
Microsoft MFA: Enabled or Enforced

Multi-Factor Authentication (MFA)

Microsoft recommends using multi-factor authentication for the tenant's Global Administrators. If this is not done, the tenant is disabled 60 days after Microsoft's last reminder.

Warning: it is not enough to enable two-factor authentication … you also have to use it.

Enabled or Enforced

The problem is that enabling is not enough. After the user has been enabled, that user must also sign in with MFA: at that point the user's state changes from Enabled to Enforced, and only then is the state valid according to Microsoft.

You must not have Global Admins with MFA in the Enabled state, but exclusively in the Enforced state.
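To check this without clicking through every account, here is an added example (not from the original post) that lists the per-user MFA state of every Global Administrator. It assumes the MSOnline module is installed and that the account running it can read role membership; the state values Enabled and Enforced are the same ones the post refers to.

```powershell
# Added example: audit the per-user MFA state of all Global Administrators.
# Assumes the MSOnline module is installed (Install-Module MSOnline).
Connect-MsolService

# "Company Administrator" is the internal name of the Global Administrator role.
$role   = Get-MsolRole -RoleName "Company Administrator"
$admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All

foreach ($member in $admins) {
    # Role members can also be groups or service principals; only users carry an MFA state.
    if ($member.RoleMemberType -ne "User") { continue }

    $user  = Get-MsolUser -ObjectId $member.ObjectId
    $state = $user.StrongAuthenticationRequirements.State
    # An empty collection means per-user MFA was never configured for this account.
    if (-not $state) { $state = "Disabled" }

    [PSCustomObject]@{
        UserPrincipalName = $user.UserPrincipalName
        MfaState          = $state               # Disabled, Enabled or Enforced
        Compliant         = ($state -eq "Enforced")
    }
}
```

Pipe the output through `Where-Object { -not $_.Compliant }` to get only the administrators that still need to complete their first MFA sign-in.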


Microsoft Office 365: disabling two-factor authentication

When a new Microsoft 365 tenant is created, two-factor authentication is enabled by default. To disable it (or enable it), sign in to your tenant through the Azure portal (https://portal.azure.com).

Select “Azure Active Directory”.

Select “Properties”.

At the bottom you will find the link “Manage security defaults”, from which you can disable or enable it.


Register a web application with Azure AD Portal App Registration to connect to a Microsoft 365 tenant

PowerShell Limits

Through PowerShell it is possible to connect to a Microsoft 365 tenant to perform operations on users, groups and any other element of the tenant. When you use this tool, PowerShell presents you with the prompt for entering your account and password. You could write the account and password directly in the PowerShell script, but that would be a serious security compromise.

Application

An alternative is to build an application that connects directly to the tenant through customized keys present in the tenant itself. In other words, you must tell the tenant that a certain application is authorized to access it. Furthermore, for each operation that you want to perform on the tenant it is necessary to specify the appropriate permissions. To create these applications, we recommend that you follow the excellent tutorial “.Net Core console application for calling Microsoft Graph“. This post reuses the images from that tutorial only to show how the application must be prepared on the Microsoft tenant.

Register a web application with Azure AD Portal App Registration

Open a browser and navigate to the Azure Portal. Log in using your account. Select the resource “Azure Active Directory”. On the left side menu, select “App registrations”. Click New registration on the current page.

On the Register an application page, specify the following values:

  • Name = Name of your Application
  • Supported account types
  • Redirect URI
    • Type = Web
    • Value = https://localhost:8080   (*)

(*) The Redirect URI value must be unique within your domain. This value can be changed at a later time and does not need to point to a really hosted URI.

It is now necessary to store 2 values that will be used in your application:

  • Application (client) ID
  • Directory (tenant) ID

Certificates & secrets

Click Certificates & secrets.

  1. Click New client secret.
  2. On the Add a client secret dialog, specify the following values:
    • Description = Your secret’s description
    • Expires = In 1 year (for example)
  3. Click Add.

After the screen has updated with the newly created client secret copy the VALUE of the client secret. This secret string is never shown again, so make sure you copy it now.

API permissions

Click API permissions.

  • Click Add a permission
  • On the Request API permissions panel select Microsoft Graph.

  • Select Application permissions.

Now you have to choose the permissions to authorize your app. For example, to create an application that reads all information about the tenant's users, type “User” in the “Select permissions” search box and select User.Read.All from the filtered list. At the end, on the API permissions blade, click Grant admin consent for the tenant.

Summary of the data necessary for the application

Let’s see what data your application needs to connect and operate on the Microsoft Tenant.

  • applicationId = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;
  • applicationSecret = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;
  • tenantId = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;
  • redirectUri = “https://localhost:8080”;
  • domain = “yourtenant.onmicrosoft.com”;

Permissions

  • User.Read.All : Read all users’ full profiles
  • User.ReadWrite.All : Read and write all users’ full profiles
  • Group.ReadWrite.All : Read and write all groups
  • Notes.ReadWrite.All : Read and write all OneNote notebooks
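To see how the registration values above are used, here is an added example (not from the original post or the linked tutorial) that obtains an app-only token with the client credentials flow and lists users through Microsoft Graph. It assumes the Application (client) ID and Directory (tenant) ID from the portal, a client secret supplied through an environment variable (never written into the script, as the PowerShell Limits section warns), and that User.Read.All has been granted admin consent. The redirectUri and domain values are not needed for this flow.

```powershell
# Added example: client credentials flow against Microsoft Graph using the app registration.
$tenantId      = "<your Directory (tenant) ID>"       # placeholder, copy from the portal
$applicationId = "<your Application (client) ID>"     # placeholder, copy from the portal
$secret        = $env:GRAPH_CLIENT_SECRET             # set outside the script, never hard-coded

# 1. Exchange the client ID + secret for an access token (no user involved).
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -ContentType "application/x-www-form-urlencoded" `
    -Body @{
        client_id     = $applicationId
        client_secret = $secret
        # .default asks for the Application permissions that were granted with admin consent
        scope         = "https://graph.microsoft.com/.default"
        grant_type    = "client_credentials"
    }

$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Call Graph; this query needs User.Read.All (Application). Graph pages results,
#    so follow @odata.nextLink until it is absent.
$uri = "https://graph.microsoft.com/v1.0/users?`$select=displayName,userPrincipalName,accountEnabled&`$top=100"
do {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    foreach ($u in $page.value) {
        "{0}`t{1}`tenabled={2}" -f $u.displayName, $u.userPrincipalName, $u.accountEnabled
    }
    $uri = $page.'@odata.nextLink'
} while ($uri)
```

Because the token is issued to the application rather than to a person, every call is logged in the tenant's sign-in logs under the app's identity; that is what makes this approach auditable in a way that a stored admin password in a script is not.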



How to check the execution of Microsoft Agent Backup

To check the outcome of a Microsoft Azure Backup run we can take advantage of the fact that, if the backup fails, some events are generated.

Prepare script to send email

Copy and paste the following code in a new file and modify it with your data (mail server, user, password, messages).

# Mail server settings: fill in with your data
$SMTPServer = "YOUR SMTP SERVER"
$SMTPPort = "25"
$Username = "USERNAME TO ACCESS SERVER"   # also used as the From address below
$Password = "PASSWORD"                    # stored in clear text: restrict who can read this .ps1 file

# Message settings
$to = "Email recipient"
# $cc = "cc email recipient"
$subject = "Error Backup MyServer"
$body = "backup failed"
# $attachment = ""

$message = New-Object System.Net.Mail.MailMessage
$message.Subject = $subject
$message.Body = $body
$message.To.Add($to)
# $message.CC.Add($cc)
$message.From = $Username
# $message.Attachments.Add((New-Object System.Net.Mail.Attachment($attachment)))

# Send through the SMTP server with TLS and authentication
$smtp = New-Object System.Net.Mail.SmtpClient($SMTPServer, $SMTPPort)
$smtp.EnableSsl = $true
$smtp.Credentials = New-Object System.Net.NetworkCredential($Username, $Password)
$smtp.Send($message)
Write-Host "Mail Sent"

Save it as a file with the .ps1 extension.

Creating a new Task

  1. Open the Task Scheduler: Control Panel -> Administrative Tools -> Task Scheduler
  2. Right-click the “Task Scheduler Library” branch, and select the New Folder option.
  3. Type a name for the folder. For example, MyTasks.
  4. Expand the “Task Scheduler Library” branch, and select the MyTasks folder.
  5. Click the Action menu.
  6. Select the Create Task option.

Task to check Azure Backup

  1. In the Name field you can write something like “Check Microsoft Agent Backup”.
  2. Click the Triggers tab.
  3. Click the New button.
  4. Use the “Begin the task” drop-down menu to select “On an event”.
  5. Click the Custom option under the Settings section.
  6. Click the Edit Event Filter… button.
  7. Go to the XML tab and, at the bottom of the dialog, tick “Edit query manually”.
  8. Copy and paste the XML below and click OK to confirm the changes.

<QueryList>
  <Query Id="0" Path="CloudBackup">
    <Select Path="CloudBackup">*[System[(Level=1 or Level=2) and (EventID=5 or EventID=10 or EventID=11 or EventID=12 or EventID=13 or EventID=14 or EventID=16 or EventID=18)]]</Select>
  </Query>
</QueryList>

  9. Click the Actions tab.
  10. Click the New button.
  11. Browse to the PowerShell script saved earlier.
  12. Click OK to save the task.

From now on, an email should be sent to you when the backup fails.
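Before trusting the e-mail, it is worth confirming that the event filter actually matches what the agent writes. The following is an added example (not from the original post) that runs the same XML query against the CloudBackup log with Get-WinEvent; it assumes the Azure Backup agent is installed on the machine and writes to that log, as the post's filter implies.

```powershell
# Added example: run the scheduled task's event filter by hand to see recent backup failures.
$filterXml = @'
<QueryList>
  <Query Id="0" Path="CloudBackup">
    <Select Path="CloudBackup">*[System[(Level=1 or Level=2) and (EventID=5 or EventID=10 or EventID=11 or EventID=12 or EventID=13 or EventID=14 or EventID=16 or EventID=18)]]</Select>
  </Query>
</QueryList>
'@

# Get-WinEvent raises a terminating error when nothing matches; treat that as "no failures".
try {
    $events = @(Get-WinEvent -FilterXml $filterXml -MaxEvents 20 -ErrorAction Stop)
} catch {
    if ($_.FullyQualifiedErrorId -like "NoMatchingEventsFound*") { $events = @() } else { throw }
}

if ($events.Count -eq 0) {
    "No critical or error CloudBackup events found: the trigger has nothing to fire on yet."
} else {
    # Show when each failure happened and the first line of its message
    $events |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

If the log name or event IDs differ on your agent version, adjust them here first and then paste the working XML into the task; the trigger uses exactly the same filter language.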


Configure a Point-to-Site VPN connection via Openvpn on Azure

Create a virtual network

  1. Sign in to the Azure portal.
  2. In Search resources, services, and docs, type virtual network.
  3. On the Virtual Network page, select Create.
  4. On the IP Addresses tab, configure the values.

Subnet: If you use the default address space, a default subnet is created automatically.

  • Subnet name: In this example, we named the subnet “FrontEnd”.
  • Subnet address range: The address range for this subnet.

On the Security tab, at this time, leave the default values:

  • DDoS protection: Basic
  • Firewall: Disabled

So we will have this configuration (as an example):

  • Address space: 10.1.0.0/16
  • Subnet name: FrontEnd
  • Subnet address range: 10.1.0.0/24

Create a virtual network gateway

  1. In the Search the Marketplace field, type ‘Virtual Network Gateway’.

SKU: Select the gateway SKU from the dropdown. For OpenVPN you need to select VpnGw1 because

Gateway subnet address range: This field only appears if your VNet doesn't have a gateway subnet. If possible, make the range /27 or larger (/26, /25, etc.).

In this example :

GatewaySubnet: 10.1.1.0/27

Certificates

Certificates are used by Azure to authenticate clients connecting to a VNet over a Point-to-Site VPN connection. You have two options : use a root certificate that was generated with an enterprise solution (recommended), or generate a self-signed certificate.

Generate and export certificates for Point-to-Site using PowerShell

Two steps: generate the root certificate; generate the client certificate.

Root certificate

From a computer running Windows 10 or Windows Server 2016, open a Windows PowerShell console in Admin mode.

Use the following example to create the self-signed root certificate. It creates a self-signed root certificate named ‘TestVPNRootCert’ that is automatically installed in ‘Certificates - Current User\Personal\Certificates’.

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=TestVPNRootCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

You can view the certificate by opening certmgr.msc, or Manage User Certificates.

Client certificate

Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate.

From a computer running Windows 10 or Windows Server 2016, open a Windows PowerShell console in Admin mode. Identify the self-signed root certificate that is installed on the computer. The following cmdlet returns a list of the certificates installed on your computer.

Get-ChildItem -Path "Cert:\CurrentUser\My"

As output you will see a string and a name for every certificate installed on your machine.

For example :

AED812AD883826FF76B4D1D5A77B3C08EFA79F3F CN=MyOldVPNRootCert

7181AA8C1B4D34EEDB2F3D3BEC5839F3FE52D655 CN=TestVPNRootCert

Declare a variable for the root certificate using the string from the previous step:

$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\7181AA8C1B4D34EEDB2F3D3BEC5839F3FE52D655"

Modify and run the example to generate a client certificate. The result of the following example is a client certificate named ‘TestVPNClientCert’.

New-SelfSignedCertificate -Type Custom -DnsName TestVPNClientCert -KeySpec Signature  -Subject "CN=TestVPNClientCert" -KeyExportPolicy Exportable  -HashAlgorithm sha256 -KeyLength 2048  -CertStoreLocation "Cert:\CurrentUser\My"  -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

The client certificate that you generate is automatically installed in ‘Certificates – Current User\Personal\Certificates’ on your computer.

Export the root certificate public key (.cer)

To obtain a .cer file from the certificate, open Manage user certificates. Locate the self-signed root certificate, typically in ‘Certificates – Current User\Personal\Certificates’, and right-click. Click All Tasks, and then click Export. This opens the Certificate Export Wizard.

Select No, do not export the private key, and then click Next

On the Export File Format page, select Base-64 encoded X.509 (.CER), and then click Next.

For File to Export, browse to the location to which you want to export the certificate. For File name, name the certificate file. Then, click Next.

Click Finish to export the certificate. You'll find a .cer file in the selected location.

Export the client certificate

To export a client certificate, open Manage user certificates. The client certificates that you generated are, by default, located in ‘Certificates – Current User\Personal\Certificates’. Right-click the client certificate that you want to export, click all tasks, and then click Export to open the Certificate Export Wizard.

Select Yes, export the private key, and then click Next. This step is IMPORTANT!

On the Export File Format page, leave the defaults selected. Make sure that Include all certificates in the certification path if possible is selected.

On the Security page, you must protect the private key, using a password.

On the File to Export page, browse to the location to which you want to export the certificate. For File name, name the certificate file. Then, click Next. Click Finish to export the certificate.
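The two wizard exports above can also be scripted. This is an added example (not from the original post) that writes the root certificate as a Base-64 .cer and the client certificate as a password-protected .pfx with its chain, using the certificate names created earlier; it assumes both certificates are in Cert:\CurrentUser\My and that the output folder C:\myfolder (a constructed path) exists.

```powershell
# Added example: export the root (.cer, public key only) and client (.pfx, with private key)
# certificates from PowerShell instead of the Certificate Export Wizard.
$outDir = "C:\myfolder"   # constructed path, adjust as needed

# Root certificate: public part only, Base-64 encoded X.509 (what the Azure portal expects)
$root = Get-ChildItem -Path "Cert:\CurrentUser\My" |
    Where-Object { $_.Subject -eq "CN=TestVPNRootCert" } | Select-Object -First 1
if (-not $root) { throw "Root certificate CN=TestVPNRootCert not found in Cert:\CurrentUser\My" }

$b64 = [Convert]::ToBase64String($root.RawData, [Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path (Join-Path $outDir "TestVPNRootCert.cer") -Value $pem -Encoding Ascii

# Client certificate: private key included, chain built, protected by a password you type in
$client = Get-ChildItem -Path "Cert:\CurrentUser\My" |
    Where-Object { $_.Subject -eq "CN=TestVPNClientCert" } | Select-Object -First 1
if (-not $client) { throw "Client certificate CN=TestVPNClientCert not found in Cert:\CurrentUser\My" }

# Sanity check before exporting: the client certificate must be issued by the root you upload to Azure
if ($client.Issuer -ne $root.Subject) {
    throw "Client certificate issuer '$($client.Issuer)' does not match root '$($root.Subject)'"
}

$pfxPassword = Read-Host -Prompt "Password for the .pfx" -AsSecureString   # never hard-code it
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir "clientcert_vpn_test.pfx") `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

"Exported TestVPNRootCert.cer and clientcert_vpn_test.pfx to $outDir"
```

The .cer file contains only the public key, so it is safe to paste into the gateway's point-to-site configuration; the .pfx carries the client's private key and should be handed to each client machine over a protected channel and deleted from shared locations afterwards.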

Add the client address pool

The client address pool is a range of private IP addresses that you specify. The clients that connect over a Point-to-Site VPN dynamically receive an IP address from this range. Use a private IP address range that does not overlap with the on-premises location that you connect from, or the VNet that you want to connect to.

Open the virtual network gateway configuration page and navigate to the Settings section of the virtual network gateway page. In the Settings section, select Point-to-site configuration. Select Configure now to open the configuration page.

In the Address pool box, add the private IP address range that you want to use. VPN clients dynamically receive an IP address from the range that you specify.

For example : 172.16.0.0/24

Tunnel type: OpenVPN

Authentication type: Azure certificate

In the root certificate section you have to enter the root certificate name (in this example TestVPNRootCert).

Open the root certificate file (.cer) with a text editor, such as Notepad. Copy the certificate text and paste it into “Public certificate data”.

Save Point to Site Configuration.

Download the VPN client by clicking “Download VPN client” 🙂

Install OpenSSL

https://slproweb.com/products/Win32OpenSSL.html

Extract the private key and the base64 thumbprint from the .pfx client certificate.

One way is to use OpenSSL on your machine. The resulting profileinfo.txt file contains the private key and the certificates for the CA and the client.

openssl pkcs12 -in "C:\myfolder\clientcert_vpn_test.pfx" -nodes -out "C:\myfolder\profileinfo.txt"

Configure openvpn client

Unzip the profile downloaded from the virtual network's point-to-site configuration. Next, open the vpnconfig.ovpn configuration file from the OpenVPN folder using Notepad. Open profileinfo.txt in Notepad and copy and paste into vpnconfig.ovpn the following sections:

# P2S client certificate
# please fill this field with a PEM formatted cert
<cert>
$CLIENTCERTIFICATE
</cert>
# P2S client root certificate private key
# please fill this field with a PEM formatted key
<key>
$PRIVATEKEY
</key>

IMPORTANT: the certificate and key must be pasted into vpnconfig.ovpn including the -----BEGIN ...----- and -----END ...----- lines.
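Filling the two sections by hand is error-prone, so here is an added example (not from the original post) that takes the client certificate and private key blocks out of profileinfo.txt, BEGIN and END lines included, and substitutes them for the $CLIENTCERTIFICATE and $PRIVATEKEY placeholders in vpnconfig.ovpn. It assumes both files sit under C:\myfolder (constructed paths), that the client certificate is the one with subject CN=TestVPNClientCert, and that openssl printed each certificate's subject line before its PEM block, which is what `openssl pkcs12 -nodes` does.

```powershell
# Added example: build vpnconfig.ovpn from profileinfo.txt without losing the BEGIN/END lines.
$profileInfo = Get-Content -Raw "C:\myfolder\profileinfo.txt"           # constructed path
$ovpnPath    = "C:\myfolder\OpenVPN\vpnconfig.ovpn"                      # constructed path
$ovpn        = Get-Content -Raw $ovpnPath

# profileinfo.txt holds several certificates (client and CA). Pick the client one by looking
# at the "subject=" line that openssl writes just before each PEM block.
$certBlocks = [regex]::Matches($profileInfo,
    "-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", "Singleline")
$clientCert = $null
foreach ($m in $certBlocks) {
    $start  = [Math]::Max(0, $m.Index - 400)
    $before = $profileInfo.Substring($start, $m.Index - $start)
    if ($before -match "subject=.*CN\s*=\s*TestVPNClientCert") { $clientCert = $m.Value; break }
}
if (-not $clientCert) { throw "Client certificate block not found in profileinfo.txt" }

# -nodes leaves the key unencrypted; newer OpenSSL writes PKCS#8 ("PRIVATE KEY"),
# older ones may write "RSA PRIVATE KEY". Accept both.
$keyMatch = [regex]::Match($profileInfo,
    "-----BEGIN (?:RSA )?PRIVATE KEY-----.*?-----END (?:RSA )?PRIVATE KEY-----", "Singleline")
if (-not $keyMatch.Success) { throw "Private key block not found in profileinfo.txt" }

# Single quotes keep PowerShell from expanding the $ placeholders; String.Replace is literal.
$ovpn = $ovpn.Replace('$CLIENTCERTIFICATE', $clientCert).Replace('$PRIVATEKEY', $keyMatch.Value)
Set-Content -Path $ovpnPath -Value $ovpn -Encoding Ascii

"vpnconfig.ovpn updated; it now contains the client private key, so protect the file accordingly."
```

Once the profile is written, profileinfo.txt still contains the unencrypted private key in clear text and is no longer needed; remove it rather than leaving it next to the .pfx.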


Authentication Developing for Azure Media Services

After creating your Azure Media Services (AMS) account (Create a Media Services account using the Azure portal), you need to authenticate the application you are developing in order to manage your videos and streaming channels.


Developing with .net

In this article we are using the .NET framework to develop an app, but the information should be valid for all languages.

To develop an application with the .NET framework, you need to install, via NuGet, the package windowsazure.mediaservices.extensions with its dependent packages.


You can authenticate in one of two ways:

User authentication

Authenticates a person who is using the app to interact with Azure Media Services resources. The interactive application should first prompt the user for credentials.

For this authentication your app needs two strings:

Azure AD tenant (“tenant” in the example): in the Azure portal, select your AMS and then select the API page on the left menu. In the table at the bottom of the page, one of the fields is “Domain Tenant ADD”.

REST API endpoint (“endpoint” in the example): you can read this information directly on the main page of your AMS, at the top right of the page. It should look something like this:

https://yourams.restv2.yourlocation.media.azure.net/api/

In your application you have to write this code :

using Microsoft.WindowsAzure.MediaServices.Client;   // CloudMediaContext, AzureAdTokenCredentials, AzureAdTokenProvider

// Interactive sign-in: the user is prompted for Azure AD credentials
var tokenCredentials = new AzureAdTokenCredentials(tenant, AzureEnvironments.AzureCloudEnvironment);
var tokenProvider = new AzureAdTokenProvider(tokenCredentials);
_context = new CloudMediaContext(new Uri(endpoint), tokenProvider);

When you run the application you should automatically see the Microsoft user credentials form.


Service principal authentication

Authenticates a service, a specific app, without user interaction. To use this authentication in your app, you need four strings:

Azure AD tenant (“tenant” in the example): as above

REST API endpoint (“endpoint” in the example): as above

Client ID (“clientid” in the example): sign in to the Azure portal and look for “Applications”. Add a new application. After creation, in Properties, at the top of the page, you can find the “Application ID”.

Client Secret (“secretid” in the example): in your AMS select the API page. In the middle of the page you can find a small form with two fields. In the first field you have to select the application created before. Use the second field to create the client secret.

In your application you have to write this code :

using Microsoft.WindowsAzure.MediaServices.Client;   // CloudMediaContext, AzureAdTokenCredentials, AzureAdClientSymmetricKey

// Non-interactive sign-in with the application's client ID and client secret
AzureAdTokenCredentials tokenCredentials =
    new AzureAdTokenCredentials(tenant,
        new AzureAdClientSymmetricKey(_clientid, _secretid),
        AzureEnvironments.AzureCloudEnvironment);

var tokenProvider = new AzureAdTokenProvider(tokenCredentials);

_context = new CloudMediaContext(new Uri(endpoint), tokenProvider);



Creating a static website on Microsoft Azure

Azure offers numerous web servers: .NET, ASP.NET, PHP, Node.

But what if you simply need to create a static web page? Let's see what we can do with Azure.

Our goal is to create a static web page for the site www.miosito.com.

A static website on Azure is created through a storage account, specifically with the Blob type.

Create a storage account

The first step is to sign in to your Azure subscription and create a new storage account. Create it of type StorageV2. You will then have a new storage account with a name such as “mystoragemiosito”.

Create the static website

In the storage account you created, in the Settings section, click “Static website”.

Select Enabled to enable static website hosting for the storage account.

In the Index document name field, specify a default index page named index.html.

In the Error document path field, specify a default error page named 404.html (optional).

When you save, you are shown the web address of your static website, something like:

https://mystoragemiosito.z22.web.core.windows.net/

Create your index.html web page with any editor.

Still in the storage account, move to the BLOB section. The previous operation, i.e. creating the static website on the Blob, has automatically created the $web container. Enter the container and upload the index.html file (the “Upload” button at the top).

Now check that everything works: open https://mystoragemiosito.z22.web.core.windows.net/ in your browser; you will see the index.html file.

Create the link to the external website (endpoint)

Stay on the storage account page. Select “Azure CDN”. Create a new endpoint.

  • Select “Standard Akamai” as the pricing tier (recommended by Microsoft).
  • As the endpoint name enter whatever you like (in our example we use miosito).
  • As the origin hostname (delete the one proposed) you must enter the address of the blob folder containing the website (without http or https). In practice it is the address you tested earlier with the browser: in our case “mystoragemiosito.z22.web.core.windows.net”.

Once the CDN has been created (it takes a while) you will have a new address for viewing your index.html page: https://miosito.azureedge.net.

Try this address too in your browser to view the index.html page.

In the storage account from which we started to create the CDN, you will no longer find the created CDN and its endpoint: everything is under Azure resources. Select the endpoint; in the Settings section select “Origin”. If you did everything right, the endpoint is of type “custom origin”. The storage origin hostname and the storage origin header will be the same and will be our website on the blob.

Now you need to make your website, www.miosito.com, point to this Azure endpoint. First you have to work on the DNS in the management control panel of your website. You must add a CNAME record named www that points to miosito.azureedge.net.

In Azure, find your endpoint among the resources and click the button to add a custom domain:

  • Endpoint hostname: the endpoint's own name is proposed: miosito.azureedge.net
  • Custom hostname: enter your web address. In our case www.miosito.com

After this, HTTPS will be activated after some time.

Now you can finally try your website by typing https://www.miosito.com in the browser. You will see the usual index.html page.

Enabling HTTP

If you have followed the path so far, you may have found that typing http://www.miosito.com instead of https gives an error. This is because an Azure storage account is created with “Secure transfer required” enabled. So go to your storage account, in the Settings section, select “Configuration”. On that page you must disable “Secure transfer required” and save. Now http://www.miosito.com will work as well.

Cache problems

This setup has a problem. If you update the index.html page and view the Azure endpoint or your external address in the browser, you will see the content of the old index.html page. The page will instead be shown in its new version if you open the Blob's static website address in the browser.

There are two ways around this problem. The first is to purge the endpoint cache from the resource. To do so, the endpoint has a “Purge” button: this button asks you exactly which page (or resource, image, ...) you want to “purge” and thus refresh.

Another way is to update the resource by changing its name. In our case, my main page is index.html; I upload a page index2.html with the modified content into my blob's $web container; I go to the blob's static website management and change the index document to index2.html.
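The portal steps above, together with the cache purge, can be scripted with the Az PowerShell modules. This is an added example (not from the original post); it assumes the Az.Storage and Az.Cdn modules are installed, that the CDN profile and endpoint already exist, and it uses placeholder names for the resource group and CDN profile, plus a constructed local path for index.html.

```powershell
# Added example: enable static website hosting, upload index.html and purge the CDN cache.
# Assumes Az.Storage and Az.Cdn are installed and the CDN profile/endpoint already exist.
$resourceGroup  = "rg-miosito"            # placeholder, your resource group
$storageAccount = "mystoragemiosito"
$cdnProfile     = "cdn-miosito"           # placeholder, the CDN profile that owns the endpoint
$cdnEndpoint    = "miosito"
$indexFile      = "C:\site\index.html"    # constructed local path

Connect-AzAccount | Out-Null
$account = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount
$ctx     = $account.Context

# 1. Enable static website hosting (this creates the $web container) with index and error documents
Enable-AzStorageStaticWebsite -Context $ctx -IndexDocument "index.html" -ErrorDocument404Path "404.html"

# 2. Upload index.html. Set Content-Type explicitly: without it the blob may be served as
#    application/octet-stream and the browser offers a download instead of rendering the page.
Set-AzStorageBlobContent -Context $ctx -Container '$web' -File $indexFile -Blob "index.html" `
    -Properties @{ ContentType = "text/html; charset=utf-8" } -Force | Out-Null

# 3. Print the static-website address (the "...web.core.windows.net" URL shown in the portal)
"Static website endpoint: " + $account.PrimaryEndpoints.Web

# 4. After every update, purge the CDN copy so the endpoint stops serving the cached version
Unpublish-AzCdnEndpointContent -ResourceGroupName $resourceGroup -ProfileName $cdnProfile `
    -EndpointName $cdnEndpoint -PurgeContent "/index.html"
```

Run step 4 alone after each later change to index.html; it is the scripted equivalent of the “Purge” button and avoids renaming the page as in the second workaround.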


Further reading

  • Host a static website in Azure Storage: https://docs.microsoft.com/it-it/azure/storage/blobs/storage-blob-static-website-how-to
  • Use Azure CDN to enable a custom domain with SSL for a static website: https://docs.microsoft.com/it-it/azure/storage/blobs/storage-blob-static-website-custom-domain
  • Configure HTTPS on an Azure CDN custom domain: https://docs.microsoft.com/it-it/azure/cdn/cdn-custom-ssl?tabs=option-1-default-enable-https-with-a-cdn-managed-certificate
  • The account being accessed does not support http with blob SAS URL in Azure: https://www.itexperience.net/2019/04/20/the-account-being-accessed-does-not-support-http-with-blob-sas-url-in-azure/