What is Azure Active Directory?
Azure Active Directory is Microsoft’s multi-tenant, cloud-based identity and access management service. The digital infrastructure allows your employees to sign in and access external resources held in Office 365 and an ever-growing list of other SaaS applications, as well as those held on a corporate network or intranet.
Azure AD’s strength lies in its flexibility, which is afforded by its being entirely cloud-based. This means that it can either act as an organisation’s only directory or sync with an on-premises directory via Azure AD Connect.
Either way, it enables both on-premises and cloud-based users to access the same apps and resources, benefiting from features such as single sign-on (SSO), multi-factor authentication (MFA), conditional access, and more.
More importantly, it provides a single place to manage your identity, security, and compliance controls across your entire IT estate.
Securing Your Digital Frontier
Azure AD Key features
Having all of your disparate environments united under Azure AD offers some significant functionality options and features:
Application Management
Manage both cloud and on-premises apps, single sign-on, the MyApps portal, and any SaaS apps.
Authentication
Whether providing self-service password reset, calibrating MFA requirements, or enabling smart lockout, you can get really granular with your authentication settings (especially when used with conditional access) for increased security and control. Securing Your Digital Frontier
Business-to-Business (B2B)
Manage guest users and partners, providing them with the access they need but no more than you’re willing to allow.
Business-to-Customer (B2C)
Offer custom sign-in and sign-up experiences, allowing customers to manage their profiles within your applications.
Device Management
Device management in Azure Active Directory (Azure AD) is securely managing and controlling devices that access an organization's Azure AD environment. It includes tasks like registering devices, verifying their identity through authentication, monitoring their health and compliance, and remotely managing their configuration. Azure AD device management ensures a secure and consistent environment across different types of devices, enhances data protection, and improves administrative efficiency.
Hybrid Identity
Most organisations aren’t ready to go cloud-only yet, but using Azure AD Connect allows you to take advantage of Azure AD’s features – even if you’re running some on-premises applications and some in the Cloud.
Identity Governance
To ensure that your identity ecosystem remains healthy, Azure AD has some built-in governance features that allow you to manage identity and access lifecycles and set privileged access conditions. These controls are designed to enable organisations to ensure that the correct users have the corresponding access levels and monitor what they’re doing with it. One of the key benefits of good governance is being able to audit and verify the effectiveness of the applied controls.
Identity Protection
Azure AD Identity utilises security information from across Microsoft’s digital empire to detect and remedy identity-based risks, automating a large part of identifying and addressing security concerns. These risks can then be further investigated through the Azure AD portal.
Reports and Monitoring
Azure AD also features monitoring and reporting capabilities to help you gain insights into your environment. You can run diagnostics and view logs, which can then be applied to third-party SIEM tools to examine your data more deeply.
How to create secure identity infrastructure in Microsoft Azure in 5 steps:
Implement Centralized Identity Management
Enable Single Sign-On (SSO) and Multi-Factor Authentication (MFA)
Proactively Manage User Access
Actively Monitor Your Security State
Automate the Common Monitoring and Management Task
1. Implement Centralized Identity Management
If you rely on hybrid environments (e.g., your on-premises data center is extended to Azure cloud), your first step towards Azure protection should be enabling integrated identity management. After integrating on-prem and cloud directories, you can manage all user accounts from a single place, plus provide users with a common identity for accessing both environments. This, in turn, reduces password management costs. Given that almost 50% of IT help desk costs are associated with password resets, the savings of a Single Sign-On (SSO) solution can be significant.
Best Practices:
Designate one Azure AD instance to all corporate accounts (on-prem & cloud-based).
Use Azure AD Connect to enable synchronization between your cloud and on-premises directories.
When it comes to high-privilege accounts you already have in your Active Directory instance, don’t change the default Azure AD Connect configuration fileting them out. Otherwise, such accounts might meddle in the on-premises assets.
Enable password hash synchronization, a feature that helps protect against credential stuffing attacks. This config is particularly valuable as it helps check if users have used the same email/password combo on other services (non-connected to Azure AD) and prevents them from using the same credentials if these have already been compromised.
Embed Azure AD into all your newly developed business applications for extra security.
2. Enable Single Sign-On (SSO) and Multi-Factor Authentication (MFA)
Single sign-on (SSO) reduces the reliance on multiple passwords and, thus, increases overall Azure cloud security. Instead of asking your business users to maintain multiple passwords for their Salesforce, Microsoft 365, Google apps, and other accounts, you can set up seamless and secure access to all of them via Azure AD. Considering that an average enterprise has over 900 applications , with only 28% being integrated, users are forced to store a lot of passwords (and oftentimes re-use the weak ones). This can lead to security incidents and costly data breaches.
The benefit of using Azure AD is that many business applications already have pre-integrated SSO connections with it. On top of that, you can find SSO connectors for some 3,000 applications on Azure Marketplace.
