Fundamentals of the product

All identities come somewhere together with access management. This is Azure Active Directory. It is the central cloud based service to ensure users have access to resources.

As soon as you start with Azure Active Directory, you have a tenant or a subscription. This is basically a dedicated environment that can be fully configured by you. It is important to understand that such a tenant looks and works the same for all customers all over the world. (Multi-tenancy model)

It is up to you how to set up and work with Azure Active Directory.

Azure service jungle

The most powerful advantage of Azure Active Directory (AAD) is the native integration to all other Microsoft Cloud products, applications and services. Beyond that, AAD can service as identity provider to numerous third party cloud apps. (Learn more) This is what I like to call "service jungle".

Enterprises that are fully focused on a cloud or hybrid strategy can leverage this fact to build a comprehensive cloud environment, start automation, orchestration and live in the cloud.

Costs & licensing

Azure Active Directory runs on a license model, though also offers free plans. Usually it is included in a Microsoft/Office 365 license. Although within AAD we differentiate between two license levels:

  • Premium P1 holds all basic features and some security services
  • Premium P2 includes every function of AAD

Official license plans
AAD P1 vs. P2


Hybrid capabilities

Most existing companies do have servers with Active Directory Domain Services and a Windows domain. New companies should definitely launch with Azure Active Directory and Microsoft 365. (Learn more)

-But what if I want an on-premises environment and use cloud Azure Active Directory?

This is a typicall hybrid state, which means, that you operate with on-premises resources, but also use the ability of the cloud.

Differences to on-premises Active Directory

AAD vs ADDS. Whats the difference? First of all, AAD is cloud based, that requires no servers to manage. Like I mentioned, it is a service. Furthermore AAD is constructed on an slightly other concept than ADDS. There is a difference between the logs, use, management and updating of new features.

Synchronization

To establish such a hybrid state, you should use Azure AD Connect. This is an application, installed on a server in the ADDS domain, that synchronizes identities and resources to AAD. Certainly there are more features and options to customize to fit your needs and requirements.


Security

And what about security concerns? Frankly, Microsoft defines security as key in all their cloud products. It will even allow you to have more control than ever before!

As the most valuable good in AAD are identities, MFA (mutli-factor authentication) is the first and at the same time most efficient step to take to rise the security level. Other measurements constitute of application control, access management, sign-in and user risk detection (Azure AD Identity Protection), including logs & monitoring as well as governance.

References

Due to the fact, that security is so broad and diverse, I will give some references to recommendable content on my blog:


Web portal

Let's enter the AAD portal. At the left pane you can set favorite services in the navigation. The dashboard and all services tab are always here.

Dashboard

The dashboard is individually customizable and yields some base information from your tenant.

aad-dashboard

All services

Here you can see all AAD-related services from the end of 2021. We have the following sections: General, Security and Hybrid.

aad-all-services

Azure Active Directory - operation

This is Azure Active Directory with all its components. Again divided, into the categories: Manage where all the configuration happens - Monitoring to get insights on all operations - Troubleshoot & Support get help and guides.

aad-portal


User

Let's take a look on a user in AAD. As you see, there are the same attributes like in ADDS. What's special is the profile image and the sign-in events. As action you could edit, reset password or revoke session, which will log off the user from all sessions. There are more subsections, that I will cover briefly.

aad-user-example

Assigned roles
Privileged roles from Microsoft 365 and Azure.
aad-assigned-roles

Administrative units
Privileged roles for a certain range of users.
aad-administrative-units

Groups
All assigned groups from a user.
aad-groups

Applications
All applications (Enterprise Applications) that the users signed-in to.
aad-applications

Licenses
The assigned licenses of the user.
aad-licenses

Devices
All Azure AD familiar devices, that the user was signed in.
aad-devices

Azure role assignments
Roles from the IAM of Azure subscriptions.
aad-azure-role-assignments

Authentication methods
Contact of the user for MFA and Conditional Access. (e-mail, private phone, office phone, authenticator, FIDO keys, Windows Hello for Business)
aad-authentication-methods

