Azure: Conditional Access and MFA

Multi-factor authentication is a must in this day and age, with phishing techniques becoming more and more sophisticated and more difficult to detect/block. Azure MFA can be used to secure your Office 365 workload (and, if you’re using it as the authentication method for other services, they can be secured too).

MFA is available in all of the levels of Azure AD licensing however it’s most powerful when combined with Conditional Access, which requires Azure AD Premium P1 or P2. In this post I’m going to run through a few of the different rules I’ve set up on various tenancies. Continue reading “Azure: Conditional Access and MFA”

Azure AD password protection

Users are prevented from picking commonly used passwords

Azure AD Password Protection is part of Azure Active Directory and helps prevent users from picking poor/easily guessable/compromised passwords. Microsoft maintain a “global banned passwords” list which stores passwords which are “deemed too common”. Obviously this list is not published, but by using Azure AD Password Protection you can have password changes run against it for both cloud and on-premises users. You can also create a custom banned password list, of up to 1000 entries, containing easily guessable things about your organisation, e.g. product names.

When a password change is processed, the service will “normalise” the password (which in essence would be taking it to lower case, swapping out any common substitutions, e.g. Pa$$w0rd -> password), and then checking the resulting string against the banned password lists. If it matches the user will get an error telling them to pick something more difficult to guess.

The only thing I don’t like about this at the moment – and hopefully is something that will be worked on in a future update – is that it’s all or nothing. At work we give staff a much more strict password policy than pupils, so it would be nice to be able to do the same here.

Continue reading “Azure AD password protection”

Backing up my Azure workload to Azure

AzureI’ve looked at using Azure to back up on-premise workloads in a couple of posts now (Azure Backup for smaller loads, and Azure Backup Server for things like a Hyper-V cluster), so I think it’s time I looked at backing up workloads that are already running from Azure. I’m going to look at backing up Virtual Machines and storage accounts – there’s not much more I store in Azure that would need backing up.

I’m going to take a quick look at the options for storage accounts, virtual machines and databases.

Continue reading “Backing up my Azure workload to Azure”

Azure AD Application Proxy

My test application – an internal IIS test page with anonymous access disabled – working through Azure AD App Proxy

Azure AD Application Proxy is a really neat tool for publishing internal applications without exposing your servers to the Internet. If your applications require authentication for users to access them you can get Azure to handle all this for you, and it supports single sign on. Alternatively if you’ve got an old or obscure application that can’t cope with Azure SSO you can configure it to use passthrough authentication, where the internal application remains responsible for this task.

You can use Conditional Access to restrict and secure access to your application, such as enforcing MFA, or only permitting access from specific devices or locations. The way the proxy works does not require you to open any inbound ports through your firewall – the proxy connector simply connects outbound to Azure and all traffic is routed through that connection.

You’ll need Azure AD Premium P1 or P2 for this to work. There’s been some talk of it working on the Office 365 Basic level of Azure AD however it’s not listed as supported, and I’d expect that this may be an educational SKU specific exception case.

Continue reading “Azure AD Application Proxy”

WAC: Azure Backup

If you’ve connected Windows Admin Centre to Azure you’ll find a section called Azure Backup. This will allow you to back up your on-site workloads to Azure using the Microsoft Azure Recovery Services agent. It’s ideal for backing up physical servers or individual virtual machines, however if you’re after backing up all the guests on your Hyper-V host you’re better off looking into Azure Backup Server, which runs on the host rather than the guest.

In this post I’m going to look at configuring and backing up a server through Windows Admin Centre, and then at how to recover the data – both for a partial failure (such as some files being deleted but the server still boots) and a total failure.

Continue reading “WAC: Azure Backup”

Windows Admin Centre

Stop using Server Manager and get WAC!

Windows Admin Centre is a web based server (and desktop) administration package which, eventually, should replace the majority of the work currently done through MMC consoles and snap-ins. If you’ve ever opened Server Manager on a Windows 2019 machine you’ll have seen the popup telling you to “Go get Windows Admin Centre!”. Whilst it’s not there yet, it is constantly being updated and improved and I find it really useful.

It’s a lot more than just managing a couple of systems – when I set up our hyperconverged Hyper-V cluster I primarily did this from within WAC (post to follow on this if I get chance to write it up) – and it integrates nicely with a lot of Azure services (including any Azure VMs you might have)

Continue reading “Windows Admin Centre”

Universal Print

Universal Print is the new way to cloud print from your devices. It replaces Hybrid Cloud Print and is a lot easier to set up and manage. You’ll need your devices to be connected to Azure AD (either domain joined or hybrid joined, or registered).

It’s included in the following subscriptions:

  • Microsoft 365 Business Premium
  • Microsoft 365 Enterprise F3/E3/E5
  • Windows 10 Enterprise E3/E5
  • Microsoft 365 Education A3/A5
  • Windows 10 Education A3/A5

There’s also a stand-alone licence but this requires (but does not include) Azure AD.

Continue reading “Universal Print”

Hybrid Cloud Print

Hybrid Cloud Print is a solution to allow users to print to on-premise printers from their devices without needing to be on site or even have VPN connectivity – they just need Internet access. It is however fairly complicated to set up and requires multiple app registrations in Azure, and an Application Proxy server setting up. In this post I go through the steps on how to set it up and print from an Intune managed device.

Hybrid Cloud Print is being replaced with Universal Print, which is a lot easier to set up and manage – no messing with SQLite and it has a portal in Azure, however it’s only currently available in preview to people with specific existing subscriptions. I’ve also gone through setting up Universal Print.

Continue reading “Hybrid Cloud Print”

Azure Backup Server – protecting our Hyper-V workload

The Azure Backup Server console showing jobs in progress

We recently migrated our VMWare 3-node plus SAN cluster to a 2-node hyperconverged Hyper-V setup, and after reviewing a few options for backing the thing up I decided on Azure Backup Server.

Our previous setup involved Veeam doing the local backups, then Cloudberry transferring all this into an Azure storage account periodically. I like this setup but want to simplify it (and save money). Best thing here is Azure Backup Server is essentially free – you’re just paying for the data transfer and storage costs in Azure – which I am already paying for – and a fixed fee per item. It will do local backups, i.e. Disk-to-disk, but also allow you to back up to Azure (hence the name), i.e. Disk-to-disk-to-cloud. Perfect.

Continue reading “Azure Backup Server – protecting our Hyper-V workload”