Identity Services (part 2)

By Ashwin Venugopal -

Azure Active Directory (Azure AD)

Azure AD is the Microsoft-managed, cloud-based, identity as well as access management solution which is capable of providing secure access for organizations and individuals to a variety of cloud-resident services, including Azure, Office 365, Microsoft Dynamics CRM online, and Microsoft Intune. It also offers multitenancy and scalability:
  • Multitenancy- Azure AD is multitenant by design, which ensures isolation between its individual directory instances. From a technical point of view, the term tenant represents an individual Azure AD instance and as an Azure customer, you can create multiple Azure AD tenants. This approach is more useful if you want to test Azure AD functionality in one without affecting the others and each Azure AD tenant serves as a security boundary as well as a container for Azure AD objects such as users, groups, and applications. 

  • Scalability- Azure AD is the world's largest multitenant directory, hosting over a million directory services instances, with billions of authentications request per week.

 You can also add paid capabilities to enhance your Azure AD implementation, by upgrading to Azure AD Basic, Premium P1, or Premium P2 licenses:
  • Azure AD Free- It provides user and group management, on-premises directory synchronization, basic reports, and single sign-on across Azure, Office 365, and many popular SaaS apps. 

  • Azure AD Basic- Besides the Free features, Basic also provides cloud-centric app access, group-based access management, self-service password reset for cloud apps, and Azure AD Application Proxy, which lets you publish on-premises web apps using Azure AD.

  • Azure AD Premium P1- Along with the Free and Basic features, P1 alos allows the hybrid users access both on-premises and cloud resources while readily supporting the advanced administration, as well as cloud write-back capabilities, which allow self-service password reset for your on-premises users.

  • Azure AD Premium P2- In addition to the Free, Basic, and P1 features, P2 also offers AD Identity Protection to help provide risk-based Conditional access to your apps and critical company data as well as Privileged Identity Management (PIM) to help discover, restrict, and monitor administrators as well as their access to resources and to provide just-in-time access when needed.  

Note- You can associate the same Azure AD tenant with multiple Azure subscription allowing you to use the same users, groups, and service principles to access as well as manage resources across multiple Azure subscriptions. 

Organizations that uses AD DS can easily synchronize users and groups from their AD domains with Azure AD to enable an SSO experience for their users accessing both on-premises as well as cloud-based applications. 

Azure Active Directory Domain Services (Azure AD DS)

Azure AD DS is known as the Microsoft-managed service that provides the standard AD features like Group Policy, domain join, and support for protocols such as Kerberos, NTLM, and LDAP. The managed AD DS can automatically synchronizes its users as well as groups from the Azure AD tenant associated with the Azure subscription hosting the virtual network which provides the following capabilities:

  • You can join Azure VMs to the managed AD DS domain if they reside on the same virtual network or another virtual network connected to it.
  • Azure AD users can use their existing credentials to sign in to these Azure VMs. 

If you have an on-premises AD DS domain that synchronizes with the same Azure AD tenant, your on-premises users will automatically become capable of signing into Azure AD domain by using their existing credentials. Azure AD DS can also migrate applications that depends on AD DS to Azure VMs without any need to deploy and maintain additional domain controllers or establish connectivity with an on-premises infrastructure.

Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Deployment (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 3, please click  here Microsoft Sentinel Content Hub Content in Microsoft Sentinel includes any of the following types: Data connectors offer log ingestion from different sources into Microsoft Sentinel. Parsers give log formatting/transformation into ASIM formats, supporting usage across various Microsoft Sentinel content types and scenarios. Workbooks provide monitoring, visualization, and interactively with data in Microsoft Sentinel, highlighting meaningful insights for users.  Analytics rules give alerts that point to relevant SOC actions via incidents.  Hunting Queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel. Notebooks help SOC teams in using advanced hunting features in Jupyter and Azure Notebooks. Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue.  Playbooks and Azure Logic Apps Custom Connectors provide featu...
Read more