Multifactor Authentication (MFA) and Virtual Machines (VM)

We are a small development company using Office365. For a new project we now want to use some Windows VMs in the cloud. Because Azure integrates nicely with Office365 it seems to make sense to create these VMs on Azure. The plan is that the existing Office365 logins stored in Azure AD can also be used to grant access to the VMs' Windows OS (as managing separate credentials for each VM is a PITA).

We created the VMs and assigned access rights - there are specific roles for this (login as user, login as administrator) which is exactly what we need. We tried to log in and - bummer. Login doesn't work.

After some searching we found out that the reason seems to be that we have MFA turned on and this is not supported by the Windows OS. So we figured we need to change access configuration e.g. by using Bastion instead of plain RDP for remote access but - bummer. Bastion also doesn't support MFA.

After looking around for a while we came to the conclusion that currently there seems to be no way to get this done (at least with an acceptable amount of work/money for a small company like us). The official MS suggestion is to turn off MFA for RDP by using Azure AD conditional access. This is acceptable because we are securing remote access by source IP so MFA for RDP is overkill anyway. So we opened up the Azure AD configuration page and - bummer. Azure AD conditional access is only available when using Azure AD Premium which increases costs by about 5-10$ per user per month. That's unacceptable only to turn off functionality!

Therefore we decided to disable enforcing company-wide MFA so those users who need RDP to the VMs could remove their MFA and successfully log in. This indeed works but - bummer. Every time a MS website is opened (e.g. the Azure Portal) there is a message saying the user needs to configure MFA. After a click on the "Next" button the setup screen opens where the user can select "Skip setup" and log in without MFA. How stupid is that - but so far we found no way to get rid of this.

Sure, we could manage separate credentials for each VM - but that's what we want to prevent and something that we could also do with all other cloud providers so why use Azure?

We are currently unsure if we should just delete all Azure resources and move our VMs to another cloud provider. So we'd like to ask if there is something that we missed:

  • Is there a (feasible) way to get RDP login to Azure VMs to work when using Azure AD credentials with MFA?
  • Is there a way to turn off MFA for RDP only without additional costs?
  • Is there a way to get rid of the stupid MFA setup screens when turning company-wide MFA off?
  • Is there any other approach or solution to our (quite simple and common) requirements?

I'm confused about whether you have or don't have conditional access. But there are a few things to look at:

@Luke Murray As I said: "Azure AD conditional access is only available when using Azure AD Premium which increases costs by about 5-10$ per user per month. That's unacceptable only to turn off functionality!" So: No.

From what I understand both your suggestions involve the use of conditional access policies and are therefore not what I'm looking for.

Hi @SandroRudin

There are some questions/answers that could help the community better analyze it.
What is the licensing that you have on the O365 tenant?
What kind of permission granularity will you desire to have within the VMs?


Without all the context, here are some of my considerations:
If you have considered Bastion so far, why not consider Azure VPN Gateway with Azure AD authentication with security defaults?
It will allow MFA to log in.

It's about the same price for East US, for example.


Regarding the authentication on Windows, you could have AADDS where VMs will join the domain, and have it sync with the Azure AD tenant where your O365 is.

Hope it helps to shed some light.

You can use Network Gateway with per user MFA, by adding the private IP your traffic will be coming from (from the NAT gateway) into the per user MFA.

Conditional Access is part of Business Premium now, so depending on your Office licenses, you may already have it.

We have Office 365 "Business Basic" licenses. If I go to https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies the "New policy" button is deactivated and a link to purchase Premium (P2) is shown.

Looking at the documentation I see that VPN Gateways require Conditional Access Policies as well so not what I'm looking for I think. I may be wrong though so if someone could post a link to a step by step setup guide that gives me what we need without CAP I would appreciate it.

Again the requirements:
- We want a simple Windows VM where we can configure login by assigning IAM roles (login as user/admin) and don't need additional local credentials.
- We don't care if we have to enable or disable MFA but we don't want to get bothered upon every Azure login with a redirect to the setup MFA wizard (which can be cancelled).
- The solution must not significantly increase the costs and it must not require a huge setup.

As of now I feel Azure cannot provide this. Very disappointing (but thanks for the responses).

Btw when I say IAM roles I mean RBAC.

Hmm, I wonder if it's setting up Windows Hello/PIN that you might be prompted for when logging in each time - this can be turned off.

* https://matrixpost.net/disable-windows-hello-for-business-prompt-on-azure-ad-joined-devices/

Skip down to: Disable Windows Hello for Business by using a Group Policy
You can go to Start, Run and type in: gpedit.msc
to open the Local Group Policy editor on the machine, or the registry key can be found in this article: https://www.thewindowsclub.com/how-to-disable-windows-hello-prompt

I don't think that's the problem. If you look at the very first link that you have posted above there is a blue box ("Important") that says "Remote connection to VMs joined to Azure AD is only allowed from Windows 10 or newer PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the same directory as the VM." I am connecting from my private machine that is not connected to my business AzureAD so no surprise it doesn't work - but that's exactly what we want to do, and I think that's quite a legitimate requirement. As a company you may have people working for you from their own devices, but you want to provide them VMs in the cloud for specific tasks and log in using AzureAD credentials (instead of separate local credentials per VM).

Arh...


To successfully connect to an AzureAD joined computer using Remote Desktop, you will need first to save your connection settings to a .rdp file.

To do this, open the Remote Desktop Connection program, enter the IP Address or computer name, then click the "Save As" button at the bottom of the screen. Save it someplace convenient, since we'll need to edit this file by hand.

Next, Right-Click the saved .rdp file and open with Notepad.

Go to the very bottom of the file, add the following lines:

enablecredsspsupport:i:0
authentication level:i:2

Save the file and close.

Now, try double clicking the modified .rdp file and login using the format:

AzureAD\YourFullUsername

Here's a better article with pictures, but you need to edit the RDP file and change the authentication and credssp support: https://www.niallbrady.com/2017/08/23/how-can-i-rdp-to-an-azure-ad-joined-windows-10-device/
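The .rdp edit described in the post above, as an added PowerShell example that is not part of the original thread: it sets both options and replaces an existing entry rather than appending a second one. The temporary sample file and the `Set-RdpSetting` helper name are assumptions made for illustration.

```powershell
# Added example (not from the thread): apply the two .rdp edits described above
# without leaving duplicate entries. The sample file below is constructed.

function Set-RdpSetting {
    param(
        [string[]] $Lines,   # current lines of the .rdp file
        [string]   $Name,    # setting name, e.g. 'enablecredsspsupport'
        [string]   $Type,    # 'i' = integer, 's' = string
        [string]   $Value
    )
    # .rdp entries have the form name:type:value, one per line.
    $pattern = '^\s*' + [regex]::Escape($Name) + ':'
    $kept = @($Lines | Where-Object { $_.Trim() -ne '' -and $_ -notmatch $pattern })
    # Return the other settings untouched, plus exactly one entry for $Name.
    return $kept + ('{0}:{1}:{2}' -f $Name, $Type, $Value)
}

# Constructed stand-in for a file saved with "Save As" in Remote Desktop Connection.
# 203.0.113.10 is a documentation-only address.
$rdpPath = Join-Path ([IO.Path]::GetTempPath()) 'sample-vm.rdp'
@(
    'full address:s:203.0.113.10'
    'enablecredsspsupport:i:1'
    'prompt for credentials:i:0'
) | Set-Content -LiteralPath $rdpPath -Encoding Unicode

# Keep a copy of the original so the change can be undone.
Copy-Item -LiteralPath $rdpPath -Destination "$rdpPath.bak" -Force

$lines = @(Get-Content -LiteralPath $rdpPath)
# 0 = do not use CredSSP for this connection.
$lines = @(Set-RdpSetting -Lines $lines -Name 'enablecredsspsupport' -Type 'i' -Value '0')
# 2 = warn and ask before connecting if server authentication fails.
$lines = @(Set-RdpSetting -Lines $lines -Name 'authentication level' -Type 'i' -Value '2')

# Write UTF-16 ('Unicode'), which Remote Desktop Connection reads.
Set-Content -LiteralPath $rdpPath -Value $lines -Encoding Unicode
Get-Content -LiteralPath $rdpPath
```

With CredSSP off, Network Level Authentication is not used for this connection, so the credentials are typed at the VM's own logon screen; apply the change to the .rdp file for that VM only rather than to a shared default.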
Did that already. It works already. But not with MFA enabled.

Ok, so it doesn't sound like per-user MFA is supported.

So you either have to disable user based MFA (https://www.alitajran.com/disable-mfa-office-365-with-powershell/)

or upgrade your Business Basic to M365 Business Premium licenses to use Conditional Access (and look into Azure Virtual Desktop, which might be more what you are after; the licenses are included in M365 Business Premium). From a security perspective this is the recommended option.

If you go the route of disabling MFA, then you might have to turn off Security Defaults to stop MFA prompting to set up: https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-aut... or go into the users and set 'Disabled'.

But best practice would be to get a license that supports Conditional Access for increased security controls.

I really appreciate it if somebody tries to help, but did you ever really read my problem description?

I have disabled company-wide and per-user MFA already which is why I can log in using the AzureAD credentials. The fact that MFA is not supported is the main cause of all problems.
I know Conditional Access policies can solve the issue, but the price per user per month is unacceptable only to turn off MFA functionality (which is a workaround that I don't even like to do).
Right now the main issue is that every time I open the Azure Portal I get redirected to the MFA setup wizard which is seriously getting on my nerves and therefore not an acceptable long-term solution.

So again, I appreciate your help and I understand that my description may not be perfectly clear but I do think that I explained more or less what the situation is so please try to address my problems and requirements.

Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
Browse to Azure Active Directory > Properties.
Select Manage security defaults.
Set the Enable security defaults toggle to No.
Select Save.

As I said three times already, I have turned off company-wide MFA, which is why I can remove MFA from my account which is why I can log in. The redirect to the wizard is still popping up every time I log in to Azure portal and I can then just skip setup on the first step.

Sorry, I don't know; you may need to open a support case with Microsoft to check the setting on the Tenancy.

I just did some testing after disabling Security Defaults and removing any authentication information from my user account (https://account.activedirectory.windowsazure.com/Proofup.aspx). It is allowing me to log in with no prompts.

So I open your link or go to Azure Portal, "View account", "Update security information" and I get stuck in an endless loop.
To be more precise: I open the Azure Portal (redirect to MFA setup, skip), then "View account" (redirect to MFA setup, skip), then "Update security information" and then redirect to MFA setup, skip, redirect to MFA setup, skip, ...
I have no idea what MS is thinking...
Accepted Solutions
best response confirmed by SandroRudin (Copper Contributor)
Ok, so I think I found the problem.
As described above I have disabled MFA for my account in order to be able to log in to the VMs using the AzureAD credentials. I was then able to log in as desired but got redirected to the MFA setup wizard every time I logged in to some MS website. I then skipped the setup as I expected this would deny login to the VMs again.
I now realized that this MFA setup was for another organization where I was added as an external user. This organization still has company-wide MFA required and therefore I was bothered with the setup at every login. I now completed the MFA setup process and it really only requires it for that company and not for my own company so login to the VMs is still possible. I have to admit that I find this behavior quite confusing as it is nowhere shown for what organization you are setting up MFA.
Therefore my main problem is solved now. I would prefer to enable MFA and disable it only for RDP or even better enable it everywhere but unfortunately this seems to be too complicated. If a simple solution pops up please let me know.
