Azure Active Directory Conditional Access and VM Management Perks Released
Microsoft on Wednesday announced Azure Active Directory management enhancements for the Azure AD Conditional Access service, as well as authentication perks for managing Azure virtual machines (VMs).
Some of the improvements were released at the preview stage and others at the “general availability” (GA) commercial-release stage. Mostly, they bring security enhancements for IT departments using the Azure AD service.
The announcements are security news coming before the RSA security conference, which starts Monday, May 17.
General Availability Features
Features at GA include support for policy searches when using the Azure AD Conditional Access service, plus IPv6 support for the “Named Locations” control. Additionally, IT pros can now use their Azure AD credentials to manage Windows-based VMs that are hosted on Azure datacenters.
Conditional Access Policy Search: Users of the Azure AD Conditional Access service, a service that lets IT pros set policies for network access by devices, can now search, sort and filter those policies within the Azure Portal. Policies can be filtered by name or creation date, for instance. This capability is at GA, but Microsoft is “gradually rolling out the feature to Government clouds.”
Named Locations IPv6 Support: Azure AD Conditional Access users also now can set up named network locations based on IPv6 address ranges, such as identifying an organization’s headquarters with such an address range. This Named Locations support for IPv6 is now at the GA stage. Previously, just IPv4 address ranges were supported. Also, the Named Locations limit is now expanded to 195 locations (up from 90 locations) and ranges are expanded to 2,000 addresses (up from 1,200 addresses).
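As an added illustration (not code from Microsoft or from the article), the following Python model shows why IPv6 support in Named Locations matters: a policy that requires MFA outside trusted locations treats an IPv6 client as untrusted until an IPv6 range is defined for the location. The location names and CIDR ranges are constructed from documentation prefixes, and the simplified evaluation and limit checks are assumptions about how such a policy behaves, not the service's implementation.

```python
import ipaddress
from dataclasses import dataclass, field

# Limits quoted in the announcement (assumed to apply per tenant).
MAX_NAMED_LOCATIONS = 195   # up from 90
MAX_IP_RANGES = 2000        # up from 1,200


@dataclass
class NamedLocation:
    name: str
    ranges: list                       # CIDR strings, IPv4 and/or IPv6
    trusted: bool = True
    networks: list = field(init=False)

    def __post_init__(self):
        self.networks = [ipaddress.ip_network(r, strict=False) for r in self.ranges]

    def contains(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        # An IPv6 client can only ever match an IPv6 range; ipaddress already
        # returns False across versions, the explicit check documents the intent.
        return any(addr.version == n.version and addr in n for n in self.networks)


def validate_locations(locations) -> bool:
    """Reject a configuration that exceeds the limits stated in the announcement."""
    if len(locations) > MAX_NAMED_LOCATIONS:
        raise ValueError(f"more than {MAX_NAMED_LOCATIONS} named locations")
    if sum(len(loc.ranges) for loc in locations) > MAX_IP_RANGES:
        raise ValueError(f"more than {MAX_IP_RANGES} IP ranges in total")
    return True


def evaluate(client_ip: str, locations) -> dict:
    """Model a 'require MFA unless the request comes from a trusted location' policy."""
    matched = [loc.name for loc in locations if loc.contains(client_ip)]
    trusted = any(loc.trusted for loc in locations if loc.name in matched)
    return {"ip": client_ip, "matched": matched,
            "control": "allow" if trusted else "require_mfa"}


# Constructed sample: headquarters defined with IPv4 only, then with IPv6 added.
HQ_IPV4_ONLY = [NamedLocation("HQ", ["203.0.113.0/24"])]
HQ_WITH_IPV6 = [NamedLocation("HQ", ["203.0.113.0/24", "2001:db8:1234::/48"])]

if __name__ == "__main__":
    for ip in ("203.0.113.7", "2001:db8:1234::10"):
        print(evaluate(ip, HQ_IPV4_ONLY), evaluate(ip, HQ_WITH_IPV6))
```

Running it shows the IPv6 client being prompted for MFA against the IPv4-only location and allowed once the IPv6 prefix is part of the same Named Location.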
Azure AD Credentials for Windows VMs: On the Azure VM management front, IT pros can now use their corporate Azure AD credentials to authenticate to, and manage, their Windows Server 2019 Datacenter edition-based Azure VMs. Azure AD also works for accessing Azure VMs running Windows 10 versions 1809 or later. This capability, which uses Remote Desktop Protocol to access the VMs, is at the GA stage now for Azure Global and Government subscribers, according to a Microsoft document. Moreover, IT pros can leverage Azure Role-Based Access Control plus Conditional Access policies to add further protections to VM management. The ability to leverage Azure AD credentials for VM management also extends to organizations using federation services (on-premises AD linked to Azure AD).
Azure AD Credentials for Linux VMs: The ability to use Azure AD credentials to manage Azure VMs also is extended to Linux. This capability is at the preview stage for Azure Global users now and will be available as a preview in June for Azure Government users, according to this document.
Azure AD access to these Linux-based Azure VMs happens over a Secure Shell (SSH) connection. Under this Azure AD scheme, however, IT pros are relieved of having to provision SSH public keys. Moreover, IT pros get the ability to set Azure AD Role-Based Access Control and Conditional Access policies for added safeguards.
Named Locations via GPS: Also at the preview stage is the ability to use the Global Positioning System (GPS) to more precisely define Named Locations. This approach is seen as a compliance assurance because a user’s actual location can be obscured by a virtual private network or other circumstances. Microsoft is planning to preview GPS use with its Azure AD Conditional Access policies, too, sometime “later this month.”
Filters for Devices: Microsoft is previewing a “Filters for Devices” capability that permits Azure AD Conditional Access policies to get set based on device attributes. This capability can be used to restrict device access to privileged resources, for instance. Microsoft suggested it will be familiar to IT pros using “Azure AD dynamic device groups.” Filters for Devices for Azure AD Conditional Access is also said to be consistent with “the new filters capability in Microsoft Endpoint Manager.”