Hi, welcome back to another episode of Azure Unblog. Today, we're going to discuss identity and access management for Azure VMware Solution with Javier Elizondo, a Senior Cloud Architect here at Microsoft. So stay tuned. Hey, Javier, thanks for joining.

Hi, Amy. How are you doing? Thanks for having me. I'm excited to be here with you and share a little bit more on AVS, Azure VMware Solution.

Definitely. So yeah, tell me about identity and Azure VMware Solution. How does it work?

Sure. Let me share my screen real quick just to give you a little high-level overview. So you and the people that are watching us may be aware or know that we have Azure landing zones, and in particular, we have accelerators for different solutions. This that I'm displaying on my screen is the accelerator, or Azure landing zone, for AVS. So some people may be familiar with it, and we have different critical design areas. The one that we're going to discuss today is identity and access management for AVS, which is one of the areas that some customers or people sometimes forget about, but it's very important to talk and discuss about access controls, RBAC, least-privilege access, which is very important for the deployments that people are doing, and more and more customers are embracing this technology. So it is very important to discuss this because this is something that people will want to implement almost on day two.

Yeah. So this is a landing zone where they can help get them started in their environment? Is that right?

Correct. Azure landing zones and accelerators are a way for, in this case, Microsoft to help customers get up to speed and deploy the solution faster.

Great. Okay, Javier. So you mentioned role-based access control, or RBAC, and least-privilege access. So what account would I use to log in and do all that fun stuff in AVS?

Yeah. So when the AVS private cloud gets deployed, there is a special role that gets created. 
As you are aware, AVS is a managed VMware service. So people will not have the full permissions that they are used to with their own on-prem VMware instances. So this VMware instance in Azure will have limited access, and there is a CloudAdmin role that gets created with every private cloud. This is going to have a set of permissions that is going to be a slimmed-down set of permissions. So it's very important to know this CloudAdmin role, because there is going to be a CloudAdmin local account that is also going to get created with it. This CloudAdmin account slash role is not really meant for day-to-day activities like most VMware admins may be familiar with. In fact, we do not want people using this CloudAdmin on a day-to-day basis. We want that to be like your emergency break-glass account, and we do want to establish RBAC controls on the Azure portal side. AVS is like any other Azure resource. It has the management control plane, and then it has the actual service plane, which in this case is a vSphere environment, and we want to protect it from the Azure control plane with proper RBAC and the other mechanisms that we have, for example just-in-time access with Privileged Identity Management and these other features, to protect access from the control plane into the private cloud, and then finally establish RBAC permissions normally, like we would do in the vSphere environment.

Okay. It makes sense. You have your administrator@vsphere.local that you log in with all privileges, but you don't want to use CloudAdmin, which is similar to access, let's say, like to use HCX, right? I mean, if something happens and you have to change the password, you're going to break your connection, so.

Yeah, that's a good point. HCX is another component in the AVS platform, and for now in AVS it is the administrator account we provide, along with NSX-T. 
It is full admin, but we do urge caution on the use of this admin, particularly with the password, because in case the password changes, that may break some things related to HCX. In fact, we do not support self-service password changes right now, and the only way to change or rotate the password for the admin in HCX Manager is through support, creating a support ticket, so a support case. So this is something important to note, versus the CloudAdmin account, which is still a break-glass account. We do support changing its password via self-service in the Azure portal, but those are the main differentiators.

Okay. So in a nutshell, try not to use any of these privileged accounts on a day-to-day basis. We have other means, and now what are these other means?

We do have a run command feature in AVS, and this run command is a feature set that is basically a subset of PowerShell commands that enable certain features, enable different features in AVS. But one of those features is the ability to add identity sources in vSphere. In this way, we can join or integrate your Active Directory domain into vSphere, like most VMware admins are used to. In that way, when we add the AD domain into vSphere, people can start leveraging the identities they already use with on-prem Active Directory. The same that they would do in their normal vSphere, they can do in AVS vSphere. In that way, they can use their custom roles, and they can apply a set of roles to different areas of the vSphere hierarchy.

Well, that's great. So the run command is kind of like, like you said, PowerShell commands, and you're just running them elevated so you can do some items that maybe you normally couldn't do, and then you can add the Active Directory domain.

That's right. Actually, let me do a quick show-and-tell so I can show you the high-level steps to add your external identity source into the vSphere in AVS. 
So it is basically five steps: having proper connectivity and name resolution; we do require a certificate if we are going to do LDAP, secure LDAP; we need to upload that certificate to a storage account that the AVS environment is going to access; we finally use the run command to add the identity source in AVS; and lastly, the assignment of roles or permissions. So as I mentioned earlier, customers, or you, wouldn't have permissions to the typical identity sources, so you would not be able to do it the usual way. So instead, we want to use the run command feature. One of the main gotchas here in the requirements is to have proper connectivity, because your AVS solution, assuming it's already plumbed and connected to your network, which there was another episode about, now we want to make sure we also have proper connectivity, and DNS resolution as well, because the AVS domain needs to know where your domain is. In this case, we need to accommodate that via DNS servers in the DNS zone in your AVS cloud, so that your AVS solution knows where to reach that domain.

