You may want to control which machines are allowed to run the SMT Gateway service, or you may need to require Multi-Factor Authentication (MFA) logon to the Azure portal for security or compliance.
To enable this, we've designed the SMT Gateway service to check for the existence of registry keys. If you are not yet familiar with the initial deployment and setup of SMT, see this blog post.
The SMT Gateway service looks for registry values named "AllowGateway" and "RequireMFA" under [HKLM|HKCU]\Software\Policies\Microsoft\ServerManagementTools-Gateway. If they exist in both paths, HKLM takes precedence.
Here are the full details on each key:
AllowGateway
- Type: DWORD
- Data: 0 (Disallow) or 1 (Allow)
- Default: No value (Allow)
- Description: If AllowGateway is set to 0, any SMT gateway software which gets installed will not process any commands from its queue. This setting allows an admin to lock down an environment by default, and only allow SMT gateways on authorized servers.
RequireMFA
- Type: DWORD
- Data: 0 (Don’t require MFA) or 1 (Require MFA)
- Default: No value (Don’t require MFA)
- Description: If RequireMFA is set to 1, the SMT gateway will only process requests which have a header indicating MFA compliance. The user will be required to log in to the Azure portal using Multi-Factor Authentication for Azure to send the required header.
You can download the ADMX files necessary to manage these keys through Group Policy here. For more information on ADMX files please read Managing Group Policy ADMX Files Step-by-Step Guide.
For one-off testing, here are some PowerShell cmdlets to set the regkey values on the gateway machine:
```powershell
# Create the policy registry key
New-Item -Path HKLM:\Software\Policies\Microsoft\ServerManagementTools-Gateway

# Add the AllowGateway value (0 = disabled, 1 = enabled)
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\ServerManagementTools-Gateway -PropertyType DWORD -Name AllowGateway -Value 0

# Add the RequireMFA value (0 = disabled, 1 = enabled)
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\ServerManagementTools-Gateway -PropertyType DWORD -Name RequireMFA -Value 1
```
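To check which settings a gateway machine will actually pick up, the following added example (not from the original post or from Microsoft) reads both hives and applies the HKLM-over-HKCU precedence and the no-value defaults described above. The function name Get-SmtGatewayPolicy is hypothetical, and resolving precedence separately for each value is an assumption.

```powershell
# Added example: report the effective SMT Gateway policy on this machine.
# Get-SmtGatewayPolicy is a hypothetical helper name, not part of SMT.
# Assumption: precedence is resolved per value (HKLM first, then HKCU).
function Get-SmtGatewayPolicy {
    [CmdletBinding()]
    param(
        [string]$SubKey = 'Software\Policies\Microsoft\ServerManagementTools-Gateway'
    )

    # Defaults from the page: no value means Allow, and no value means MFA is not required.
    $defaults = [ordered]@{ AllowGateway = 1; RequireMFA = 0 }

    # Meaning of each data value, as described on the page.
    $meaning = @{
        'AllowGateway=0' = 'Gateway will not process commands from its queue'
        'AllowGateway=1' = 'Gateway is allowed'
        'RequireMFA=0'   = 'MFA header not required'
        'RequireMFA=1'   = 'Only requests with the MFA compliance header are processed'
    }

    foreach ($name in $defaults.Keys) {
        $effective = $defaults[$name]
        $source    = 'Default (no value set)'

        foreach ($hive in 'HKLM', 'HKCU') {
            # Returns nothing when either the key or the value is missing.
            $item = Get-ItemProperty -Path "${hive}:\$SubKey" -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $effective = [int]$item.$name
                $source    = $hive
                break   # HKLM is checked first, so it wins when both hives hold the value
            }
        }

        [pscustomobject]@{
            Setting = $name
            Value   = $effective
            Source  = $source
            Meaning = $meaning["$name=$effective"]   # empty for data other than 0 or 1
        }
    }
}

Get-SmtGatewayPolicy | Format-Table -AutoSize
```

A Source of HKCU or Default on a server that Group Policy is supposed to manage means the machine-level policy has not been applied there.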