Project: Certificate Expiry Notification Tool

Application screenshot
Certificate Expiry Notification Tool main screen

I’ve always hated having to set calendar reminders whenever an SSL certificate or Azure AD App Registration certificate expired. What if you forget to set the reminder? What if you’re off sick and miss it? In most cases missing it means disruption of service for a while, but in some cases – for example some of the Apple certificates/tokens used when managing Apple devices in Intune – missing the renewal means you need to re-enroll all your devices. If you’ve restricted profile removal then you’ll have to factory reset them all too.

I had an idea a while ago for a system to track these, and send reminders, and recently I’ve been working on a system to do just this. There’s many different ways I could have gone about this – PowerShell script, or maybe something in PowerApps/Flow, but I wanted a nice web interface, and my weapon of choice for web development is PHP. 

This project will show you a list of certificates and secrets, along with their expiry date and a status indicator (Expired/Warning/Okay). It will automatically pull any Azure AD App Registrations secrets and certificates, and the Intune Apple VPP tokens, Push Notification and Enrollment Program tokens from the Microsoft Graph API. Email alerts can be configured, which will also use the Graph API to send the mail. Continue reading “Project: Certificate Expiry Notification Tool”

Azure AD and Windows Hello: SSO to on-premise resources

One of the main reasons people might choose a hybrid Azure AD joined configuration for their devices is that they still want to be able to access on-premises resources, for example a file server, or printers. In my opinion, hybrid join should be avoided and it is usually worth the extra work required on the infrastructure to support your devices being Azure AD joined and having no relationship to the AD domain.

In this post I’ll look at how SSO to on-premise resources actually works, when you are logged on to an Azure AD joined device, with a user account which is synced from your on-premise AD. I’ll also look at how you can configure this so that users logging on using Windows Hello for Business can also SSO. Continue reading “Azure AD and Windows Hello: SSO to on-premise resources”

PHP: Implement Azure AD login to your site

A while ago I wrote some code to enable one of my PHP projects to log in via authentication with ADFS. I’ve recently updated this to talk directly with Azure AD, and have split this off into a separate project which I’ll share here.

Basically this works using oAuth2, browser sessions, a database and a couple of scripts, and on the Azure AD side you need to create an App Registration. Within this sample project the following flow happens:

  • User lands on index.php. If they do not have a session key cookie, one is generated, and this is stored in the database along with the page the user was attempting to access. They are redirected to login.microsoftonline.com to authenticate.
  • If you allowed authentication from any tenant, and used the common endpoint (rather than your specific tenant ID), the user may be asked to allow your app to access their account. If they are on their home tenancy, you will have already approved this for all users.
  • The user is redirected to the oauth.php file, where a background request is made back to login.microsoftonline.com to obtain a token. Once this has been successful, the user is redirected back to their original destination.
  • If the user lands on index.php and their session key cookie already exists, and exists in the database, and has not expired, they will be allocated that token’s data.
  • If the user lands on index.php with a session key cookie, but it is going to expire in the next 10 minutes, we will perform a refresh request in the background.
  • If the user lands on index.php with a session key cookie, but it’s expired, they are redirected back to login.microsoftonline.com – which may automatically log them back in, or may prompt, depending on their settings.

Continue reading “PHP: Implement Azure AD login to your site”

Azure Cloud Shell

Azure Cloud Shell is a great feature which gives you a PowerShell (or Bash) window in the browser. Whilst you can’t access on-premise resources from the shell you can manage anything cloud based. By default there’s a huge selection of Azure modules loaded, plus things like Teams.

There’s no specific licensing for using the Cloud Shell – however you will need an Azure subscription and a storage account. This is required for it to store any settings, plus you can store your own scripts in this storage if you like.

The Cloud Shell is available from some of the admin portals, including:

  • Azure Portal
  • Office 365 Admin Centre
  • Exchange Admin Centre (new version)

Continue reading “Azure Cloud Shell”

Azure: Conditional Access and MFA

Multi-factor authentication is a must in this day and age, with phishing techniques becoming more and more sophisticated and more difficult to detect/block. Azure MFA can be used to secure your Office 365 workload (and, if you’re using it as the authentication method for other services, they can be secured too).

