@jikuja
Created October 14, 2021 11:28
Azure VM, Azure Virtual Desktop, domain, auth with Azure AD accounts

AD DS

  • Password hashes are only generated after the AD DS managed domain has been created
  • Synchronized credential information in Azure AD can't be re-used if you later create a managed domain - you must reconfigure the password hash synchronization to store the password hashes again. Previously domain-joined VMs or users won't be able to authenticate immediately - Azure AD needs to generate and store the password hashes in the new managed domain.
  • Azure AD Connect vs Azure AD Connect Cloud Sync
  • https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#password-hash-sync-process-for-azure-ad-domain-services
  • The steps to generate and store these password hashes are different for cloud-only user accounts created in Azure AD versus user accounts that are synchronized from your on-premises directory using Azure AD Connect.
  • Scoped synchronization
    • By groups
  • Cipher selection
    • What is needed for VM or AVD?
  • Pricing
    • TODO
  • Only one Azure AD DS per directory
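The bullets above say the hashes for synchronized (on-premises) users have to be regenerated after the managed domain exists. The following is an added example, not code from the gist, showing the Azure AD Connect side of that: it forces a full password hash sync so the NTLM and Kerberos hashes Azure AD DS needs get stored. It assumes Azure AD Connect is installed on the machine it runs on and that the two connector names (placeholders below) are replaced with the case-sensitive names shown in Synchronization Service Manager.

```powershell
# Added example (not from the gist): force a full password hash sync from
# Azure AD Connect after creating an Azure AD DS managed domain, so that the
# password hashes the managed domain needs are (re)generated and stored.
# Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"

# Placeholders: copy the exact, case-sensitive names from Synchronization Service Manager.
$adConnector      = "<CASE SENSITIVE AD DS CONNECTOR NAME>"
$azureAdConnector = "<CASE SENSITIVE AZURE AD CONNECTOR NAME>"

# Flag the on-premises AD connector for a full password sync on the next cycle.
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Disabling and re-enabling password hash sync makes the full sync start immediately.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureAdConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureAdConnector -Enable $true

# Check: password hash sync should report as enabled again for this connector.
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
```

This only helps users synchronized from on-premises AD. For cloud-only Azure AD users the hashes are generated when the user next changes (or has reset) their password after the managed domain exists, which is why previously working users can't sign in to the new domain right away.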

Network

Azure VM

  • To secure remote access to virtual machines (VMs) that run in an Azure Active Directory Domain Services (Azure AD DS) managed domain, you can use Remote Desktop Services (RDS) and Network Policy Server (NPS).
    • RD Connection Broker server, RD Web Access server, and RD Gateway server.
    • RD Session Host server.
  • Bastion host
    • Works on one Vnet only
    • 117 - 178 € / month + 0.0734 € / outbound gigabyte
  • JIT

Azure VM with Azure login

Not feasible:

When logging in with correct credentials from OS X (fails because the client is not authorized, i.e. not Azure AD joined):

Unable to connect We couldn't connect to the remote PC because your credentials did not work. The remote machine is AAD joined. If you are using your work account you must disable Network Level Authentication on the remote machine. If you are using a local account, verify your username and password. Error code: 0x2607

Azure VM with Azure AD DS

  • AD join is an OS setting on the VM
  • Azure AD DS must exist on the same VNet, or VNet peering must exist. The domain must be resolvable through the VNet's DNS servers
  • Adding Admins, Users and RDP Users from Azure AD still has to be handled manually on the VM
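As an added example (not from the gist), the check a practitioner would want before the domain join above: from inside the Azure VM, confirm that the VNet DNS resolves the managed domain's DC locator record and that the domain controllers are reachable on the ports the join needs, then join. The domain name is a placeholder; the account used must belong to the managed domain (for example a member of the AAD DC Administrators group whose password hash has already been synced).

```powershell
# Added example (not from the gist): verify that the Azure AD DS managed domain
# is reachable through the VNet DNS before joining this VM to it.
$Domain = "aaddscontoso.com"   # placeholder managed domain name

function Test-ManagedDomainReachability {
    param([Parameter(Mandatory)][string]$Domain)

    $ok = $true

    # 1. The VNet DNS must resolve the DC locator SRV record of the managed domain.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) {
        Write-Warning "No SRV record for _ldap._tcp.dc._msdcs.$Domain: the VNet DNS does not point at the Azure AD DS DNS servers, or the peering is missing."
        return $false
    }
    $dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique

    # 2. Every DC must answer on the ports a domain join uses (Kerberos, LDAP, SMB).
    foreach ($dc in $dcs) {
        foreach ($port in 88, 389, 445) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            if (-not $r.TcpTestSucceeded) {
                Write-Warning "$dc port $port unreachable: check NSG rules and VNet peering."
                $ok = $false
            }
        }
    }
    return $ok
}

if (Test-ManagedDomainReachability -Domain $Domain) {
    # Prompts for an account in the managed domain that is allowed to join computers.
    $cred = Get-Credential -Message "Account in $Domain allowed to join computers"
    Add-Computer -DomainName $Domain -Credential $cred -Restart
}
```

After the reboot the last bullet still applies: RDP and admin rights are not granted by the join itself, so domain users or groups have to be added to the VM's local groups, for example with Add-LocalGroupMember -Group 'Remote Desktop Users' -Member "<DOMAIN>\<group>".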

Azure Virtual Desktop

  • License requirement
    • Windows 10 Enterprise multi-session or Windows 10 Enterprise: Microsoft 365 E3, E5, A3, A5, F3, Business Premium; Windows E3, E5, A3, A5
    • Windows Server 2012 R2, 2016, 2019: RDS Client Access License (CAL) with Software Assurance
  • A Windows Server Active Directory in sync with Azure Active Directory. You can configure this using Azure AD Connect (for hybrid organizations) or Azure AD Domain Services (for hybrid or cloud organizations).
    • A Windows Server AD in sync with Azure Active Directory. User is sourced from Windows Server AD and the Azure Virtual Desktop VM is joined to Azure AD Domain Services domain.
    • An Azure AD Domain Services domain. User is sourced from Azure Active Directory, and the Azure Virtual Desktop VM is joined to Azure AD Domain Services domain.
  • The user must be sourced from the same Active Directory that's connected to Azure AD. Azure Virtual Desktop does not support B2B or MSA accounts.
  • The Azure virtual machines you create for Azure Virtual Desktop must be:
    • Standard domain-joined or Hybrid AD-joined. Azure AD-joined virtual machines are available in preview.
  • https://docs.microsoft.com/en-us/azure/virtual-desktop/overview#supported-virtual-machine-os-images