Remote Desktop connection to an Entra ID-joined Windows Server with Entra ID credentials… quick and dirty

Connecting via Remote Desktop to an Entra ID-joined Windows machine, by using the Entra ID credentials, should be easy, right? It usually is… if you have covered all the prerequisites.

Multiple such guides are around, but none has listed all the steps needed (or I just haven’t found the right one) – I chose to follow this one, from my MVP colleague Tom Wechsler, available here.

Some points before we start:

In my case, all the required steps that allowed me to finally access my Entra ID-joined Windows (Server) machine in Azure via (publicly accessible) Remote Desktop (FOR DEMO PURPOSES), are the following:

Create an Entra ID-joined Windows virtual machine in Azure:

  • first, you will need to select a supported operating system (Windows 10/11, Windows Server Datacenter 2019/2022):
    • worked for me with both Windows Server 2019 Datacenter and Windows Server 2022 Datacenter

  • another thing needed during the creation of the machine itself is to select Login with Microsoft Entra ID under Management settings, so that your machine is automatically joined to Entra ID and has the extension installed (note that this option automatically creates the system-assigned managed identity as well; if not selected at the time of creation, it can also be added later, under the virtual machine’s Extensions):

Create a user that will connect to the virtual machine:

  • the easiest thing would be to create a fresh Entra ID user that will be used for connecting to this virtual machine (you can also use an existing user, but make sure it is not using MFA, which will prevent you from connecting) – my user will be called vmuser
  • sign in to the Azure portal with this new user if you need to change its password, or just to skip the MFA setup:

  • as the machine is Entra ID-joined, under the Access Control (IAM) settings of the virtual machine (in my case, temp-1), assign this user (vmuser) either the Virtual Machine User Login or the Virtual Machine Administrator Login role:

Connect to the virtual machine with a local admin account (created with the machine):

  • if you run the dsregcmd /status command, the following should be configured already:
    • AzureAdJoined: YES
    • AzureAdPrt: NO
    • IsDeviceJoined: YES
  • next, go to the System Properties – Remote Desktop settings and disable the Network Level Authentication option (enabled by default):

On the computer you will be connecting from (not Entra ID-joined):

  • next, download the RDP connection file from the portal:

  • and then edit the downloaded RDP file (with Notepad) – it should look like the below (more on the available options):
    • remove the line with the username (as it will be provided on connection)
    • add the following two lines:
      • enablecredsspsupport:i:0
      • authentication level:i:2

  • try connecting to the virtual machine now, by using the edited RDP file, username, and password of your Entra ID account:
    • for the username, make sure you are using the AzureAD\upn-or-email-address format (in my case, AzureAD\[email protected])

  • your connection should be working, and you will have either the user or admin permissions on the system (depending on the assigned Entra ID role):
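As an added example (not the author's files or scripts), a PowerShell helper that applies the RDP-file edits described above on the client and, when run on the VM itself, checks the three dsregcmd values the post lists; the file paths are assumptions.

```powershell
# Patch an Azure-portal RDP file for Entra ID sign-in and sanity-check the join state.
function Set-EntraRdpFile {
    param(
        [Parameter(Mandatory)][string]$Path,     # downloaded .rdp file
        [string]$OutPath = $Path                 # where to write the edited copy
    )
    $lines = Get-Content -LiteralPath $Path
    # Drop the pre-filled username (it is typed at connection time as AzureAD\<upn>)
    # and any existing values of the two settings we are about to set.
    $kept = @($lines | Where-Object {
        $_ -notmatch '^(username|enablecredsspsupport|authentication level):'
    })
    $kept += 'enablecredsspsupport:i:0'   # no CredSSP/NLA pre-authentication
    $kept += 'authentication level:i:2'   # warn, but still connect, if server auth fails
    # mstsc writes .rdp files as UTF-16 LE; keep the same encoding
    Set-Content -LiteralPath $OutPath -Value $kept -Encoding Unicode
    return $kept
}

# Run on the VM: confirm dsregcmd reports the state the post expects.
function Test-EntraJoinState {
    $expected = @{ AzureAdJoined = 'YES'; AzureAdPrt = 'NO'; IsDeviceJoined = 'YES' }
    $status = dsregcmd /status
    $result = @{}
    foreach ($line in $status) {
        # lines look like "      AzureAdJoined : YES"
        if ($line -match '^\s*(AzureAdJoined|AzureAdPrt|IsDeviceJoined)\s*:\s*(\S+)') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    foreach ($k in $expected.Keys) {
        $ok = $result[$k] -eq $expected[$k]
        '{0,-15} {1,-4} (expected {2}) {3}' -f $k, $result[$k], $expected[$k],
            $(if ($ok) { 'OK' } else { 'MISMATCH' })
    }
}

# Client side (paths are placeholders):
# Set-EntraRdpFile -Path "$env:USERPROFILE\Downloads\temp-1.rdp" `
#                  -OutPath "$env:USERPROFILE\Downloads\temp-1-entra.rdp"
# VM side:
# Test-EntraJoinState
```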

Hope this helps.

Cheers!

Fixing permissions for EC2 private key file

This time, I was playing around with AWS and created some EC2 instances.

When you are creating and working with your instances, you will need to take care of the authentication – you would usually import or create a new key pair and use the private key on your machine to connect via SSH to the EC2 instance in AWS. The whole process of creating a key pair and downloading the private key is pretty simple – on the page below, you select the name, type and format of your key pair and, once it is created, the private key is automatically downloaded to your PC:

Now you can create your instance and select the created key pair for authentication:

If you have your private key ready and the instance is up and accessible to you, you can use (for example) SSH to connect to it:

So… we have a challenge! Looks like our private key is not secured enough and others may have access to it!

If we look at the permissions, we can see that all of them are actually inherited… so, we’ll need to remove the inheritance/inherited permissions and give them only to the account that needs it:

And after some “tweaking”:

If we retry the connection, this happens:


Excellent!

And if you’re not a fan of clicking through the permissions dialog, here are scripts that can help you with this – they basically remove the inheritance and add full access permissions to the owner of the file (they need the path to your private key file as a parameter!):

  • the “PowerShell” flavour:

  • the “CMD” flavour:
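An added PowerShell example, not the author's GitHub script, doing what both flavours described above do: break inheritance, drop the inherited ACEs and leave FullControl for the file's owner only; the icacls line in the comment is the CMD equivalent.

```powershell
# Restrict an EC2 private key file to its owner so the SSH client stops
# complaining about an unprotected key file.
function Protect-PrivateKeyFile {
    param([Parameter(Mandatory)][string]$KeyPath)

    if (-not (Test-Path -LiteralPath $KeyPath -PathType Leaf)) {
        throw "Key file not found: $KeyPath"
    }
    $acl = Get-Acl -LiteralPath $KeyPath

    # $true  = stop inheriting from the parent folder
    # $false = do NOT copy the inherited ACEs onto the file as explicit ones
    $acl.SetAccessRuleProtection($true, $false)

    # Remove any explicit ACEs already present, so only the owner remains
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)
    }

    $owner = $acl.Owner   # e.g. DESKTOP\tomica (may be BUILTIN\Administrators if created elevated)
    $fullControl = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $owner, 'FullControl', 'Allow'
    $acl.AddAccessRule($fullControl)
    Set-Acl -LiteralPath $KeyPath -AclObject $acl

    # Re-read and return the effective ACEs so the result can be verified
    (Get-Acl -LiteralPath $KeyPath).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Undo (restore inheritance): SetAccessRuleProtection($false, $true) followed by
# Set-Acl puts the file back under the parent folder's inherited ACL.

# CMD equivalent for a key at %KEY%:
#   icacls "%KEY%" /inheritance:r /grant:r "%USERNAME%:F"

# Usage (path is a placeholder):
# Protect-PrivateKeyFile -KeyPath "$env:USERPROFILE\Downloads\my-ec2-key.pem"
```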

Hope it helps!

Cheers!

P.S. Scripts are also available at my GitHub (https://github.com/TomicaKaniski/toms-notes-code/).

P.P.S. There’s also a script that restores inheritance and inherited permissions… in case you… mess something up. 😀

Microsoft AZ-500 down, more to go

Another month, another Azure cert! 🙂

So, for the last couple of weeks, I was reading about, learning and playing around with Azure security technologies, mainly as a preparation for AZ-500 (Microsoft Azure Security Technologies) exam.

And then… today I took the exam and… PASSED!

I must say, with a few certificates under my belt, this exam was not the easiest I took. I was feeling prepared and still – passing it demanded concentration on the details and a bit of thinking! Nonetheless, it’s over now – one down, more to go!

Note that… by passing this exam, I’m not automatically an Azure security guru (!) – it just means that I know a thing or two about what Azure offers in terms of security and how it works. 🙂

What did I use to prepare?

There is a great book about Azure governance called Pro Azure Governance and Security, written by my MVP colleagues Peter De Tender, David Rendon and Samuel Erskine. Its purpose is not to be an exam prep guide, but to dive into the world of governance and security features available within Microsoft Azure (which are part of the exam, who would know).

There is also a great post, containing a bunch of helpful AZ-500 material from Stanislas Quastana, located here, and Thomas provided some useful links in his post here and even did a webinar on Azure Security Center (hosted by Altaro) the other day – you can find the recording here.

Of course, there is also the official exam page with skills measured and docs.com.

And… don’t forget to try things out yourself! There is also a free Azure subscription, you know?! 🙂

If you’ll be taking this exam – good luck, and I hope these resources help you!

Cheers!

Windows Firewall blocking pings

A short one this time… :)

Have you ever had an issue with Windows Firewall blocking your pings on a network using the Public profile, although the “File and Printer Sharing” exception is enabled for this profile?
(oh, yes, and don’t you dare to say that Windows Firewall should be disabled by default! :))

So, this is what I’m talking about:

As you see in the previous picture, the exception is enabled for both profiles (this PC is not domain-joined, but it would be the same with a domain-joined PC on a network which is using the Public profile). When I try to ping it, I’m getting the standard “Request timed out.” message. Why is that? Is this a feature or a bug?

Well, Iā€™ve deliberately left-out two things:

  • if I try to ping my machine from the same subnet, the ping is passing through
  • if I try to ping my machine from the different subnet (routing is all set and working OK, in case youā€™re wondering), the ping is not passing through

The security feature that enables this kind of behavior is set in Windows Firewall by default – by default, Windows Firewall allows ping (and other traffic) only from the Local subnet, for all networks that use the Public profile. Of course, you may want to change this in certain scenarios (and you can… easily).
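An added example (not from the original post) using the NetSecurity cmdlets available from Windows 8 / Server 2012 onward: it shows the remote-address scope of the built-in ICMPv4 echo rule (LocalSubnet on the Public profile) and, rather than widening that rule to Any, adds a separate rule for one trusted management subnet; the subnet 10.10.20.0/24 and the rule name are constructed.

```powershell
# Inspect why pings from another subnet are dropped on the Public profile, and
# open ICMP echo for exactly one remote subnet instead of for everyone.
function Get-PingRuleScope {
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Where-Object { $_.DisplayName -like '*Echo Request - ICMPv4-In*' } |
        ForEach-Object {
            # The address filter is a separate object linked to the rule
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                DisplayName   = $_.DisplayName
                Profile       = $_.Profile      # e.g. 'Private, Public' or 'Domain'
                Enabled       = $_.Enabled
                RemoteAddress = ($addr.RemoteAddress -join ', ')   # 'LocalSubnet' on Public
            }
        }
}

function Add-PingAllowRule {
    param(
        [Parameter(Mandatory)][string]$RemoteSubnet,   # e.g. '10.10.20.0/24' (constructed)
        [string]$DisplayName = 'Allow ICMPv4 Echo from management subnet (Public)'
    )
    # A dedicated rule keeps the default LocalSubnet restriction on the built-in
    # rule and leaves an obvious, auditable entry for what was opened and to whom.
    New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $RemoteSubnet -Profile Public
}

Get-PingRuleScope | Format-Table -AutoSize
# Add-PingAllowRule -RemoteSubnet '10.10.20.0/24'   # needs an elevated prompt
```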

This is yet another thing that should be kept in mind during troubleshooting, right? (hope it helps) :)

Have a great weekend!

Microsoft Security Essentials

The new FREE Microsoft antivirus has finally reached RTW (release to Web)!

The refined successor of the Windows Live OneCare security solution, which has been in beta for several months, can be downloaded from the official pages.

Since I have been using it on all my computers ever since I heard about it (that is, joined the testing), I would recommend it to everyone who needs protection from viruses/spyware.

As I have had only good experiences with this program so far (and with its predecessor), I think it is worth trying out to see whether it meets your wishes and needs as well…

Feel free to also have a look at the First look on the Ars Technica pages.