MFA is available in all of the levels of Azure AD licensing however it’s most powerful when combined with Conditional Access, which requires Azure AD Premium P1 or P2. In this post I’m going to run through a few of the different rules I’ve set up on various tenancies. Continue reading “Azure: Conditional Access and MFA”

Azure AD password protection

Users are prevented from picking commonly used passwords

Azure AD Password Protection is part of Azure Active Directory and helps prevent users from picking poor/easily guessable/compromised passwords. Microsoft maintain a “global banned passwords” list which stores passwords which are “deemed too common”. Obviously this list is not published, but by using Azure AD Password Protection you can have password changes run against it for both cloud and on-premises users. You can also create a custom banned password list, of up to 1000 entries, containing easily guessable things about your organisation, e.g. product names.

When a password change is processed, the service will “normalise” the password (which in essence would be taking it to lower case, swapping out any common substitutions, e.g. Pa$$w0rd -> password), and then checking the resulting string against the banned password lists. If it matches the user will get an error telling them to pick something more difficult to guess.

The only thing I don’t like about this at the moment – and hopefully is something that will be worked on in a future update – is that it’s all or nothing. At work we give staff a much more strict password policy than pupils, so it would be nice to be able to do the same here.

Continue reading “Azure AD password protection”

Backing up my Azure workload to Azure

AzureI’ve looked at using Azure to back up on-premise workloads in a couple of posts now (Azure Backup for smaller loads, and Azure Backup Server for things like a Hyper-V cluster), so I think it’s time I looked at backing up workloads that are already running from Azure. I’m going to look at backing up Virtual Machines and storage accounts – there’s not much more I store in Azure that would need backing up.

I’m going to take a quick look at the options for storage accounts, virtual machines and databases.

Continue reading “Backing up my Azure workload to Azure”

Azure AD Application Proxy

My test application – an internal IIS test page with anonymous access disabled – working through Azure AD App Proxy

Azure AD Application Proxy is a really neat tool for publishing internal applications without exposing your servers to the Internet. If your applications require authentication for users to access them you can get Azure to handle all this for you, and it supports single sign on. Alternatively if you’ve got an old or obscure application that can’t cope with Azure SSO you can configure it to use passthrough authentication, where the internal application remains responsible for this task.

You can use Conditional Access to restrict and secure access to your application, such as enforcing MFA, or only permitting access from specific devices or locations. The way the proxy works does not require you to open any inbound ports through your firewall – the proxy connector simply connects outbound to Azure and all traffic is routed through that connection.

You’ll need Azure AD Premium P1 or P2 for this to work. There’s been some talk of it working on the Office 365 Basic level of Azure AD however it’s not listed as supported, and I’d expect that this may be an educational SKU specific exception case.

Continue reading “Azure AD Application Proxy”

WAC: Azure Backup

If you’ve connected Windows Admin Centre to Azure you’ll find a section called Azure Backup. This will allow you to back up your on-site workloads to Azure using the Microsoft Azure Recovery Services agent. It’s ideal for backing up physical servers or individual virtual machines, however if you’re after backing up all the guests on your Hyper-V host you’re better off looking into Azure Backup Server, which runs on the host rather than the guest.

In this post I’m going to look at configuring and backing up a server through Windows Admin Centre, and then at how to recover the data – both for a partial failure (such as some files being deleted but the server still boots) and a total failure.

Continue reading “WAC: Azure Backup”

Windows Admin Centre

Stop using Server Manager and get WAC!

Windows Admin Centre is a web based server (and desktop) administration package which, eventually, should replace the majority of the work currently done through MMC consoles and snap-ins. If you’ve ever opened Server Manager on a Windows 2019 machine you’ll have seen the popup telling you to “Go get Windows Admin Centre!”. Whilst it’s not there yet, it is constantly being updated and improved and I find it really useful.

It’s a lot more than just managing a couple of systems – when I set up our hyperconverged Hyper-V cluster I primarily did this from within WAC (post to follow on this if I get chance to write it up) – and it integrates nicely with a lot of Azure services (including any Azure VMs you might have)

Continue reading “Windows Admin Centre”