英文:
How can i restrict login to an Azure VM using Active Directory?
问题
我已在Azure中创建了一个虚拟机,并在管理部分设置了“使用Azure AD登录”。
但我仍然可以使用用户名和密码使用rdp登录到该机器。
如何限制用户只能连接到Active Directory用户?
此外,用户可以通过以下链接连接到运行在该机器上的服务:
http://<vm_ip>/<port_number>
如何将此限制仅适用于AD用户?
英文:
I have created a VM in Azure and set "Login with Azure AD" under the Management Section.
But i can still use rdp to login to the machine with username and password.
How can i restrict that so that a user can only connect if they are and Active Directory user ?
Also users can connect to a service running on the machine via a link
http://<vm_ip>/<port_number>
How can i restrict this to AD users as well ?
答案1
得分: 0
为了限制仅允许 Azure Active Directory 用户连接到 Azure 虚拟机并使用 RDP 访问,您可以按照以下步骤操作:
- 使用管理员用户凭据登录到 Azure 虚拟机。
- 禁用网络级别身份验证。
- 使用以下命令将用户分配给远程桌面组和管理员组。
net localgroup "Remote Desktop Users" /add "AzureAD\xxxxxx.onmicrosoft.com"
net localgroup "Administrator" /add "AzureAD\xxxxxx.onmicrosoft.com"
例如:用户 VPN:Theja@xxxx.onmicrosoft.com
Get-LocalGroupMember -Name "Remote Desktop Users"
- 为用户分配 RBAC 角色,以使用 Azure AD 凭据登录到 VM。
为用户分配任何角色。
虚拟机管理员登录 - 分配给此角色的用户可以使用 Azure AD 管理员权限登录。
虚拟机用户登录 - 分配给此角色的用户可以以普通用户权限登录。
- 使用以下值修改已下载的 RDP 文件并保存该文件。
enablecredsspsupport:i:0
authentication level:i:2
username:s:Theja@Testdemo.onmicrosoft.com(在此处添加您的用户名)
domain:s:AzureAD
-
使用 Azure AD 凭据登录到 VM。
-
按照以下步骤禁用本地管理员帐户。
计算机配置 >> Windows 设置 >> 安全设置 >> 本地策略 >> 安全选项 >> "帐户:管理员帐户状态" 设置为 "禁用"。
- 在 "计算机管理" 中禁用 "Administrator" 用户。
一旦 "本地管理员" 用户被禁用,当尝试使用相同用户登录时,您将收到以下错误消息。
另外,要限制 Azure AD 用户通过链接连接到机器上运行的服务,您可以在应用程序级别或服务器级别实施限制。
英文:
> How can i restrict that so that a user can only connect if they are and Active Directory user?
To restrict RDP
access to an Azure virtual machine
only to users authenticated with Azure Active Directory
, you can follow these steps.
- Login to Azure VM with Admin user credentials.
- Disable the Network Level Authentication.
- Assign user to Remote Desktop Group and
Administrator
using below command.
net localgroup "Remote Desktop Users" /add "AzureAD\xxxxxx.onmicrosoft.com"
net localgroup "Administrator" /add "AzureAD\xxxxxx.onmicrosoft.com"
Ex: user VPN:Theja@xxxx.onmicrosoft.com
Get-LocalGroupMember -Name "Remote Desktop users"
- Assign the RBAC role to user for login to
VM
withAzure AD
credentials.
Assign any role to users.
Virtual Machine Administrator Login- User assigned to this role,Can log in to Azure AD Admin privileges.
Virtual Machine User Login -User assigned this role,Can login in to normal user privileges.
- Modify the downloaded RDP File with below Values and save the file.
enablecredsspsupport:i:0
authentication level:i:2
username:s:Theja@Testdemo.onmicrosoft.com (Add your username here)
domain:s:AzureAD
-
Login to VM with Azure AD Credentials.
-
Disable the Local Administrator by following the steps.
Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Administrator account status" to "Disabled".
- Disable the
Administrator
user inComputer Managment
.
8.Once the 'Local Admin'
user is disabled, when I try to log in with the same user, I receive the following error.
> Also users can connect to a service running on the machine via a link
To restrict the Azure AD
user for the service inside the machine, you can implement restrictions at either the application level or the server level.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论