question

bcb44-4548 asked · singhh-msft edited

Whitelisted URL to enable user sign-in to Windows using Azure AD account?

I'm designing a device that operates a kiosk. I'd like to have one of the accounts authenticate through our Azure AD tenant so an engineer can log in and perform service updates (we need in-person updates and can't use an MDM like Intune for updates). This account would be used for login and not for allowing access to other resources. Our device operates behind a restrictive firewall with only one other device. What URLs do we need to whitelist in the firewall to allow Windows to authenticate users?

The only article I've been able to find for this is about Azure Key Vault (here), which says login.microsoftonline.com:443, but I'm assuming that's the same? All other articles talk about hybrid stuff, which doesn't apply in our case.

Thanks


azure-ad-device-management

@bcb44-4548, thank you for reaching out to us. There is no direct documentation available for this as of now. But, after research, I found a similar setup's link. Since you are looking for login using Azure AD, whitelisting login.microsoftonline.com:443 shall work, and to be on the safe side you can add *.login.microsoftonline.com:443 and *.login.microsoft.com:443 as well. Check out a similar issue here. The right thing to do is to ensure these, and all the endpoints your application needs, are allowed through the firewall. Let me know if this helps you.



0 Votes 0 ·

@bcb44-4548, just checking in to see if you got a chance to check my response.

0 Votes 0 ·


Yeah this works for me. Sorry for the late response. Just out of curiosity, what's the difference between login.microsoftonline.com and login.microsoft.com?

0 Votes 0 ·

http://login.microsoftonline.com is generally used by applications such as the Windows Azure Active Directory synchronization tool (to synchronize with Microsoft's online Azure AD service) to authenticate against those services, while you can find the differences documented by PG here, with all the wildcard URLs that are being used under the MS org.


1 Vote 1 ·

1 Answer

singhh-msft answered · singhh-msft edited

@bcb44-4548, thank you for reaching out to us. There is no direct documentation available for this as of now. But, after research, I found a similar setup's link. Since you are looking for login using Azure AD, whitelisting login.microsoftonline.com:443 shall work, and to be on the safe side you can add *.login.microsoftonline.com:443 to allow all the matching URLs as well.

Check out a similar issue here. The right thing to do is to ensure these, and all the endpoints your application needs, are allowed through the firewall.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
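As an added example (not part of the answer or of any Microsoft tooling), the following PowerShell script checks two things a practitioner would want to verify before relying on the allow-list above: that the concrete sign-in host from the answer is actually reachable on TCP/443 from the kiosk through the firewall, and that a given hostname is covered by one of the listed entries, including the wildcard ones. The `Test-AllowListed` and `Test-SignInEndpoint` function names and the sample hostnames are constructed for this illustration; `Test-NetConnection` is the standard cmdlet from the NetTCPIP module.

```powershell
# Added example, not from the thread. Allow-list entries exactly as given in the
# answer and its comments (host:port; a leading "*." marks a wildcard host).
$AllowList = @(
    'login.microsoftonline.com:443',
    '*.login.microsoftonline.com:443',
    '*.login.microsoft.com:443'
)

function Test-AllowListed {
    # Returns $true when HostName:Port is covered by at least one allow-list entry.
    # A wildcard entry "*.example.com" covers subdomains only, not the apex host
    # "example.com" itself, which is how most firewalls interpret such patterns.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string[]]$Entries = $AllowList
    )
    foreach ($entry in $Entries) {
        $entryHost, $entryPort = $entry -split ':', 2
        if ([int]$entryPort -ne $Port) { continue }
        if ($entryHost.StartsWith('*.')) {
            $suffix = $entryHost.Substring(1)   # e.g. ".login.microsoftonline.com"
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                return $true
            }
        }
        elseif ($HostName -ieq $entryHost) {
            return $true
        }
    }
    return $false
}

function Test-SignInEndpoint {
    # Probes TCP/443 for each concrete host in the list. Wildcard entries cannot be
    # probed directly (there is no single host behind "*."), so they are skipped.
    param([string[]]$Entries = $AllowList)
    foreach ($entry in $Entries) {
        $entryHost, $entryPort = $entry -split ':', 2
        if ($entryHost.StartsWith('*.')) { continue }
        $result = Test-NetConnection -ComputerName $entryHost -Port ([int]$entryPort) `
                                     -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $entryHost
            Port      = [int]$entryPort
            Reachable = $result.TcpTestSucceeded
        }
    }
}

# Constructed sample hostnames (e.g. taken from firewall deny logs) checked against the list.
Test-AllowListed 'login.microsoftonline.com'                 # exact entry
Test-AllowListed 'something.login.microsoftonline.com'       # subdomain of a wildcard entry
Test-AllowListed 'login.microsoft.com'                       # apex host, not a subdomain
Test-AllowListed 'login.microsoftonline.com' -Port 80        # port not in the list

# Reachability of the concrete endpoint from this machine.
Test-SignInEndpoint | Format-Table -AutoSize
```

Run it on the kiosk itself, not on an admin workstation, so the probe traverses the same firewall rules the device sign-in will use. Note that the wildcard entries only match subdomains, so if the firewall logs show a denied connection to an apex host such as login.microsoft.com, that host is not covered by *.login.microsoft.com:443 and would need its own entry; the script makes that distinction visible rather than silently treating the two as equivalent. A hostname-based allow-list also only works if the firewall can see the hostname (DNS name or TLS SNI); a firewall filtering purely on IP addresses will need the published address ranges instead.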





@bcb44-4548, do share your valuable feedback with us!

0 Votes 0 ·

@bcb44-4548, just checking in to see if you got a chance to provide your feedback. It will be helpful.


0 Votes 0 ·

Yeah, this was very helpful. Thanks for the quick responses! Where can I find that feedback form? The link you shared only goes to an answer about what the forms are.

0 Votes 0 ·

@bcb44-4548, when you return to view this answer, you will see a pop-up window on the right like the one below, where you can tell us about your experience with us:

[image: 103515-microsoftteams-image-14.png]

Please let me know if you see any issues.



1 Vote 1 ·