Azure: connect to VM using an Azure AD account (WAAD) - authentication

How can I RDP to an Azure box using an account I created in Azure? I don't want to go down the route of syncing directories or anything. Just simply want to be able to create accounts in Azure that can be used to access Azure servers.
This is a basic centralised authentication model and I am sure I am just missing something. Surely Microsoft can't expect us to add a bunch of users and service accounts on EACH server we create and manage passwords etc as entirely separate entities.

By "Azure Box" I assume you mean an Azure VM running Windows. There's nothing "magical" about these VMs. If you want central user management instead of relying on local user accounts you need to add it to an Active Directory domain. And if you want sync between this Active Directory domain and the Azure Active Directory for your tenant, you need to set up Directory Sync.

One cannot do this (without resorting to directory synchronisation). A Configuration Management tool such as SaltStack/Chef/Puppet seems a leaner fit than creating a traditional AD infrastructure.

Related

AZURE SQL Database User

I created SQL account for an application but how do I restrict or deny the same account not to connect the database using SSMS or Azure data studio by the developers since the developers can view the user information in web.config file.
Thanks,
Sandeep
You can use Azure Active Directory to authenticate your app, so that you don't need to write the username and password in config file.
With Azure AD authentication, you can centrally manage the identities of database users and other Microsoft services in one central location.
Benefits:
It provides an alternative to SQL Server authentication.
It helps stop the proliferation of user identities across servers.
It allows password rotation in a single place.
You can read more details from this document.
Basically the answer to your question is... You can't...
There is no way to identify the client of a certain connection in Azure SQL. What you can do, for example, is restrict access to a certain server using s firewall. But if your dev env is on the same machine as your SSMS that won't work because you're then blocking the dev env as well.
In that case, the best practice is to create a dev database to which all devs have access. In that case, it doesn't matter for you everyone knows the password because it's the dev database.
For production environments, you need to treat database credentials as secrets and thus make sure they are stored in a safe place. When you're using Azure, the KeyVault may be a good place to store the password. This KeyVault has a fine grained way of allowing access to secrets for individuals as well as IT systems.

Does Azure SQL Database firewall automatically allow VM's in the same Resource Group?

Using Azure Resource Manager.
I have an Azure SQL Database resource, and even when I delete all "allow" firewall (on the sql server's blade) rules, my VM is still able to query the SQL DB.
EVEN when I set "Allow Access" to no for the ip address of the VM, I can still query the DB. How??
Is this because Azure automatically allows resources in the same Resource Group to access it? Even without explicit Firewall allow rules?
Under the Firewall section of the SQL Server blade, there's a switch called "Allow access to Azure services". Having this on will allow any Azure resource to access get through the firewall (they will still need your username and password of course to actually access the server). This includes Azure resources on other people's subscriptions. See this answer.
I had this turned on and that's why my firewall settings made no difference for my VM's.
Not exactly sure what's happening with your specific situation, security-wise, but Resource Groups have nothing to do with it. Resource Groups help organize resources within a single container, where you can manage those resources better (e.g. add users to the Resource Group without adding them to the rest of your subscription). They don't play a role in communication between Azure services.

How to authenticate users in a commercial environment without on-premises Windows Server equipment?

So what I need is a remote/cloud Windows Server that I can connect to using RDP (or another remote connection program) where I can create users, groups, basically everything I could do with an on-premises Server instance. What I need though is to be able to setup all the office computers to authenticate through the cloud AD. I have no clue how to do this. I cannot have a Server running on-premises, period. Just need something where I can connect each computer to the remote domain/forest, hopefully using an IP to the server, and then have the employees be able to logon to any domain-connected PC using their credentials. Thank you for any and all answers! -Scott
You need Azure Active Directory. You can control everything with remote management in the way you have described. Per the provided link, "Azure Active Directory (Azure AD) provides an easy way for businesses to manage identity and access, both in the cloud and on-premises."

Reporting Services Authentication advice sought

I have been allocated the responsibility at work of revising the current reporting services authentication process. The aim is to maintain the necessary level of security and also simplify the maintenance/configuration of granting access to the individual reports.
I do NOT have access to the domain controllers to be able to modify or create new AD groups. I have to work with the groups/users that currently exist.
In terms of authentication, it seems that I have the option of using either:
Windows authentication
SQL Server authentication.
Both the report server and the report database will reside on the same server. With this in mind, I understand that Windows authentication is probably a better solution as there is no need to maintain a separate SQL Server table of Users (and their passwords). Granting access to a report once it has been deployed on the report server, would simply involve adding the user/group to the report (load the report in a browser and access the Properties\Security option).
Using the second option of SQL Server authentication does not seem as appropriate as using Windows authentication for the reason the report server and report database are on the same box.
I am using SQL Server 2000 databases. The version of reporting services I have installed is Microsoft SQL Server 2008.
Please could someone let me know if my thinking is correct (i.e. I should go for Windows authentication). Cheers.
Jimmy
Sql Server authentication is not an option for users connecting to SSRS. It is an option for SSRS connecting to databases where it will get its data.
So bottom line, yes, you need to use Windows Authentication for user connections to SSRS. You can use special user names such as "Authenticated Users" or "Everyone" in SSRS to allow broad access.
I understand that you don't have access to AD, but managing the user accounts' membership in AD groups would be much easier than tracking and managing individual access in SSRS.
But without the AD access you can still add Windows/AD accounts to the report permissions and use those. You just create a more complex system, since you need to manage permissions for every individual separately. You can group the reports in folders and secure the folders: the reports can inherit that security.

Cannot access WSS 3.0 sites after movind Content and Config DBs

Problem:
No access to internal sites after new Instance of SQL was installed on MS SQL Server
Description:
I've got a WSS 3.0 installed on the W2K3 Sever.
Originally, there was only one Instance of MS SQL (MSDE) for Backupexec (bkupexec). Later, we installed WSS 3.0 and instead of installing the new instance of SQL we installed on the same instance (bkupexec). So, at some point all the DBs from Backupexec and DBs from WSS were all together within the same SQL instance.
After we noticed this we wanted to split those two into two separate instances: bcupexec and sharepoint. First, I have done a backup of all DBs within backupexec instance. Then, I installed new SQL Instance and called it Sharepoint and tried to restore all WSS DBs into the new SQL instance. Once that was done I check references in IIS so Content and Config would point into the new instance. But since then no go.
I can access Admin site from within IIS and from the browser. I cannot access any internal WSS sites. It asks for the authentication. All I am using is Windows authentication. Account is in AD.
As I am new to WSS I will be greateful for all suggestions and possible fixes.
If you have changed where the content DB's are located for your site collections you will need to detach and re-attach them using the SharePoint Central Admin.
Navigate to Application Management and switch to the application you're concerned about. Click "Content Databases" under the heading SharePoint Web Application Management. From here you can click "Remove content databse" and hit OK.
This will not remove the physical database from SQL, it will simply disassociate the database with that web application. You can then Add a content database from within the manage content databases screen and type the name of the database you wish to associate the application with.
If the permissions issues persist, ensure that Anonymous access is enabled for the application and that appropriate service account permissions are enabled for the DB's from within SQL and SharePoint.
Not sure this will help, but give this a try...
In central administration make sure you check on the site collection administrator for your site collections and make sure you are using that user.
In IIS Manager, check to make sure that user has access to the IIS web site.