Azure Sentinel: Manage Identity & Access (Part 1)

By Ashwin Venugopal -

 


To read part 2 please click here

Azure Active Directory or Azure AD

Azure AD is  Microsoft's multi-talented cloud based directory and identity management service. Azure AD allows IT Admins to give an easy to use and affordable single sign-on (SSO) access to various cloud applications like Office365, Salesforce, Dropbox, Concur, etc. to employees, clients, or business partners. Whereas it allows application developers to mainly focus on building their application by making the process fast and simple to integrate with a world-class identity management solution conveniently used by millions of organizations worldwide.

Identity manage capabilities & integration

Azure AD also have identity management capabilities like multi-factor authentication, device registration, self-service password as well as group management, privileged account management, role-based access control, application usage monitoring, rich auditing and security monitoring and alerting. These capabilities can easily help in securing cloud-based applications, stream-line IT processes, cost cutting, while ensuring that the corporate compliance goals are met; Plus its ability to integrate with the existing Windows Server Active Directory enable organizations to leverage their existing on-premises identity investments to manage easy access to cloud based SaaS applications.

Azure AD Editions

Azure AD comes in following four editions:

  1. Azure Active Directory Free- It provides users and group management on-premises directory synchronization, basic reports, and single sign-on across Azure, Microsoft 365, and various popular SaaS apps.
  2. Azure Active Directory Microsoft 365 Apps- This edition is included in O365 that provides Identity and Access Management for all the Microsoft 365 apps including branding, MFA, group access management, self-service password reset, etc. for cloud users in addition to its free services.
  3. Azure Active Directory Premium P1- P1 allows your hybrid users access to both on-premises and cloud resources in addition to the free features. It also supports advanced administration, such as dynamic groups, self-service group management, cloud write-back capabilities, etc. which enables self-service password reset for your on-premises users.
  4. Azure Active Directory Premium P2- It offers free as well as all the P1 features while providing Azure Active Directory Identity Protection to help in risk-based conditional access to your apps and critical company data as well as Privileged Identity Management to discover, monitor, and restrict administrators' just-in-time access to resources as and when needed     

The Premium editions are available online as well as through a Microsoft Enterprise Agreement, the Open Volume License Program, and the Cloud Solution Providers program. The free edition can accessed with an Azure subscription.

It is worth noting that if you are using Microsoft 365, Azure, or Dynamic CRM online, you are already using Azure AD without any realization. You can start using that to manage access to thousands of other cloud applications Azure AD integrates with whenever you want.

Azure AD vs AD DS

Azure AD has many similarities as well differences to AD DS. It is mandatory to understand that Azure AD is very much different from deploying an Active Directory domain controller on an Azure virtual machine and adding it to your on-premises domain. The following table depicts the differences between these two:

AZURE ACTIVE DIRECTORY

ACTIVE DIRECTORY DOMAIN SERVICES

Cloud

On-Premises

Designed for HTTP & HTTPS

Query via LDAP

Queried via REST APIs

Used Kerberos for Authentication

Uses SAML, WS-Federation, or OpenID for authentication

No Federated Services.

Uses OAuth for authration

Organizational Units (OUs)

Includes federation services

Group Policy (GPOs)

Flat Structure

 

By using Azure AD you can only manage the users, groups, and policies while deploying AD DS with virtual machines using Azure means managing the deployment, configuration, virtual machines, patching, and other backend tasks.

Azure AD Administrator Roles

With Azure Active Directory (Azure AD),limited administrators can be designatedto manage identity tasks in less-privileged roles such as adding or changing users, assigning administrative roles, resetting user passwords, managing user licenses, and managing domain names. The default user permissions can only be changed in user settings in Azure AD. It is recommended to assign the Global administrator roleto fewer than five people in your organization to reduce the risk to your business. Even if you have more than five admins assigned to the Global Administrator role, we can reduce its use in following ways.

Available roles:

  • Application Administrator- Users in this role can create and manage all aspects of an enterprise applications, application registrations, and application proxy settings.
  • Application Developer- Users in this role can create application registrations when the "users canregister applications" setting is set to No.
  • Authentication Administrator- In this role users can can set or reset non-password credentials for some users and can update passwords for all users.
  • Azure DevOps Administrator- In this role users can manage the Azure DevOps policy to restrict new Azure DevOps organization creationto a set of configurable usersor groups.
  • Azure Information Protection Administrator- In this one users have all the permissions in the Azure Information Protection sevice.
  • B2C User Flow Administrator- Users with this role can create and manage B2C User Flows in the Azure portal.
  • B2C User Flow Attribute Administrator-Users can add or delete custom attributes available to all user flows in the tenant in this role.
  • B2C IEF Policy Administrator- Users in this role can create, read, update, and delete all custom policies in Azure AD B2C and thereforehave full control over the Identity Experience Framework in the relevant Azure AD B2C tenant.
  • B2C IEF Keyset Administrator- Users can create and manage policy keys and secrets for token encryption, token signatures, and claim encryption/decryption.
  • Billing Administrator- Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
  • Cloud Application Administrator- Users will have the same permissions as the Application Administrator role, excluding the ability to manage the application proxy in this role.
  • Cloud Device Administrator- Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys in the Azure portal.
  • Compliance Administrator- Users in this role have permissions to manage compliance-related features in the Microsoft 365 compliance center, Microsoft 365 admin center, Azure, and Microsoft 365 security and compliance center/
  • Compliance Data Administrator- Users have permissions to track data in the Microsoft 365 Compliance center, admin center, within the exchange admin center and Azure. 
  • Conditional Access Administrator- Users with this role have the ability to manage Azure Active Directory Conditional access settings.
  • Exchange Administrator- In this one users have global permissions within Microsoft Exchange Online, when the service is present.
  • Directory Readers- Users can read basic directory information in this role.
  • Global Administrator/Company Administrator- Users with this role have access to all administrative features, as well as services that use Azure Active Directory identities like Microsoft 365 security center, compliance center, Exchange Online, SharePoint Online, and Skype for Business Online.
  • Groups Administrator- Users in this role can create or manage groups and ints settings like naming and expiration policies.
  • Security Administrator- In this role users have permissions to manage security-related features in the Microsoft 365 security center, Azure Active Directory Identity Protection, azure Information Protection, and Microsoft 365 Security and Compliance Center. 

Traditional approaches focusing on securing the entrance and exit points of a network as the primary security perimeter are less effective in a complex modern enterprise as compared to the authentication and authorization controls in an organization's identity layer.

Thus, Privileged administrative accounts are effectively in control of the new security perimeter and it is crucial to protect privileged access, regardless of whether the environment is on-premises, cloud, or hybrid on-premises and cloud hosted services. Protecting administrative access requires complete isolation of your organization's systems from risks.


To read part 2 please click here

Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more