Saturday, February 4, 2023

New number matching Azure MFA feature impacts Microsoft RDGW & NPS extension

Background

Are you using Microsoft Native Remote Desktop Gateway (RDGW) in combination with the NPS extension to secure your RDGW with MFA? Prepare for this change which will be enforced tenant-wide for all users starting February 27, 2023!

Number matching is a security upgrade to traditional second factor notifications in Microsoft Authenticator. Microsoft will remove the admin controls and enforce the number match experience.

This is what Microsoft recommends:

"We highly recommend enabling number matching in the near term for improved sign-in security. Relevant services will begin deploying these changes after February 27, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance."

While this adds and unlocks security capabilities and options, there is a downside if you currently use RD Gateway with the NPS Extension for Azure MFA. If you need more background information on how this works, check out this article I published back in 2017, which is still relevant: The Microsoft Platform: Securing RD Gateway with MFA using the new NPS Extension for Azure MFA!

The impact on RD Gateway + NPS Extension

The reason for the impact is that NPS does not support number matching. However, the latest NPS extension does work with One-Time Password (OTP) methods, such as the OTP available in Microsoft Authenticator. In general, make sure that you run the latest version of the NPS extension. For more information on supported versions, the (registry) workaround you can use and other requirements that apply, follow this guide.

If your organization uses Remote Desktop Gateway and the user is registered for OTP codes along with Microsoft Authenticator push notifications, the user won't be able to meet the Azure AD MFA challenge and Remote Desktop Gateway sign-in will fail.

Release notes on this change

Below is a snippet of the release notes of NPS extension version 1.2.2131.2 that addresses the change Microsoft made.

"...Changed the default value of OVERRIDE_NUMBER_MATCHING_WITH_OTP from False to a Microsoft managed value. There is no change to the current authentication experience for users. Microsoft will begin enabling number matching for all users of the Microsoft Authenticator app starting 27th of February 2023.
After this date, if your organization has not set the OVERRIDE_NUMBER_MATCHING_WITH_OTP value to False, your Microsoft Authenticator users will be required to enter an OTP code instead of the Approve/Deny push notification experience..."

Solution (more of a workaround)

What you can do to prevent failed sign-ins after February 27, 2023 is the following: set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE.

To create the registry value on your NPS server that keeps the Approve/Deny push notification experience:

1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
2. Create the value OVERRIDE_NUMBER_MATCHING_WITH_OTP and set it to FALSE (this matches the release notes quoted above; a value of TRUE would not achieve the fallback described here).
3. Restart the NPS Service.

What this does is fall back to Approve/Deny push notifications when using Microsoft Authenticator, instead of requiring users to type an OTP code.
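The following PowerShell script is an added example, not part of the original post or of Microsoft's NPS extension, that performs the three steps above on an NPS server and also checks which version of the extension is installed (the post advises running the latest one). It assumes the script runs elevated on the NPS server, that the NPS service is named IAS (display name "Network Policy Server"), that the extension reads its settings as string (REG_SZ) values, and that the extension's uninstall entry has a DisplayName containing "NPS Extension"; adjust the wildcard if your installation differs.

```powershell
# Added example (not from the original post): keep Approve/Deny push for
# Microsoft Authenticator users by setting the NPS extension override to FALSE.
# Assumptions: elevated session on the NPS server; NPS service name 'IAS';
# extension settings stored as REG_SZ; uninstall DisplayName like '*NPS Extension*'.

$RegPath   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$ValueName = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'

# 0. Report the installed NPS extension version so you can compare it with the
#    release notes (1.2.2131.2 is the version quoted in the post).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$ext = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like '*NPS Extension*' } |
       Select-Object -First 1 DisplayName, DisplayVersion
if ($ext) {
    Write-Output "Installed: $($ext.DisplayName) $($ext.DisplayVersion)"
} else {
    Write-Warning "No NPS extension uninstall entry matched '*NPS Extension*'; check manually."
}

# 1. The key exists only when the NPS extension for Azure MFA is installed.
if (-not (Test-Path $RegPath)) {
    throw "Registry key $RegPath not found. Is the NPS extension for Azure MFA installed?"
}

# 2. Record the current setting. Absent = Microsoft managed default, which
#    (per the release notes) requires an OTP code after February 27, 2023.
$current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    Write-Output "$ValueName is not set (Microsoft managed default)."
} else {
    Write-Output "$ValueName currently = '$current'"
}

# Create or overwrite the value as a string set to FALSE (-Force updates an existing value).
New-ItemProperty -Path $RegPath -Name $ValueName -Value 'FALSE' -PropertyType String -Force | Out-Null

# Read it back so a typo (e.g. TRUE) or a failed write does not go unnoticed.
$after = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
if ($after -ne 'FALSE') {
    throw "Failed to set $ValueName; read back '$after'."
}
Write-Output "$ValueName is now '$after'"

# 3. Restart Network Policy Server so the extension picks up the new setting.
Restart-Service -Name 'IAS' -Force
Get-Service -Name 'IAS' | Select-Object Name, DisplayName, Status
```

Run it once per NPS server that fronts your RD Gateway; the read-back check is there because the registry value is a free-form string, so a stray TRUE or a trailing space would silently leave users on the OTP path.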

Monday, January 16, 2023

ChatGPT to author Bicep templates?

I'm sure that by now many have heard about ChatGPT. If not, ChatGPT is a large language model developed by OpenAI. It is based on the GPT (Generative Pre-training Transformer) architecture, which was trained on a massive amount of text data to generate human-like text. ChatGPT is fine-tuned to perform specific language tasks such as answering questions, generating text and more. It uses the latest advances in neural network technology to understand and respond to natural language input in a way that mimics human conversation. It can be used for various applications such as chatbots, automated customer service, language translation and more.

I took ChatGPT for a spin to see how accurate and detailed it would be to write (Infra as) Code. Somehow Bicep felt like a good candidate! (in case you don't know why, follow this link 😊)

The first question I asked was to author a simple Bicep template to create a Vnet.


I was blown away by the initial response, which came back instantly! That looks awesome for a first try! Do note that ChatGPT says Bicep is still in preview. The reason is that ChatGPT is trained on a large dataset of text that was current as of 2021, so it may not have information more recent than that. The training data used to build the model is also constantly being updated, so the information available to ChatGPT may change over time.

Also note that ChatGPT gave some advice on network design as well. How cool is that!

A best practice, however, would be to use a parameter instead of 'resourceGroup().location'. So let's tell ChatGPT to adapt to that, and also tell it to make resourceGroup().location the default value of the parameter.


That was easy! Next, we'll tell it to use a different API version when dealing with VNets.


There we go. Finally, let's see if it can also generate a parameters file with a couple of sample values. Of course it can!


And this is just scratching the surface of what ChatGPT is able to do, based on a simple example; there is so much more!

ChatGPT can help with writing code by providing code snippets, examples, and templates for a specific programming language or framework. It can also help with troubleshooting errors by providing solutions to common problems. Additionally, ChatGPT can assist with understanding the proper syntax and usage of a particular command or function by providing explanations and documentation.

ChatGPT can also help with writing code by providing suggestions for code improvements and better practices and by suggesting alternative ways to implement a certain functionality. It can also help with understanding and working with complex code by providing explanations of the code's behavior and providing examples of how to use it.

It's important to note that while ChatGPT can help with writing code, it's not a replacement for human programmers. ChatGPT can provide suggestions and examples, but it can't replace the experience and understanding of the problem domain that a human developer has.

Strong advice: do not blindly trust AI-generated code for production environments. Use AI to assist you, not to replace you.

And guess what... part of this article was actually written by ChatGPT itself! Did you notice that? The possibilities are endless and I'm looking forward to test driving this some more! What are your thoughts?