Azure Sentinel: Manage Identity & Access (Part 2)

By Ashwin Venugopal -


To read part 1 please click here 

Azure Active Directory Domain Service

Azure AD DS provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerbos/NTLM authentication that is fully compatible with Windows Server Active Directory. It duplicates identity information from Azure AD, so it can work with Azure AD tenants that are cloud-only, or synchronized with an on-premises AD DS environment. These exists for both environments.

  • If you have an on-premises AD DS environment, you can synchronize user account information to provide a consistent identity for users.
  • For cloud-only environment, the traditional on-premises AD DS is not needed to use the centralized identity services of Azure AD DS.  

Azure AD DS features & Benefits

Azure AD DS is fully compatible with a traditional AD DS environment for various operations. LDAP write support is available for all the objects created in Azure AD DS managed domain only not for the resources which are synchronized from Azure AD. Simplified features of Azure AD DS deployment and management operations are:
  • Simplified Deployment Experience- Azure AD DS is enabled using a single wizard in the Azure portal for your Azure AD tenant.
  • Integrated with Azure AD- The automatically available user accounts, group memberships, and credentials from your Azure AD tenant, including new users, groups, or changes to attributes all of them are automatically synchronized to Azure AD DS.
  • Use your corporate credentials/passwords- Passwords for users in Azure AD DS are the same as in your Azure AD tenant and users can use their corporate credentials to domain-join machines, sign-in interactively, or over remote desktop, and authenticate against the Azure AD DS managed domain.
  • NTLM and Kerberos authentication- With the support of NTLM and Kerberos authentication, you can easily deploy applications that rely on Windows-integrated authentication.
  • High availability- Azure AD DS have multiple domain controllers providing high availability for your managed domain which in turn ensures service uptime and resilience to failures.
Azure AD DS coordinate with Azure AD, which can easily synchronize with an on-premises AD DS environment. This helps extend central identity use cases to traditional web applications.

Azure AD User Account



In Azure AD, every user needs a user account to access the resources that is a synced AD DS object or an Azure AD user object containing all the information required to authenticate an authorize the user during the sign-on process and to build the user's access token. To view the Azure AD users, access the All users blade, access the portal, view your users, and observe the USER TYPE and SOURCE columns as the above image depicts.

Azure AD users can be defined in three ways:
  • Cloud identities- These users exist only in Azure AD. For example administrator accounts and users source is Azure AD.
  • Directory-synchronized identities- These users exist in on-premises Active Directory. A synchronization activity occurring via Azure AD Connect brings these users into Azure.
  • Guest Users-These users exist outside Azure such as accounts from other cloud providers and Microsoft accounts.
Azure AD Group Accounts

There are two different types of groups:

  1. Security groups- These are the most common groups used to manage member and computer access to shared resources for a group of users. You can easily create a security group for a particular security policy with the help of an Azure AD administrator.
  2. Microsoft 365 groups- They provide collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and whatnot. This option is open for both users as well as admins.




Different ways to assign group access rights are:

  • Assigned- It lets you add specific users to the members of this group and provide unique permissions.
  • Dynamic User- It allows you to use dynamic membership rules to automatically add and remove members.
  • Dynamic Device (security groups only)- It allows you to use dynamic group rules to add and remove devices.
Azure Multi-Factor Authentication (MFA)

It helps in safeguarding the access to data and applications while maintaining simplicity for users. Using MFA to authenticate users helps organizations to mitigate credential thefts while being compliant with industry standards.




MFA Features

  • Get more security with less complexity-  Azure MFA safeguard access to data an applications with a range of easy verification options like phone call, text message, or mobile app notification allowing customers to choose the method they prefer.
  • Mitigate threats with real-time monitoring and alerts- It helps you to protect your business with security monitoring and machine-learning-based reports that can identify inconsistent sign-in patterns.
  • Deploy on-premises or on Azure- MFA server secure VPNs, Active Directory Federation Services, IIS web applications, Remote desktop, etc. with the help of RADIUS and LDAP authentication.
  • Use with Microsoft 365, Salesforce, and more- It secures the access to Microsoft 365 applications at no additional cost.
  • Add protection for Azure administrator accounts- It adds an extra layer of security to your Azure administrator account free of cost and you only need to confirm your identity to create a virtual machine, manage storage, or use other Azure services whenever it is turned on.

Fraud Alerts

  • Block user when fraud is reported- Users can report fraud attempts through mobile app or phone which results in the blocking of their account for 90 days or until an administrator unblocks their account. The administrator can easily review the sign in reports and take proper action to prevent any future fraud.
  • Code to report fraud during initial greeting- To report a fraud, the user has to enter a code before pressing # that is always 0 by default and can be customize later.

Trusted IPs

 It is a feature that allows the IP address ranges to bypass two-step authentication consisting of two selections:

  1. Managed Tenants- IP ranges that can skip MFA can be specified.
  2. Federated Tenants- IP ranges can be specified while exempting AD FS claim users.
The trusted IPs can work only from inside of a company intranet but even if the user signs in from outside the company's intranet, then they must authenticate by two-step verification even if they presents an AD FS claim.

To read part 1 please click here 

Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more