Microsoft on Thursday announced a preview of remote authentications into Windows-based Azure virtual machines (VMs) using Azure AD credentials.
Apparently, this capability, in which IT pros use their normal “federated or managed” Azure AD credentials to gain VM access, has not been available previously. The preview, which requires setup, is currently limited to Azure VMs running the Windows Server 2019 Datacenter edition or Windows 10 version 1809 (or later) operating systems. It is available across all Azure regions, but is not available for Azure Government tenancies.
Conditional Access and RBAC Controls
The preview may help tighten up some IT security practices. IT pros have possibly resorted to sharing administrator account passwords for Azure VMs, which is not the best security practice, noted Alex Simons, corporate vice president of program management at the Microsoft Identity Division, in the announcement.
Also, local user accounts may have been created to access the VMs. However, they can be hard to track as IT personnel come and go, he noted.
The preview permits the use of Azure AD Conditional Access rules for added security. For instance, it’s possible to automatically check if a user is a noted sign-in risk before granting access to the VMs. The preview also lets organizations enforce multifactor authentication (MFA), where an additional credential check besides a password is used to verify a user’s identity.
Organizations can also restrict which personnel may access a VM using the Azure Role Based Access Control (RBAC) feature with the new preview, which also lets assigned VM access be set to expire.
The Azure AD access preview feature can be set up via a toggle option within the Azure Portal when creating a new Azure VM. It can also be set up using the Azure Cloud Shell solution, which is also the tool to use for “an existing Windows VM,” according to Microsoft’s documentation.
During the setup process, role assignments need to be made. Microsoft only permits two roles for Azure VM access under its RBAC policy. The Virtual Machine Administrator role has administrator privileges, while the Virtual Machine User role has “regular user privileges,” the documentation explained.
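The Cloud Shell path for an existing VM, as an added Azure CLI example (not Microsoft’s documentation script): it installs the AADLoginForWindows extension, then grants one of the two permitted roles scoped to that single VM rather than to the whole resource group, and lists the current assignments so stale access can be audited. The built-in role names the CLI expects are “Virtual Machine Administrator Login” and “Virtual Machine User Login”; the resource group, VM name and user principals are placeholders.

```shell
#!/usr/bin/env bash
# Added example: enable Azure AD login on an existing Windows VM and assign
# least-privilege RBAC. Resource names and principals below are placeholders.
set -euo pipefail

# Map the two permitted access levels to the built-in Azure role names.
role_for_level() {
  case "$1" in
    admin) echo "Virtual Machine Administrator Login" ;;
    user)  echo "Virtual Machine User Login" ;;
    *)     echo "unknown access level: $1" >&2; return 1 ;;
  esac
}

# Install the Azure AD login extension on an existing VM (safe to re-run).
enable_aad_login() {
  local rg="$1" vm="$2"
  az vm extension set --publisher Microsoft.Azure.ActiveDirectory \
    --name AADLoginForWindows --resource-group "$rg" --vm-name "$vm"
}

# Resolve the VM resource ID so a role assignment is scoped to one VM only.
vm_scope() {
  az vm show --resource-group "$1" --name "$2" --query id -o tsv
}

# Grant admin or user login on a single VM to a user principal name or object ID.
grant_vm_login() {
  local rg="$1" vm="$2" level="$3" principal="$4"
  local role scope
  role=$(role_for_level "$level")
  scope=$(vm_scope "$rg" "$vm")
  az role assignment create --role "$role" --assignee "$principal" --scope "$scope"
}

# List who currently holds a VM login role on the VM, to catch leftover access.
audit_vm_login() {
  local scope
  scope=$(vm_scope "$1" "$2")
  az role assignment list --scope "$scope" \
    --query "[?contains(roleDefinitionName,'Virtual Machine') && contains(roleDefinitionName,'Login')].{who:principalName,role:roleDefinitionName}" \
    -o table
}

# Only talk to Azure when explicitly asked, so the file can be sourced safely.
if [ "${AZ_APPLY:-0}" = "1" ]; then
  enable_aad_login myResourceGroup myWinVM
  grant_vm_login myResourceGroup myWinVM admin alice@contoso.example
  grant_vm_login myResourceGroup myWinVM user  bob@contoso.example
  audit_vm_login myResourceGroup myWinVM
fi
```

Run with `AZ_APPLY=1` after `az login` against a subscription where you hold Owner or User Access Administrator on the VM; both roles only take effect once the extension is installed.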
A Remote Desktop Protocol (RDP) connection is used to authenticate into the Azure VM. If an organization wants to enforce MFA for Azure VM access, then MFA has to be part of the Windows 10 RDP client authentication process. Currently, that is enabled only through Windows Hello, Microsoft’s biometric authentication scheme. Additionally, Windows 10 version 1809 or greater is required, per the documentation.
These RDP connections also need to be made using “Windows 10 PCs that are Azure AD joined or hybrid Azure AD joined to the same directory as the VM,” the documentation added.
A simpler process may arrive with the next Windows 10 feature update, known as “20H1.” A note in Microsoft’s documentation suggested as much, stating that:
Windows 10 20H1 will add support for Azure AD Registered PC to initiate remote desktop connection to your VM. Join the Windows Insider Program to try this out and explore new features of Windows 10.
Windows 10 version 20H1 is expected to arrive in the spring of 2020, possibly in the March/April timeframe.