Secure Access to Azure AD
Azure Active Directory, commonly referred to as Azure AD, is Microsoft’s Identity and Access Management service in the cloud. It manages users, groups, and applications along with their access to other applications and resources running in the cloud, which mirrors what traditional on-premises Active Directory provides. Because Azure AD runs as a cloud service, it can be thought of as Identity and Access Management as a Service.
This course is an introduction to Azure AD security. It covers securing users, groups, devices, and applications, as well as hybrid identity infrastructure solutions and much more!
What You'll Learn in this Course
|Lesson|What you'll learn|
|---|---|
|Overview of the Course|Overview of the course and the learning objectives|
|Introduction to Azure AD|An intro to Azure AD and cloud security|
|Secure Access to Azure AD|Users, groups, apps, and RBAC|
|Integrate Securely with Azure AD|Azure AD Connect, identity solutions, MFA, and app integration|
|Identity Management|Identity Management and premium features|
|Summary|Summary and course wrap-up|
In this lesson, we are going to learn how to secure access to Azure AD.
The objectives for this lesson include:
Learn to securely manage access to Azure for users, groups, and applications
Discuss Role-Based Access Control (RBAC)
Learn about Conditional Access
Learn how to access reporting
Let’s start off with a demo. Here we are at the Azure Portal. In the search box at the top we can type Active Directory and click on Azure Active Directory. This takes us to the overview screen of Azure AD, where we can begin to manage our environment. From here we can easily see our users and groups, as well as search for users, groups, and applications.
On the left-hand side we have options for managing users and groups, applications, the Azure AD Connect tool (which we’ll talk about later), domain names, Mobile Device Management, Self-Service Password Reset, company branding, and so on. We even have this quickstart guide, which provides great documentation to help you get started.
If we go into Users and Groups you can see we have many options tailored toward managing users and groups. Let’s have a quick look at each of the settings.
Under User Settings we can control User access to Enterprise applications and app registrations as well as access to the Azure AD administration portal.
Under Group settings we can enable Self-service group management in addition to restrictions on managing Security Groups.
Finally, looking at Device Settings, we can easily select if users may join their devices to Azure AD, require Multi-Factor Authentication for devices, etc.
Members of your organization will need access to Azure AD. Directory Roles are how we manage the different levels of access. There are three main roles.
Most users will simply be Users. In this directory role, users can access assigned resources but cannot manage most directory resources.
The second Directory Role is Global Administrator. Because I have full access to my own Azure subscription, my user account is a Global Administrator, which has full control over all directory resources.
Finally we have the Limited Administrator role. Like Global Administrators these administrators have full access, but only within the scope of their specific limited role. An example is the “Security administrator” role, which grants the ability to read and manage security configurations and reports. Another example is the User Administrator role, which grants access to perform common user management tasks. You can assign multiple sub-roles to Limited Administrators here.
Azure AD has multiple editions. When you sign up for a Microsoft subscription you’ll have a trial account with free access to basic features such as basic user management and security reports. For paid subscriptions there are the Basic and Premium SKUs.
With the Basic Azure AD edition you’ll have access to group-based access management and provisioning, self-service password reset for cloud users, company branding, Application Proxy, and more, in addition to the 99.9% SLA as in the trial edition.
The Premium SKU has two tiers. Premium P1 includes everything in Basic plus features such as Multi-Factor Authentication, Cloud App Discovery, and the Azure AD Connect Health tool. The Premium P2 SKU also adds the Identity Protection feature as well as Privileged Identity Management, or PIM, which we discuss later in the course.
When reviewing your IT organization’s security requirements, be sure you have a good understanding of which Azure AD edition best suits your organizational needs, as new features are constantly being added or modified.
Role-Based Access Control (RBAC) is how Microsoft allows administrators to limit user access to Azure resources. These resources can be anything from Virtual Machines and VNets to entire Resource Groups. Example roles include Owner, which has full control over the resource, and Network Contributor, which can manage network-based resources. Each role is comprised of a set of permissions. For example, the Network Contributor role has permissions to read, write, and delete all resources under the Microsoft.Network/* namespace. Other built-in roles include Contributor and the Reader role, which provides read-only access.
It’s important to note that each subscription can grant up to 2000 role assignments. In addition to the Portal, RBAC can be controlled via PowerShell, the Azure CLI, and the REST API. Not only are there built-in roles, but you can also create custom roles and tweak their permissions as you see fit. You may then assign a role directly to users, or assign it to a custom Azure AD group you’ve created that comprises specific users.
Here is a screenshot from the Microsoft documentation showing RBAC for a particular resource group. As you can see, each Azure resource has an “Access control (IAM)” menu that allows you to add and remove role assignments for the resource.
Conditional Access is a mechanism in Azure that allows you to restrict access to devices and applications based on predefined rules. It has two main goals: first, to allow your end users to be productive wherever they may be, with whatever device they are using; and second, to protect corporate resources and data at all times.
Conditional Access uses rules that follow a “when this happens” (the condition) -> “then do this” (the control) pattern. In other words, you define what should happen when a condition has been met. The “what happens” is a Block or Allow access policy. Block access is self-explanatory, but when allowing access you can define further requirements, such as requiring multi-factor authentication, which uses Active Directory Federation Services, or AD FS. You can also require that devices be compliant, which can mean that computers are up to date or that the mobile device is enrolled in mobile device management. For instance, the Microsoft documentation gives the example of using Microsoft Intune to check device compliance and report it to Azure AD for enforcement when the user attempts to access an application. Finally, you may require the device to be domain joined; this can be applied to desktops, laptops, and enterprise tablets. Just remember that Conditional Access requires Azure AD Premium.
Earlier in the course I stressed the importance of Monitoring and Reporting in your Cloud environment. Azure AD has tools to help you monitor both your Cloud and On-premises environments. Azure AD provides basic activity information such as sign-ins and audit logs for Azure AD Services.
Microsoft offers a tool called Azure AD Connect Health, which provides readily available insights into your on-premises identity infrastructure and synchronization services. If you recall, many environments are set up such that your on-premises environment connects to Azure. The identity infrastructure you have on-premises includes Active Directory Domain Services, Active Directory Federation Services, and so on.
Azure AD Connect Health works by deploying health agents. For example, you would deploy an AD DS Health agent to your on-premises Active Directory Domain Controllers; it reports back to the Azure AD Connect Health tool, which is easily visible directly from the Azure Portal. You can see things like Domain Controller health, replication status, and graphs for various performance counters. You may also set up alerts and email notifications.
In addition to monitoring your identity infrastructure, Azure AD Connect Health can also monitor the Azure AD Connect sync that happens when synchronizing your on-premises data with Azure AD.
To wrap up this lesson I’d like to also introduce you to the Azure AD PowerShell module. Unlike the rest of the Azure PowerShell commands, which live in the Azure Resource Manager modules, Azure AD uses a separate module that you have to download separately. You can also just use Azure PowerShell to issue the “Install-Module AzureAD” command to install the Azure AD module.
You connect to your subscription using the Connect-AzureAD command, similar to the Add-AzureRmAccount command used when connecting to your subscription. Your subscription login name and password will be the same. Use the Get-Module command to check whether the module is installed and imported, and to show version information. Finally, use “Get-Command -Module AzureAD” to get a list of the commands available in the Azure AD module.
Let’s do a quick demo to see some of the things we can do with the Azure AD PowerShell module. Here I am in the Windows PowerShell ISE. This is a brand new session, so let’s first import the module. Now let’s check the version info with Get-Module. As you can see I have version 220.127.116.11 installed.
Let’s connect to Azure AD. Here you see I’m prompted for my credentials. I’ll be right back as I put in my information. Now let’s see all the commands that begin with the verb ‘New’.
Here we see there are commands to add new Azure AD applications, devices, groups, service principals, users, and so on. What you don’t see here are the Azure role definitions we discussed, such as the Network Contributor role used in Role-Based Access Control. That’s because those commands are located in the AzureRM module, so not all Azure AD-related functions are in the AzureAD module.
Let’s take a look at the Network Contributor role. First let’s store the actual role definition in a variable called $role by calling Get-AzureRmRoleDefinition “Network Contributor”. Let’s inspect the $role variable. You’ll notice that ‘IsCustom’ is set to false because this is a built-in role, and we get a nice description of the role. We also have a list of Actions and NotActions and the assignable scopes. In our case, the scope is the current subscription. When creating custom roles you may enumerate the subscriptions to which the role applies. Let’s take a look at this role’s actions in more detail via the Actions property. The main point here is that this role has full access to all Microsoft.Network operations. Finally, let’s take a look at exactly what the provider operations are for Microsoft.Network by running the Get-AzureRmProviderOperation command. As you can see, there are tons of operations with several actions, including read, write, delete, and others. This concludes the demo.
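The RBAC section above and this demo both turn on how a role definition's Actions, NotActions, and assignable scopes combine to decide whether an operation is permitted. The following PowerShell, added here as an example and not part of the course or of Microsoft's modules, evaluates that decision for constructed role objects shaped like the output of Get-AzureRmRoleDefinition; the subscription id is a placeholder and the Network Contributor actions listed are a subset of the built-in definition.

```powershell
# Added example (not from the course): checks whether an RBAC role definition
# permits an operation, using the Actions / NotActions / scope semantics the
# course describes. Role objects are constructed inline to mirror the shape
# Get-AzureRmRoleDefinition returns, so this runs without an Azure connection.

function Test-ScopeWithin([string]$Child, [string]$Parent) {
    # '/' is the root: built-in roles are assignable anywhere.
    if ($Parent -eq '/') { return $true }
    return ($Child -eq $Parent -or $Child -like "$Parent/*")
}

function Test-RbacOperation {
    param(
        [Parameter(Mandatory)] $Role,                      # Actions, NotActions, AssignableScopes
        [Parameter(Mandatory)] [string] $Operation,        # e.g. Microsoft.Network/virtualNetworks/write
        [Parameter(Mandatory)] [string] $AssignmentScope,  # where the role is assigned
        [Parameter(Mandatory)] [string] $ResourceScope     # resource being accessed
    )
    # 1. The role must be assignable at the assignment scope.
    $assignable = $Role.AssignableScopes | Where-Object { Test-ScopeWithin $AssignmentScope $_ }
    if (-not $assignable) { return $false }
    # 2. Assignments flow down: the resource must sit at or below the assignment scope.
    if (-not (Test-ScopeWithin $ResourceScope $AssignmentScope)) { return $false }
    # 3. Azure RBAC wildcards match across '/' segments, exactly like PowerShell -like.
    $granted = $Role.Actions | Where-Object { $Operation -like $_ }
    if (-not $granted) { return $false }
    # 4. NotActions only subtracts from this role's own Actions; it is not a deny.
    $excluded = $Role.NotActions | Where-Object { $Operation -like $_ }
    return (-not $excluded)
}

# Subset of the built-in Network Contributor definition (constructed sample).
$networkContributor = [PSCustomObject]@{
    Name = 'Network Contributor'; IsCustom = $false
    Actions = @('Microsoft.Authorization/*/read', 'Microsoft.Network/*', 'Microsoft.Support/*')
    NotActions = @(); AssignableScopes = @('/')
}
# Custom role cloned from it that cannot delete network resources and is limited to
# one subscription (placeholder id). Against a live tenant the same shape is built
# from Get-AzureRmRoleDefinition 'Network Contributor' and submitted with
# New-AzureRmRoleDefinition -Role.
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$networkOperator = [PSCustomObject]@{
    Name = 'Network Operator (custom)'; IsCustom = $true
    Actions = $networkContributor.Actions
    NotActions = @('Microsoft.Network/*/delete'); AssignableScopes = @($sub)
}

$rg = "$sub/resourceGroups/rg-prod"
Test-RbacOperation $networkContributor 'Microsoft.Network/virtualNetworks/delete' $rg $rg  # built-in: delete is an Action
Test-RbacOperation $networkOperator    'Microsoft.Network/virtualNetworks/delete' $rg $rg  # custom: delete listed in NotActions
Test-RbacOperation $networkOperator    'Microsoft.Compute/virtualMachines/write'  $rg $rg  # no matching Action at all
Test-RbacOperation $networkOperator    'Microsoft.Network/virtualNetworks/write'  $rg "$sub/resourceGroups/rg-dev"  # outside assignment scope
```

Each call writes a single Boolean, so the four lines at the end show, in order, a grant from a wildcard Action, a subtraction by NotActions, a missing Action, and a scope mismatch.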
If you haven’t already, you can learn more and get a few additional details on some of the things we covered here by going to the Microsoft Azure Security Solutions course right here on Cloud Academy.
Chris has over 15 years of experience working with top IT Enterprise businesses. Having worked at Google helping to launch Gmail, YouTube, Maps and more and most recently at Microsoft working directly with Microsoft Azure for both Commercial and Public Sectors, Chris brings a wealth of knowledge and experience to the team in architecting complex solutions and advanced troubleshooting techniques. He holds several Microsoft Certifications including Azure Certifications.
In his spare time, Chris enjoys movies, gaming, outdoor activities, and Brazilian Jiu-Jitsu.