Intune: configure one VPN connection to reach your Azure and on-premises networks

This article describes how to configure an Azure VPN Intune profile. This profile contains the configuration of the Azure VPN Point-to-Site (P2S) connection.

The scenario is the following. You have established a VPN between your on-premises network and Azure (with BGP routing), and now you want your laptop to access the resources in both places with only one VPN connection. This VPN connection should start automatically, without any prompt, when you are outside your company.


STEP 1 – Configure the Azure VPN P2S

Go to your Azure Virtual Network Gateway and select the « Point-to-site configuration » tab.

Enter an IP range (not in conflict with other routed networks); this range will be assigned to your remote laptops.

Select « Azure certificate » to work without any prompt. You need to enter the name of your ROOT certificate authority and its « public certificate data » encoded in base64.

When the configuration is finished, download the VPN client and extract the files inside the ZIP archive.


STEP 2 – Get the information

From the extracted files, open the GENERIC folder and then the VPNSETTINGS.XML file.

Look for the value of <VpnServer>; it looks like « azuregateway-xxxxxx.vpn.azure.com ». This value is the Azure VPN server name.

Additionally, we need to identify the SSL server certificate thumbprint. The only way I found is to create a new VPN connection from scratch on your Windows 10 computer, entering the corresponding information.

Then open a PowerShell console and type the following commands:

# Read back the VPN connection you just created by hand
$vpn = Get-VpnConnection -Name "test connection"
# The EAP configuration as an XML string: this is what the Intune profile expects
$vpn.EapConfigXmlStream.InnerXml

Then copy the output; this is the XML configuration to use in the Intune profile.
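As an added example (not code from the original post), the following script does the same extraction but also reads the server name(s) and the trusted root CA thumbprint out of the EAP XML, so you can check them against VpnSettings.xml and the root CA you uploaded to the gateway before pasting the XML into Intune. It assumes the hand-made connection is named 'test connection' (placeholder) and writes the XML to a file path of your choice.

```powershell
# Added example, not from the original post. Reads back the VPN connection created
# by hand in Step 2, extracts the EAP XML that Intune expects, and shows the server
# name(s) and trusted root CA thumbprint(s) it contains.
# Assumptions: connection name and output path below are placeholders.

$connectionName = 'test connection'
$outFile        = "$env:USERPROFILE\Desktop\azure-p2s-eap.xml"

$vpn = Get-VpnConnection -Name $connectionName -ErrorAction Stop

# InnerXml is the exact string to paste into the Intune « EAP XML » parameter.
$eapXml = $vpn.EapConfigXmlStream.InnerXml
if ([string]::IsNullOrWhiteSpace($eapXml)) {
    throw "Connection '$connectionName' has no EAP configuration; it was probably created with a non-EAP authentication method."
}

# The EAP schema uses several namespaces, so match elements on local-name()
# instead of hard-coding namespace prefixes.
$doc = [xml]$eapXml
$serverNames = $doc.SelectNodes("//*[local-name()='ServerNames']") | ForEach-Object { $_.InnerText }
$thumbprints = $doc.SelectNodes("//*[local-name()='TrustedRootCA']") |
    ForEach-Object { ($_.InnerText -replace '\s', '').ToUpperInvariant() }   # stored as 'aa bb cc ...'

"Server name(s) validated by the client : $($serverNames -join ', ')"
"Trusted root CA thumbprint(s)           : $($thumbprints -join ', ')"

# Optional check: the thumbprint should belong to the root CA uploaded to the gateway.
# Compare it with the local Root stores (adjust if your root CA lives elsewhere).
$localRoots = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root
foreach ($tp in $thumbprints) {
    $match = $localRoots | Where-Object { $_.Thumbprint -eq $tp }
    if ($match) { "  $tp matches local root : $($match[0].Subject)" }
    else        { "  $tp not found in local Root stores (check it is the CA uploaded to the gateway)" }
}

# Save the XML untouched so it can be pasted into the Intune profile.
Set-Content -Path $outFile -Value $eapXml -Encoding UTF8
"EAP XML written to $outFile"
```

If the thumbprint does not match the root CA you uploaded in Step 1, the client will refuse the gateway certificate and the connection will fail silently on the managed devices, so this check is worth doing before deploying the profile.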


STEP 3 – Configure your Intune profile

Create a new Intune configuration profile and select the VPN profile type.

Enter the Azure VPN server name in the « Servers » list. Set the description you want.

In the « EAP XML » parameter, paste the XML configuration you copied earlier.


Finally, go through the remaining parameters of the Intune profile and configure what suits you, such as split tunneling and Trusted Network Detection.

Hope you enjoyed


A new era has come, the end of passwords

Last week, Microsoft released the public preview of « password-less login ».

Until last week, this functionality only worked with « Microsoft accounts ». Now Microsoft has pushed this technology to « Azure AD », which means you can use it in your enterprise with Azure and Office 365. Instead of a password, you can use only a USB or NFC security key!

To enable this feature, follow the few steps described below. It’s very easy.


Requirements

Please be sure that you have a FIDO2-compatible « security key ».

Personally I’m using the YubiKey 5

https://www.yubico.com/


Use a web browser like Edge, but be sure that it is up to date. Don’t try to enroll in a « private » or « incognito » session: the user enrollment will fail.


STEP 1 – Enable password-less feature on Azure AD

Go to your Azure Active Directory and select « authentication methods ».

Enable the feature « FIDO2 Security Key » for all users, or a subset of users.

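As an added example (not from the original post), here is how to confirm from a script, rather than the portal, that the FIDO2 method is enabled on the tenant and which users it is scoped to, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in account can read the authentication methods policy (Policy.Read.All; resolving group names additionally needs Group.Read.All).

```powershell
# Added example, not from the original post. Reads the tenant's FIDO2
# authentication method configuration through Microsoft Graph and reports its
# state and targets. Assumes Microsoft.Graph.Authentication is installed.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Group.Read.All'

$uri    = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2'
$policy = Invoke-MgGraphRequest -Method GET -Uri $uri

"FIDO2 state               : $($policy.state)"
"Self-service registration : $($policy.isSelfServiceRegistrationAllowed)"
"Attestation enforced      : $($policy.isAttestationEnforced)"

# includeTargets lists the groups allowed to use the method; the special id
# 'all_users' means the whole tenant (assumption based on the Graph schema).
foreach ($t in $policy.includeTargets) {
    if ($t.id -eq 'all_users') {
        "Target: all users"
    } else {
        $g = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/groups/$($t.id)?`$select=displayName"
        "Target: group '$($g.displayName)' ($($t.id))"
    }
}

if ($policy.state -ne 'enabled') {
    Write-Warning 'FIDO2 security keys are disabled; users will not see the « Security key » sign-in option.'
}
```

Running this after Step 1 is a quick way to verify that the toggle really applied to the users you intended before sending them to enroll.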


STEP 2 – Enroll your first user


Now that the feature is enabled on your tenant, you can proceed to enroll your first user.

With your selected account, go to your Azure user profile

https://account.activedirectory.windowsazure.com/

and go to « Edit security info », then « Add Method », and select « Security key »



Then select whether your key is connected through « USB » or « NFC ».


Finally, you will be prompted to enter your PIN and to give the « security key » a name, in case you have several.


STEP 3 – Login with your Security Key


You are now ready to log in without any password, only with the help of your security key 🙂

You can test it by going to the Azure Portal or to Office 365 apps. On the login page, select « Security Key » directly, or go through the « sign-in options ».

Please be aware that you can have multiple identities on one « security key »; during the login process, after the PIN, you will be prompted to select which identity you want to use.


STEP 4 – Manage your YubiKey

If you are using the YubiKey, I recommend using the « YubiKey Manager » to manage everything around the key, like the PIN, reset, smartcard and certificate setup, etc.


The end of the password era on Microsoft accounts

Hi,

Here you will find some information on how to set up your Microsoft account to log in without any password. For this purpose I will use a YubiKey 5, which is USB and NFC.

YubiKey 5 Series Keys


You also need a computer with Windows 10 version 1809 or later.

To set up your Microsoft account, proceed as follows.

STEP 1

Login to your Microsoft account with your password https://account.microsoft.com/account



STEP 2

Go to « Security » at the top of the page, and select « more security options » at the bottom.


STEP 3

Then go to « Set up a security key ».



The system will ask if you are using a USB key or an NFC device. In my case I’m using a « USB device »; then click « next ».



Then be sure that your USB device is inserted in your computer and follow the instructions. In my case I just need to « tap » the device with my finger.


And finally enter a friendly name to easily recognize your device afterwards.


STEP 4

You can now test if the configuration works as expected.

Close your browser and go to the Microsoft account login page. Don’t enter any username; just click on « Sign in with Windows Hello or a security key ».

Then follow the instructions on the screen; in my case I just need to « tap » the USB device with my finger.



Well done, you are now ready to use your Microsoft account without any password!

Your Microsoft password is still valid, and I recommend changing it to a very complex password and keeping it in a secure place. Use it only when you don’t have your USB device.