AD Secure Access

  • Introduction to Azure Active Directory (Azure AD):
    • Azure AD Definition and Purpose:
    • Azure AD is a cloud-based Identity and Access Management (IAM) service by Microsoft.
    • Primary purpose is to streamline employee sign-in processes and manage access to both internal and external resources.
    • Resource Types:
    • Internal Resources:
    • Applications within the corporate network.
    • External Resources:
    • Encompasses Microsoft 365, Azure portal, and other Software as a Service (SaaS) applications.
  • Setting up Azure AD:
    • Tenant Creation:
    • A tenant in Azure AD represents the organization.
    • Creation involves establishing user accounts, groups, and shared access levels.
    • Group Access Control:
    • Utilizes groups for different teams (e.g., research and legal) to manage distinct access levels for applications.
    • Administrative Control:
    • IT administrators leverage Azure AD to dictate access based on organizational requirements.
  • Azure AD Benefits for Different Users:
    • IT Administrators:
    • Utilize Azure AD to precisely determine who has access to applications based on organizational policies.
    • Enhance protection by enforcing multi-factor authentication.
    • Application Developers:
    • Leverage Azure AD for user authentication.
    • Create personalized user experiences using Azure AD APIs.
    • Security Features:
    • Conditional Access:
    • Allows setting conditions based on attributes such as user location.
    • Identity Protection:
    • Proactive action on identity-based risks.
  • Identity Secure Score:
    • Overview:
    • Represents how well the organization aligns with Microsoft's recommendations and best practices for tenant security.
    • A percentage score between one and 100.
    • Usage:
    • A tool for understanding security effectiveness and implementing improvements.
    • Accessible in the Azure portal under Security and Identity Secure Score.
  • Distinction Between Azure AD and Active Directory:
    • Purpose Difference:
    • Azure AD is a cloud-based identity solution.
    • Active Directory manages on-premises network objects like devices and users.
    • Authentication Methods:
    • Azure AD uses password hash synchronization, pass-through authentication, and federated authentication.
    • Hybrid Identity:
    • Integration of Azure AD and Active Directory for a single user identity.
    • Achieved through multiple authentication methods.
  • Storage of Identity-Related Data:
    • Data Location:
    • Depends on the address provided during the subscription process.
    • Azure AD B2B:
    • Guest user links stored in US datacenters.
    • Unsubscribed email addresses stored in US datacenters.
    • Azure AD B2C:
    • Personal data stays within Europe; policy configuration data stored in US datacenters.
    • Multi-Factor Authentication:
    • Involves various data routing through US datacenters and global providers.
  • Distinction Between Azure AD and Active Directory (Hybrid Identity):
    • Authentication Methods for Hybrid Identity:
    • Azure AD Password Hash Synchronization:
    • Description:
    • User passwords are hashed twice and synchronized between Active Directory and Azure AD.
    • Allows users to have the same credentials for accessing resources both on-premises and in the Cloud.
    • Implementation:
    • Enables a seamless user experience with a consistent set of credentials.
  • Distinction Between Azure AD and Active Directory (Hybrid Identity):
    • Authentication Methods for Hybrid Identity:
    • Azure AD Pass-Through Authentication:
    • Description:
    • An authentication method that installs an agent on on-premises servers.
    • Authentication against Active Directory is handled on-premises when an Azure AD user attempts to authenticate.
    • Implementation:
    • Enhances security by ensuring password authentication occurs within the organization's infrastructure.
  • Distinction Between Azure AD and Active Directory (Hybrid Identity):
    • Authentication Methods for Hybrid Identity:
    • Federated Authentication:
    • Description:
    • Conducted by an on-premises Active Directory Federation Services (ADFS) server.
    • Validates users' passwords and supports advanced measures like smart card-based authentication.
    • Implementation:
    • Suitable for organizations with advanced security requirements.
  • Storage of Identity-Related Data:
    • Multi-Factor Authentication (MFA):
    • Description:
    • Involves various components that may interact with different datacenters.
    • Phone calls and text messages originate from US datacenters.
    • Push notifications for the Microsoft Authenticator app come from US datacenters.
    • Implementation:
    • Global providers handle routing for MFA.
  • Azure Active Directory Free
    • You can manage users and groups in this free version of Azure AD. You get necessary reports, on-premises Active Directory synchronization, and self-service password reset for Azure AD users. You also get a single sign-on for Microsoft 365, Azure services, and many third-party SaaS applications.
  • Pay-as-you-go
    • In this license type, you can access specific Azure AD features, such as Azure AD B2C, on a pay-as-you-go basis. Azure AD B2C lets you manage identity and access for consumer users and the applications they use.
