Azure Archives - Page 2 Of 2 - Device Management Blog

Basic Authentication Microsoft 365 Apps for Enterprise | Office 365 | Azure AD

In this article, I will explain how to identify users using Basic Authentication Microsoft 365 apps in your organization. What is Basic Authentication and why do we need to disable basic authentication? More details about Azure AD authentication is explained in the post.

Identify Clients Using Basic Authentication ( O365 )

Basic Authentication based on where credentials are the base64 encoding of id and password joined by a single colon: is similar like a username and password is provided every time for a request made by the client, that means the client will pass the user name and password with every request which makes easier for attackers to get the user’s credential and it is pron to Password spray attack because it uses a simple HTTP login method to get authenticated.

This is how the login looks like, very familiar right?

Basic Authentication Microsoft 365 Apps for Enterprise

How to Identify users using Basic Authentication Against Microsoft 365 services! yes, this is something interesting to check who and all are connecting to Microsoft 365 resource using basic authentication.

How to Identify Application using Basic authentication using Azure Sign Logs

Let’s use Azure ad sign Logs, what azure sign logs yes you heard it correct, you can use Azure ad sign-in Report to understand basic auth usage in your tenant. Let me explain this is steps.

Step 1: Sign in to the Azure AD portal, you can use the new portal https://aad.portal.azure.com, scroll down and you can see Sign-ins under Monitor

Step 2: In the sign-in page, you can see Add filters option on the right page > Client app

Step 3: Once the Client app is selected it will show none selected > tap on that this will provide a drop-down with the list of client apps and segregated as Modern Authentication Clients and Legacy authentication Clients. Select all the applications under legacy authentication clients.

You can select on one of the records to see which Client app is being user in my example Mapi Over HTTP

You can see all the Client apps using basic authentication > Tap on Download to so you will get the report handy. You should make sure you had selected the client app in the columns to display the app details in the report.

Basic Authentication Microsoft 365 Apps for Enterprise | Office 365 | Azure AD 13

Download Azure Signing Logs to Excel in JSON or CSV format

To download the sign-ins to JSON or CSV format, click on the Download button at the top of the Sign-ins page. If you filter the sign-ins by certain client apps, your download will be based on the filter selections you’ve made.

We recommend downloading to JSON because this format includes all the sign-in details, including user agent. The CSV format will only show the top-level information in each row of the sign-in logs.

Basic Authentication Microsoft 365 Apps for Enterprise | Office 365 | Azure AD 2 — Basic Authentication Microsoft 365 Apps for Enterprise | Office 365 | Azure AD 14

Using the Microsoft Graph API to get sign-ins

If you need to download more than 250,000 sign-in records, you can do so using the audit logs API in Microsoft Graph. you can use the below queries to collect the logs from Microsoft Graph.

GET tenant user activities GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits
GET tenant user sign-ins GET https://graph.microsoft.com/v1.0/auditLogs/signIns

Resources

Intune WUfB Feature Update Policy to Upgrade Windows 10 version 20H2

RDP of Azure AD Joined Device MS-Organization-P2P-Access Certificate

How to Take RDP of Azure AD Joined Device | Azure VM

Let’s check how to Take the RDP of Azure AD Joined Azure VM (Virtual Machine). Use your corporate Active Directory credentials to log in to the VM, enforce MFA, and enable access via RBAC roles. More details are available in RDP Of Azure AD Joined Device MS-Organization-P2P-Access Certificate – HTMD Blog #2 (howtomanagedevices.com)

NOTE! – The option to log in with Azure AD credentials is only supported for Server 2019 Datacenter edition or Windows 10 1809 and later.

You need to enable the RDP settings on Azure VM or Windows physical devices. You can open Windows 11 Settings app and search for Remote Desktop Settings. You can also use Group Policy Settings (Domain Join and Hybrid Joined) or Intune Settings (Azure AD Joined) to configure the RDP settings for Windows devices.

Open the Remote Desktop configuration
Enable Remote Desktop -> Click on Confirm.
The RDP setting is enabled on Windows 11 devices as shown below.

How to Take RDP of Azure AD Joined Device | Azure VM 1

Login with AAD credentials – Azure VM

How to enable Azure AD Join for Azure VMs? Login to Azure VM with AAD credentials. While creating an Azure Virtual Machine, you need to select the following option called – Login with AAD credentials to ON

NOTE! – More details about the Azure Virtual Machine creation process are available in the previous post.

Login with AAD credentials to ON - Take RDP of Azure AD Joined Azure VM — **Login with AAD credentials** to ON – Take RDP of Azure AD Joined Azure VM

AAD Login for Windows VM hosted in Azure

AAD login for the Windows process is part of the virtual machine creation ARM template when you select the option “Login with AAD Credentials = ON.”

