsoft offer reservations for a number of services including:

    • Virtual Machines (VMs)
    • SQL Databases
    • Azure Cosmos DB
    • App Service plans
    • Storage capacity

    Azure reservation cost saving example

    This example is going to specifically focus on reservations for an Azure Virtual Machine (VM).

    For example (pricing correct at the time of writing), a standard D2 v3 VM SKU (2 vCPUs and 8 GB RAM) on a pay-as-you-go (PAYG) pricing model in the UK South region costs £61.30 per month, versus a monthly compute cost of £26.37 if you purchase a three-year reservation.

    But you of course have to purchase the reservation. So if we now include the cost of the required three-year reservation in the equation, assuming we pay for it monthly at £26.36, this VM SKU example could save £8.57 per month with a three-year commitment when compared to the standard PAYG pricing model.

    Please note, Azure reservations only apply to the compute cost of a VM, additional costs such as Operating System (OS) licensing, disks and networking are still billed separately.

    Azure reservation flexibility groups

    Every reservation available to purchase is a part of a specific flexibility group. Each reservation SKU within the same flexibility group can be used interchangeably for all of the different VM SKUs in the same flexibility group.

    However, each reservation has a ratio; this is essentially a limit which determines how much of the VM’s compute can actually be discounted.

    It helps to think of a reservation’s “ratio” as essentially a representation of the number of vCPUs which the reservation can cover across all VM SKUs within the same flexibility group.

    I’m going to use the “FSv2 Series” flexibility group as an example. The details of each reservation have been outlined in the below table:

    Flexibility Group   VM SKU               Ratio
    FSv2 Series         Standard_F2s_v2      2
    FSv2 Series         Standard_F4s_v2      4
    FSv2 Series         Standard_F8s_v2      8
    FSv2 Series         Standard_F16s_v2     16
    FSv2 Series         Standard_F32s_v2     32
    FSv2 Series         Standard_F48s_v2     48
    FSv2 Series         Standard_F64s_v2     64
    FSv2 Series         Standard_F72fs_v2    72
    FSv2 Series         Standard_F72s_v2     72

    All of the Azure ratio information is available from Microsoft in the CSV file here: https://aka.ms/isf

    In most scenarios a reservation SKU matches the VM’s SKU exactly; this means the VM’s cores and the reservation’s ratio match, so the RI will be utilised fully by the respective VM.

    However, there are various scenarios where you may want to utilise a different RI type from the VM SKU. For example, there may not be an RI that matches the VM’s SKU, or you may want to upgrade your VM and continue to use the RIs you have already purchased.

    If you are in this situation, you can purchase multiple reservations that add up to the total ratio required to cover the respective VM.

    For example, if you have a standard F16s v2 VM with 16 cores but you want to use F4s v2 reservations with a ratio of 4, you would need four of these reservations to cover the 16 cores provided by the F16s v2 VM SKU.

    As a reservation ratio essentially translates to cores, you can also work this out the opposite way. Let us assume you have ten F8s v2 reservations: each reservation has a ratio of 8, and you have 10 reservations in total, giving a total ratio of 80. This means you can deploy a combination of VMs with different SKUs (as long as they are in the same flexibility group): for example, ten F8s v2 VMs, twenty F4s v2 VMs, or five F8s v2 and ten F4s v2 VMs, and the entire compute cost will be discounted up to a maximum of 80 cores.

    Please note, if you have a mixture of VM and reservation SKUs which are all part of the same flexibility group, you may notice the VMs utilise different or even multiple reservations. This is perfectly normal, as Azure automatically applies the compute discount to a matching resource.

    Azure reservations and different Azure regions

    Reservations are also regional and cannot be used by a resource located in a different region. For example, if you have an F8s v2 VM located in UK South, this resource cannot use a reservation purchased for the West Europe region. However, reservations can be shared across resources in the same region, and they can also be shared across subscriptions if configured.
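    As an added example (not the post's own code), the ratio arithmetic from the flexibility group section and the regional rule above combined into one coverage check: ratios are pooled per region within the FSv2 Series group, and any shortfall or surplus is reported per region. The VM and reservation lists are constructed sample data; the ratio table is the one from the post.

```powershell
# Added example, not from the original post: does a set of reservations cover a set
# of VMs? Ratios are pooled per flexibility group and region, because a reservation
# never applies to a VM in another region. All VMs and reservations are constructed.
$group = 'FSv2 Series'
$ratio = @{   # VM SKU -> ratio (cores covered), from the FSv2 Series table above
    'Standard_F2s_v2'  = 2;  'Standard_F4s_v2'   = 4;  'Standard_F8s_v2'  = 8
    'Standard_F16s_v2' = 16; 'Standard_F32s_v2'  = 32; 'Standard_F48s_v2' = 48
    'Standard_F64s_v2' = 64; 'Standard_F72fs_v2' = 72; 'Standard_F72s_v2' = 72
}

function Get-ReservationCoverage {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Vms,          # @{ Sku; Region; Count }
        [Parameter(Mandatory)] [hashtable[]] $Reservations  # @{ Sku; Region; Quantity }
    )
    $required  = @{}   # region -> ratio needed by the VMs running there
    $purchased = @{}   # region -> ratio bought for that region
    foreach ($v in $Vms) {
        if (-not $ratio.ContainsKey($v.Sku)) { throw "$($v.Sku) is not in $group" }
        $required[$v.Region] = [int]$required[$v.Region] + $ratio[$v.Sku] * $v.Count
    }
    foreach ($r in $Reservations) {
        if (-not $ratio.ContainsKey($r.Sku)) { throw "$($r.Sku) is not in $group" }
        $purchased[$r.Region] = [int]$purchased[$r.Region] + $ratio[$r.Sku] * $r.Quantity
    }
    # Report per region; a shortfall in one region is never offset by surplus in another.
    foreach ($region in (@($required.Keys) + @($purchased.Keys) | Sort-Object -Unique)) {
        $need = [int]$required[$region]; $have = [int]$purchased[$region]
        [pscustomobject]@{
            Region         = $region
            RequiredRatio  = $need
            PurchasedRatio = $have
            UncoveredCores = [math]::Max(0, $need - $have)   # still billed at PAYG
            UnusedRatio    = [math]::Max(0, $have - $need)   # paid for but idle
        }
    }
}

# Constructed sample: the post's ten F8s v2 reservations in UK South, spent on
# five F8s v2 and ten F4s v2 VMs (80 cores), plus an F8s v2 VM in West Europe that
# only has a ratio-4 reservation in its own region, so half its cores stay at PAYG.
$vms = @(
    @{ Sku = 'Standard_F8s_v2'; Region = 'UK South';    Count = 5 }
    @{ Sku = 'Standard_F4s_v2'; Region = 'UK South';    Count = 10 }
    @{ Sku = 'Standard_F8s_v2'; Region = 'West Europe'; Count = 1 }
)
$reservations = @(
    @{ Sku = 'Standard_F8s_v2'; Region = 'UK South';    Quantity = 10 }
    @{ Sku = 'Standard_F4s_v2'; Region = 'West Europe'; Quantity = 1 }
)
Get-ReservationCoverage -Vms $vms -Reservations $reservations | Format-Table
```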

    Hope this helps and thanks for reading!

  • How to delete a Microsoft Entra ID tenant & caveats


    Article overview

    Hello and thank you for reading my first post!

    I have put this post together to outline some additional steps that I had to recently complete to successfully delete an Azure / Entra ID tenant. This situation arose following an acquisition which meant the tenant in question was redundant after the existing resources were migrated.

    I personally found that the additional steps required were not mentioned in the Microsoft Learn articles at the time, which under normal circumstances would guide you successfully through the deletion process.

    For reference, one of the resources I am referring to can be found here: https://learn.microsoft.com/en-us/entra/identity/users/directory-delete-howto.

    Microsoft Entra ID tenant deletion prerequisites

    Before being able to delete an Entra tenant, you will need to complete all of the prerequisites (as outlined in the above guide); once complete, they should all have a green status as shown in the below screenshot:

    This status page is available in the Entra Admin Centre (entra.microsoft.com).

    To note, it took around 120 days for the License-based subscriptions status to pass; this was due to the licenses in my tenant being provided by a third-party reseller. Please note, licenses provided by a reseller take longer to move through each stage of decommissioning before being removed from the tenant. This lengthy license decommissioning process essentially acts as a backstop, allowing plenty of time for the licenses to be re-added if needed before any data is purged, and in turn recovering the licensed features and data in the event of any licenses being removed by mistake.

    The blocker: Legacy Microsoft Partnerships

    However, although the prerequisites passed as shown above, I still could not delete the tenant in question. I kept receiving the below error, suggesting it was due to left-over Enterprise Applications:

    There were no Enterprise Applications left over; the only ones I could find via Microsoft Graph were ‘Microsoft Internal’ Enterprise Applications, but because of the error message I still ended up spending a chunk of time trying to remove these as per the guidance found here: https://learn.microsoft.com/en-gb/entra/identity/users/directory-delete-howto#remove-enterprise-apps-that-you-cant-delete. However, this did not achieve anything, as it turns out deleting ‘Microsoft Internal’ Enterprise Applications has been blocked by Microsoft (naturally).

    In the end I conceded and ended up raising a ticket with Microsoft Azure support.

    To my surprise, I was advised that the problem stopping me from deleting the tenant was simply due to some legacy Microsoft partnership relationships still being registered to the tenant, despite licenses being fully deleted at this stage and the error message above suggesting otherwise.

    So I got in touch with the three Microsoft partners and distributors in question and requested they remove the partner relationship. Once these had been removed, a few days later the Entra tenant could be deleted successfully.

    Summary

    So if you’re ever in a similar situation and can’t delete an Entra tenant, I would certainly recommend you check whether there are any legacy relationships left over. You can check these here: Microsoft 365 Admin Centre -> Settings -> Partner Relationships (https://admin.microsoft.com/#/partners).

    Hope this helps and thanks for reading!