May 09 2022 08:08 PM
May 09 2022 08:08 PM
We are a small development company using Office365. For a new project we now want to use some Windows VMs in the cloud. Because Azure integrates nicely with Office365 it seems to make sense to create these VMs on Azure. The plan is that the existing Office365 logins stored in Azure AD can also be used to grant access to the VMs Windows OS (as managing separate credentials for each VM is a PITA).
We created the VMs and assigned access rights - there are specific roles for this (login as user, login as administrator) which is exactly what we need. We tried to login and - bummer. Login doesn't work.
After some searching we found out that the reason seems to be that we have MFA turned on and this is not supported by the Windows OS. So we figured we need to change access configuration e.g. by using Bastion instead of plain RDP for remote access but - bummer. Bastion also doesn't support MFA.
After looking around for a while we came to the conclusion that currently there seems to be no way to get this done (at least with an acceptable amount of work/money for a small company like us). The official MS suggestion is to turn off MFA for RDP by using Azure AD conditional access. This is acceptable because we are securing remote access by source IP so MFA for RDP is overkill anyway. So we opened up the Azure AD configuration page and - bummer. Azure AD conditional access is only available when using Azure AD Premium which increases costs by about 5-10$ per user per month. That's inacceptable only to turn off functionality!
Therefore we decided to disable enforcing company-wide MFA so those users who need RDP to the VMs could remove their MFA and successfully login. This indeed works but - bummer. Everytime a MS website is opened (e.g. the Azure Portal) there is a message saying the user needs to configure MFA. After a click on the "Next" button the setup screen opens where the user can select "Skip setup" and login without MFA. How stupid is that - but so far we found no way to get rid of this.
Sure, we could manage separate credentials for each VM - but that's what we want to prevent and something that we could also do with all other cloud providers so why use Azure?
We are currently unsure if we should just delete all Azure resources and move our VMs to another cloud provider. So we'd like to ask if there is something that we missed:
May 14 2022 12:07 AM
I'm confused about whether you have or don't have conditional access. But there are a few things to look at:
May 15 2022 07:36 AM
@Luke Murray As I said: "Azure AD conditional access is only available when using Azure AD Premium which increases costs by about 5-10$ per user per month. That's inacceptable only to turn off functionality!" So: No.
From what I understand both your suggestions involve the use of conditional access policies and are therefore not what I'm looking for.
May 15 2022 11:02 AM
There are some questions/answers that could help the community better analyze it.
What is the licensing that you have on the O365 tenant?
What kind of permission granularity will you desire to have within the VMs?
Without all the context here are some of my considerations:
If you considered so far Bastion, why not consider Azure VPN Gateway with Azure AD authentication with security defaults.
Will allow it MFA to login.
It's about same price for East US for example.
Regarding the authentication on Windows, you could have AADDS where VMs will join domain, and have it sync with the Azure AD tenant where is your O365.
Hope it helps to shed some light.
May 15 2022 11:51 AM
May 15 2022 09:15 PM
May 15 2022 09:46 PM
May 15 2022 09:55 PM
May 15 2022 10:05 PM
May 15 2022 10:11 PM
May 15 2022 10:13 PM
May 15 2022 10:47 PM
May 15 2022 10:55 PM
May 15 2022 11:09 PM
May 15 2022 11:12 PM
May 15 2022 11:17 PM
May 16 2022 12:15 AM
May 16 2022 12:51 AM