  • Office 365 Apps
    • In this licensing option, you get all the free tier features, but you can also have custom login and logout pages, self-service password reset for cloud users, and device write-back.
  • Azure Active Directory Premium P1
    • With this premium license, you get all the features from the free tier, but you can also let users access on-premises and cloud-based services and resources. You can use self-service group management or dynamic groups, where users are added and removed automatically based on your criteria. This tier supports on-premises identity-management suites such as Microsoft Identity Manager. It also supports self-service password reset for users who are based on-premises.
  • Azure Active Directory Premium P2
    • In this license, you get all the features of the previous two tiers, Free and Premium P1, along with Active Directory Identity Protection. The Identity Protection feature helps you configure risk-based Conditional Access to protect applications from identity risks. You can also use privileged identity management, which lets you monitor and put detailed restrictions on administrators.
  • Viewing active license plans
    • How will you find out your active license plan? You can do this in the Azure portal by selecting Azure Active Directory > Licenses > All products. You can also buy or try new licenses on this page.
  • Default user permissions
    • Azure AD gives all the users in your tenant a default set of permissions. These permissions are based on whether a user is a member of an external organization or a natural member of the tenant, such as an internal employee. A member of an external organization is considered a guest. An example of a guest would be a vendor performing work for you but not an official employee of the organization. You invite guest users to the tenant through an Azure AD feature called Azure Active Directory B2B.
  • Default user permissions
    • Member users can do many things guest users cannot. For example, member users manage their profile details, such as phone numbers and photos. Guest users typically have more restrictions. Guest users can, for instance, view their display photos but cannot change them. 
  • Azure AD terminology
  • Account
    • An account is an identity and its associated data. An account cannot exist without an identity.
  • Azure AD account
    • An Azure AD account is an identity created in Azure AD or services such as Microsoft 365. For example, internal staff members might use Azure AD accounts daily. An Azure AD account of an employee might store details such as name, address, and a unique identifier such as the company email. 
  • Azure AD directory 
    • Let us now understand what an Azure AD directory is. When you subscribe to Azure, an Azure resource called the Azure AD directory is automatically created for you. You can create many Azure AD directories. Each of these directories represents a tenant. For example, you may have an Azure AD directory for your organization, which would contain all the digital identities of the organization.
  • Azure subscription 
    • A subscription denotes your level of access to use Azure and its services. You can choose from several types of Azure subscriptions based on your needs. Examples are pay-as-you-go and Azure Enterprise Agreement subscriptions. You may use your credit card to set up an Azure subscription.
    • An account can use many subscriptions.
  • Custom domain 
    • When you create an Azure AD directory, Azure automatically assigns it a default domain like <your-organization>.onmicrosoft.com. However, you can customize domain names. Your users could then have accounts like joesmith@contoso.com instead of joesmith@contoso.onmicrosoft.com. A domain that you customize for your Azure AD directory is called a custom domain.
  • Global administrator 
    • Do you know what a global administrator role is? A global administrator is a role that gives you access to all administrative capabilities in Azure AD. For example, this role allows you to reset passwords for all users and administrators. When you create a tenant, you automatically have the role of a global administrator for the tenant. 
  • Identity
    • Identity refers to something that must be identified and authenticated. Identity is typically a user with a username and password credentials, but the term can also apply to applications or services.
  • Multi-tenant 
    • This term refers to multiple tenants accessing the same applications and services in a shared environment. These tenants represent various organizations.
  • Owner role
    • You will use an owner role to manage Azure resources, including the access levels users need for resources.
  • Azure AD licenses
    Let us look at the various Azure AD licenses. These are:
    • Azure Active Directory Free
    • Pay-as-you-go
    • Office 365 Apps
    • Azure Active Directory Premium P1
    • Azure Active Directory Premium P2
  • Azure AD as a Cloud-Based Solution for App Access:
    • Azure AD serves as a cloud-based solution for managing user access to various apps, including Microsoft 365, Azure portal, and other SaaS applications.
    • Enables access to internal resources such as apps on the corporate intranet and cloud-based apps developed for the organization.
  • Azure AD: Conditional Access Policies
    • Allows the organization to implement Conditional Access policies, requiring additional authentication challenges before accessing apps.
    • Example: Configuring a policy for doctors to complete multi-factor authentication challenges.
    • A feature of the Premium P1 and P2 license tiers.
  • Reporting and Monitoring:
    • Azure AD provides reporting capabilities covering sign-in dates, user details, app usage, risk detection, and location.
    • Reports can be accessed through the Azure portal or specific APIs for programmatic usage.
  • Azure AD Identity Protection:
    • Utilizes risk policies for automated detection and response to identity threats.
