
Azure AD Join lab

Overview

Generating an Azure AD Join lab with aadjoin.py. This generator creates a lab of Windows 10 Pro systems that automatically join Azure Active Directory and appear in Azure AD as managed devices. It can be used for security research into the certificates issued for managed device registration and the SSO tokens (PRT) those devices use, or for general use cases such as exploring Intune and VDI deployments. The script takes parameters specifying how many Windows 10 systems to create; it requires a minimum of 1 endpoint in order to run. It also creates Azure AD users that can be used to log in to the VMs. Ten (10) Azure AD users are randomly generated by default, but you can specify more. The roles Virtual Machine Administrator Login and Virtual Machine User Login are assigned to all users. This is the classic use case and benefit of Windows 10/11 managed devices: hybrid identity with a single set of Azure AD credentials used to log in to the VM. A System Assigned identity is automatically attached to all VMs, but you can also specify a User Assigned Identity with a role of your choice.

Minimum Parameters Required

You must pass two parameters to run the script. The domain or UPN suffix and the number of VMs to build.

--upn <upn_suffix_domain> 
--endpoints <vm_count> 

Important Note

This generator lives in the generators/aadjoin directory. Navigate into this directory first.

cd generators/aadjoin

Usage Examples

Example 1: Basic Azure AD Join lab

python3 aadjoin.py --upn rtcfingroup.com --endpoints 1

Description: This will generate a single Windows 10 system that is joined to the Azure Active Directory tenant the Service Principal authenticated against. Ten (10) Azure AD users will be created in that tenant using the UPN suffix given by --upn; in this example the users will be created with rtcfingroup.com as their UPN suffix. The following resources will be created, including terraform files and user output files. The default roles will be assigned to all Azure AD users: Virtual Machine Administrator Login and Virtual Machine User Login. These can be customized in the roles.tf output file or in the python script.

  • main_aadjoin.tf: Terraform file with resource group and location.

  • network_aadjoin.tf: Terraform file with VNet and subnets.

  • nsg_aadjoin.tf: Terraform file with Network Security Groups.

  • providers.tf: Terraform file containing terraform providers.

  • sysmon.tf: Terraform file containing sysmon configuration.

  • win10-1.tf: Terraform file with Windows 10 Pro configuration.

  • users.tf: Terraform file that will build the Azure AD users.

  • roles.tf: Terraform file that will assign the role to all Azure AD users.

  • azure_users.csv: A csv including the Azure AD user's full name, username, and email address.

  • azure_usernames.txt: A file including just the usernames.

  • azure_emails.txt: A file including just the email addresses.

Example 2: Azure AD Join lab with 30 users and 3 VMs

python3 aadjoin.py --upn rtcfingroup.com --endpoints 3 --count 30 

Description: Same as above, except generate 30 users in Azure AD and create three (3) Windows 10 Virtual Machines that will perform an Azure AD Join. Running terraform apply will generate a random password shared by all users. The password applied to all users will be displayed at the end of terraform apply. To display the password again, run terraform output.

Example 3: Azure AD Join lab with a User Assigned Identity

python3 aadjoin.py --upn rtcfingroup.com --endpoints 3 --count 30 --user_identity reader

Description: Same as above, except add a User Assigned Identity on all VMs with a role of Reader on the subscription. Possible values for the role are reader, contributor, and owner.

Details

RDP Access & Cheat Sheet for VM Remote Access

All of the VMs can be accessed over RDP. The Azure NSGs should already be whitelisted to allow connections only from your IP address; you can run terraform apply to update this. Here is sample output from the RDP Cheat Sheet, which gives you the exact commands to RDP from a standard Ubuntu Linux host to each VM with the Azure AD credentials:

RDP Cheatsheet for Azure AD Login
---------------------------------

xfreerdp --no-nla -u "AzureAD\chasemiller@rtcfingroup.com" -p "cosmic-stingray-96W-r" --ignore-certificate 20.124.129.181
xfreerdp --no-nla -u "AzureAD\arielparsons@rtcfingroup.com" -p "cosmic-stingray-96W-r" --ignore-certificate 20.124.129.181
xfreerdp --no-nla -u "AzureAD\michaelbarnett@rtcfingroup.com" -p "cosmic-stingray-96W-r" --ignore-certificate 20.124.129.181
xfreerdp --no-nla -u "AzureAD\brandongonzalez@rtcfingroup.com" -p "cosmic-stingray-96W-r" --ignore-certificate 20.124.129.181
xfreerdp --no-nla -u "AzureAD\jessicafields@rtcfingroup.com" -p "cosmic-stingray-96W-r" --ignore-certificate 20.124.129.181
xfreerdp --no-nla -u "AzureAD\brittanyriddle@rtcfingroup.com" -p "cosmic-stingray-96W-r" --ignore-certificate 20.124.129.181
xfreerdp --no-nla -u "AzureAD\rebeccaperry@rtcfingroup.com" -p "cosmic-stingray-96W-r" --ignore-certificate 20.124.129.181
xfreerdp --no-nla -u "AzureAD\josephedwards@rtcfingroup.com" -p "cosmic-stingray-96W-r" --ignore-certificate 20.124.129.181
xfreerdp --no-nla -u "AzureAD\christopherandersen@rtcfingroup.com" -p "cosmic-stingray-96W-r" --ignore-certificate 20.124.129.181
xfreerdp --no-nla -u "AzureAD\kevinmiller@rtcfingroup.com" -p "cosmic-stingray-96W-r" --ignore-certificate 20.124.129.181
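As an added example (not the project's own code), the snippet below models the pieces of the generator described above: building the user list for a UPN suffix, rendering the azure_users.csv / azure_usernames.txt / azure_emails.txt outputs, generating a strong shared password, and emitting the xfreerdp cheat sheet lines in the format shown. The name pools, the csv header row and the password length are assumptions, not values taken from aadjoin.py.

```python
import csv
import io
import random
import secrets
import string

# Constructed name pools; the real generator uses its own (larger) lists.
FIRST_NAMES = ["chase", "ariel", "michael", "brandon", "jessica", "brittany"]
LAST_NAMES = ["miller", "parsons", "barnett", "gonzalez", "fields", "riddle"]


def make_users(count, upn_suffix, seed=None):
    """Return `count` (full_name, username, email) tuples with unique usernames.
    Duplicate UPNs would be rejected by Azure AD, so collisions are skipped."""
    if count > len(FIRST_NAMES) * len(LAST_NAMES):
        raise ValueError("not enough name combinations for the requested count")
    rng = random.Random(seed)  # reproducible names; passwords use `secrets` below
    users, seen = [], set()
    while len(users) < count:
        first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
        username = first + last
        if username in seen:
            continue
        seen.add(username)
        users.append((f"{first.title()} {last.title()}", username, f"{username}@{upn_suffix}"))
    return users


def render_user_files(users):
    """Render the three user output files as strings (header row is assumed)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["full_name", "username", "email"])
    writer.writerows(users)
    return {
        "azure_users.csv": buf.getvalue(),
        "azure_usernames.txt": "".join(u[1] + "\n" for u in users),
        "azure_emails.txt": "".join(u[2] + "\n" for u in users),
    }


def generate_password(length=20):
    """Strong random password from the OS CSPRNG, guaranteed to mix classes."""
    alphabet = string.ascii_letters + string.digits + "-_"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.islower() for c in pw) and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw):
            return pw


def rdp_cheatsheet(users, password, public_ip):
    """One xfreerdp line per user, matching the cheat sheet format above."""
    return [f'xfreerdp --no-nla -u "AzureAD\\{email}" -p "{password}" --ignore-certificate {public_ip}'
            for _, _, email in users]
```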

Advanced Command Line

--count <num_of_aad_users>: The number of Azure AD users to automatically build (Default: 10)

--upn: The upn suffix or domain name used to create Azure AD users (Default: Disabled)

--endpoints <num_of_endpoints>: Number of Windows 10 Professional systems to build (Default: 0)

--resource_group <rg_name>: Name of the Azure resource group to automatically create (Default: PurpleCloud)

--location <location>: The Azure location to use (Default: eastus)

--admin <admin_username>: The Local Administrator account (Default: RTCAdmin)

--password <password>: The local Administrator password and default AD user password (Default: auto generate a strong password)

--user_identity: The User Assigned Identity to assign to each VM. The scope will be on the subscription. Possible values are reader, contributor, owner (Default: false)

Other Details:

  • ranges.log: The ranges.log file writes out important information as the range is built, such as VM details. You can use it to track things.

  • Logging Passwords: By default, all passwords are randomly generated. So if you are not aware of this, it might be easy to lose track of a password. For this reason we have added a logging feature that captures all passwords created. The ad.py script will automatically log all output to a logfile called ranges.log. This is for the specific purpose of being able to track the ranges created and the passwords that are auto-generated for AD users and local Administrator accounts. You can also type terraform output as a secondary way to get the password and details for each virtual machine.

  • Azure Network Security Groups: By default, a terraform data http resource auto-detects your public IP address with a request to http://ifconfig.me. That public IP address is used to whitelist the Azure NSG source prefix setting. If you change locations and your IP address changes, simply run terraform apply and the whitelisted public IP address in the NSG will be updated by terraform.

locals {
  src_ip = chomp(data.http.firewall_allowed.response_body)
  #src_ip = "0.0.0.0/0"
}

  • Outputs: After the terraform resources are applied and built, you can type terraform output to get important information such as the public IP address of each VM, the local Administrator credentials, and the Azure AD Login commands for RDP.

Terraform Outputs

You can get the details of each Virtual Machine, including passwords, by typing terraform output. The RDP connection cheat sheet will also show how to log in to each VM using Azure AD credentials.

Demo

A video demonstration of Azure AD Join lab with options and illustrations.

Azure AD Join lab Demo