Certificate-based (X.509) login to Azure strengthens authentication, provided you manage the certificates carefully. In my case I had written a few scripts and wanted to automate Azure tasks. My user account is configured with MFA, which made the scheduled scripts fail, and I did not want to weaken security by disabling multi-factor authentication.
For this situation an Azure AD App Registration is the right tool. I already created the App registration under AAD in the article Create an Azure App registrations in Azure Active Directory using PowerShell & AzureCLI, and I will use the same one here.
Next I need a certificate. If you run your own root or enterprise certificate authority, or use a third-party CA, you can request one from there; I described requesting a certificate from Active Directory Certificate Services in Install an SSL-TLS Certificate In Microsoft IIS web server.
Here, to enable certificate-based authentication, I generate a self-signed certificate with a few PowerShell commands from the built-in PKI module. Give it a meaningful subject name and note down the thumbprint; I will use it later. Two caveats: New-SelfSignedCertificate issues a certificate valid for one year by default, so plan the rotation, and the private key it creates is the credential for this service principal, so protect the certificate store it lives in as you would a password.
# Generate a self-signed certificate (provide a proper subject name and note down the thumbprint)
❯ New-SelfSignedCertificate -CertStoreLocation cert:\CurrentUser\my -Subject CN=CertLogin -KeySpec KeyExchange -FriendlyName CertLogin
# Store the thumbprint, which I use later for authentication
❯ $certificate = Get-ChildItem Cert:\CurrentUser\my | Where-Object {$_.Subject -eq 'CN=CertLogin'}
❯ $thumbprint = $certificate.Thumbprint
❯ $thumbprint
Next, export the certificate from the current user's certificate store. To do this via the GUI, search for Manage user certificates and open it, expand Personal \ Certificates, locate the certificate by name and confirm the thumbprint on the Details tab. The two PowerShell lines below export it to a file; if you prefer the GUI export wizard, click Copy to File on the Details tab instead.
# Download/export the certificate (public part only, DER-encoded .cer)
❯ $certificate = Get-ChildItem -Path "cert:\CurrentUser\My\$thumbprint"
❯ Export-Certificate -Cert $certificate -FilePath c:\temp\CertLogin.cer
If you used the PowerShell steps above you can skip this step. Clicking Copy to File opens the Certificate Export Wizard. On the welcome page click Next. Certificate-based login to Azure AD only needs the public certificate, so choose No, do not export the private key, click Next and select Base-64 encoded X.509 (.CER). Browse to choose a folder and file name for the certificate. On the completion page review the settings and click Finish; you should see the message The export was successful.
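The following is an added example, not code from the original article: it performs the same generate-and-export procedure as above but with explicit hardening, refusing to create a duplicate subject (so a later Where-Object on Subject cannot return several thumbprints), pinning the key size and hash, making the private key non-exportable, setting the validity explicitly and exporting only the public certificate. The subject CN=CertLogin and the path C:\temp are placeholders taken from the article; change them to suit.

```powershell
# Added example (not from the original article). Assumptions: subject
# 'CN=CertLogin' and output path C:\temp\CertLogin.cer are placeholders.
$subject   = 'CN=CertLogin'
$outFile   = 'C:\temp\CertLogin.cer'
$storePath = 'Cert:\CurrentUser\My'

# Refuse to create a second certificate with the same subject; otherwise a
# later lookup by Subject would return several thumbprints.
$existing = Get-ChildItem -Path $storePath | Where-Object { $_.Subject -eq $subject }
if ($existing) {
    throw "A certificate with subject '$subject' already exists (thumbprint $($existing.Thumbprint -join ', ')). Remove it or choose another subject."
}

# Splatting keeps the parameters readable and lets each one carry a comment.
$certParams = @{
    CertStoreLocation = $storePath
    Subject           = $subject
    FriendlyName      = 'CertLogin'
    KeySpec           = 'KeyExchange'
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    HashAlgorithm     = 'SHA256'
    KeyExportPolicy   = 'NonExportable'            # the private key never leaves this user's store
    NotAfter          = (Get-Date).AddMonths(12)   # default is one year; make the rotation date explicit
}
$certificate = New-SelfSignedCertificate @certParams

# Connect-AzAccount signs the token request with the private key, so it must be present.
if (-not $certificate.HasPrivateKey) {
    throw 'The new certificate has no private key; check the key storage provider.'
}

# Export only the public certificate (DER .cer). No private key is written to disk.
New-Item -ItemType Directory -Path (Split-Path -Parent $outFile) -Force | Out-Null
Export-Certificate -Cert $certificate -FilePath $outFile -Type CERT | Out-Null

# Record what a later login script and the App registration upload will need.
[pscustomobject]@{
    Thumbprint = $certificate.Thumbprint
    NotAfter   = $certificate.NotAfter
    Exported   = $outFile
}
```

Because the key is non-exportable, the only way to use this identity is on this machine under this user account, which is exactly what you want for a scheduled task; if the task runs under a different account, generate the certificate in that account's store instead of copying it.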
Next log on to the Azure portal, navigate to Azure Active Directory >> App registrations, open your registration and select Certificates & secrets. Click Upload certificate, browse to the exported .cer file in the panel that opens and click Add. The thumbprint of the uploaded certificate is then listed; confirm it matches the one you noted.
The service principal of the App registration is now configured; next grant it access to Azure resources. In my case I grant access at the resource group scope: open Access control (IAM) on the resource group and add a role assignment for the service principal. I assign the least privilege the scripts need, Reader.
Everything is set up. Next gather the service principal details: application (client) ID, subscription ID and tenant ID. Then test the login and verify that the service principal can see the resources it was granted access to in the previous step. Here the resource group information is returned successfully.
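The same two portal steps (uploading the public certificate to the App registration and granting Reader on one resource group) can be scripted, which is easier to review and repeat. This is an added example and not part of the original article; it must be run by an administrator who can edit the App registration and assign roles, since the service principal cannot bootstrap its own credential. The application ID, the resource group name rg-automation and the .cer path are placeholders.

```powershell
# Added example (not from the original article). Placeholders: $applicationId,
# resource group 'rg-automation' and the exported certificate path.
$applicationId     = '00000000-0000-0000-0000-000000000000'
$resourceGroupName = 'rg-automation'
$cerPath           = 'C:\temp\CertLogin.cer'

# Interactive administrator login; MFA applies here, which is fine for a one-off setup.
Connect-AzAccount -ErrorAction Stop | Out-Null

# 1. Register the public certificate as a credential of the App registration.
$cert      = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$certValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
New-AzADAppCredential -ApplicationId $applicationId -CertValue $certValue `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter -ErrorAction Stop | Out-Null
"Uploaded certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"

# 2. Resolve the service principal object behind the App registration.
$sp = Get-AzADServicePrincipal -ApplicationId $applicationId
if (-not $sp) {
    throw "No service principal exists for application $applicationId; create it with New-AzADServicePrincipal -ApplicationId $applicationId first."
}

# 3. Grant Reader at resource group scope, the least privilege the scripts need.
$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$resourceGroupName"
$already = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope -RoleDefinitionName 'Reader' |
    Where-Object { $_.Scope -eq $scope }
if (-not $already) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' -Scope $scope -ErrorAction Stop | Out-Null
}

# 4. Show every assignment the principal holds at or above this scope; anything
#    beyond Reader here is more privilege than the article's use case needs.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

The final listing includes inherited assignments (for example a role granted at subscription level), so it doubles as a check that the service principal has not silently picked up broader rights than intended.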
# Check the thumbprint from the previous command
❯ $thumbprint
# AAD App registration information
❯ $applicationId = '61e492e8-cbc2-48e4-880a-ec39187567a5'
❯ $subscriptionId = '9e22XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
❯ $tenantId = '3b80XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
# Connect to Azure / Azure Active Directory as the service principal, using the certificate thumbprint
❯ Connect-AzAccount -ServicePrincipal -CertificateThumbprint $thumbprint -Tenant $tenantId -ApplicationId $applicationId -SubscriptionId $subscriptionId
# Once login is successful, verify the resources are visible to the service principal
❯ Get-AzResourceGroup
This is a small demonstration of Azure Key Vault for cases where the script needs secrets or certificates at run time and should not keep them in the script itself. The service principal needs an access policy on the vault; without one, Get-AzKeyVaultSecret fails with: Operation returned an invalid status code 'Forbidden'.
❯ Get-AzKeyVaultSecret -VaultName vcloudkeyvault -Name test -AsPlainText
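The access policy the article refers to can be granted and verified from PowerShell, and the secret read can be written so that the Forbidden case is reported clearly instead of surfacing as a raw exception. This is an added example, not the article's own code. The vault name vcloudkeyvault and secret name test are taken from the command above; the application ID is a placeholder, and the dummy user name svc-user exists only to wrap the value in a PSCredential.

```powershell
# Added example (not from the original article). Placeholders: $applicationId;
# vault 'vcloudkeyvault' and secret 'test' come from the article's command.
$vaultName     = 'vcloudkeyvault'
$secretName    = 'test'
$applicationId = '00000000-0000-0000-0000-000000000000'

# --- Part 1: run as the vault owner (interactive administrator session) ---
$sp = Get-AzADServicePrincipal -ApplicationId $applicationId
if (-not $sp) { throw "No service principal for application $applicationId." }

# 'get' only: the script reads known secret names, so it needs neither list
# nor set/delete/purge. Set-AzKeyVaultAccessPolicy replaces this principal's
# existing secret permissions rather than appending to them.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id -PermissionsToSecrets get -ErrorAction Stop

# Verify what was actually written for this principal.
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id } |
    Select-Object ObjectId, PermissionsToSecrets, PermissionsToKeys, PermissionsToCertificates

# --- Part 2: run as the service principal (after the certificate login above) ---
try {
    $secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -ErrorAction Stop

    # Keep the value as a SecureString and unwrap it only at the point of use,
    # here by handing it to a PSCredential the calling code can pass on.
    $credential = New-Object System.Management.Automation.PSCredential('svc-user', $secret.SecretValue)
    "Retrieved secret '$secretName' (version $($secret.Version)), $($credential.GetNetworkCredential().Password.Length) characters"
}
catch {
    if ($_.Exception.Message -match 'Forbidden') {
        Write-Error "Access denied on vault '$vaultName' for this principal: add an access policy with the 'get' secret permission (or an equivalent RBAC role) and retry."
    }
    else {
        throw
    }
}
```

Reading by name with only the get permission is deliberate: a principal with list can enumerate every secret name in the vault, which is useful to an attacker who has obtained the certificate and unnecessary for a script that already knows which secret it wants.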
I ran one more test: what happens when the certificate is not present in the local certificate store? Logging in from another system that does not hold the certificate produces the error below, even though the thumbprint is known. The thumbprint is only a lookup key into the store; the private key behind it is what actually authenticates.
Connect-AzAccount : No certificate was found in the certificate store with thumbprint 155AAA48E506FBF8CA0A29C78168F88AE2A4C5D2
At line:8 char:1
+ Connect-AzAccount -ServicePrincipal -CertificateThumbprint $thumbprin ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Connect-AzAccount], ArgumentException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand
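A login wrapper for the scheduled scripts, added here as an example and not part of the original article, makes the failure above and its neighbours (public-only certificate, expired certificate, missing role assignment) show up as specific messages before or during Connect-AzAccount. It reuses the same parameters as the login command shown earlier; the function name Connect-AzWithCertificate and the resource group used for the access check are my own choices.

```powershell
# Added example (not from the original article). The function name and the
# -ResourceGroupName access check are assumptions; fill in the real IDs.
function Connect-AzWithCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [string] $ResourceGroupName          # optional: verify the Reader assignment works
    )

    # Thumbprints copied from the MMC Details tab often contain spaces.
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

    # 1. The certificate must exist in a store the running account can read.
    $certificate = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $certificate) {
        $certificate = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    }
    if (-not $certificate) {
        throw "No certificate with thumbprint $Thumbprint in CurrentUser\My or LocalMachine\My on $env:COMPUTERNAME as $env:USERNAME. Run on the host and account that hold the private key."
    }

    # 2. An imported .cer carries no private key and cannot sign the token request.
    if (-not $certificate.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in this store; importing the public .cer is not enough."
    }

    # 3. Azure AD rejects expired credentials; warn before that happens.
    $daysLeft = [int]($certificate.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 0)  { throw "Certificate $Thumbprint expired on $($certificate.NotAfter)." }
    if ($daysLeft -lt 30) { Write-Warning "Certificate $Thumbprint expires in $daysLeft days; rotate it and upload the new public certificate." }

    # 4. Log in as the service principal.
    $connectParams = @{
        ServicePrincipal      = $true
        CertificateThumbprint = $Thumbprint
        ApplicationId         = $ApplicationId
        Tenant                = $TenantId
        Subscription          = $SubscriptionId
        ErrorAction           = 'Stop'
    }
    $context = (Connect-AzAccount @connectParams).Context
    "Connected as $($context.Account.Id) to subscription $($context.Subscription.Id)"

    # 5. Prove the role assignment is effective; a missing assignment shows up
    #    here as a clear error rather than later in the middle of the script.
    if ($ResourceGroupName) {
        Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction Stop | Select-Object ResourceGroupName, Location
    }
}

# Usage (values are placeholders):
# Connect-AzWithCertificate -Thumbprint $thumbprint -ApplicationId $applicationId `
#     -TenantId $tenantId -SubscriptionId $subscriptionId -ResourceGroupName 'rg-automation'
```

When the script runs as a scheduled task, the account the task runs under is the one whose CurrentUser\My store is searched, so the $env:USERNAME in the error message tells you immediately whether the certificate was simply generated for the wrong account.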