Okay.

After this, we do require the certificate to be exported in CER format into a storage account. We do want to create a SAS URL for that certificate that is stored in the storage account as a blob, blob storage versus a regular share folder like Azure Files; it has to be in the blob storage flavor. We generate that SAS token, and we're going to use this SAS token in the run command feature in AVS. This would be the LDAPS identity source run command, which is this particular one that we are using here. We would input several items. Some of them are what group name is going to be the one that you want to integrate from on-prem, the SAS URL that we generated previously, the group that we will want to add into or target in our AVS, the credentials that have access to your domain, the base DNs for users and groups, which is standard, something VMware admins are already familiar with from this process. 
Finally, the name we want to identify this with once it is properly added into the vSphere environment in AVS. After that, we just click Run. This is going to be a task that runs like any other task in the Azure portal. It's going to be running there. It succeeds, and hopefully it succeeds. Most people have a little bit of issue here and there. So for that, we know that some people may not be lucky enough to get it on the first try. So there are some ways to get you a little bit more information in case you don't get lucky and do it on the first attempt. When you click on that task, there are going to be areas where you can diagnose what is going on with that task, particularly for the integration, or the adding of the identity source in AVS. And you can see here, on my first attempt, I failed to download the certificate. And if I click on the information, it's telling me a little more additional detail on what potentially could be going wrong.

Now assuming that first one failed. Yeah, the first one just failed, right? And you're scratching your head.

So assuming that task completed and the identity source was actually added, one main difference from what most VMware people in on-premises environments are used to, which is adding memberships or groups in the administration area of VMware vSphere: here, we're going to actually do it through the actual hierarchy in the vSphere environment versus the administration side, which we don't have access to. And we will want to choose the folder or hierarchy in vSphere where we want to add the permissions. We will click on the Permissions tab and then finally click the plus button. In there, we are going to target the domain that we want to pull identities from, in this case the AVS demo dot X, Y, C domain. That is the one that I named in the previous step when adding the identity source. We want to look for, in this case, AVS demo admin, which is a user. 
And finally, assign the role that we want in the vSphere environment, which in this case would be a virtual machine console user. Finally, we click OK. And then that role assignment gets recorded, and that's how we map the identity from on-prem into the vSphere environment. And at this point, people can use their credentials to access the vSphere environment and properly have access, depending on the functions that you have in the vSphere environment.

Right, so if you're part of this Active Directory group, maybe you're a desktop engineer and you have certain access to different VMs or a certain cluster.

Right, so this is a chicken-and-egg, right? I was doing it right now with the CloudAdmin role, so that me, as the CloudAdmin role, I'm starting to provision all those permissions, and then once this is done, I pretty much leave that role. Now with the combination of all the features, like I said, with PIM and just-in-time access, it's also a suggestion and recommendation that we have here to use some of those features, so that I can elevate my permissions on the Azure portal side to be able to enter into the vSphere environment as CloudAdmin and perform these duties. That probably would be the first week, and after I've added all my permissions, pretty much leave CloudAdmin alone and then go into the vSphere environment, not even touch anything in the Azure portal, and just consume the VMware service.

Yeah, that sounds perfect, definitely for keeping everything controlled and locked down and...

Right, and lastly, we sometimes have feedback from customers: hey, I'm having some issue, or something here is not making sense, or hey, would you be able to add something into the guidance that you guys are providing? I just want to take 20 seconds to show you how. So every part on the...

We're back to the landing zone page, right?

Yeah, we're going back to the landing zone page. Thanks for the reminder here. 
This is back to the documentation and the docs section. If anybody wants to submit feedback to the team that is working on updating this, there is this little message button here. When you click on it, you can submit feedback on this page, and it's just going to authenticate you to GitHub, which is where we enter the feedback, and then you can enter the feedback you have, hit Submit Issue, and this gets recorded and is going to get assigned to somebody to review that feedback. So this is great. We're receiving a lot of feedback from the customer field and also partners and different parties that are helping us improve this for you guys.

Yeah, that's really great. I love having feedback into a product, or if I have an issue too, please help me.

Right.

That's great that we can share that with people, and yeah, just go to the landing page, submit feedback, and maybe it'll get incorporated into the product, or you'll get a reach-out from someone to help you with your issue.

Yeah, and basically this is it, Amy. The gotchas are: use least-privileged access, try to leverage the features that we have in the portal to protect some of that access to the control plane on the Azure side, use RBAC in the vSphere environment, and try not to abuse the admin accounts that we have provided; use least-privilege RBAC as much as you can.

That's great. Yeah, it's easy to think, well, I know the admin password, I'll just go in really quick, but that can be, you can't track it. So if you want to maintain governance and full RBAC, it's, yeah, highly recommended. So I thank you so much for sharing your knowledge on identity and showing how to add that LDAP server securely for authentication. And then we'll have all the links for everyone below this video, but please submit feedback, whether it's on YouTube or through that landing zone, and I appreciate it so much, Javier. Thanks so much.

Thank you, bye.

Bye.