Azure Security Architect https://azuresecurityarchitect.com/ For all your cloud security needs (feed built Wed, 27 Nov 2024 18:13:19 +0000)

Device Restrictions using Conditional Access Policies in Azure Entra ID https://azuresecurityarchitect.com/entra-id/device-restrictions-using-conditional-access-policies-in-azure-entra-id/ Wed, 27 Nov 2024 18:13:19 +0000

The post Device Restrictions using Conditional Access Policies in Azure Entra ID appeared first on Azure Security Architect.

Conditional Access can restrict which devices are allowed to reach your Azure subscriptions. Target the policy at the Microsoft Azure Management cloud app (the Windows Azure Service Management API, which fronts the portal, CLI and ARM) and use the grant control Require device to be marked as compliant: only devices that Intune (or another supported MDM) reports as compliant get a token. This control works on the device’s compliance claim, not on a list of devices or CIDR ranges; trusted IP ranges are modelled separately as named locations. Exceptions are made by excluding users or groups from the policy, or by a device filter that excludes specific devices by attribute. Start the policy in report-only mode and always exclude a break-glass account.

The exact error

The portal encountered an issue while attempting to retrieve access tokens. We suggest attempting to sign in again, or alternatively, continuing without access tokens, although this may result in a suboptimal user experience. Additional details: invalid_grant: AADSTS530004: AcceptCompliantDevice setting isn’t configured for this organization. The admin needs to configure this setting to allow external users access to protected resources. Trace ID: af449c59-5668-4e01-9c12-6148328d6500 Correlation ID: e0318484-7e18-4c0f-b7a9-a678a9bc8cfd Timestamp: 2024-11-27 17:58:53Z.

What it means: the account that hit the policy is an external (B2B guest) user. A guest’s device compliance is asserted by the guest’s home tenant, and your tenant ignores that claim until you accept it under External Identities > Cross-tenant access settings > Inbound access > Trust settings (“Trust compliant devices”), either in the default settings or in a partner-specific entry for the vendor’s tenant. Until then a compliant-device policy blocks every guest with AADSTS530004, even if the device is compliant in its own tenant. Scope the trust to the partner tenants you actually work with rather than enabling it for all organisations.
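The two configuration steps above, as an added example written for this page (not code from the original post): create the compliant-device policy for the Azure management plane in report-only mode, then accept the compliant-device claim from the vendor’s tenant so guests stop failing with AADSTS530004. It assumes the Microsoft.Graph PowerShell SDK and an account allowed to write Conditional Access and cross-tenant access policies; the group, break-glass and vendor tenant IDs are placeholders.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell SDK and
# Conditional Access / cross-tenant policy write rights; the IDs below are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Policy.ReadWrite.CrossTenantAccess","Application.Read.All"

$vendorGroupId  = "00000000-0000-0000-0000-000000000001"   # placeholder: group holding the vendor guests
$breakGlassId   = "00000000-0000-0000-0000-000000000002"   # placeholder: emergency-access account, always excluded
$vendorTenantId = "11111111-1111-1111-1111-111111111111"   # placeholder: the vendor's home tenant ID

# 1. Conditional Access: a compliant device is required to call the Azure management plane.
#    797f4846-ba00-4fd7-ba43-dac1f8f63013 is the well-known app ID of "Windows Azure Service
#    Management API" (shown as "Microsoft Azure Management" in the portal). Report-only first.
$policy = @{
    displayName = "CA-AzureMgmt-RequireCompliantDevice"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeGroups = @($vendorGroupId); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" -Body $policy
"Created CA policy $($created.id) in state $($created.state)"

# 2. Cross-tenant access settings: accept the compliant-device claim issued by the vendor's
#    tenant only (not the default for all organisations). Without this, every guest from that
#    tenant fails the policy above with AADSTS530004.
$partner = @{
    tenantId     = $vendorTenantId
    inboundTrust = @{ isCompliantDeviceAccepted = $true; isMfaAccepted = $true }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners" -Body $partner | Out-Null

# Verify: the partner entry must now report isCompliantDeviceAccepted = True
(Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/$vendorTenantId").inboundTrust
```

If a partner entry for that tenant already exists the POST returns a conflict; PATCH the same URI with just the inboundTrust object instead. Switch the policy to enabled only after the report-only sign-in logs show the vendor guests passing.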

Letting in vendors to your Entra Tenant https://azuresecurityarchitect.com/entra-id/letting-in-vendors-to-your-entra-tenant/ Sat, 23 Nov 2024 00:26:33 +0000

The post Letting in vendors to your Entra Tenant appeared first on Azure Security Architect.

Use Case

Let a set of vendor engineers into your Azure subscription, typically read-only. Note the role: read-only on Azure resources is the Azure RBAC Reader role assigned at subscription scope. Global Reader is an Entra ID directory role that grants read access to the directory and the Microsoft 365 admin centres, not to Azure resources.

Steps in Entra and in Azure

  1. Invite each engineer as a B2B guest using their vendor email address as the sign-in identifier. They authenticate with their own organisation (the vendor’s Entra tenant, or a one-time passcode if they have no Entra account), so you never hold their credentials and their MFA and leaver process stay with the vendor.
  2. No licence is needed to invite a guest into your Entra tenant: External Identities is billed per monthly active user, and the first 50,000 MAU per month are free.
  3. Put all vendor guests into a single Entra ID security group, ideally with a recurring access review on the group so membership expires when the engagement ends.
  4. Use Azure RBAC to assign that group the Reader role (or a narrower custom role) at the subscription or resource-group scope. Assign to the group, never to individual guests, so off-boarding is a single group-membership change.
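The four steps end to end, as an added example for this page (not the original post’s code): invite the guests, put them in one security group, and give that group Reader on the subscription. It assumes the Microsoft.Graph and Az PowerShell modules and rights to invite guests, create groups and assign roles; the email addresses, subscription ID and group name are placeholders.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph and Az PowerShell
# modules; email addresses, subscription ID and group name below are placeholders.
Connect-MgGraph -Scopes "User.Invite.All","Group.ReadWrite.All","GroupMember.ReadWrite.All"
Connect-AzAccount

$subscriptionId = "22222222-2222-2222-2222-222222222222"            # placeholder
$vendorEmails   = @("alice@vendor.example", "bob@vendor.example")     # placeholders

# 1. Invite each engineer as a B2B guest. The email address becomes the sign-in identifier;
#    authentication stays with the vendor's own identity provider.
$guestIds = foreach ($email in $vendorEmails) {
    $inv = New-MgInvitation -InvitedUserEmailAddress $email `
                            -InviteRedirectUrl "https://portal.azure.com" `
                            -SendInvitationMessage
    $inv.InvitedUser.Id
}

# 2. One security group for all vendor guests (security-enabled, mail-disabled).
$group = New-MgGroup -DisplayName "sg-vendor-engineers" -MailNickname "sg-vendor-engineers" `
                     -SecurityEnabled:$true -MailEnabled:$false
foreach ($id in $guestIds) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $id
}

# 3. Azure RBAC: Reader on the subscription, assigned to the group rather than to each guest.
#    (Global Reader is an Entra directory role and grants nothing on Azure resources.)
Start-Sleep -Seconds 30   # a brand-new group can take a moment to be visible to ARM
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName "Reader" `
                     -Scope "/subscriptions/$subscriptionId" | Out-Null

# Verify: exactly one assignment, principal type Group
Get-AzRoleAssignment -ObjectId $group.Id -Scope "/subscriptions/$subscriptionId" |
    Select-Object DisplayName, RoleDefinitionName, Scope, ObjectType
```

If New-AzRoleAssignment reports that the principal does not exist, the group has not replicated yet; retry after a short wait rather than assigning the role to individual guests. Pair the group with an access review (see the Access Reviews post) so vendor access does not outlive the contract.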

P2 licenses – Use Case – SSO Authentication and MFA – no mailbox https://azuresecurityarchitect.com/entra-id/licensing/p2-licenses-use-case-sso-authentication-and-mfa-no-mailbox/ Fri, 22 Nov 2024 20:36:46 +0000

The post P2 licenses – Use Case – SSO Authentication and MFA – no mailbox appeared first on Azure Security Architect.

Use Case – SSO Authentication and MFA – no mailbox

Users who only need to sign in (SSO) with MFA and have no mailbox. An Entra ID P2 licence covers this on its own: it buys identity features (Conditional Access, Identity Protection, PIM, access reviews) and has no dependency on Exchange Online, so no mailbox licence is required.

P2 licenses – cloud-only authentication (not federated): the accounts authenticate in Entra ID directly, as cloud-only accounts or synced accounts using password hash sync, rather than being redirected to an on-premises AD FS farm.

Devices versus Apps – Managed by Intune https://azuresecurityarchitect.com/intune/devices-versus-apps-managed-by-intune/ Fri, 22 Nov 2024 20:36:05 +0000

The post Devices versus Apps – Managed by Intune appeared first on Azure Security Architect.

Intune

Intune can manage both devices (MDM: enrolment, compliance evaluation, configuration, remote wipe) and the applications on those devices (MAM: app protection policies that control what a managed app may do with corporate data, such as copy/paste, save-as and encryption at rest).

It can also be used for application management only, with no device enrolment (MAM without enrolment, typical for BYOD), leaving device management to another tool. The trade-off matters for Conditional Access: an unenrolled device is never reported as compliant, so policies that require a compliant device will not admit it; use the “require app protection policy” grant control for those users instead.

Migration of Azure site-to-site VPN tunnel from one region to another https://azuresecurityarchitect.com/expressroute/migration-of-azure-site-to-site-vpn-tunnel-from-one-region-to-another/ Mon, 18 Nov 2024 14:14:32 +0000

The post Migration of Azure site-to-site VPN tunnel from one region to another appeared first on Azure Security Architect.

Option 1 – create a new VPN gateway in the new region (preferred)

A VPN gateway’s region cannot be changed in place, so the move is a rebuild:

Create a VNet with a GatewaySubnet in the target region and deploy a new VPN gateway in it. The new gateway gets a new public IP address.

Recreate the local network gateway and the site-to-site connection against the new gateway with the same settings as the old one (on-premises address prefixes, IKE/IPsec parameters and the pre-shared key, which you can read from the existing connection).

Then update your on-premises VPN device to point at the new gateway’s public IP; this switches the tunnel to the new region. If the on-premises device supports two tunnels, bring the new one up alongside the old one and cut routing over before deleting the old gateway, so connectivity is maintained throughout.

None of this is done by “modifying the gateway’s location”: the portal, PowerShell or CLI deploys the new gateway and connection, and the on-premises device is updated separately.

Option 2 – actually move the resources over (not preferred)

The entire VNet (including the GatewaySubnet and the workloads in it) is moved with Azure Resource Mover. Virtual network gateways are not movable, so the gateway, local network gateway and connection still have to be deleted and recreated in the target region, and the cutover on the on-premises side is the same as in option 1. This is not the classic-to-Resource Manager migration, which changes the deployment model, not the region.
 

Azure Hub Spoke Best Practices https://azuresecurityarchitect.com/azure-network-security/azure-hub-spoke-best-practices/ Tue, 16 Apr 2024 19:22:10 +0000

The post Azure Hub Spoke Best Practices appeared first on Azure Security Architect.

The hub VNet contains the firewall subnet (AzureFirewallSubnet), the GatewaySubnet holding the site-to-site VPN gateway, and a workload subnet A. The spoke VNet, peered with the hub, contains other workloads in subnet B.

With that layout, traffic between on-premises and Azure already enters and leaves through the VPN gateway in the GatewaySubnet. What does not happen by itself is inspection: the gateway and the peering deliver packets straight to the destination subnet, bypassing the firewall.

ROUTING so that ALL TRAFFIC goes through the Firewall?

User-defined routes (UDRs) in route tables do it. The next hop is always the firewall’s private IP address (next hop type “Virtual appliance”), never the firewall subnet or the gateway:

  1. Attach a route table (ROUTE-FW) to the GatewaySubnet with one route per spoke prefix (for example 10.2.0.0/16 for subnet B) whose next hop is the firewall’s private IP. Inbound VPN traffic bound for the spoke then passes the firewall. Never put a 0.0.0.0/0 route on the GatewaySubnet; it breaks the gateway’s own control-plane and tunnel traffic.
  2. Attach a second route table to subnet B in the spoke with a 0.0.0.0/0 route whose next hop is the firewall’s private IP, and enable “Disable BGP route propagation” on that table, so that routes learned from the VPN gateway cannot create a direct path back to on-premises that skips the firewall. Put the same kind of table on workload subnet A in the hub.
  3. The peering must allow gateway transit on the hub side, use remote gateways on the spoke side, and allow forwarded traffic on both sides. With that, traffic from subnet B (a spoke peered with the hub) and from subnet A goes through the firewall in both directions, and on-premises-to-spoke traffic is inspected too.

[Diagram: azure hub spoke firewall]
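The three routing steps above, as an added example for this page (not code from the original post): a GatewaySubnet route table with spoke-specific routes, a workload route table with a default route to the firewall and BGP propagation disabled, and the peering flags. It assumes the Az PowerShell module, an existing hub VNet, spoke VNet and Azure Firewall, and that the names and prefixes are placeholders.

```powershell
# Added example (not from the original post). Assumes the Az PowerShell module and existing hub
# VNet, spoke VNet and Azure Firewall; names, prefixes and subnet names are placeholders.
Connect-AzAccount

$rg     = "rg-hub-spoke"
$region = "westeurope"
$spokeB = "10.2.0.0/16"     # placeholder: spoke VNet prefix (subnet B lives inside it)
$fwIp   = (Get-AzFirewall -Name "fw-hub" -ResourceGroupName $rg).IpConfigurations[0].PrivateIPAddress

# Helper: attach a route table to one subnet of one VNet (re-reads the VNet to avoid stale etags).
function Set-SubnetRouteTable([string]$VnetName, [string]$SubnetName, $RouteTable) {
    $v  = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $rg
    $sn = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $v -Name $SubnetName
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $v -Name $SubnetName `
        -AddressPrefix $sn.AddressPrefix -RouteTable $RouteTable | Out-Null
    Set-AzVirtualNetwork -VirtualNetwork $v | Out-Null
}

# 1. GatewaySubnet: one route per spoke prefix -> firewall private IP. No default route here.
$rtGw = New-AzRouteTable -Name "rt-gatewaysubnet" -ResourceGroupName $rg -Location $region
Add-AzRouteConfig -RouteTable $rtGw -Name "to-spokeB-via-fw" -AddressPrefix $spokeB `
                  -NextHopType VirtualAppliance -NextHopIpAddress $fwIp | Out-Null
$rtGw = Set-AzRouteTable -RouteTable $rtGw
Set-SubnetRouteTable -VnetName "vnet-hub" -SubnetName "GatewaySubnet" -RouteTable $rtGw

# 2. Workload subnets (spoke B and hub A): default route -> firewall, BGP propagation disabled
#    so on-premises routes learned from the gateway cannot bypass the firewall.
$rtWorkload = New-AzRouteTable -Name "rt-workload" -ResourceGroupName $rg -Location $region -DisableBgpRoutePropagation
Add-AzRouteConfig -RouteTable $rtWorkload -Name "default-via-fw" -AddressPrefix "0.0.0.0/0" `
                  -NextHopType VirtualAppliance -NextHopIpAddress $fwIp | Out-Null
$rtWorkload = Set-AzRouteTable -RouteTable $rtWorkload
Set-SubnetRouteTable -VnetName "vnet-spoke" -SubnetName "subnet-b" -RouteTable $rtWorkload
Set-SubnetRouteTable -VnetName "vnet-hub"   -SubnetName "subnet-a" -RouteTable $rtWorkload

# 3. Peering: gateway transit (hub), remote gateway (spoke), forwarded traffic both ways,
#    which firewall-forwarded packets require.
$hub   = Get-AzVirtualNetwork -Name "vnet-hub"   -ResourceGroupName $rg
$spoke = Get-AzVirtualNetwork -Name "vnet-spoke" -ResourceGroupName $rg
Add-AzVirtualNetworkPeering -Name "hub-to-spoke" -VirtualNetwork $hub -RemoteVirtualNetworkId $spoke.Id `
    -AllowGatewayTransit -AllowForwardedTraffic | Out-Null
Add-AzVirtualNetworkPeering -Name "spoke-to-hub" -VirtualNetwork $spoke -RemoteVirtualNetworkId $hub.Id `
    -UseRemoteGateways -AllowForwardedTraffic | Out-Null
```

To prove the path, run `Get-AzEffectiveRouteTable -NetworkInterfaceName <nic-in-subnet-b> -ResourceGroupName $rg`: the 0.0.0.0/0 entry must show next hop VirtualAppliance with the firewall’s IP, and no VirtualNetworkGateway routes should appear for the on-premises prefixes. The firewall also needs rules that allow the flows you expect; routing only brings the packets to it.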

Container Networking Security on Azure https://azuresecurityarchitect.com/uncategorized/container-networking-security-on-azure/ Tue, 16 Apr 2024 00:41:50 +0000

The post Container Networking Security on Azure appeared first on Azure Security Architect.

For containers to be addressed directly on the VNet, so that their traffic can reach Azure PaaS services (for example Storage) through a service endpoint or private endpoint and be allowed by the PaaS firewall as a VNet source, use the Azure Container Networking Interface (Azure CNI) plugin. With Azure CNI every pod gets an IP address from the node subnet, so NSG rules, service-endpoint rules and firewall rules see the pod’s real address. With kubenet pods use a separate pod CIDR and are NATed behind the node’s IP when they leave the node, so PaaS network rules can only be written for the node subnet as a whole. Size the node subnet for nodes multiplied by the maximum pods per node, because Azure CNI consumes a VNet IP per pod.
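An added example for this page (not from the original post) showing why the pod address matters: a node subnet with a Microsoft.Storage service endpoint, an AKS cluster using Azure CNI in that subnet, and a storage account that denies everything except that subnet. Because pods carry subnet IPs, the storage rule covers the pods themselves. It assumes the Az PowerShell module (Az.Aks, Az.Network, Az.Storage); names, ranges and region are placeholders.

```powershell
# Added example (not from the original post). Assumes the Az PowerShell module (Az.Aks,
# Az.Network, Az.Storage); resource names, address ranges and the region are placeholders.
Connect-AzAccount
$rg = "rg-aks"; $region = "westeurope"
New-AzResourceGroup -Name $rg -Location $region -Force | Out-Null

# 1. Node subnet with a Microsoft.Storage service endpoint: traffic from IPs in this subnet
#    reaches Storage over the Azure backbone carrying the subnet identity.
$subnet = New-AzVirtualNetworkSubnetConfig -Name "snet-aks-nodes" -AddressPrefix "10.30.0.0/22" `
                                           -ServiceEndpoint "Microsoft.Storage"
$vnet = New-AzVirtualNetwork -Name "vnet-aks" -ResourceGroupName $rg -Location $region `
                             -AddressPrefix "10.30.0.0/16" -Subnet $subnet
$subnetId = (Get-AzVirtualNetworkSubnetConfig -Name "snet-aks-nodes" -VirtualNetwork $vnet).Id

# 2. AKS with Azure CNI: every pod gets an IP from snet-aks-nodes (a /22 holds 2 nodes at the
#    default 30 pods each with room to spare). Azure network policy enforces pod-to-pod rules.
New-AzAksCluster -ResourceGroupName $rg -Name "aks-cni" -Location $region -NodeCount 2 `
    -NetworkPlugin azure -NetworkPolicy azure -NodeVnetSubnetID $subnetId `
    -ServiceCidr "10.100.0.0/16" -DnsServiceIP "10.100.0.10" -GenerateSshKey | Out-Null

# 3. Storage account: default Deny, allow only the AKS node subnet. With Azure CNI this rule
#    admits the pods' own addresses, not just the nodes.
$saName = "stakscni$(Get-Random -Maximum 99999)"
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $region `
                           -SkuName Standard_LRS -Kind StorageV2
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName -DefaultAction Deny -Bypass None | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName -VirtualNetworkResourceId $subnetId | Out-Null

# Verify: DefaultAction Deny with a single VirtualNetworkRule for the node subnet
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName | Select-Object DefaultAction, VirtualNetworkRules
```

The cluster identity needs Network Contributor on the subnet when you bring your own VNet; if cluster creation fails on subnet permissions, grant that role to the cluster’s managed identity and retry. Service endpoints still send traffic to the storage account’s public endpoint; use a private endpoint instead if the account must not be reachable from the internet at all.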

Access Reviews in Azure AD https://azuresecurityarchitect.com/azure-ad/access-reviews-in-azure-ad/ Tue, 16 Apr 2024 00:23:47 +0000

The post Access Reviews in Azure AD appeared first on Azure Security Architect.

When you create access reviews for admin-level roles (for example Global Administrator or Password Administrator), you have a couple of options for what happens with the review results. You do not necessarily want an administrator removed from a role just because nobody answered the review. Two settings control this:

  • Auto apply results to resource: when ON, decisions are applied to the resource (the role assignment is removed or kept, the group member dropped) as soon as the review ends; when OFF, an administrator applies them manually, which is the safer choice for privileged roles.
  • If reviewers don’t respond: No change, Remove access, Approve access, or Take recommendations. For privileged roles choose No change (with a short review period and reminders) rather than Remove access, so a missed review cannot strip an emergency or break-glass administrator.
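A review of Global Administrator assignments with exactly those two settings, as an added example for this page (not code from the original post): results are auto-applied, but a non-response leaves access unchanged. It assumes the Microsoft.Graph PowerShell SDK and an account that can create access reviews; the reviewer ID and start date are placeholders, and the role template ID is the well-known one for Global Administrator.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell SDK and
# rights to create access reviews; the reviewer ID and start date are placeholders.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$reviewerId = "00000000-0000-0000-0000-000000000003"                # placeholder: reviewing user
$globalAdminRoleTemplate = "62e90394-69f5-4237-9190-012177145e10"   # well-known Global Administrator template ID

$definition = @{
    displayName          = "Quarterly review - Global Administrator"
    descriptionForAdmins = "Confirm every Global Administrator still needs the role."
    scope = @{
        "@odata.type"   = "#microsoft.graph.principalResourceMembershipsScope"
        principalScopes = @(@{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
                               query = "/users"; queryType = "MicrosoftGraph" })
        resourceScopes  = @(@{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
                               query = "/roleManagement/directory/roleDefinitions/$globalAdminRoleTemplate"
                               queryType = "MicrosoftGraph" })
    }
    reviewers = @(@{ query = "/users/$reviewerId"; queryType = "MicrosoftGraph" })
    settings = @{
        instanceDurationInDays          = 14
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true
        autoApplyDecisionsEnabled       = $true    # "Auto apply results to resource" = ON
        defaultDecisionEnabled          = $false   # "If reviewers don't respond" = No change
        defaultDecision                 = "None"   # "Deny" = Remove access, "Recommendation" = Take recommendations
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = "2025-01-01" }   # placeholder start date
        }
    }
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions" -Body $definition
"Created review $($created.id); auto-apply=$($created.settings.autoApplyDecisionsEnabled), no-response decision=$($created.settings.defaultDecision)"
```

Setting defaultDecisionEnabled to $true with defaultDecision "Deny" is what turns a forgotten review into a removed admin; keep it off for privileged roles and rely on reminders and a second reviewer instead. Access reviews require an Entra ID P2 (or Governance) licence for the reviewed users.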

External Users and Active Directory https://azuresecurityarchitect.com/active-directory/external-users-and-active-directory/ Mon, 15 Apr 2024 15:16:53 +0000

The post External Users and Active Directory appeared first on Azure Security Architect.

Also read – 4 types of authentication

What exactly are External Users from an AD perspective?

External users can be both your own corporate (remote) users and external partners. This was confusing to me at first, but even your own corporate users are external as soon as they log in from outside the corporate network.

How do you authenticate external users?

A particular zone of the internal network is exposed via a Web Application Proxy (a reverse proxy). Usually this is the DMZ zone. The proxy pre-authenticates the user with AD FS before any request is forwarded to the internal application, so unauthenticated traffic never reaches the backend.

What about Kerberos? Don’t internal users need to be on the network to get a Kerberos ticket?

The external user never obtains a Kerberos ticket from outside. After AD FS pre-authentication, the Web Application Proxy server’s own computer account requests a service ticket on the user’s behalf using Kerberos constrained delegation with protocol transition (S4U2Self/S4U2Proxy) and presents it to the backend application. That is the “magic”, and it has a precondition: the proxy’s computer account must be allowed to delegate to the backend’s SPN. Constrain it to that SPN only; a proxy trusted for unconstrained delegation can impersonate any user to any service in the domain.
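The delegation set-up and the publishing step, as an added example for this page (not from the original post): grant the proxy’s computer account constrained delegation to one SPN with protocol transition, then publish the application with AD FS pre-authentication and Kerberos to the backend. It assumes a domain-joined Web Application Proxy server with the RSAT ActiveDirectory module, an AD FS relying party already configured for the app, and that host names, SPN, computer name and certificate thumbprint are placeholders.

```powershell
# Added example (not from the original post). Run on the Web Application Proxy server with the
# RSAT ActiveDirectory module and an account allowed to edit the computer object. Host names, SPN,
# computer name, relying-party name and certificate thumbprint are placeholders.
Import-Module ActiveDirectory
Import-Module WebApplicationProxy

$wapComputer = "WAP01"                                          # placeholder: proxy computer account
$backendSpn  = "HTTP/app.corp.contoso.com"                      # placeholder: SPN of the internal web app
$rpName      = "Intranet App"                                   # placeholder: relying-party trust in AD FS
$certThumb   = "0123456789ABCDEF0123456789ABCDEF01234567"       # placeholder: cert for the external URL

# 1. Constrained delegation to exactly this SPN, with protocol transition so the proxy can obtain
#    a ticket for a user it authenticated via AD FS rather than via Kerberos. Never use
#    "Trust this computer for delegation to any service" (unconstrained delegation).
Set-ADComputer -Identity $wapComputer -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpn }
Set-ADAccountControl -Identity "$wapComputer$" -TrustedToAuthForDelegation $true

# 2. Publish the application: AD FS pre-authentication on the outside, Kerberos (KCD) inside.
Add-WebApplicationProxyApplication -Name "Intranet App" `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName $rpName `
    -ExternalUrl "https://app.contoso.com/" `
    -BackendServerUrl "https://app.corp.contoso.com/" `
    -BackendServerAuthenticationSPN $backendSpn `
    -ExternalCertificateThumbprint $certThumb

# 3. Verify the delegation list contains only the intended SPN.
(Get-ADComputer -Identity $wapComputer -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
```

The backend must accept Windows Integrated authentication and the SPN must be registered on the account the web app runs as; otherwise the proxy’s S4U2Proxy request fails and users see a 401 after a successful AD FS sign-in. Audit the msDS-AllowedToDelegateTo attribute of every proxy periodically, since anything added there widens what the proxy can impersonate.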

 

Azure Firewall – Stateful, Packet Inspection https://azuresecurityarchitect.com/azure-security-ecosystem/azure-firewall-stateful-packet-inspection/ Mon, 15 Apr 2024 14:38:25 +0000

The post Azure Firewall – Stateful, Packet Inspection appeared first on Azure Security Architect.

What is needed to deploy an Azure Firewall?

Azure Firewall requires its own dedicated subnet, which must be named AzureFirewallSubnet and be at least a /26, plus a Standard-SKU public IP address for outbound SNAT and inbound DNAT. Nothing else may be placed in that subnet and you cannot attach an NSG to it. If the VNet has no free address space for the subnet, add an address space to the VNet first.

Do I also need NSGs?

Usually yes. Azure Firewall only sees traffic that is routed to it (via user-defined routes for internet-bound, on-premises and spoke-to-spoke traffic); traffic between subnets of the same VNet, or between VMs in one subnet, never reaches it unless you route it there. NSGs filter at the subnet and NIC level regardless of routing, so keep them for east-west segmentation and as a second layer in case a route is ever misconfigured.

Do I also need ASGs?

Not for the firewall itself. An Application Security Group is a named set of NICs that NSG rules can reference instead of IP addresses; it is a convenience for NSG rules and is unrelated to Azure Firewall, which groups sources and destinations with IP Groups.

Do I also need Azure Policy?

No. Azure Policy is a governance control, not a network control: it can deny or audit configurations (for example VMs with public IPs, or subnets without a route table pointing at the firewall) but it does not filter traffic. It is useful alongside the firewall, not instead of it.
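A minimal deployment that reflects the answers above, as an added example for this page (not code from the original post): the mandatory AzureFirewallSubnet, a Standard public IP, the firewall with one network and one application rule collection, and an NSG on the workload subnet because the firewall does not see intra-VNet traffic. It assumes the Az PowerShell module and an existing hub VNet with a free /26; all names and prefixes are placeholders.

```powershell
# Added example (not from the original post). Assumes the Az PowerShell module and an existing
# hub VNet with a free /26; names, prefixes and the on-premises DNS address are placeholders.
Connect-AzAccount
$rg = "rg-hub"; $region = "westeurope"

# 1. Dedicated subnet: the name AzureFirewallSubnet is mandatory, /26 minimum, no NSG allowed.
$vnet = Get-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg
Add-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix "10.0.255.0/26" -VirtualNetwork $vnet | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# 2. Standard-SKU static public IP for SNAT/DNAT, then the firewall.
$pip = New-AzPublicIpAddress -Name "pip-fw-hub" -ResourceGroupName $rg -Location $region -AllocationMethod Static -Sku Standard
$fw  = New-AzFirewall -Name "fw-hub" -ResourceGroupName $rg -Location $region -VirtualNetwork $vnet -PublicIpAddress $pip

# 3. Rules. Default is deny; allow only on-premises DNS (network rule) and Windows Update
#    (application rule, FQDN tag) from the hub and spoke ranges.
$srcRanges = @("10.0.0.0/16", "10.2.0.0/16")
$dnsRule = New-AzFirewallNetworkRule -Name "allow-onprem-dns" -Protocol UDP `
               -SourceAddress $srcRanges -DestinationAddress "10.50.1.10" -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name "net-allow" -Priority 200 -Rule $dnsRule -ActionType Allow
$wuRule  = New-AzFirewallApplicationRule -Name "allow-windows-update" -SourceAddress $srcRanges -FqdnTag WindowsUpdate
$appColl = New-AzFirewallApplicationRuleCollection -Name "app-allow" -Priority 200 -Rule $wuRule -ActionType Allow
$fw.NetworkRuleCollections.Add($netColl)
$fw.ApplicationRuleCollections.Add($appColl)
$fw = Set-AzFirewall -AzureFirewall $fw

# 4. NSG on the workload subnet is still required: the firewall never sees intra-VNet traffic
#    unless a UDR sends it there. Allow HTTPS from the spoke, deny everything else from the VNet
#    (the deny at 4000 overrides the built-in AllowVnetInBound at 65000).
$allowHttps = New-AzNetworkSecurityRuleConfig -Name "allow-https-from-spoke" -Direction Inbound -Priority 100 -Access Allow `
    -Protocol Tcp -SourceAddressPrefix "10.2.0.0/16" -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443
$denyVnet = New-AzNetworkSecurityRuleConfig -Name "deny-vnet-inbound" -Direction Inbound -Priority 4000 -Access Deny `
    -Protocol * -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *
$nsg = New-AzNetworkSecurityGroup -Name "nsg-subnet-a" -ResourceGroupName $rg -Location $region -SecurityRules $allowHttps, $denyVnet
$subA = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "subnet-a"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "subnet-a" -AddressPrefix $subA.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

"Firewall private IP for UDR next hop: $($fw.IpConfigurations[0].PrivateIPAddress)"
```

The printed private IP is the next hop to use in the route tables described in the hub-spoke post; without those routes the firewall receives nothing. Enable diagnostic logging (AzureFirewallNetworkRule and AzureFirewallApplicationRule categories) to a Log Analytics workspace before relying on the deny-by-default behaviour, so dropped flows are visible.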
