Search This Blog

Dec 15, 2022

Decentralized Identity (DID) - Verifiable Credential - Microsoft Verified ID

Traditional IDs are issued/owned by IdPs. From user's perspective, these IDs among different IdPs can be inconsistent, hard to maintain, and there is no guarantee of privacy, control, etc.

Decentralized ID lets a user owns his/her ID. Any other entity can then add claims to DID. For example, an employer can add employment claim to its employees' DIDs. Therefore, traditional IdPs no longer own IDs, they either become irrelevant to a person (if they can't add/verify claims about the said person), or they transform themselves to be claim issuer (if they know something about the holder) /verifiers (in this case, the old IdP is just a consuming party of DID model).  

"Claims" here is called "Verifiable Credentials"(VCs) in DID context. It's verifiable because it's digitally signed. Entities that assign/sign VCs are called Issuer.

DID creation, change, as well as claim history, are stored in a public, decentralized network. It can be tracked and verified without a centralized IdP. Such network is called Trust Systems. Examples include ION (Identity Overley Network) and DID:web. Trust System can be built on top of existing blockchain network such as Bitcoin.

For the model to work, there are implicit trusts listed below:

  • Issuer trusts holder
  • Verifier trusts issuer
  • Holder trusts verifier



Tags: , ,

Dec 14, 2022

Set up a hybrid Azure AD lab

 General steps

  1. Set up an on-premise AD with forest name johnfoo.tk
  2. get a free domain from freenom (johnfoo.tk)
  3. In Freenom, configure to use your own DNS server, pointing to on-prem DC IP
  4. set up Azure AD 
  5. create an Azure account for AAD Connect, make it Global Admin
  6. create an AD service account for AD, give it DC Sync permission (or let AD Connect create for you)
  7. Add and verify Custom Domain in AAD. Create the TXT record on your AD DNS. The "@" -named record required by Azure is equivalent of "(same as parent)" record in Windows DNS. Just leave the record name blank when create the TXT record.
  8. Install AD Connect, enable
    1. PHA (recommended, for auth fault tolerance, or PTA). Of course, use federation is also possible depending on if you are using ADFS right now on prem
    2. Enable Seamless SSO (for on prem users SSO into Azure)
    3. Be careful what attribute to use for join rule (?). UPN is a good candidate. Unless on prem users are already having email address, using mail for linkage will not work

Manually join Windows clients into Azure AD

  1. Enable join/register option for regular users: AAD|Devices|Device Settings|Users may join devices to Azure AD
  2. On Win client, Accounts, connect to work, then select "join this device to Azure AD", follow on screen instructions 
  3. use "AzureAD\azureUPN" to log into the newly joined machine (e.g. AzureAD\jlan@johnfoo.tk)

Manually register Windows clients into Azure AD

  1. Same steps as above, but in step 2, do not select "join this device to AZure AD", instead, just click on "next" button 

Create a B2C Tenant

  1. Run "az provider register --namespace Microsoft.AzureActiveDirectory"
  2. Follow on screen instruction

Grant Admin access to an Azure-joined machine

  1. Tenant wide permission
    1. Azure AD has a "Device administrators" role that is used for this purpose
    2. Go to Devices | Device Settings | Manage Addtional local administrators on all Azure AD Joined devices | +assignment
  2. Individual machine
    1. Locally on the machine, using Account Settings to elivate a user
    2. "net localgroup administrators /add "Contoso\username" for adding on-prem user
    3. "net localgroup administrators /add "AzureAD\UserUpn" for adding Azure user
    4. use MDM solution

Enabled Hybrid AD join

  1. Run ADC, select Configure | additional tasks | Configure device options
  2. Follow on screen instruction

Tags: , , ,

Dec 13, 2022

Create a split-DNS for AD forest with same AD-domain name and DNS-domain name

 This is useful for a lab environment where you have an AD forest uses same domain name AD-wise and DNS-wise


  • Set up
    • domain name: foo.bar
    • internal subnet: 192.168.0.0/24
  • Commands
    • Add-DnsServerClientSubnet -Name "loopback" -IPv4Subnet 127.0.0.0/24
      Note: don't forget to add loopback as internal subnet 
    • Add-DnsServerClientSubnet -Name "internal" -IPv4Subnet 192.168.0.0/24
    • Add-DnsServerZoneScope -ZoneName "foo.bar" -Name "internet"
    • Add-DnsServerResourceRecord -ZoneName "foo.bar" -A -Name "@" -IPv4Address "yourPublicIP" -ZoneScope "internet"
    • Repeat above to add other A records that needs a public internet presence
    • Add-DnsServerResourceRecord -ZoneName "johnfoo.tk" -name "@" -NameServer "yourPublicIP" -NS -ZoneScope "internet" (Optional, your DNS provider already knows how to find your name server)
    • Add-DnsServerQueryResolutionPolicy -Name "NonInternalPolicy" -Action ALLOW -ClientSubnet "ne,Internal,loopback" -ZoneScope "Internet,1" -ZoneName "foo.bar"
    • Add-DnsServerResourceRecord -ZoneName "johnbook.ga" -name "@" -TXT -DescriptiveText "MS=ms35639551" -ZoneScope "internet" 