Sign-in logs
All sign-in events from the user.
aad-sign-in-logs

Audit logs
Audit activities that the user was affected of.
aad-audit-logs


B2B / Guest user

To enable collaboration with other businesses, Azure guest users is the way to go. Those can be handled alike member users, for example assigned to applications or groups to share resources. When inviting a guest user (through AzureAD>Users>new guest user), you will need to give an e-mail address where the invitation link is sent to. Subsequently authentication happens at the guest users own identity provider.

aad-guest-user

As you see, the type is marked as "guest". Additionally the UPN will be added with "#EXT#".

aad-guest-type

Guest user flow

Initially the guest user receives the invitation mail, with a link to the authentication tab.

aad-b2b-invitation

The user signs in with his own credentials and needs to consent to the origin organization.

aad-b2b-authorization

He will be forwarded to myapplications.microsoft.com.

aad-b2b-myapps

Organization settings

I'm sure that you are wondering how to control such external interactions. In AAD you will find the "External identities" tab, where you can restrict exactly these actions.
aad-external-collaboration

Also, here is the main page for configuring connections to other identity provider products. Those are the default settings:
aad-external-identites


B2C

Azure B2C is made to build customer-faced applications and create authentication flows. This is listed as an own service, just search for it at the bar. It is recommended to create a dedicated tenant for this instance to split internal and external identities and resources. At the side we also see options for apps, branding and users and roles.

aad-b2c


Groups

Groups are also found in AAD and must have one of these two types:

  • Security groups - member only group
  • Microsoft 365 group - collaboration (with Mailbox and Teams)

aad-groups-overview

Things to consider are: Self-service group management, user creation permission, expiration, naming convention (Name policy)


Roles and administrators

This is the section where all built-in and custom created privileged roles are found in Azure AD. Note that also roles of Microsoft 365 will show here.
aad-roles-administratos


Enterprise applications

So an Enterprise Application is basically a local service principal or instance of an application object (App Registration) created by another organization. You can use these in your organization and find them in the Azure AD gallery. Everytime you see a "sign in with Microsoft" button, this is where the configuration/information is found in the backend.

Read more about identity federation and application management in Azure AD.

App registrations

In difference to an Enterprise Application, app registrations are fully created and configured in your own tenant by your organization. Those are the global definition of an application.


Devices

Just as computer objects are contained in the local AD, all types of devices are found in AAD in the tab "Devices". This is OS-independent and shows more information at the same time. See the OS version and the join type which is one of:

  • Azure AD registered, personally owned, access to corporate resources with AAD credentials, authentication to device with personal credentials
  • Azure AD joined, corporate owned, both acess to corporate resources, as well as to the device through AAD
  • Hybrid Azure ad joined, same as Azure AD joined, but the device has an on-premises computer object and the source is always on-prem

aad-devices-1


Identity governance

Identity governance describes processes of user lifecycle, governance and compliance and management. Read more from Official Microsoft docs.


Application proxy

Azure AD Application Proxy can help you provide on-premises applications to the public web. It makes use of a connector service, that is installed locally and has a network connection to your webserver. So it acts as an App broker. A clear advantage is, that all the traffic and communication works over Azure and not your on-prem servers. Authentication runs through Azure AD and things like SSO are part of the implementation.

There is a blog post by me that covers a full product & implementaion guide.


Licenses

Sooner or later, you will need more licenses to use the products you desire. Under "Licenses" is a list of most common features, if you are allowed to use them and which licenses are available in your tenant.

aad-licenses-1

aad-licensed-features


Azure AD Connect

To get an overview of Azure AD Connect, sync options and generally hybrid features, I would consider a look in this section:

aad-connect-portal


Custom domain names

If you add a custom domain name, want to see where it's in use or see the current state, this is what you are looking for:

aad-custom-domain-names


MDM and MAM

Mobile device management and mobile application management authorities can be configured here. Intune is the first party product by Microsoft that is recommendable to fulfill this purpose.