AAD Login for Windows - Take RDP of Azure AD Joined Azure VM — AAD Login for Windows – Take RDP of Azure AD Joined Azure VM

Login with the Local Admin Account

The build process of Azure AD Joined (? Is this really AAD Joined VM?) Azure VM is completed. Now, you can log in to VM using the local admin account to check the experience if you are interested:)

Connected to an Azure AD - Connect to Azure AD Joined Virtual Machine — **Connected to an Azure AD – Connect to Azure AD Joined Virtual Machine**

In this post (below), I have explained how to take the RDP of Azure VM using Azure AD credentials from the Azure Bastion solution. Learn more about Azure Bastion.

Configure RDP Access for Azure VM

Let’s try to Configure RDP Access for Azure VM now.

Navigate to the specific virtual machine overview page
Select Access control (IAM) from the menu options
Select Add, Add role assignment to open the Add role assignment pane.
In the Role drop-down list, select a role such as Virtual Machine Administrator Login (admin user) or Virtual Machine User Login (non-admin user)

Virtual Machine Administrator Login - RDP of Azure AD Joined Azure VM — **Virtual Machine Administrator Login** – RDP of Azure AD Joined Azure VM

Search for the user. Select the user and Click on the SAVE button to complete the process.

How to Take RDP of Azure AD Joined Azure VM

Login with Azure AD Credentials

As I mentioned above you can take the RDP of Azure VM only from an Azure AD joined or Hybrid Azure AD joined VM. In the following scenario, I have taken RDP of Azure AD and Joined Azure VM using Bastion.

Logging in to Windows 10 Azure VM using Azure AD Credentials - Take RDP of Azure AD Joined Azure VM — Logging in to Windows 10 Azure VM using Azure AD Credentials – Take RDP of Azure AD Joined Azure VM

Check the below screenshots to get more details.

How to Take RDP of Azure AD Joined Device | Azure VM 3

Take RDP of Azure AD Joined Azure VM Using Bastion

Now let’s see how to take the RDP of Azure AD joined Azure VM using Bastion.

Build TWO Windows 10 1909 VMs with Login with AAD credentials to ON option – Let’s call these VMs ==> anoopwin10-1 & anoopwin10-2
Connect to anoopwin10-1 using local admin credentials (anoopwin10-1\anoop) as you can in the below screen capture via Azure Bastion

How to Take RDP of Azure AD Joined Device | Azure VM 4

Once logged into anoopwin10-1 azure VM, take MSTSC or RDP of anoopwin10-2 VM using Azure AD Credentials.

Results

The Azure Virtual Machine is connected to Azure AD. The RDP access is available via Azure Bastion if you are ok to spin up one extra Azure AD joined Windows 10 VM in Azure.

How to Take RDP of Azure AD Joined Device | Azure VM 5

Resources

New Azure Intune Portal App for Windows Devices

I have noticed that there is a new Azure portal application for Windows devices. You can download the app from Microsoft trusted website. Yes, it’s exciting for me that I can use this new Azure Portal Application for Intune Device Management as well.

Download and Install Azure Portal Application

You can download the new Azure portal app from Microsoft’s official website – https://ms.portal.azure.com/App/Welcome.

I got this piece of information from the walkingcat tweet. I downloaded the AzurePortalInstaller.exe from the Microsoft Azure site mentioned above and double click on it to install it.

I have explained the entire download and installation process of the new Azure Portal App is in the above video tutorial.

Details – Azure Intune Portal Application

I initially felt like a new Azure portal application is a PWA application based on chrome or Microsoft Edge Chromium browser. But, I could find any processes running in the background while the new Azure Portal application is running.

Processes – Azure Portal Launcher Application

I have checked the processes running on Windows 10 1809 machine while Azure portal application is open. I could find three (3) processes with the same exe as you can see below.

Microsoft Azure Portal Launcher (MicrosoftAzurePortal.exe)
- Microsoft Azure Portal EXE (MicrosoftAzurePortal.exe)
- Sign in to Microsoft Azure (MicrosoftAzurePortal.exe)

Folder Location of Azure Portal Application

I found that the portal launcher application created specific folders in my user profiles as I showed in the above video. You can check the details of the Azure Portal application folder details.

C:\Users\Anoop C Nair\AppData\Local\Microsoft\AzurePortal\Production\MicrosoftAzurePortal.exe

Version – Azure Application Portal Launcher Application

I think the version details you can get from the file called version inside the same folder as mentioned above.

Azure Portal App Launcher == v3.0.10

Known Issues

Azure portal App is challenging to close, and you need to close it from Windows task manager.
It won’t really work offline unlike other PWA apps 🙂
Not sure whether it will work for Windows 7 or Windows 8 or Previous versions of Windows 10? I tested with Windows 10 1809 and Microsoft Edge Chromium, Chrome, etc… installed device.