
Virtual Geek

Tales from real IT system administrators world and non-production environment

Get started and configure certificate-based authentication in Azure

Certificate-based login to Azure can increase authentication security, provided you manage the certificates carefully. In my case I wrote a few scripts and wanted to automate Azure tasks. My user account is configured with MFA (my script scheduling was failing because of this), and I did not want to reduce security by disabling multi-factor authentication in any case.

In this situation Azure AD App Registrations can be very handy. I have already created my App registration under AAD in the article Create an Azure App registrations in Azure Active Directory using PowerShell & AzureCLI, and I will use the same account here.

Next I need an SSL certificate. If you have your own root/enterprise certificate authority server or a third-party CA, you can obtain a certificate from there. I have written an article on how to get a certificate from Active Directory Certificate Services; see Install an SSL-TLS Certificate In Microsoft IIS web server.

Here, to enable certificate-based authentication, I am generating a self-signed certificate with a few PowerShell commands from the built-in PKI module. Provide a proper subject name and note down the certificate thumbprint; I will use it later in this article.

#Generate a self-signed certificate (provide a proper subject name and note down the thumbprint)
New-SelfSignedCertificate -CertStoreLocation cert:\CurrentUser\my -Subject CN=CertLogin -KeySpec KeyExchange -FriendlyName CertLogin

#Store the thumbprint, which I can use later for authentication
$certificate = Get-ChildItem Cert:\CurrentUser\my | Where-Object {$_.Subject -eq 'CN=CertLogin'}
$thumbprint = $certificate.Thumbprint
$thumbprint


Next, download/export the certificate from the current user certificate store. Search for Manage user certificates and click Open. Expand Personal \ Certificates, locate the certificate by name, and verify on the Details tab that the thumbprint matches. With the two lines of PowerShell below you can export the certificate to a file. If you prefer the GUI export wizard instead, click the Copy to File button.

#Download/Export certificate (public key only, no private key)
$certificate = Get-ChildItem -Path "cert:\CurrentUser\My\$thumbprint"
Export-Certificate -Cert $certificate -FilePath c:\temp\CertLogin.cer


If you used the PowerShell steps above to export the certificate, you can skip this step. Clicking the Copy to File button opens the Certificate Export Wizard. On the welcome page click Next. For certificate-based login I do not require the private key, so choose No, do not export the private key, then click Next and select Base-64 encoded X.509 (.CER) as the file format. Browse to choose a folder and file name for the certificate. On the final page, review your settings and click Finish. You will receive the message The export was successful.


Follow the guide Create an Azure App registrations in Azure Active Directory using PowerShell & AzureCLI.

Next, log in to the Azure portal, navigate to Azure Active Directory >> App registrations and select Certificates & secrets. Click Upload certificate, browse in the right-hand pane and open the exported certificate, then click Add to start the upload. The certificate's thumbprint is then listed.


The App registration's service principal is configured now; next, grant it access to the Azure resources. In my case I am granting it access on the Resource Group. Click Access control (IAM) and assign a role to proceed. I am provisioning the least permissions needed: Reader.


Everything is set up. Next, gather the Azure AD App registration service principal details: application ID, subscription ID and tenant ID. Test the login to Azure and verify that the App registration account has access to the resources I assigned in the previous steps. I can retrieve the Resource Group information successfully.

Create an Azure App registrations in Azure Active Directory using PowerShell & AzureCLI.

#Check the thumbprint from previous command
$thumbprint

#AAD App registrations information
$applicationId = '61e492e8-cbc2-48e4-880a-ec39187567a5'
$subscriptionId = '9e22XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
$tenantId = '3b80XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'

#Connect to Azure or Azure Active directory with Service Principal with Certificate thumbprint
Connect-AzAccount -ServicePrincipal -CertificateThumbprint $thumbprint -Tenant $tenantId -ApplicationId $applicationId -SubscriptionId $subscriptionId

#Once login is successful verify Resources are visible to the service principal
Get-AzResourceGroup


Use Key Vault secret identifier url to get the secret value using Powershell
Working With Azure Key Vault Using Azure PowerShell and AzureCLI
Create key vault and secrets with access policies in Microsoft Azure

This is a small demo of Azure Key Vault, for cases where you want to access secrets or certificates more securely instead of keeping them in the script. You will need to configure Access policies on the Key Vault. (If you do not configure the Access policies properly you may get the error Get-AzKeyVaultSecret: Operation returned an invalid status code 'Forbidden'.)

Get-AzKeyVaultSecret -VaultName vcloudkeyvault  -Name test -AsPlainText


Download this script here or it is also available on github.com.

I did one more test to see what happens when the certificate is not present in the local system certificate store. I tested logging in from another system where the certificate is not stored, and I get the error message below even though I know the thumbprint.

Connect-AzAccount : No certificate was found in the certificate store with thumbprint 155AAA48E506FBF8CA0A29C78168F88AE2A4C5D2
At line:8 char:1
+ Connect-AzAccount -ServicePrincipal -CertificateThumbprint $thumbprin ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Connect-AzAccount], ArgumentException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand
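As an added example (not the script from this post), the following function wraps the Connect-AzAccount login shown above with pre-flight checks for the failure mode just described: it confirms the certificate is actually in Cert:\CurrentUser\My, that the store entry carries a private key (the exported .cer uploaded to Azure does not), and that it is not about to expire, which would silently break a scheduled script. The Connect-AzWithCertificate function name and the angle-bracket IDs are placeholders, not values from the post.

```powershell
# Added example: pre-flight checks before a certificate-based service principal login.
# Assumes the Az module is installed and the certificate was created in Cert:\CurrentUser\My.
function Connect-AzWithCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [int] $MinDaysValid = 30
    )

    # Normalise the thumbprint; copying it from the portal often brings spaces along
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

    # 1. The certificate must exist in this user's store, otherwise Connect-AzAccount
    #    fails with "No certificate was found in the certificate store with thumbprint ..."
    $cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        throw "Certificate $Thumbprint is not in Cert:\CurrentUser\My on this machine."
    }

    # 2. The login signs a token with the private key, so the store entry must have one.
    #    Importing only the exported public .cer on a new machine is not enough.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; only the public part is present."
    }

    # 3. Warn ahead of expiry so scheduled automation does not stop without notice
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $MinDaysValid) {
        Write-Warning "Certificate $Thumbprint expires in $daysLeft days ($($cert.NotAfter)). Rotate it and upload the new public key under Certificates & secrets."
    }

    # 4. Non-interactive login as the App registration's service principal (no MFA prompt)
    Connect-AzAccount -ServicePrincipal -CertificateThumbprint $Thumbprint `
        -Tenant $TenantId -ApplicationId $ApplicationId -SubscriptionId $SubscriptionId | Out-Null
    return Get-AzContext
}

# Usage with placeholder IDs; replace them with your own App registration values
$ctx = Connect-AzWithCertificate -Thumbprint '<THUMBPRINT>' -TenantId '<TENANT-ID>' `
    -ApplicationId '<APPLICATION-ID>' -SubscriptionId '<SUBSCRIPTION-ID>'
"Connected as $($ctx.Account.Id) to subscription $($ctx.Subscription.Name)"
# With only the Reader role assigned, listing is all this principal can do
Get-AzResourceGroup | Select-Object ResourceGroupName, Location
```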