    • Admin configures risk policies, and when a risk is detected, measures are enforced (e.g., password reset).
    • Allows you to export the collected risk data to third-party solutions and tools.
    • Premium P2 licensing tier is required.
  • Integration with On-Premises Active Directory:
    • Allows integration with existing Windows Server Active Directory.
    • Leverages on-premises identity investments to manage access to cloud-based SaaS applications.
  • Azure AD B2B Collaboration:
    • Enables collaboration with external healthcare partners' staff members.
    • Access can be revoked when collaboration is completed, enhancing security.
  • Azure AD B2C:
    • Manages customer identities and access.
    • Supports authentication through preferred identity providers for customers (e.g., doctors using official email ID).
    • Also allows monitoring of threats and risks to user accounts.
  • Azure AD Domain Services (Azure AD DS):
    • Facilitates the migration of legacy apps from on-premises to a managed domain without the need to manage the environment in the cloud.
    • Reduces the complexity of migrating on-premises apps to Azure.
  • Azure Domain Services: Simplified Infrastructure Management:
    • Azure AD DS allows for the addition of virtual machines to a domain without the need for domain controllers.
    • Internal staff users can access virtual machines using their organization Azure AD credentials.
  • Stages of deploying Azure AD
    You deploy Azure AD in four stages:
    1. Building a secure foundation
    2. Adding users, managing devices, and configuring synchronization
    3. Managing your applications
    4. Monitoring your administrators, doing access reviews, and automating user life cycles
  • Stages of deploying Azure AD
    Building a secure foundation
    • Global administrators play a crucial role in managing identities and access to resources in your organization. It is recommended to give the global administrator role to at least two Azure AD accounts. Also, it is a good practice to protect these accounts with long and complicated passwords and avoid using them daily unless you need to. You must use the regular administrator accounts where possible. These regular administrators should never have more permissions than they need.
  • Stages of deploying Azure AD
    Building a secure foundation:
    • Configuring and using Privileged Identity Management (PIM) is an excellent way to monitor how your admin roles are used. Doing this will help improve your governance and compliance. 
    • Setting policies around credentials and passwords is another aspect of building a secure foundation. You can let internal users reset their passwords by providing a self-service password reset option. This will also help you reduce helpdesk tickets. You can configure policies around self-service password reset.
  • Stages of deploying Azure AD
    Building a secure foundation:
    • It is a good practice to educate your users by providing them with a list of banned passwords—for example, everyday words in your organization, such as the company name or location. Also, you should warn your users to refrain from using their credentials across platforms. If any platform is compromised, attackers can use the credentials to access all platforms. 
  • Stages of deploying Azure AD
    Building a secure foundation:
    • Users tend to use similar passwords when forced to reset passwords regularly. This increases the risk of someone gaining access to the user account. For cloud-based user accounts, you can set passwords to never expire. You can also configure Conditional Access policies and enforce multi-factor authentication.
    • You can configure Azure Active Directory Identity Protection (AADIP) to automatically trigger multi-factor authentication or a password reset, depending on the severity of the detected risks.
  • Stages of deploying Azure AD
    Adding users, managing devices, and configuring synchronization:
    • Use Azure AD Connect to synchronize users from your on-premises instance of Active Directory to Azure. You can synchronize password changes and fix bad passwords using password hash synchronization. You also get reports about leaked user credentials. You have the option to configure password writeback so any changes to passwords in Azure are written to your on-premises instance of Active Directory.
  • Stages of deploying Azure AD
    Adding users, managing devices, and configuring synchronization:
    • It is a good practice to use Azure AD Connect Health to monitor the health statistics for your Azure AD Connect environment.
    • User licensing is an important aspect that you should consider. It is recommended that you give users the licenses they need at a group level, for example, Accounts Department. When you assign licenses at a group level, you control licensing for many users simultaneously. This action saves your organization time and reduces complexity.
  • Stages of deploying Azure AD
    Adding users, managing devices, and configuring synchronization:
    • You can provide access to guest users using Azure AD B2B Collaboration. This way, guest users can use their work or social identities to access your applications and services.
    • Users access resources from multiple devices. It is essential to prepare a device-management strategy. You can put together a plan based on which devices your company allows. For example, will you permit Bring Your Own Device (BYOD), or will the company accept only devices it has given to users?
  • Stages of deploying Azure AD
    Adding users, managing devices, and configuring synchronization:
    • It is an excellent practice to make authentication more convenient for users by providing authentication methods that do not require passwords. For example, users who have installed Microsoft Authenticator on their phones can receive a notification with a code to enter at sign-in, along with a PIN or a biometric attribute like their fingerprint.