Tags: ,

Dec 12, 2022

What is DNS DNAME record and how it works

 


Tags: ,

Dec 11, 2022

Setting up ADC using gMSA - and ADC concepts in general

Connector concepts

  1. for an ADC service, on one side, it's on-prem AD, on the other, it's AAD. 
  2. ADC is therefore divided with 3 components: connector space to AD, metaverse, and connector space to AAD




  3. With these 3 components in mind, there are below operations can be performed
    1. Take connectors for AD for example, import from AD (to pick up new changes in AD), this picks up AD object and create a corresponding staging object in Connector Space
    2. or to export to AD (for writeback), this exports staging object to AD
    3. Synchronization: meaning create metaverse objects from staging objects, then create staging objects on the connector space other side of flow
    4. Same operations are applicable on AAD connectors in same way
  4. Seamless SSO VS. AADj-join SSO. 
    1. Seamless SSO: 
      1. For AD users on on-prem device to access cloud resource
      2. Leverage a computer object in on-prem AD to represent Azure AD. When a Windows AD user access cloud access, in the background the user is redirected to access the computer object first and get a kerberos ticket, which can be sent to, and decrypted by AAD.
    2. Azure-joined SSO (aka Azure Kerberos)
      1. For AAD-join device to access on-prem resources
      2. Same concept of having a computer object in on-prem AD representing Azure.
      3. Azure uses the computer object to acquire partial Kerberos TGT for user. User then use it to acquire full TGT from AD

Steps

  1. Create a security group for hosts that will be running ADC service, place all host as member "ADCHosts"
  2. Create the gMSA account
    1. Import-module ActiveDirectory
    2. Add-KdsRootKey -EffectiveImmediately
    3. New-ADServiceAccount -Name ADCsvc -Description "gMSA for Azure AD Connect installation" –DNSHostName ADCsvc.johnfoo.tk -principalsAllowedToRetrieveManagedPassword ADChosts

      Note: param DNSHostName doesn't really do anything here other than used for populating gMSA's DNSHostName attribute.
  3. On ADC server, install gMSA account
    1. Install-ADServiceAccount -Identity ADCsvc$
      Note: 
      1. don't forget the $ sign at the end, remember this is really a computer account
      2. If you get access denied error, reboot ADC host for membership change in step 1 to take effect
  4. Run ADC Installer
    1. custom installation
    2. use existing service account
    3. specify "johnfoo\adcsvc$" fun ADC service itself
    4. specify a "Global Administrator" for AAD
    5. specify an existing account or let ADC installer creates a new account for on-prem AD. This account needs DC Sync (replication) permission. 
      Note: the account created by installed is called "MSOL_*" under "users" container. To get the exact name, check ACL entries on top of domain that has DC Sync permission
  5. If you use ADC to sync extension attributes (e.g. employeeType), there should be an app in AAD called "Tenant Schema Extension App" , this is where you can find App ID so you can retrieve extension attributes (for example, create a dynamic group based on an extension attribute)

How to initiate a manual sync (see figure above)

    1. open "Synchronization Service"
    2. On "Operations" tab, right click a connector that is for AD, run, import, or
      On "Connectors" tab, right click a connector for AD, run, import
    3. then Run -> sync on both sides
    4. Finally export on AAD connector

How to change existing sync rules

    1. use Synchronization Rules Editor
    2. A rule defines scoping/filter/join rules/transforming rule
    3. Understand rule types for different phase of operations: provision/join/
    4. Example: if you want to change "sync criteria" (a.k.a "how to uniquely identify users cross forest", which is not possible to be changed using ADC configure GUI once initially set up), this can be done by editing rule for AD inbound rule for user, interOrgPerson, AccountEnable etc., page "join rule" 
    5. special notes for "join rules", while there can be multiple sync rules for a connector source, there can be ONLY one sync rule that defines join rules. Such sync rule will have "join" at end of the sync rule name. So for example above, you only need to find and make changes in "inbound from AD * join" rules
    6. see here

Notes:

