Azure Active Directory Security
Azure Active Directory, commonly referred to as Azure AD (and since renamed Microsoft Entra ID), is Microsoft's cloud Identity and Access Management service. It manages users, groups, and applications, along with their access to other applications and resources running in the cloud, which is broadly the role traditional on-premises Active Directory plays for an internal network. Because Azure AD runs as a cloud service, it can be thought of as Identity and Access Management as a Service.
This course is an introduction to Azure AD security and covers topics related to securing users, groups, devices, and applications, as well as hybrid identity infrastructure solutions and much more.
What You'll Learn in this Course
| Lesson | What you'll learn |
| --- | --- |
| Overview of the Course | Overview of the course and the learning objectives |
| Introduction to Azure AD | An intro to Azure AD and cloud security |
| Secure Access to Azure AD | Users, groups, apps, and RBAC |
| Integrate Securely with Azure AD | Azure AD Connect, identity solutions, MFA, and app integration |
| Identity Management | Identity Management and premium features |
| Summary | Summary and course wrap-up |
In this final lesson of the course we’ll touch on Identity Management.
In this lesson we’ll cover what Identity Management means with Azure AD, and two features called Azure AD Identity Protection and Privileged Identity Management.
As we begin our discussion of the different identity solutions and their corresponding business scenarios, it is worth recalling the traditional on-premises approach to Identity Management, which uses Active Directory Domain Services, or AD DS. AD DS is deployed on servers called Domain Controllers, which hold and manage Active Directory objects such as users and computers. Those objects are commonly arranged hierarchically into organizational units, or OUs, whose members are tightly controlled by Group Policy Objects, or GPOs. Clients use DNS to locate the Domain Controllers and the services they offer, query directory objects using the LDAP protocol, and authenticate primarily via Kerberos (with NTLM as the legacy fallback). Each Domain Controller serves a Domain and controls how machines join it, and trusts between domains extend authentication across domain boundaries.
In contrast, Azure AD, as we've seen, functions more like Identity as a Service (IDaaS): it has a flat structure with no OUs or GPOs, and it manages access to both on-premises and cloud resources. Authentication and authorization use web protocols such as SAML, WS-Federation, OAuth 2.0 and OpenID Connect rather than Kerberos. Instead of LDAP, the directory is queried through a REST API, the Azure AD Graph API (since superseded by Microsoft Graph).
Knowing these fundamental differences and what we have learned so far, Azure AD is clearly much more than a Windows AD DS server in the cloud. But if you wanted to, couldn't you just deploy a Windows AD DS server on a VM in the cloud? Certainly you can, and we'll examine such scenarios as summarized in this table.
The first option is the do-it-yourself AD DS server, where you extend your identity solution from on-premises to the cloud by deploying a Windows Domain Controller on a VM in Azure. The business scenario is that you have a few Azure virtual machines that need to be managed together with the rest of your on-premises infrastructure. In return for running and patching that Domain Controller yourself, you gain advantages such as authentication performance, since those VMs can authenticate against the Domain Controller you've placed in Azure, and cloud applications no longer depend on connectivity to your on-premises infrastructure in order to authenticate.
The second solution is Azure AD standalone. This is a very straightforward solution where the business scenario is that you are fully invested in the cloud and have no on-premises identity infrastructure. You then have a choice between the Free, Basic, and Premium SKUs, each bringing additional features and capabilities (the Basic SKU has since been retired, and Premium is sold as P1 and P2).
The third solution is the Hybrid identity solution which we’ve covered in detail in the last lesson. The business scenario here is when you have heavy investments in your on-premises identity environment and you want to extend your capabilities to the cloud.
The final solution is Azure AD Domain Services, a cloud-based, lightweight option that provides managed domain services such as domain join, Group Policy, LDAP, and Kerberos/NTLM authentication without you deploying or patching Domain Controllers, meeting on-premises-style identity requirements for network application development and testing. It isn't meant to replace your on-premises identity solution, but rather acts as a mechanism to help migrate on-premises applications that require AD DS authentication methods to the cloud.
Identity Protection is one of the most valuable features of Azure AD. With Azure AD Identity Protection you use the same protection systems Microsoft uses to secure its own cloud-based identities. In the beginning of the course we talked about the "assume breach" philosophy and how we have to proactively prevent compromised identities from being abused. That means protecting all identities regardless of their privilege level, and discovering which identities have already been compromised. Azure AD uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious incidents that indicate potentially compromised identities. Using this data, Identity Protection generates reports and alerts that let you evaluate the detected issues and take appropriate mitigation or remediation actions.
You can configure risk-based policies that respond automatically when a user's or a sign-in's risk reaches a level you specify. Depending on the policy, the response can block access outright or trigger adaptive remediation such as a secure password reset or enforcement of multi-factor authentication.
Azure AD Identity Protection is only available for Azure AD Premium P2 edition.
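To make the two policy types concrete, here is an added example (not code from the course or from Microsoft) that applies a user risk policy and a sign-in risk policy locally to records shaped like the Microsoft Graph `riskyUsers` and `riskDetections` resources. The thresholds, the action names and the sample records are assumptions for illustration; in a real tenant the policies are evaluated and enforced by Azure AD itself. It also handles the cases a practitioner trips over: risk that has already been remediated or dismissed, a risk an administrator has confirmed as compromised, and the `hidden` level that a tenant without Premium P2 sees.

```python
"""Local evaluator for Azure AD Identity Protection risk policies.

Added example for this lesson, not code from the course or from Microsoft.
It applies the two policy types described above (a user risk policy and a
sign-in risk policy) to records shaped like the Microsoft Graph `riskyUsers`
and `riskDetections` resources. Thresholds, action names and the sample
records are assumptions for illustration; in a tenant the policies are
evaluated and enforced by Azure AD itself.
"""
from dataclasses import dataclass

# Graph riskLevel values in increasing severity. "hidden" is what a tenant
# without Premium P2 sees, and "unknownFutureValue" may appear later; both
# are deliberately absent so they can never trigger a policy.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# riskState values meaning the risk is no longer live.
CLOSED_STATES = {"none", "remediated", "dismissed"}

# Outcomes ordered by strictness, used to combine user and sign-in verdicts.
SEVERITY = {"allow": 0, "require_mfa": 1, "require_password_change": 2, "block": 3}


@dataclass(frozen=True)
class RiskPolicy:
    threshold: str  # lowest riskLevel that triggers the policy
    action: str     # one of the SEVERITY keys other than "allow"


def meets_threshold(level: str, threshold: str) -> bool:
    """True when `level` is a known level at least as severe as `threshold`."""
    return level in RISK_ORDER and RISK_ORDER[level] >= RISK_ORDER[threshold]


def evaluate_user_risk(risky_user: dict, policy: RiskPolicy) -> str:
    """Outcome of the user risk policy for one riskyUsers record."""
    state = risky_user.get("riskState", "none")
    if state in CLOSED_STATES:
        return "allow"
    if state == "confirmedCompromised":
        # An administrator confirmed the compromise: block regardless of level.
        return "block"
    if meets_threshold(risky_user.get("riskLevel", "none"), policy.threshold):
        return policy.action
    return "allow"


def evaluate_sign_in_risk(detection: dict, policy: RiskPolicy) -> str:
    """Outcome of the sign-in risk policy for one riskDetections record."""
    if detection.get("riskState", "none") in CLOSED_STATES:
        return "allow"
    if meets_threshold(detection.get("riskLevel", "none"), policy.threshold):
        return policy.action
    return "allow"


def triage(risky_users, detections, user_policy, sign_in_policy) -> dict:
    """Map each user principal name to the strictest outcome across both policies."""
    outcomes = {}
    for user in risky_users:
        outcomes[user["userPrincipalName"]] = evaluate_user_risk(user, user_policy)
    for detection in detections:
        upn = detection["userPrincipalName"]
        verdict = evaluate_sign_in_risk(detection, sign_in_policy)
        current = outcomes.setdefault(upn, "allow")
        if SEVERITY[verdict] > SEVERITY[current]:
            outcomes[upn] = verdict
    return outcomes


# Policies as a tenant might configure them (assumed values).
USER_POLICY = RiskPolicy(threshold="high", action="require_password_change")
SIGN_IN_POLICY = RiskPolicy(threshold="medium", action="require_mfa")

# Constructed sample records, not data from any real tenant.
SAMPLE_RISKY_USERS = [
    {"userPrincipalName": "alice@contoso.example", "riskLevel": "high",   "riskState": "atRisk"},
    {"userPrincipalName": "bob@contoso.example",   "riskLevel": "medium", "riskState": "atRisk"},
    {"userPrincipalName": "carol@contoso.example", "riskLevel": "high",   "riskState": "remediated"},
    {"userPrincipalName": "dave@contoso.example",  "riskLevel": "low",    "riskState": "confirmedCompromised"},
    {"userPrincipalName": "erin@contoso.example",  "riskLevel": "hidden", "riskState": "atRisk"},
]
SAMPLE_DETECTIONS = [
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "medium", "riskState": "atRisk"},
    {"userPrincipalName": "bob@contoso.example", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "medium", "riskState": "atRisk"},
    {"userPrincipalName": "frank@contoso.example", "riskEventType": "leakedCredentials",
     "riskLevel": "high", "riskState": "dismissed"},
]

if __name__ == "__main__":
    for upn, verdict in sorted(triage(SAMPLE_RISKY_USERS, SAMPLE_DETECTIONS,
                                      USER_POLICY, SIGN_IN_POLICY).items()):
        print(f"{upn:24} {verdict}")
```

Two design points carry over to the real product: a user-level verdict (password change or block) always wins over a sign-in-level verdict (MFA) for the same account, and an unknown or hidden risk level never silently escalates to a block, which would lock users out of a tenant that simply lacks the P2 licence.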
Here is a screenshot showing the interface of Identity Protection. You can easily see users flagged as risks, categories organized by risk levels, risk types, vulnerabilities, etc. You can take action by clicking on different events right in the Portal itself as well as configure notifications.
Privileged Identity Management allows you to manage, control, and monitor access within your organization. This includes access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune.
A privileged identity is one with access to secure information or resources in order to carry out administrative operations. Only a subset of individuals in your organization should have privileged access, but even that small group is a security concern if one of the accounts is compromised or used unsafely. Monitoring and limiting these privileged accounts therefore reduces risk, which is exactly what Privileged Identity Management accomplishes.
It allows you to quickly see who the Azure AD administrators are, get reports about their access history and changes in administrator assignments, receive alerts about access to a privileged role, make role assignments eligible rather than permanent so that they must be activated just in time for a limited period, enforce approval for that activation, and a number of other options. Like Identity Protection, Privileged Identity Management requires the Azure AD Premium P2 SKU. Together these are two powerful and robust features for Identity Management in Azure AD that help maintain a secure environment.
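The first thing a PIM reviewer does with that visibility is check which privileged roles are held permanently rather than through eligible assignments. The following added example (not code from the course or from Microsoft) performs that review over role assignment records flattened from the Microsoft Graph `roleAssignmentScheduleInstances` and `roleEligibilityScheduleInstances` resources into a few fields. The list of roles treated as highly privileged, the exempt emergency-access account and the sample records are assumptions for illustration; the threshold of fewer than five Global Administrators is Microsoft's published guidance.

```python
"""Privileged role assignment review in the spirit of Privileged Identity Management.

Added example for this lesson, not code from the course or from Microsoft.
It reviews role assignment records flattened from the Microsoft Graph
roleAssignmentScheduleInstances and roleEligibilityScheduleInstances
resources into a few fields and reports what a PIM reviewer looks for
first: who holds which administrator role, which highly privileged roles
are held permanently instead of through eligible just-in-time assignments,
and whether the Global Administrator count reaches Microsoft's guidance
limit of fewer than five. The privileged-role list, the exempt
emergency-access account and the sample records are assumptions.
"""

# Roles this review treats as highly privileged (assumption; extend to taste).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "Exchange Administrator",
}

# Emergency-access ("break glass") accounts are deliberately permanent and
# kept out of PIM and Conditional Access, so they are exempt here (assumed name).
EXEMPT_PRINCIPALS = {"break-glass@contoso.example"}

MAX_GLOBAL_ADMINS = 5  # Microsoft recommends fewer than five Global Administrators


def is_permanent_active(record: dict) -> bool:
    """A standing assignment: active, directly assigned, with no end date."""
    return (record["state"] == "active"
            and record["assignmentType"] == "Assigned"
            and record.get("endDateTime") is None)


def admin_inventory(records) -> dict:
    """{role: {principal: 'permanent' | 'time-bound' | 'activated' | 'eligible'}}."""
    inventory = {}
    for r in records:
        if r["state"] == "eligible":
            kind = "eligible"
        elif r["assignmentType"] == "Activated":
            kind = "activated"          # a just-in-time activation of an eligible assignment
        else:
            kind = "permanent" if r.get("endDateTime") is None else "time-bound"
        inventory.setdefault(r["role"], {})[r["principal"]] = kind
    return inventory


def permanent_privileged(records) -> list:
    """(principal, role) pairs that should normally be converted to eligible."""
    return sorted(
        (r["principal"], r["role"]) for r in records
        if is_permanent_active(r)
        and r["role"] in PRIVILEGED_ROLES
        and r["principal"] not in EXEMPT_PRINCIPALS
    )


def global_admin_count(records) -> int:
    """Distinct principals holding Global Administrator, eligible or active."""
    return len({r["principal"] for r in records if r["role"] == "Global Administrator"})


def review(records) -> dict:
    """Findings bundle suitable for a report or an alert."""
    count = global_admin_count(records)
    return {
        "inventory": admin_inventory(records),
        "permanent_privileged": permanent_privileged(records),
        "global_admin_count": count,
        "too_many_global_admins": count >= MAX_GLOBAL_ADMINS,
    }


def _rec(principal, role, state, assignment_type=None, end=None):
    """Build one flattened assignment record (helper for the constructed sample)."""
    return {"principal": principal, "role": role, "state": state,
            "assignmentType": assignment_type, "endDateTime": end}


# Constructed sample records, not data from any real tenant.
SAMPLE_ASSIGNMENTS = [
    _rec("alice@contoso.example", "Global Administrator", "active", "Assigned"),
    _rec("bob@contoso.example", "Global Administrator", "eligible", end="2025-12-31T00:00:00Z"),
    _rec("carol@contoso.example", "Security Administrator", "active", "Activated", "2024-03-01T10:00:00Z"),
    _rec("dave@contoso.example", "User Administrator", "active", "Assigned"),
    _rec("erin@contoso.example", "Exchange Administrator", "active", "Assigned"),
    _rec("break-glass@contoso.example", "Global Administrator", "active", "Assigned"),
]

if __name__ == "__main__":
    findings = review(SAMPLE_ASSIGNMENTS)
    for role, holders in sorted(findings["inventory"].items()):
        print(role, holders)
    print("Permanent privileged assignments:", findings["permanent_privileged"])
    print("Global Administrators:", findings["global_admin_count"])
```

Note that `dave@contoso.example` is not flagged even though User Administrator is a standing assignment: the finding list is only as good as the role set you feed it, which is why the privileged-role list is called out as an assumption rather than a fixed answer.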
Microsoft offers a downloadable playbook that explores guidelines and recommendations for several Identity and Access management scenarios at aka.ms/aad-poc.
About the Author
Chris has over 15 years of experience working with top IT enterprise businesses. Having worked at Google, helping to launch Gmail, YouTube, Maps and more, and most recently at Microsoft, working directly with Microsoft Azure for both Commercial and Public Sectors, Chris brings a wealth of knowledge and experience to the team in architecting complex solutions and advanced troubleshooting techniques. He holds several Microsoft certifications, including Azure certifications.
In his spare time, Chris enjoys movies, gaming, outdoor activities, and Brazilian Jiu-Jitsu.