You can choose one of two approaches to enable SSO on Azure:
Federated SSO. In this case, Azure AD authenticates users with their Azure AD account. This method is available for all applications, supporting the following protocols – SAML 2.0, WS-Federation, or OpenID Connect.
Password-based SSO. When using this type of authentication, users are asked to provide a username/password combo to the application during their first access. For all the subsequent logins, Azure AD will supply the login credentials to the connected app.
More information on the benefits of each SSO method can be found in this Microsoft guide.
Multi-factor authentication (MFA)is another strong security facet we always recommend implementing as part of the cloud security strategy.
MFA is an intermediary measure that can help stop unsolicited login attempts, especially from compromised accounts, by asking the user to provide a second form of authentication for accessing their accounts. Azure provides an array of user-friendly authentication methods, such as:
One-time text or voice passwords
Software token OTPs
Microsoft authenticator
Windows Hello
FIDO2 security keys (in preview).
According to Microsoft, corporate accounts are 99.9% less likely to get hacked with MFA enabled.
Conditional Access in Azure Active Directory
Source
With SSO and MFA enabled you reduce your company’s reliance on passwords and, subsequently, the risks of brute-force breaches due to weak passwords.
3. Proactively Manage User Access
Having complete visibility into different user roles and permissions is essential to implementing proper security controls. Azure role-based access control (Azure RBAC) is an authorization service that is designated to implement granular access management of Azure resources.
Consider implementing this service for all staff members.
When it comes to line-of-business leaders, Azure AD Identity Governance is a service we recommend implementing. A comprehensive solution for managing roles, data, and resource access, Azure AD Identity Governance enables a single pane of glass view into all your employees’ activity and permissions for easy audit and monitoring without placing a strain on their productivity. Running in the background, the app allows you to perform the following tasks across all users, services, and applications, running on-premises and in the cloud:
Govern the identity lifecycle
Govern access lifecycle
Secure privileged access for administration
Through one convenient interface, your security team can monitor which users have access to which resources and how they are using that access.
Privileged Identity Management (PIM) is another facet of Azure identity protection worth leveraging to safeguard the most sensitive data within your company. The service lets you smartly manage access to certain resources and operations in Azure AD, Azure, Microsoft 365, and other SaaS apps. The role of this service is to act as a controller for providing just-in-time privileged access to restricted resources to LOBs who need it, along with monitoring that access usage and automatically terminating it.
Some of the main PIM features include:
Provisioning of time-bound access to certain Azure AD and Azure resources;
Approval management for activating privileged roles;
Auto-MFA initiation for activating any role;
Convenient access reviews for managing roles access;
Quick history download for audits.
PIM is especially important for larger Azure instances, as was the case with our client, Metinvest Group. As part of a large-scale digital transformation project implemented together with Metinvest Digital, it embraced the migration of two on-premises data centers (with 680 servers) and some 80,000+ business users.
Bonus tip: Azure Information Protection (AIP) is a handy cloud-based labelling service for discovering, classifying, and protecting various documents and business communication. It further extends the labelling functionality offered by Microsoft 365, enables the support of additional file types, and protects File Explorer and PowerShell.
4. Actively Monitor Your Security State
After you have completed the initial setup, check your Azure AD identity secure score—a measure between 1 and 223 that indicates how well your infrastructure complies with Microsoft’s security recommendations.
Source
The dashboard shows how well you have coped with various tasks and lets you plan further by filtering them by cost and user impact.
As the next step of your Microsoft Azure information protection plan, enable identity risk monitoring using Azure AD Identity Protection. This ML-based tool helps you automate the detection and mitigation of common identity-based risks and capture relevant data around them for further investigation. Microsoft Intelligent Security Graph analyzes over 6.5 trillion signals per day to identify suspicious behavior patterns, and these findings are then translated into alerts and mitigation suggestions for Microsoft Identity Protection users.
Some of the common risks the tool can detect are as follows:
Common Risks to Detect with Azure AD Identity Protection
Source
Finally, ensure that you continuously audit accesses provided to various SaaS apps so that no third-party product attempts to overstep the granted permissions.
5. Automate the Common Monitoring and Management Task
Effective identity management and security automation are solid ways for larger enterprises to realize further TCO savings from Azure Migration.
As already mentioned, Azure AD Identity Protection is a stellar service for automating risk monitoring and using Microsoft’s state-of-the-art machine learning algorithms, powering threat detection within this tool. With the help of this service, you can set up automated threat responses to common attack vectors. For example:
Roll out new user risk policies in real time to remedy compromised accounts.
Implement SSO policies in real time to stall suspicious sign-in attempts.
Also, to reduce the volume of menial work your IT service desk has to deal with, you can integrate Microsoft Graph with Azure AD identity management and other services. This will help you to automate workflows such as:
Employee onboarding/termination
Profile Maintenance
Licenses deployment.
Lastly, the Azure Automation service can also automate many common identity management workflows.
Comments