Want to learn more? See my full path on Intune Endpoint Management

aad-mdm-mam


Password reset

AAD has the feature for self-service password reset. Users can reset their password by validating their identity with a second factor. This is super useful and is really recommend to implement. It even works in a hybrid scenario.

Official Microsoft docs

aad-sspr


Company branding

Company branding includes uploading company logos and adjusting the colors of all Office online components.

aad-company-branding


User settings

The only "real" global configuration options in AAD are found here. This consitutes of some general settings and also the feature settings.

aad-user-settings

aad-feature-settings2


Properties

Then we have the tenant properties, that are usually just entered once, when creating a new tenant.

aad-properties


Security

Last but definitely not least, we have the security tab. When clicking on it, you will be forwarded to a separate tab, where all the security products and features are shown. Note that basically all of them require P1 or P2 licenses:

  • Conditional access - the most important feature to enforce MFA based on conditions, P1 feature
  • Identity protection - detecting user- & sign-in risks with a set of detection methods and machine learning, P2 feature
  • Security center - your main overview for managing security
  • Verifiable credentials - service for proofing identities with cryptographic keys
  • Identity secure score - shows recommendations to improve your identity posture (security)
  • Named locations - are IP- & location ranges used for Conditional Access
  • Authentication methods - are all available authentication methods to enable in your tenant for sign-in
  • MFA - Multi-factor authentication service settings

aad-security

Security defaults

In new tenants, security defaults are enabled by design. This basically means, that Microsoft manages some of the fundamental security settings for your tenant. Although you can't configure Conditional Access policies, when this is enabled. This setting is found in AAD>Properties then all at the bottom:

aad-security-defaults

Conditional Access

CA is the first security measure to implement. It allows, blocks or require further actions when a sign-in matches a set of conditions, which you define. Example: a sign-in from a foreign country should always need MFA.Learn more about it

Easy implementation

Microsoft has a few Conditional Access policy templates that usually should be enabled for every organization. Navigate to AAD Conditional Access, then create a new policy from templates and select identity as category.

aad-ca-templates

Identity protection

In Identity protection, you configure a user risk policy, a sign-in risk policy and a MFA registration policy. One thing to point out, is the MFA registration policy. When it's enabled, user will get prompted to register their personal security info (phone number, Microsoft Authenticator) for MFA and CA. Definitely enable it! This policies look like this:

aad-identity-protection-policy

Identity secure score

Microsoft secure scores are available in many products. This is a built-in recommendation summary, that helps you to rise your security posture. An example:

aad-identity-secure-score

Named locations

Named locations can be used in Conditional Access policies to either allow or block them. Like I already mentioned, those include IP- or country ranges.

aad-named-locations

Authentication methods

A username + password is never enough. And MFA is diverse, it isn't always a text code. This is what Microsoft currently offers as options:

  • FIDO2, fast identity online 2, is a global standard for authentication solutions. The widest application for this are security keys, which work via usb and are used in Windows Hello, for example.
  • Microsoft Authenticator, is in my opinion the easiest method for MFA. It is available for iOS and Android and shows temporary access codes or sends a notification, when a sign-in is attempted.
  • Text message
  • Temporary access pass, is the option (for an IT admin) to generate time limited or one-time use credentials.

aad-authentication-methods-1

Password protection
The feature of password protection, that allows to set custom banned keywords in password, is also located here. Read my blog post about Password protection (hybrid).

aad-password-protection

MFA

Then we have MFA settings. If you are looking for (in my experience) hidden configurations like fraud alert or blocked users, this is where it is.

aad-mfa-settings


Monitoring

Monitoring is the last topic to talk about. You can find a variety of solutions in this section, including graphical log overviews, audit data and even full access to all collected data through Azure log analytics workspace.

At this point I would suggest you to take a look about my full post on Monitoring Azure AD.

Some samples

Let's get some insight on some monitoring capabilities.

Sign-in logs
aad-sign-in-logs-1

Sign-in analysis
aad-sign-in-analysis

Log analytics sample querry
aad-log-analytics

Thank you very much for reading until here! I hope the gathered information was useful and are applicable for your future Azure Active Directory operations!

You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.