Azure Sentinel: Manage Identity & Access (Part 2)
Azure Active Directory Domain Service
Azure AD DS provides managed domain services such as domain join, group policy, Lightweight Directory Access Protocol (LDAP), and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. It replicates identity information from Azure AD, so it works with Azure AD tenants that are cloud-only as well as with tenants synchronized from an on-premises AD DS environment. The same capabilities apply in both cases:
- If you have an on-premises AD DS environment, you can synchronize user account information to Azure AD (and from there into Azure AD DS) to provide a consistent identity for users.
- In a cloud-only environment, you do not need a traditional on-premises AD DS deployment to use the centralized identity services of Azure AD DS.
Azure AD DS is compatible with a traditional AD DS environment for most common operations, with one important caveat: LDAP write is supported only for objects created directly in the Azure AD DS managed domain, not for users and groups synchronized from Azure AD (those must be changed in Azure AD or the on-premises directory and re-synchronized). The main deployment and management features of Azure AD DS are:
- Simplified deployment experience- Azure AD DS is enabled for your Azure AD tenant through a single wizard in the Azure portal.
- Integrated with Azure AD- User accounts, group memberships, and credentials from your Azure AD tenant are available automatically; new users and groups, and changes to attributes, are synchronized to Azure AD DS without manual steps.
- Use your corporate credentials/passwords- Passwords for users in Azure AD DS are the same as in your Azure AD tenant, so users can use their corporate credentials to domain-join machines, sign in interactively or over Remote Desktop, and authenticate against the Azure AD DS managed domain.
- NTLM and Kerberos authentication- Because NTLM and Kerberos are supported, you can deploy applications that rely on Windows-integrated authentication without rewriting them.
- High availability- Azure AD DS runs multiple domain controllers for your managed domain, providing service uptime and resilience to failures.
Azure AD DS integrates with Azure AD, which in turn can synchronize with an on-premises AD DS environment. This extends central identity use cases to traditional web applications that expect a classic domain.
Azure AD User Account
In Azure AD, every user needs a user account to access resources. The account is either an AD DS object synced from on-premises or a cloud Azure AD user object; it holds the information needed to authenticate and authorize the user during sign-in and to build the user's access token. To review the accounts in your tenant, open the All users blade in the portal and look at the USER TYPE and SOURCE columns (shown in the screenshot above): together they tell you how each identity was created.
Azure AD users can be defined in three ways:
- Cloud identities- These users exist only in Azure AD; the SOURCE column shows Azure Active Directory. Administrator accounts created directly in the portal are a typical example.
- Directory-synchronized identities- These users exist in on-premises Active Directory, and Azure AD Connect synchronizes them into Azure AD; the SOURCE column shows Windows Server AD.
- Guest users- These users exist outside your tenant, for example accounts from other Azure AD tenants, other cloud providers, or personal Microsoft accounts, and have a USER TYPE of Guest.
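As an added example (not part of the original post), the following PowerShell classifies accounts into the three identity types using the same properties the portal's USER TYPE and SOURCE columns are derived from: userType and onPremisesSyncEnabled. It runs against constructed sample objects so it can be tried without a tenant; the commented Get-MgUser lines show how to feed it real users from the Microsoft Graph PowerShell SDK. The UPNs are invented.

```powershell
# Added example, not from the original post. Classifies Azure AD users into
# cloud identities, directory-synchronized identities, and guests.
# To run against a real tenant (requires the Microsoft.Graph module and User.Read.All):
#   Connect-MgGraph -Scopes 'User.Read.All'
#   $users = Get-MgUser -All -Property UserPrincipalName,UserType,OnPremisesSyncEnabled,AccountEnabled

function Get-IdentitySource {
    param([Parameter(Mandatory)] $User)
    # Guests are marked by UserType; synced users carry onPremisesSyncEnabled = $true.
    # Everything else was created directly in Azure AD.
    if ($User.UserType -eq 'Guest')            { return 'Guest' }
    if ($User.OnPremisesSyncEnabled -eq $true) { return 'Directory-synchronized' }
    return 'Cloud'
}

# Constructed sample data standing in for Get-MgUser output.
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'admin@contoso.onmicrosoft.com';                     UserType = 'Member'; OnPremisesSyncEnabled = $null; AccountEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'jdoe@contoso.com';                                  UserType = 'Member'; OnPremisesSyncEnabled = $true; AccountEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'partner_fabrikam.com#EXT#@contoso.onmicrosoft.com'; UserType = 'Guest';  OnPremisesSyncEnabled = $null; AccountEnabled = $true }
)

$report = $users | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        Source            = Get-IdentitySource -User $_
        AccountEnabled    = $_.AccountEnabled
    }
}

$report | Format-Table -AutoSize

# Quick inventory: how many accounts of each type, useful when reviewing guest sprawl.
$report | Group-Object Source | Select-Object Name, Count
```

The split matters for access reviews: a synced account's password and attributes are owned on-premises, a guest account is owned by another tenant, and only the cloud identities are fully managed in Azure AD itself.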
Azure AD Group Accounts
There are two different types of groups:
- Security groups- The most common group type, used to manage member and computer access to shared resources for a set of users. An Azure AD administrator can create a security group for each access policy and grant permissions to the group rather than to individual users.
- Microsoft 365 groups- Built for collaboration: members get a shared mailbox, calendar, files, SharePoint site, and so on. Both users and admins can create this type of group.
There are three ways to populate a group's membership:
- Assigned- You add specific users as members of the group and grant permissions to that fixed set.
- Dynamic user- Dynamic membership rules on user attributes automatically add and remove members as the attributes change.
- Dynamic device (security groups only)- Dynamic membership rules on device attributes automatically add and remove devices.
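As an added example (not from the original post), the following PowerShell creates one dynamic user security group and one dynamic device security group with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and the signed-in account can create groups (Group.ReadWrite.All); the group names, mail nicknames, and the department value are illustrative assumptions.

```powershell
# Added example, not from the original post. Creates one dynamic user group and one
# dynamic device group with the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph and an account with Group.ReadWrite.All.
# Group names, mail nicknames and the department value are illustrative assumptions.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Dynamic user membership: enabled members of the Security department.
# The userType check keeps guest accounts from being pulled in automatically
# if a guest ever receives the same department attribute.
$userGroup = @{
    DisplayName                   = 'SEC-SecurityTeam-Dynamic'
    MailNickname                  = 'sec-securityteam-dynamic'
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = '(user.department -eq "Security") -and (user.accountEnabled -eq true) -and (user.userType -eq "Member")'
    MembershipRuleProcessingState = 'On'
}
$secTeam = New-MgGroup @userGroup

# Dynamic device membership (security groups only): Azure AD joined Windows devices.
$deviceGroup = @{
    DisplayName                   = 'DEV-Windows-AzureADJoined'
    MailNickname                  = 'dev-windows-azureadjoined'
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = '(device.deviceOSType -eq "Windows") -and (device.deviceTrustType -eq "AzureAD")'
    MembershipRuleProcessingState = 'On'
}
$winDevices = New-MgGroup @deviceGroup

# Rule evaluation runs in the background, so the groups are empty right after creation.
# Confirm the rule and processing state, then poll membership instead of assuming it.
foreach ($g in @($secTeam, $winDevices)) {
    Get-MgGroup -GroupId $g.Id -Property DisplayName,MembershipRule,MembershipRuleProcessingState |
        Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
    Get-MgGroupMember -GroupId $g.Id -All | Measure-Object | Select-Object Count
}
```

Treat a dynamic rule as an access-control statement: any attribute it keys on (here department and userType) is one that an attacker or a careless admin can set to join the group, so rules for sensitive groups should use attributes that are mastered on-premises or otherwise locked down.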
Azure Multi-Factor Authentication
Azure Multi-Factor Authentication (MFA) safeguards access to data and applications while keeping sign-in simple for users. Requiring a second factor mitigates credential theft, since a stolen password alone is no longer enough to sign in, and helps organizations meet industry compliance requirements.
MFA Features
- Get more security with less complexity- Azure MFA safeguards access to data and applications with a range of easy verification options, such as a phone call, text message, or mobile app notification, so users can choose the method they prefer.
- Mitigate threats with real-time monitoring and alerts- Security monitoring and machine-learning-based reports identify inconsistent sign-in patterns so you can respond quickly.
- Deploy on-premises or on Azure- The on-premises Azure MFA Server can secure VPNs, Active Directory Federation Services, IIS web applications, Remote Desktop, and similar services through RADIUS and LDAP authentication. (Azure MFA Server is no longer offered for new deployments; the cloud service, with the NPS extension for RADIUS scenarios, is the supported path.)
- Use with Microsoft 365, Salesforce, and more- Access to Microsoft 365 applications can be secured with MFA at no additional cost.
- Add protection for Azure administrator accounts- MFA adds an extra layer of security to Azure administrator accounts free of cost; once it is turned on, administrators must confirm their identity before creating a virtual machine, managing storage, or using other Azure services.
Fraud Alerts
- Block user when fraud is reported- Users who receive a verification prompt they did not initiate can report it as fraud from the mobile app or over the phone. The account is then blocked for 90 days or until an administrator unblocks it, and the administrator can review the sign-in reports to find the source of the attempt and act on it.
- Code to report fraud during initial greeting- During a phone-call verification the user enters a fraud code before pressing #. The default code is 0 and can be customized.
Trusted IPs
Trusted IPs is a feature that lets sign-ins from specified IP address ranges bypass two-step verification. Two options are available, depending on how the tenant authenticates:
- Managed tenants- Specify the IP address ranges that can skip two-step verification.
- Federated tenants- Specify the IP address ranges, or exempt users who present an AD FS claim (the All Federated Users option).
The trusted IPs bypass works only from inside the company intranet. If a user signs in from outside the company intranet, two-step verification is required even when the All Federated Users option is selected and the user presents an AD FS claim. Because the bypass is decided purely on source IP address, keep the ranges to egress addresses you control and avoid adding shared NAT, VPN exit, or proxy ranges that untrusted hosts can also use.
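As an added example (not from the original post), the following PowerShell evaluates sign-in source addresses against a set of Trusted IPs ranges and reports which sign-ins would have skipped two-step verification. The CIDR ranges and sign-in records are constructed sample data using documentation address blocks; in a tenant the ranges come from the MFA service settings and the sign-ins from the SigninLogs table in Azure Sentinel. The function names are my own.

```powershell
# Added example, not from the original post. Checks sign-in source addresses against
# Trusted IPs ranges to show which sign-ins would have bypassed two-step verification.
# Ranges and sign-in records below are constructed sample data.

function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)][string]$IPAddress)
    $bytes = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 only: $IPAddress" }
    [long]$value = 0
    foreach ($b in $bytes) { $value = ($value * 256) + $b }   # bytes arrive in network order
    return $value
}

function Test-IPInCidr {
    param([Parameter(Mandatory)][string]$IPAddress,
          [Parameter(Mandatory)][string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $bits = if ($prefix) { [int]$prefix } else { 32 }          # bare address means a single host
    if ($bits -lt 0 -or $bits -gt 32) { throw "Bad prefix length in $Cidr" }
    # The host part has (32 - bits) bits; mask it off on both sides and compare.
    # 4294967295 is 0xFFFFFFFF written in decimal, because a hex literal that size parses as -1.
    $hostBits = ([long]1 -shl (32 - $bits)) - 1
    $mask     = [long]4294967295 - $hostBits
    return ((ConvertTo-IPv4Int $IPAddress) -band $mask) -eq ((ConvertTo-IPv4Int $network) -band $mask)
}

function Get-TrustedIPBypassReport {
    param([Parameter(Mandatory)][string[]]$TrustedRanges,
          [Parameter(Mandatory)][object[]]$SignIns)
    foreach ($s in $SignIns) {
        $matched = $TrustedRanges |
            Where-Object { Test-IPInCidr -IPAddress $s.IPAddress -Cidr $_ } |
            Select-Object -First 1
        [pscustomobject]@{
            UserPrincipalName = $s.UserPrincipalName
            IPAddress         = $s.IPAddress
            BypassedMfa       = [bool]$matched
            MatchedRange      = $matched
        }
    }
}

# Constructed Trusted IPs configuration: the corporate egress block and one VPN concentrator.
$trustedRanges = @('203.0.113.0/24', '198.51.100.10/32')

# Constructed sign-in records; the fields mirror SigninLogs.UserPrincipalName and SigninLogs.IPAddress.
$signIns = @(
    [pscustomobject]@{ UserPrincipalName = 'jdoe@contoso.com';  IPAddress = '203.0.113.45'  }
    [pscustomobject]@{ UserPrincipalName = 'jdoe@contoso.com';  IPAddress = '192.0.2.77'    }
    [pscustomobject]@{ UserPrincipalName = 'admin@contoso.com'; IPAddress = '198.51.100.10' }
    [pscustomobject]@{ UserPrincipalName = 'admin@contoso.com'; IPAddress = '198.51.100.11' }
)

Get-TrustedIPBypassReport -TrustedRanges $trustedRanges -SignIns $signIns | Format-Table -AutoSize
```

In the sample data the two sign-ins from inside the ranges are reported as bypassing MFA and the two from outside (including the address adjacent to the /32 concentrator) are not. Running the same check over real SigninLogs exports is a quick way to see how much of your administrator traffic never presents a second factor, and therefore how much rides on the trustworthiness of those ranges.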