Azure Sentinel: Manage Identity & Access (Part 1)
To read part 2 please click here
Azure Active Directory or Azure AD
Azure AD is Microsoft's multi-talented cloud based directory and identity management service. Azure AD allows IT Admins to give an easy to use and affordable single sign-on (SSO) access to various cloud applications like Office365, Salesforce, Dropbox, Concur, etc. to employees, clients, or business partners. Whereas it allows application developers to mainly focus on building their application by making the process fast and simple to integrate with a world-class identity management solution conveniently used by millions of organizations worldwide.
Identity manage capabilities & integration
Azure AD also have identity management capabilities like multi-factor authentication, device registration, self-service password as well as group management, privileged account management, role-based access control, application usage monitoring, rich auditing and security monitoring and alerting. These capabilities can easily help in securing cloud-based applications, stream-line IT processes, cost cutting, while ensuring that the corporate compliance goals are met; Plus its ability to integrate with the existing Windows Server Active Directory enable organizations to leverage their existing on-premises identity investments to manage easy access to cloud based SaaS applications.
Azure AD Editions
Azure AD comes in following four editions:
- Azure Active Directory Free- It provides users and group management on-premises directory synchronization, basic reports, and single sign-on across Azure, Microsoft 365, and various popular SaaS apps.
- Azure Active Directory Microsoft 365 Apps- This edition is included in O365 that provides Identity and Access Management for all the Microsoft 365 apps including branding, MFA, group access management, self-service password reset, etc. for cloud users in addition to its free services.
- Azure Active Directory Premium P1- P1 allows your hybrid users access to both on-premises and cloud resources in addition to the free features. It also supports advanced administration, such as dynamic groups, self-service group management, cloud write-back capabilities, etc. which enables self-service password reset for your on-premises users.
- Azure Active Directory Premium P2- It offers free as well as all the P1 features while providing Azure Active Directory Identity Protection to help in risk-based conditional access to your apps and critical company data as well as Privileged Identity Management to discover, monitor, and restrict administrators' just-in-time access to resources as and when needed
The Premium editions are available online as well as through a Microsoft Enterprise Agreement, the Open Volume License Program, and the Cloud Solution Providers program. The free edition can accessed with an Azure subscription.
It is worth noting that if you are using Microsoft 365, Azure, or Dynamic CRM online, you are already using Azure AD without any realization. You can start using that to manage access to thousands of other cloud applications Azure AD integrates with whenever you want.
Azure AD vs AD DS
Azure AD has many similarities as well differences to AD DS. It is mandatory to understand that Azure AD is very much different from deploying an Active Directory domain controller on an Azure virtual machine and adding it to your on-premises domain. The following table depicts the differences between these two:
AZURE
ACTIVE DIRECTORY |
ACTIVE
DIRECTORY DOMAIN SERVICES |
Cloud |
On-Premises |
Designed
for HTTP & HTTPS |
Query
via LDAP |
Queried
via REST APIs |
Used
Kerberos for Authentication |
Uses
SAML, WS-Federation, or OpenID for authentication |
No
Federated Services. |
Uses
OAuth for authration |
Organizational
Units (OUs) |
Includes
federation services |
Group
Policy (GPOs) |
Flat
Structure |
|
By using Azure AD you can only manage the users, groups, and policies while deploying AD DS with virtual machines using Azure means managing the deployment, configuration, virtual machines, patching, and other backend tasks.
Azure AD Administrator Roles
With Azure Active Directory (Azure AD),limited administrators can be designatedto manage identity tasks in less-privileged roles such as adding or changing users, assigning administrative roles, resetting user passwords, managing user licenses, and managing domain names. The default user permissions can only be changed in user settings in Azure AD. It is recommended to assign the Global administrator roleto fewer than five people in your organization to reduce the risk to your business. Even if you have more than five admins assigned to the Global Administrator role, we can reduce its use in following ways.
Available roles:
- Application Administrator- Users in this role can create and manage all aspects of an enterprise applications, application registrations, and application proxy settings.
- Application Developer- Users in this role can create application registrations when the "users canregister applications" setting is set to No.
- Authentication Administrator- In this role users can can set or reset non-password credentials for some users and can update passwords for all users.
- Azure DevOps Administrator- In this role users can manage the Azure DevOps policy to restrict new Azure DevOps organization creationto a set of configurable usersor groups.
- Azure Information Protection Administrator- In this one users have all the permissions in the Azure Information Protection sevice.
- B2C User Flow Administrator- Users with this role can create and manage B2C User Flows in the Azure portal.
- B2C User Flow Attribute Administrator-Users can add or delete custom attributes available to all user flows in the tenant in this role.
- B2C IEF Policy Administrator- Users in this role can create, read, update, and delete all custom policies in Azure AD B2C and thereforehave full control over the Identity Experience Framework in the relevant Azure AD B2C tenant.
- B2C IEF Keyset Administrator- Users can create and manage policy keys and secrets for token encryption, token signatures, and claim encryption/decryption.
- Billing Administrator- Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
- Cloud Application Administrator- Users will have the same permissions as the Application Administrator role, excluding the ability to manage the application proxy in this role.
- Cloud Device Administrator- Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys in the Azure portal.
- Compliance Administrator- Users in this role have permissions to manage compliance-related features in the Microsoft 365 compliance center, Microsoft 365 admin center, Azure, and Microsoft 365 security and compliance center/
- Compliance Data Administrator- Users have permissions to track data in the Microsoft 365 Compliance center, admin center, within the exchange admin center and Azure.
- Conditional Access Administrator- Users with this role have the ability to manage Azure Active Directory Conditional access settings.
- Exchange Administrator- In this one users have global permissions within Microsoft Exchange Online, when the service is present.
- Directory Readers- Users can read basic directory information in this role.
- Global Administrator/Company Administrator- Users with this role have access to all administrative features, as well as services that use Azure Active Directory identities like Microsoft 365 security center, compliance center, Exchange Online, SharePoint Online, and Skype for Business Online.
- Groups Administrator- Users in this role can create or manage groups and ints settings like naming and expiration policies.
- Security Administrator- In this role users have permissions to manage security-related features in the Microsoft 365 security center, Azure Active Directory Identity Protection, azure Information Protection, and Microsoft 365 Security and Compliance Center.
Traditional approaches focusing on securing the entrance and exit points of a network as the primary security perimeter are less effective in a complex modern enterprise as compared to the authentication and authorization controls in an organization's identity layer.
Thus, Privileged administrative accounts are effectively in control of the new security perimeter and it is crucial to protect privileged access, regardless of whether the environment is on-premises, cloud, or hybrid on-premises and cloud hosted services. Protecting administrative access requires complete isolation of your organization's systems from risks.
Comments
Post a Comment