A while ago I wrote some code to enable one of my PHP projects to log in via authentication with ADFS. I’ve recently updated this to talk directly with Azure AD, and have split this off into a separate project which I’ll share here.
Basically this works using OAuth2, browser sessions, a database and a couple of scripts, and on the Azure AD side you need to create an App Registration. Within this sample project the following flow happens:
User lands on index.php. If they do not have a session key cookie, one is generated, and this is stored in the database along with the page the user was attempting to access. They are redirected to login.microsoftonline.com to authenticate.
If you allowed authentication from any tenant, and used the common endpoint (rather than your specific tenant ID), the user may be asked to allow your app to access their account. If they are on their home tenancy, you will have already approved this for all users.
The user is redirected to the oauth.php file, where a background request is made back to login.microsoftonline.com to obtain a token. Once this has been successful, the user is redirected back to their original destination.
If the user lands on index.php and their session key cookie already exists, and exists in the database, and has not expired, they will be allocated that token’s data.
If the user lands on index.php with a session key cookie, but it is going to expire in the next 10 minutes, we will perform a refresh request in the background.
If the user lands on index.php with a session key cookie, but it’s expired, they are redirected back to login.microsoftonline.com – which may automatically log them back in, or may prompt, depending on their settings.
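The index.php decision logic described above, as an added example that is not the project's own code: an in-memory array stands in for the database table, the session key is generated with a cryptographic RNG, and (an assumption, not stated in the post) the session key is passed as the OAuth2 `state` value so the callback can be matched to the row created before the redirect. The function and constant names are invented for the example.

```php
<?php
declare(strict_types=1);

const REFRESH_WINDOW = 600; // refresh in the background if the token expires within 10 minutes

// Unguessable session key for the cookie and the database row (32 random bytes, hex-encoded).
function newSessionKey(): string {
    return bin2hex(random_bytes(32));
}

// Authorize URL for the v2.0 endpoint; $tenant is 'common' or a specific tenant ID.
// $state carries the session key (assumption) so oauth.php can look up the stored return page.
function authorizeUrl(string $tenant, string $clientId, string $redirectUri, string $state): string {
    $query = http_build_query([
        'client_id'     => $clientId,
        'response_type' => 'code',
        'redirect_uri'  => $redirectUri,
        'response_mode' => 'query',
        'scope'         => 'openid profile offline_access',
        'state'         => $state,
    ]);
    return "https://login.microsoftonline.com/{$tenant}/oauth2/v2.0/authorize?{$query}";
}

// What index.php should do for a request: 'login' (no cookie, unknown key, or expired),
// 'refresh' (valid but expiring within REFRESH_WINDOW), or 'ok' (use the stored token data).
function sessionAction(?string $cookie, array $sessions, int $now): string {
    if ($cookie === null || !isset($sessions[$cookie])) {
        return 'login';
    }
    $expires = $sessions[$cookie]['expires'];
    if ($expires <= $now) {
        return 'login';
    }
    if ($expires - $now < REFRESH_WINDOW) {
        return 'refresh';
    }
    return 'ok';
}

// Constructed sample rows relative to a fixed "now": fresh, expiring in 5 minutes, expired.
$now = 1700000000;
$sessions = [
    'aaaa' => ['expires' => $now + 3600, 'page' => '/report.php'],
    'bbbb' => ['expires' => $now + 300,  'page' => '/index.php'],
    'cccc' => ['expires' => $now - 60,   'page' => '/index.php'],
];
foreach ([null, 'aaaa', 'bbbb', 'cccc', 'zzzz'] as $cookie) {
    printf("%-5s => %s\n", $cookie ?? 'none', sessionAction($cookie, $sessions, $now));
}
echo authorizeUrl('common', 'CLIENT_ID_PLACEHOLDER', 'https://example.invalid/oauth.php', newSessionKey()), "\n";
```

A session row is only created for keys this script generated itself, so an arbitrary cookie value sent by the client ('zzzz' above) falls through to a fresh login rather than being trusted.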
Azure Cloud Shell is a great feature which gives you a PowerShell (or Bash) window in the browser. Whilst you can’t access on-premise resources from the shell you can manage anything cloud based. By default there’s a huge selection of Azure modules loaded, plus things like Teams.
There’s no specific licensing for using the Cloud Shell – however you will need an Azure subscription and a storage account. This is required for it to store any settings, plus you can store your own scripts in this storage if you like.
The Cloud Shell is available from some of the admin portals, including:
Multi-factor authentication is a must in this day and age, with phishing techniques becoming more and more sophisticated and more difficult to detect/block. Azure MFA can be used to secure your Office 365 workload (and, if you’re using it as the authentication method for other services, they can be secured too).
MFA is available in all of the levels of Azure AD licensing, however it’s most powerful when combined with Conditional Access, which requires Azure AD Premium P1 or P2. In this post I’m going to run through a few of the different rules I’ve set up on various tenancies.
Azure AD Password Protection is part of Azure Active Directory and helps prevent users from picking poor/easily guessable/compromised passwords. Microsoft maintain a “global banned passwords” list which stores passwords which are “deemed too common”. Obviously this list is not published, but by using Azure AD Password Protection you can have password changes run against it for both cloud and on-premises users. You can also create a custom banned password list, of up to 1000 entries, containing easily guessable things about your organisation, e.g. product names.
When a password change is processed, the service will “normalise” the password (which in essence means taking it to lower case and swapping out any common substitutions, e.g. Pa$$w0rd -> password), and then check the resulting string against the banned password lists. If it matches, the user will get an error telling them to pick something more difficult to guess.
The only thing I don’t like about this at the moment – and hopefully something that will be worked on in a future update – is that it’s all or nothing. At work we give staff a much stricter password policy than pupils, so it would be nice to be able to do the same here.
I’ve looked at using Azure to back up on-premise workloads in a couple of posts now (Azure Backup for smaller loads, and Azure Backup Server for things like a Hyper-V cluster), so I think it’s time I looked at backing up workloads that are already running from Azure. I’m going to look at backing up Virtual Machines and storage accounts – there’s not much more I store in Azure that would need backing up.
I’m going to take a quick look at the options for storage accounts, virtual machines and databases.
Azure AD Application Proxy is a really neat tool for publishing internal applications without exposing your servers to the Internet. If your applications require authentication for users to access them you can get Azure to handle all this for you, and it supports single sign on. Alternatively if you’ve got an old or obscure application that can’t cope with Azure SSO you can configure it to use passthrough authentication, where the internal application remains responsible for this task.
You can use Conditional Access to restrict and secure access to your application, such as enforcing MFA, or only permitting access from specific devices or locations. The way the proxy works does not require you to open any inbound ports through your firewall – the proxy connector simply connects outbound to Azure and all traffic is routed through that connection.
You’ll need Azure AD Premium P1 or P2 for this to work. There’s been some talk of it working on the Office 365 Basic level of Azure AD however it’s not listed as supported, and I’d expect that this may be an educational SKU specific exception case.
If you’ve connected Windows Admin Centre to Azure you’ll find a section called Azure Backup. This will allow you to back up your on-site workloads to Azure using the Microsoft Azure Recovery Services agent. It’s ideal for backing up physical servers or individual virtual machines, however if you’re after backing up all the guests on your Hyper-V host you’re better off looking into Azure Backup Server, which runs on the host rather than the guest.
In this post I’m going to look at configuring and backing up a server through Windows Admin Centre, and then at how to recover the data – both for a partial failure (such as some files being deleted but the server still boots) and a total failure.
Windows Admin Centre is a web based server (and desktop) administration package which, eventually, should replace the majority of the work currently done through MMC consoles and snap-ins. If you’ve ever opened Server Manager on a Windows 2019 machine you’ll have seen the popup telling you to “Go get Windows Admin Centre!”. Whilst it’s not there yet, it is constantly being updated and improved and I find it really useful.
It’s a lot more than just managing a couple of systems – when I set up our hyperconverged Hyper-V cluster I primarily did this from within WAC (post to follow on this if I get chance to write it up) – and it integrates nicely with a lot of Azure services (including any Azure VMs you might have).
Universal Print is the new way to cloud print from your devices. It replaces Hybrid Cloud Print and is a lot easier to set up and manage. You’ll need your devices to be connected to Azure AD (either domain joined or hybrid joined, or registered).
It’s included in the following subscriptions:
Microsoft 365 Business Premium
Microsoft 365 Enterprise F3/E3/E5
Windows 10 Enterprise E3/E5
Microsoft 365 Education A3/A5
Windows 10 Education A3/A5
There’s also a stand-alone licence but this requires (but does not include) Azure AD.
Hybrid Cloud Print is a solution to allow users to print to on-premise printers from their devices without needing to be on site or even have VPN connectivity – they just need Internet access. It is however fairly complicated to set up and requires multiple app registrations in Azure, and an Application Proxy server setting up. In this post I go through the steps on how to set it up and print from an Intune managed device.
Hybrid Cloud Print is being replaced with Universal Print, which is a lot easier to set up and manage – no messing with SQLite and it has a portal in Azure, however it’s only currently available in preview to people with specific existing subscriptions. I’ve also gone through setting up Universal Print.