Quaywe: Hi, thank you. That is a good point! What I did in the past when implementing this for Privileged Access Workstations was to use an Azure Virtual Network Gateway of type VPN with OpenVPN as the tunnel type and Entra ID (formerly Azure Active Directory) as the authentication type. Then you would need to take an initial hop from the Point-to-Site subnet to an intermediary such as an ExpressRoute Gateway or a Site-to-Site connection. If using ExpressRoute, you would need another Gateway of type ExpressRoute to use an existing ExpressRoute Circuit (https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-linkvnet-portal-resource-manager#circuit-owner-operations); if you use a Site-to-Site VPN, you could use the existing VPN Gateway and add the Site-to-Site connection. But again, those are just some starting thoughts, and each environment is different. Of course there are a lot of possibilities you can use.
You then leverage Conditional Access to target the user group assigned to the VPN Gateway (you should use a dedicated VPN Gateway for this: Configure P2S for different user and group access: Microsoft Entra authentication and multi app - Azure VPN Gateway | Microsoft Learn) and enforce the use of a PAW, a compliant device and phishing-resistant MFA. Then you would be able to log on to that VPN Gateway from your PAW. The configuration for that VPN Gateway is published via Intune as a Configuration Profile (Create an Intune profile for Azure VPN clients - Azure VPN Gateway | Microsoft Learn).
The PAW that I am talking about is a cloud-only device; it is joined to Entra ID and not to Active Directory. No hybrid device! Therefore you want to use Azure VMs as jump hosts, which are AD domain-joined. Those should sit in a separate subscription (security boundary). They should also be treated as virtual PAWs (configuration-wise and administration-wise).
This is a huge topic. Again, always take care to secure all intermediaries and the devices the admins use, to protect their credentials.
Securing privileged access Enterprise access model - Privileged access | Microsoft Learn
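The following is an added example, not code from Quaywe's post or from Microsoft's documentation: an Az and Microsoft Graph PowerShell script that builds the two pieces the post describes, a P2S VPN Gateway with OpenVPN as tunnel type and Entra ID as authentication type, and a Conditional Access policy scoped to the PAW admin group that requires a compliant device, a device tagged as a PAW, and phishing-resistant MFA when signing in to the Azure VPN app. The resource names, tenant ID, group object ID, address pool, and the `extensionAttribute1 = "PAW"` device-tagging convention are all placeholders and assumptions; the Azure VPN application ID and the built-in authentication-strength ID are Microsoft's well-known values and should be checked against the linked Microsoft Learn articles before use.

```powershell
# Added example (not from the original post). Requires the Az.Network and
# Microsoft.Graph.Identity.SignIns modules, an existing VNet containing a
# "GatewaySubnet", and prior Connect-AzAccount / Connect-MgGraph
# (scope Policy.ReadWrite.ConditionalAccess). All values below are placeholders.

$tenantId   = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID
$rg         = "rg-paw-vpn"                              # placeholder resource group
$location   = "westeurope"                              # placeholder region
$vnetName   = "vnet-paw"                                # placeholder VNet
$gwName     = "vgw-paw-p2s"                             # placeholder gateway name
$clientPool = "172.16.201.0/24"                         # placeholder P2S address pool
$pawAdmins  = "11111111-1111-1111-1111-111111111111"   # placeholder: PAW admin group object ID

# Well-known application ID of Microsoft's "Azure VPN" enterprise app in public Azure.
# Verify against the Microsoft Learn article linked in the post before relying on it.
$azureVpnAppId = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"

# --- 1. Dedicated P2S gateway: OpenVPN tunnel type, Entra ID authentication --------
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

$pip = New-AzPublicIpAddress -Name "$gwName-pip" -ResourceGroupName $rg `
    -Location $location -AllocationMethod Static -Sku Standard

$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf" `
    -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

# Basic SKU does not support OpenVPN/Entra auth; VpnGw2 is an arbitrary non-Basic choice.
New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw2 `
    -VpnClientProtocol OpenVPN -VpnClientAddressPool $clientPool `
    -VpnAuthenticationType AAD `
    -AadTenantUri  "https://login.microsoftonline.com/$tenantId/" `
    -AadAudienceId $azureVpnAppId `
    -AadIssuerUri  "https://sts.windows.net/$tenantId/"

# --- 2. Conditional Access on the Azure VPN app: PAW admin group only, compliant
#        device, device must carry the (assumed) PAW tag, phishing-resistant MFA -----
$policy = @{
    displayName = "PAW admins - Azure VPN - compliant PAW + phishing-resistant MFA"
    # Start in report-only mode; switch to "enabled" once sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pawAdmins) }
        applications   = @{ includeApplications = @($azureVpnAppId) }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                # Exclude everything that is NOT tagged as a PAW (assumed tagging convention).
                mode = "exclude"
                rule = 'device.extensionAttribute1 -ne "PAW"'
            }
        }
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("compliantDevice")
        # Built-in authentication strength "Phishing-resistant MFA".
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Gateway provisioning takes a long time (tens of minutes), so run this from a PAW session that can stay open. The device-filter rule with `mode = "exclude"` is deliberately fail-closed: a device that has no PAW tag at all is excluded from the policy, which for a policy whose only purpose is to grant access means it is not granted. The Intune configuration profile that ships the VPN client settings to the PAWs, the ExpressRoute or Site-to-Site hop, and the separate jump-host subscription from the post are not covered here.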