Problem with remote session using Azure AD credentials

Forum: General PowerShell Q&A

  • #179907 (Participant)

      Hi!

      I'm trying to execute commands on a remote machine.
      Both host and remote machine are AzureAD-joined to the same domain, and the user, e.g. AzureAD\TestUser, has admin rights on the remote machine, i.e. AzureAD\TestUser shows up when I do a net localgroup Administrators on the remote machine. There is no local domain or DC or anything, only AzureAD.

      Remoting itself seems to work correctly, as I can successfully execute
      Invoke-Command -ScriptBlock {Get-EventLog system -Newest 10} -ComputerName -Authentication Negotiate -Credential local_admin
      where local_admin is a local admin account on the remote machine (for testing purposes).

      However, trying the same command with -Credential AzureAD\TestUser gives me an "Access is denied".

      I even added (with some extra effort) the AzureAD\TestUser to the PSSessionConfiguration, i.e.
      Get-PSSessionConfiguration -Name Microsoft.Powershell on the remote machine gives
      Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed, AzureAD\TestUser AccessAllowed,
      but this should be redundant as the AzureAD user is already in the Admin group.

      There also exists a user profile for AzureAD\TestUser on the remote machine (as well as the host machine), so this user has successfully physically logged into both machines prior to attempting the remoting.

      There must be something I'm missing. Thanks for any pointers.
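
      The checks described in the question, gathered into one diagnostic script. This is an added example, not code from the thread: it assumes the target is named by the placeholder REMOTE-PC, that the account is AzureAD\TestUser as in the question, that local_admin is the local administrator account the poster used for the working test, and that WinRM is already enabled on the target (which the working local_admin call shows).

```powershell
# Added diagnostic, not from the thread. Assumptions: $Remote is a placeholder for the
# target hostname, $User is the Azure AD account from the question, and a local admin
# account (local_admin in the thread) exists for the known-good comparison session.
param(
    [string]$Remote = 'REMOTE-PC',          # placeholder, replace with the real name
    [string]$User   = 'AzureAD\TestUser'    # account from the question
)

# 1. Is the WinRM listener reachable at all (no credentials involved yet)?
Test-WSMan -ComputerName $Remote -ErrorAction Stop | Out-Null
Write-Host "WinRM endpoint reachable on $Remote"

# 2. Repeat the 'net localgroup Administrators' check from a working Negotiate session
#    using the local admin account, so the membership is read on the target itself.
$adminCred = Get-Credential -Message "local_admin on $Remote"
$isAdmin = Invoke-Command -ComputerName $Remote -Authentication Negotiate -Credential $adminCred -ScriptBlock {
    param($u)
    # net prints one member per line, so an exact (case-insensitive) match is enough
    (net localgroup Administrators) -contains $u
} -ArgumentList $User
Write-Host "$User listed in Administrators on $($Remote): $isAdmin"

# 3. Read back the session configuration ACL the poster modified, from the same session.
$perm = Invoke-Command -ComputerName $Remote -Authentication Negotiate -Credential $adminCred -ScriptBlock {
    (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
}
Write-Host "Microsoft.PowerShell endpoint ACL: $perm"

# 4. Reproduce the failing call with the Azure AD account and keep the full error record,
#    so an authorization failure ('Access is denied') can be told apart from an
#    authentication failure in the Negotiate exchange.
$aadCred = Get-Credential -UserName $User -Message "Azure AD password for $User"
try {
    Invoke-Command -ComputerName $Remote -Authentication Negotiate -Credential $aadCred `
        -ScriptBlock { whoami } -ErrorAction Stop
}
catch {
    Write-Warning ("Azure AD remoting failed: {0} [{1}]" -f $_.Exception.Message, $_.FullyQualifiedErrorId)
}
```

      Run it from the host machine while logged on as the Azure AD user; the FullyQualifiedErrorId printed in step 4 is what to quote when comparing against the working local_admin session.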

    • #185333 (Participant)

      I encountered something similar some time ago, but the project took a turn so I wasn't able to end in success. However, I did speak with Microsoft at the time, and for this scenario to work with AzureAD accounts and joined systems, Conditional Access is required (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview).

      If you have a subscription, it's worth involving the Azure team.

    • #187945 (Participant)

      Do you have the modules installed? AzureAD requires commands from the MSOnline module and the AzureAD module. If you run...

      gcm "*msol*"

      and

      gcm "*AzureAD*"

      and you don't see a lot of commands returning, you need to install the modules.

      install-module msonline

      and

      install-module azuread

      After that, you need to use...

      connect-msonline

      and

      connect-azuread

      to connect into your instances. If your machine is a member, it will prompt you for creds if your logged-in creds aren't elevated.