  1. If install ADC on a member server, Virtual Service Account is recommended
  2. Duplicate attribute resiliency Instead of failing to provision objects with duplicate UPNs / proxyAddresses, the duplicated attribute is “quarantined” and a temporary value is assigned.
  3. UserPrincipalName soft match When this feature is enabled, soft-match is enabled for UPN in addition to the primary SMTP address, which is always enabled
  4. What should be used as sourceAnchor: 
    1. ObjectID if single forest; 
    2. still ObjectID even in multi-forest scenario, or use something won't change even when moving user between forests. 
    3. EmployeeID would be one if uniqueness can be guaranteed
    4. For where you don't have a proper attribute to use, Microsoft provides ms-DS-ConsistencyGuid
  5. Predecessor: DirSync -> Azure AD Sync
    Sibling: Azure AD Cloud Sync

Tags: ,

How to sync extension attribute from on-prem AD to AAD - and how to use it

ADC syncs a default set of attributes from AD to AAD out of box. To sync extension attributes (the term 'extension attributes' here doesn't refer to "extensionattribute1-15", but rather any attribute that is not included by default by ADC for sync with Azure):

  1. Open ADC | Configuration | Customize Sync Options
  2. In "optional features", check "Directory extension attribute sync"
  3. In attribute select page, check and select what you want to include to be sync'ed

Within Azure AD portal, how to retrieve extension attribute
  1. There should be a new app called "Tenant Schema Extension App" , this is where you can find App ID so you can retrieve extension attributes
  2. E.g. Creating a dynamic group based on extension attribute
    1. when create group rule, select "Get custom extension properties" option
    2. In new window, paste in the App ID you copied from step 1, then click on refresh button
    3. back to attribute dropdown list, at buttom the new attribute should be available for you to chose. The attribute name is in format similar to "extension_appID_GUID_onPremAttName"

Tags: , ,

Dec 8, 2022

Azure - Places to enable MFA - and special notes about Authentication App as a factor

There are multiple places where you can mandate MFA. Below are the list and the advantages/disadvantages of each place.

  • Conditional Access Policy

    This method focuses on "access control". It forces MFA based on certain conditions when user is accessing resources. Naturally, this is fit for when you want to have higher level of assurance when certain resources are accessed

  • Identity Protection\MFA registration policy

    This place is to force users to register MFA rather than define when to use

  • Sign-in risk policy

    Force user to use MFA base on risk detected. What considered as "risky" is determiend by MS algorithm that is not disclosed. Factors include unusual logon behavior, unusual location etc.

  • Security Default

    This is a heavy hand approach. "Security Default" enforces a bunch of best practices tenant-wide along with MFA requirement.

Places you define what factors you can offer to users for registration, and how each factor should behave
  • Legacy
    • AAD | Security | Multifactor authentication | additional cloud-based MFA settings
    • AAD | Password Reset | SSPR Policy (if used, only for SSPR)
  • New
    • AAD | Security | Authentication policies (how each factor should behave )
Besides the above 4 approaches to require MFA, it can also be registered on per-user basis in AAD portal. To improve Authenticator registration rate among users, you can create a registration campaign under "Security | Authentication methods | Registration campaign"

Special notes about registering Authenticator App as a factor:

When doing a per-user registration, other form of factors (SMS, voice call) can be assigned to users in AAD portal, but Authenticator App can only be registered by user himself in "my account" portal
Tags: ,

Dec 2, 2022

How "Authentication Context" Works in Azure

 First of all, let's just say "Authentication Context" has little to do with authentication, not sure why MS picked such a misleading name. It's really a labeling system to give content owner more control over what should be protected, and how.


    1. Create the context
      It's a label can be defined in AAD | security - in here, everything is just a text tag. It has no meaning now until after you use it in a Conditional Access Policy
    2. Link the "auth context" created in step 1 to a "sensitivity label"
      "auth context" created above will be shown as an option for you to choose from in your Sensitivity Label'| site setting | "Define external sharing and device access settings" page, there is an option called "Use Azure AD Conditional Access to protect labeled SharePoint sites", under which you will see the label you created in step #1
    3. Link the context to an access policy
      Create a conditional access policy targeting this label (traditionally you can only target applications, user actions, but now you can target a tag/label)
    4. How everything works together
      For documents with the abovementioned sensitivity label, its access settings -> context name -> access policy in scope for the context
    5. This way, the level of protection is not limited to be defined only by Azure admin, but by content owner as well.
      In other words, Azure AD admin defines a protection option, content owners decide if they want to use that option themselves (by enabling the label) (compare to the old way where Azure admin push down a policy for all things in scope)
Tags:
Subscribe to: Posts (Atom)