Forum Discussion
SandroRudin
May 09, 2022, Copper Contributor
Multifactor Authentication MFA and Virtual Machines VM
We are a small development company using Office365. For a new project we now want to use some Windows VMs in the cloud. Because Azure integrates nicely with Office365 it seems to make sense to create...
- May 16, 2022
Ok, so I think I found the problem.
As described above I have disabled MFA for my account in order to be able to log in to the VMs using the AzureAD credentials. I was then able to log in as desired but got redirected to the MFA setup wizard every time I logged in to some MS website. I then skipped the setup as I expected this would deny login to the VMs again.
I now realized that this MFA setup was for another organization where I was added as an external user. This organization still has company-wide MFA required and therefore I was bothered with the setup at every login. I now completed the MFA setup process and it really only requires it for that company and not for my own company, so login to the VMs is still possible. I have to admit that I find this behavior quite confusing as it is nowhere shown for what organization you are setting up MFA.
Therefore my main problem is solved now. I would prefer to enable MFA and disable it only for RDP, or even better enable it everywhere, but unfortunately this seems to be too complicated. If a simple solution pops up please let me know.
SandroRudin
May 15, 2022, Copper Contributor
We have Office 365 "Business Basic" licenses. If I go to https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies the "New policy" button is deactivated and a link to purchase Premium (P2) is shown.
Looking at the documentation I see that VPN Gateways require Conditional Access Policies as well so not what I'm looking for I think. I may be wrong though so if someone could post a link to a step by step setup guide that gives me what we need without CAP I would appreciate it.
Again the requirements:
- We want a simple Windows VM where we can configure login by assigning IAM roles (login as user/admin) and don't need additional local credentials.
- We don't care if we have to enable or disable MFA but we don't want to get bothered upon every Azure login with a redirect to the setup MFA wizard (which can be cancelled).
- The solution must not significantly increase the costs and it must not require a huge setup.
As of now I feel Azure cannot provide this. Very disappointing (but thanks for the responses).
lukemurraynz
May 15, 2022, Learn Expert
Hmm, I wonder if it's setting up Windows Hello/PIN that you might be prompted for when logging in each time - this can be turned off.
* https://matrixpost.net/disable-windows-hello-for-business-prompt-on-azure-ad-joined-devices/
Skip down to: Disable Windows Hello for Business by using a Group Policy
- SandroRudin (May 15, 2022, Copper Contributor)
I don't think that's the problem. If you look at the very first link that you have posted above there is a blue box ("Important") that says "Remote connection to VMs joined to Azure AD is only allowed from Windows 10 or newer PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the same directory as the VM." I am connecting from my private machine that is not connected to my business AzureAD so no surprise it doesn't work - but that's exactly what we want to do, and I think that's quite a legitimate requirement. As a company you may have people working for you from their own devices, but you want to provide them VMs in the cloud for specific tasks and login using AzureAD credentials (instead of separate local credentials per VM).
- lukemurraynz (May 15, 2022, Learn Expert)
Arh...
To successfully connect to an AzureAD joined computer using Remote Desktop, you will need first to save your connection settings to a .rdp file.
To do this, open the Remote Desktop Connection program, enter the IP Address or computer name, then click the "Save As" button at the bottom of the screen. Save it someplace convenient, since we'll need to edit this file by hand.
Next, Right-Click the saved .rdp file and open with Notepad.
Go to the very bottom of the file, add the following lines:
enablecredsspsupport:i:0
authentication level:i:2
Save the file and close.
Now, try double clicking the modified .rdp file and login using the format:
AzureAD\YourFullUsername
- lukemurraynz (May 15, 2022, Learn Expert)
Here's a better article with pictures, but you need to edit the RDP file and change the authentication and credssp support: https://www.niallbrady.com/2017/08/23/how-can-i-rdp-to-an-azure-ad-joined-windows-10-device/
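The same .rdp edit as a script, added here as an example and not code from the thread or from Microsoft: it parses the saved connection file, sets the two values in place rather than appending duplicates, and reports what those values switch off on the client side, since enablecredsspsupport:i:0 means no Network Level Authentication for that connection. The sample file contents, the placeholder host name and the assumption that "Save As" writes the file as UTF-16 are constructed for the example.

```python
"""Apply the two .rdp settings from the post above to a saved connection file.

Added example, not code from the thread or from Microsoft. An .rdp file is one
"name:type:value" entry per line (type i = integer, s = string, b = binary).
Entries are updated in place so the file never carries two lines for one name,
and audit_rdp() reports what the added values relax on the client side.
"""
import re

# Values given in the post; the comments describe the effect of each.
AZURE_AD_RDP_SETTINGS = {
    # 0 disables CredSSP for this connection, so no Network Level
    # Authentication happens before the session: the VM shows its logon
    # screen to a client that has not authenticated yet.
    "enablecredsspsupport": ("i", "0"),
    # 2 = warn if server authentication fails but let the user connect
    # anyway (0 = connect silently, 1 = refuse to connect).
    "authentication level": ("i", "2"),
}

_ENTRY_RE = re.compile(r"^(?P<name>[^:]+):(?P<type>[isb]):(?P<value>.*)$")


def parse_rdp(text):
    """Return a list of (name, type, value); non-blank lines that don't parse are kept as (line, None, None)."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append((m["name"], m["type"], m["value"]))
        elif line.strip():
            entries.append((line, None, None))
    return entries


def render_rdp(entries):
    """Serialise entries back to .rdp text with the CRLF line ends mstsc writes."""
    lines = [name if typ is None else f"{name}:{typ}:{value}" for name, typ, value in entries]
    return "\r\n".join(lines) + "\r\n"


def apply_settings(text, settings=AZURE_AD_RDP_SETTINGS):
    """Set every entry in `settings`, replacing an existing line of the same
    name (case-insensitive) or appending it, and return the new .rdp text."""
    pending = {name.lower(): (name, typ, value) for name, (typ, value) in settings.items()}
    out = []
    for name, typ, value in parse_rdp(text):
        key = name.lower() if typ is not None else None
        if key in pending:
            _, new_typ, new_value = pending.pop(key)
            out.append((name, new_typ, new_value))  # keep the file's own spelling of the name
        else:
            out.append((name, typ, value))
    out.extend(pending.values())  # settings the file did not have yet
    return render_rdp(out)


def audit_rdp(text):
    """Defender's view: list the client-side checks this .rdp file turns off or leaves unset."""
    values = {name.lower(): value for name, typ, value in parse_rdp(text) if typ is not None}
    findings = []
    if values.get("enablecredsspsupport") == "0":
        findings.append("NLA off: CredSSP disabled, client is not authenticated before the session starts")
    level = values.get("authentication level")
    if level == "0":
        findings.append("authentication level 0: connects without warning if server authentication fails")
    elif level is None:
        findings.append("authentication level not set: server identity check falls back to the client default")
    return findings


def write_azure_ad_rdp(src, dst, encoding="utf-16"):
    """Read a saved .rdp file, apply the settings, write the result and return the audit findings.
    Assumption: Remote Desktop Connection's "Save As" writes UTF-16 with a BOM; pass another encoding if yours differs."""
    with open(src, "r", encoding=encoding, newline="") as f:
        updated = apply_settings(f.read())
    with open(dst, "w", encoding=encoding, newline="") as f:
        f.write(updated)
    return audit_rdp(updated)


# Constructed sample of what "Save As" produces (placeholder host, not a real VM).
SAMPLE_RDP = (
    "screen mode id:i:2\r\n"
    "full address:s:vm-example.placeholder.invalid\r\n"
    "authentication level:i:3\r\n"
    "prompt for credentials:i:1\r\n"
)

if __name__ == "__main__":
    updated = apply_settings(SAMPLE_RDP)
    print(updated)  # then log on as AzureAD\YourFullUsername when prompted
    for finding in audit_rdp(updated):
        print("note:", finding)
```

Run it against a real file with write_azure_ad_rdp("saved.rdp", "azuread.rdp"); the returned findings are the trade-off you accept for AzureAD\ logon from an unjoined client, so keep the VM's RDP port closed to the internet (Bastion, a VPN or an NSG rule for your own address) rather than relying on NLA that this file no longer uses.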
- lukemurraynz (May 15, 2022, Learn Expert)
You can Start, Run and type in: gpedit.msc to open the Local Group Policy editor on the machine, or the registry key can be found in this article: https://www.thewindowsclub.com/how-to-disable-windows-hello-prompt