From mi-announce at u.washington.edu Fri Sep 16 15:50:31 2022
From: mi-announce at u.washington.edu (Microsoft Infrastructure Service Announcements)
Date: Wed Mar 20 13:41:44 2024
Subject: [mi-announce] Enabling Windows Authentication via Azure AD for Azure SQL Managed Instances
Message-ID:

When: Today, 9/16/2022

What: UW-IT has enabled Windows Authentication with Azure SQL Managed Instances via the trust-based flow.

More Info:

Azure SQL Managed Instances are a platform-based solution and represent the future direction for existing Microsoft SQL Servers. Prior to this change, you could only use Azure AD or SQL-based authentication with Azure SQL Managed Instances. While Azure AD authentication is modern, many existing SQL Servers include Kerberos authentication protocol dependencies such as linked servers or multi-hop Kerberos delegation. Recognizing this key blocker, Microsoft developed Azure AD Kerberos, a cloud-based Kerberos service endpoint backed by our Azure AD. Azure AD Kerberos moved to general availability last month. This allows Azure SQL Managed Instances to use traditional Kerberos-based scenarios.

There are two possible authentication flows supported for this scenario, and UW supports both. Both rely on Azure AD-based authentication at the client, which is transformed to Kerberos tokens during the authentication flow. For more about how this works, see: https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-implementation-aad-kerberos?source=recommendations&view=azuresql.

Note that because this starts with Azure AD-based authentication and your Azure SQL Managed Instance has an Azure AD application identity, you can layer 2FA or other Azure AD conditional access features on top of this solution. Adding 2FA to SQL has been a long-desired goal for many at the UW, and this solution provides a path to that. See https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/authn/2fa/per-application/ for how to request a per-application 2FA conditional access policy.

1. Trust-based flow: For more about how to enable your Azure SQL Managed Instance to leverage this new feature using the trust-based flow, see: https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-azuread-kerberos-managed-instance?view=azuresql.

2. Modern flow: Most clients at the UW do not meet the minimum requirements for the modern flow, but we recommend it over the trust-based flow, if possible. For more on setting up the modern flow, see: https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-azuread-setup-modern-interactive-flow?view=azuresql

Both flows require a group policy setting. We've implemented that setting at the NETID domain level because there is no downside to doing so, and it should eliminate problems getting the correct values in place:

Default Domain GPO: Computer\Administrative Templates\System\Kerberos\Specify KDC proxy servers for Kerberos clients
    Policy setting: Enabled
    Options: KERBEROS.MICROSOFTONLINE.COM

Brian Arkills
Microsoft Infrastructure service owner
UW-IT

From mi-announce at u.washington.edu Fri Sep 16 16:19:35 2022
From: mi-announce at u.washington.edu (Microsoft Infrastructure Service Announcements)
Date: Wed Mar 20 13:41:44 2024
Subject: [mi-announce] Opt-in to 2FA for UW Azure AD for Admin UW NetIDs
Message-ID:

When: Available now

What: Opt-in to 2FA for UW Azure AD for Admin UW NetIDs

More Info:

Admin UW NetIDs are not eligible to opt in to 'UW Duo 2FA for the Web'. This solution provides a self-service mechanism to require Duo 2FA for an individual Admin UW NetID for all Azure AD applications. All holders of Admin UW NetIDs are encouraged to opt in, especially those with any use of Azure subscriptions. See https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/authn/2fa/admin-netids/ for how to proceed.

Brian Arkills
Microsoft Infrastructure service owner
UW-IT

From mi-announce at u.washington.edu Mon Sep 26 11:58:41 2022
From: mi-announce at u.washington.edu (Microsoft Infrastructure Service Announcements)
Date: Wed Mar 20 13:41:44 2024
Subject: [mi-announce] Duo and 2FA for Windows
Message-ID:

I know some of you have gotten a Duo for Windows integration via https://itconnect.uw.edu/guides-by-topic/security-authentication/authn/2fa-for-systems/. We'd like to call your attention to an analysis paper released at: https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/comm/analysis/20220926-duo-and-2fa-for-windows/.

Brian Arkills
Microsoft Infrastructure service owner
UW-IT
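The first announcement in this thread relies on the "Specify KDC proxy servers for Kerberos clients" policy reaching every NETID-joined client through the Default Domain GPO. The PowerShell check below is an added example for verifying that on a given machine; it is not part of any of the announcements, of UW-IT's tooling, or of Microsoft's documentation. It assumes the policy is stored in the registry under HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kerberos\KdcProxyServer, that the value name is the realm KERBEROS.MICROSOFTONLINE.COM, and that the value data is a KDC proxy specification of the form "<https kerberos.microsoftonline.com:443:/KdcProxy />"; confirm the key path and the expected data against Microsoft's Azure AD Kerberos documentation for your environment before relying on it.

```powershell
# Added example, not from the UW-IT announcements or Microsoft's tooling.
# Verifies that a Windows client received the "Specify KDC proxy servers for
# Kerberos clients" policy and that the Azure AD Kerberos realm maps to an
# HTTPS KDC proxy on the expected host, so the client does not silently fall
# back to on-premises-only Kerberos when talking to an Azure SQL Managed Instance.
#
# ASSUMPTIONS (check against Microsoft's documentation for your environment):
#   - the policy lives under $PolicyPath, one registry value per realm;
#   - the value name is the realm and the data has the form
#     "<https kerberos.microsoftonline.com:443:/KdcProxy />".
[CmdletBinding()]
param(
    [string]$PolicyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kerberos\KdcProxyServer',
    [string]$Realm        = 'KERBEROS.MICROSOFTONLINE.COM',
    [string]$ExpectedHost = 'kerberos.microsoftonline.com'
)

function Test-KdcProxyMapping {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Realm,
        [Parameter(Mandatory)] [string]$ExpectedHost
    )

    $result = [ordered]@{ Realm = $Realm; Path = $Path; Data = $null; Ok = $false; Reason = '' }

    # No key at all means the GPO has not applied (wrong OU, stale policy cache, not domain-joined).
    if (-not (Test-Path -Path $Path)) {
        $result.Reason = 'policy key not present; the GPO has not applied to this machine (try gpupdate /force)'
        return [pscustomobject]$result
    }

    $data = (Get-Item -Path $Path).GetValue($Realm, $null)
    if ($null -eq $data) {
        $result.Reason = "no mapping for realm $Realm under the policy key"
        return [pscustomobject]$result
    }
    $result.Data = $data

    # Assumed proxy-spec grammar: "<scheme host:port:/path />". Anything else is treated as misconfigured.
    if ($data -notmatch '^<(?<scheme>[a-z]+)\s+(?<host>[^:\s]+):(?<port>\d+):(?<path>\S+)\s*/>$') {
        $result.Reason = 'mapping data does not parse as a KDC proxy specification'
        return [pscustomobject]$result
    }

    # Insist on HTTPS to the expected host: a KDC proxy over plain HTTP or to an
    # unexpected host would hand Kerberos traffic to something other than Azure AD Kerberos.
    $problems = @()
    if ($Matches.scheme -ne 'https')      { $problems += "scheme is '$($Matches.scheme)', expected https" }
    if ($Matches.host -ne $ExpectedHost)  { $problems += "host is '$($Matches.host)', expected $ExpectedHost" }
    if ($Matches.port -ne '443')          { $problems += "port is $($Matches.port), expected 443" }
    if ($Matches.path -ne '/KdcProxy')    { $problems += "path is '$($Matches.path)', expected /KdcProxy" }

    if ($problems.Count -eq 0) {
        $result.Ok = $true
        $result.Reason = 'mapping present and points at the expected HTTPS KDC proxy'
    } else {
        $result.Reason = $problems -join '; '
    }
    return [pscustomobject]$result
}

$check = Test-KdcProxyMapping -Path $PolicyPath -Realm $Realm -ExpectedHost $ExpectedHost
$check | Format-List
if (-not $check.Ok) { exit 1 }
```

Run it in an elevated PowerShell on a NETID-joined client after a gpupdate; a non-zero exit code means the client will not be able to obtain tickets for the cloud realm, which shows up on the SQL side as an ordinary Windows authentication failure rather than anything that names the KDC proxy. The host, scheme and port checks are deliberate: the policy is a list of realm-to-proxy mappings, so a typo or a stray HTTP entry pushed through a lower-precedence GPO is the kind of fault this catches.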