2.2. Governance - Azure AD.md

Azure AD

Azure Active Directory overview

• Characteristics
  • AD is cloud-based and geo-distributed
    • Your tenant is distributed amongst many servers in Azure.
    • Provides high level of availability and scalability.
  • AD is multi-tenant.
    • You're running a shared platform.
    • Each tenant is segmented off on its own.
    • Provides ability to give permissions from one tenant to another for certain accounts.
  • Identity & Access
    • Can be identity/access provider for Microsoft accounts for e.g. Office 365 1 .
    • In-house & third party developed applications can also leverage this service.
  • Integrates with local AD
  • Provides SSO
    • For third party or in-house applications.
• Global administrator = Root
• Can be managed by Azure Portal, Powershell/CLI, Microsoft Graph and API
  • Microsoft Graph: API product trying to creating single way of interacting with all Microsoft APIs.

Role Based Access Control

• Roles defines actions that role is capable of doing.
• 💡 Roles are assigned to users and users only.
• ❗ Pre-built roles only.
  • No custom roles.
  • You can create custom that are application specific and are outside of the direct administration of Azure AD
• Roles are assigned at tenant level.
  • If you need separation of roles, you can create a new tenant and assign roles and permissions on that account.

Custom Domains

• You initially get tenantname.onmicrosoft.com
• Custom names must be fully qualified: Not a local name but an online name.
• Ownership must be verified
  • Microsoft gives text records (TXT or MX)
  • You put text record in DNS to get verified
• You can verify multiple domains
• Possible to register subdomains but you register parent domain.
• In Portal: Active Directory → Custom domain names → Add custom domain

Multiple Directories

• Resource independence
  • Resource in one directory does not have access to resource in other directory
  • No forests, trusts etc.
• Administrative independencies
  • ❗ If you're global admin in one directory doesn't mean you have any access in other directory.
• Synchronization independence
  • You can synchronize to specific directory and it does not impact other directories.
• Switch directory
  • In Portal → Active Directory → Overview → Switch directory

Conditional Access

• Can be applied on users, locations, devices, applications.
• Policies allow you to have
  • One application with multiple rules
  • One rule with multiple applications
• ❗ Only available in Azure AD Premium
• Condition (if something) → Control (do something)
  • Conditions
    • Users and groups
      • • Groups • User ID • Locations (IP)
    • Cloud apps
    • Device platform and state
      • • Domain Joined • Compliant • Lost or Stolen
    • Locations (IP)
    • Client apps
  • Control: Allow, Deny, MFA
    • Multi-factor authentication
    • Compliant device
    • Approved client app
    • Terms of use
    • Custom and session controls
• Manage in AD - Conditional Access
• Example policy: "Marketing app from US only"
  • Assigments
    • Users and groups: All users
    • Cloud apps: Marketing app (registered in Azure AD)
    • Conditions
      • Locations: Include any location but exclude Contoso location
        • Contoso locations is a named location
          • Set US locations in portal: Active Directory → Conditional Access → Named locations
      • Client apps: Apply policy with access from Browser but not from mobile apps and desktop clients.
  • Access controls: Block access

Access Reviews

• Access review is created for an identified reviewer.
  • Duration can be set
  • Usually created by administrators.
  • Reviewers can approve or deny.
• Access review can be a member of programs.
  • A program groups reviews together.
• Managed in Access Reviews (separate view, not included in AD)

Administrative Units

• Container of resources
• Used for
  • Delegating administrative permissions over subsets of users
  • Applying policies to a subset of users
• Useful in organizations with independent (autonomous) divisions
• An administrative unit is a directory object that can be created and populated with resources/users.
• AD Premium feature
• E.g. a central administrator can
  • Create an administrative unit for a particular school (Business school)
  • Populate it with only the Business school users
  • Central administrator can add the Business school IT staff to a scoped role
    • Grants the IT staff of Business school administrative permissions only over the Business school administrative unit

Identity Protection

• Detection
  • Vulnerabilities
    • E.g. MFA not configured, Unmanaged cloud apps, priviliged identity management (only grant identity to user for a set period of time).
  • Risk events (e.g. user signin in from unknown detection)
    • E.g. leaked credentials on internet, anonymous IP addresses (VPNs etc.), suspicious IP addresses, impossible travel (superman event, user logs in from NY and after 5 minutes logs in from Hong Kong), Unknown locations, Infected devices.
• Investigations
  • Recieve notifications
  • Workflows (when, who, what happened)
  • Analysis: How can you apply policies to prevent such future events?
• Policies
  • User risk policy: E.g. if user risk event is high, allow access but require password change
  • Sign-in risk: E.g. if sign-in risk is medium, allow access but require MFA.

Auditing and Monitoring

• Active Directory → Activity
  • Sign-in: See, filter, search log-on statuses
  • Audit logs: See, filter, search activity logs for Azure AD
• Active Directory → Users and groups
  • You can see user sign-in risks
• Active Directory → Azure AD Connect
  • Install Azure AD Connect health from here
  • Shows how health your Azure AD Connections