Into Azure Active Directory
Fundamentals of the product
Identity and access management come together in one place: Azure Active Directory. It is the central cloud-based service that ensures users get access to the resources they need.
As soon as you start with Azure Active Directory, you have a tenant. This is a dedicated instance of the directory that you configure yourself; Azure subscriptions are attached to a tenant, they are not the same thing. It is important to understand that such a tenant looks and works the same for all customers all over the world (multi-tenancy model).
It is up to you how you set up and work with Azure Active Directory.
Azure service jungle
The most powerful advantage of Azure Active Directory (AAD) is the native integration with all other Microsoft cloud products, applications and services. Beyond that, AAD can serve as identity provider for numerous third-party cloud apps. (Learn more) This is what I like to call the "service jungle".
Enterprises that are fully committed to a cloud or hybrid strategy can leverage this to build a comprehensive cloud environment, start with automation and orchestration, and live in the cloud.
Costs & licensing
Azure Active Directory runs on a license model, though it also offers a free plan. Usually it is included in a Microsoft/Office 365 license. Within AAD we differentiate between two paid license levels:
- Premium P1 holds all basic features and the core security services, notably Conditional Access
- Premium P2 includes every function of AAD, adding Identity Protection on top of P1
Most existing companies already have servers with Active Directory Domain Services and a Windows domain. New companies should definitely launch with Azure Active Directory and Microsoft 365. (Learn more)
-But what if I want an on-premises environment and use cloud Azure Active Directory?
This is a typical hybrid state, which means that you operate with on-premises resources, but also use the capabilities of the cloud.
Differences to on-premises Active Directory
AAD vs. ADDS: what's the difference? First of all, AAD is cloud based and requires no servers to manage. As mentioned, it is a service. Furthermore, AAD is built on a somewhat different concept than ADDS: there are differences in logging, usage, management and the way new features are rolled out. Note also that AAD is not a domain controller; it speaks modern protocols (OAuth 2.0, OpenID Connect, SAML) rather than Kerberos and LDAP.
To establish such a hybrid state, you use Azure AD Connect. This is an application, installed on a server in the ADDS domain, that synchronizes identities and resources to AAD. Certainly there are more features and options to customize to fit your needs and requirements.
And what about security concerns? Microsoft treats security as a key element of all its cloud products, and AAD gives you more control over identities than you had before.
As the most valuable asset in AAD is the identity, MFA (multi-factor authentication) is the first and at the same time most effective step to take to raise the security level. Other measures include application control, access management, sign-in and user risk detection (Azure AD Identity Protection), logs and monitoring, as well as governance.
Because security is such a broad and diverse topic, I will give some references to recommendable content on my blog:
- Whole security path on Microsoft cloud
- Microsoft security concepts
- Microsoft 365 security landscape (product information)
- Logs and monitoring in Azure AD
- Conditional Access, the must-have base security in every AAD tenant
Let's enter the AAD portal. In the left pane you can pin favorite services to the navigation. The dashboard and the "All services" tab are always there.
The dashboard is individually customizable and shows some basic information about your tenant.
Here you can see all AAD-related services as of the end of 2021. We have the following sections: General, Security and Hybrid.
Azure Active Directory - operation
This is Azure Active Directory with all its components, again divided into the categories: Manage, where all the configuration happens; Monitoring, to get insights on all operations; Troubleshooting + Support, to get help and guides.
Let's take a look at a user in AAD. As you see, it has the same attributes as in ADDS. What's special is the profile image and the sign-in events. Available actions are edit, reset password and revoke sessions. Revoking sessions invalidates the user's refresh tokens, so every client has to sign in again; already issued access tokens stay valid until they expire (by default roughly an hour), so it is not an instant kill switch. There are more subsections, which I will cover briefly.
The subsections of a user object are:
- Assigned roles: privileged roles from Azure AD and Microsoft 365.
- Administrative units: privileged roles scoped to a certain range of users.
- Groups: all groups the user is a member of.
- Applications: all applications (Enterprise Applications) the user has signed in to.
- Licenses: the licenses assigned to the user.
- Devices: all devices known to Azure AD that the user has signed in to.
- Azure role assignments: roles from the IAM of Azure subscriptions.
- Authentication methods: the methods the user has registered for MFA and self-service password reset (e-mail, private phone, office phone, Authenticator app, FIDO2 keys, Windows Hello for Business).
- Sign-in logs: all sign-in events of the user.
- Audit logs: audit activities that affected the user.
B2B / Guest user
To enable collaboration with other businesses, Azure AD guest users are the way to go. They can be handled like member users, for example assigned to applications or groups to share resources. When inviting a guest user (through Azure AD > Users > New guest user), you need to give an e-mail address where the invitation link is sent to. Subsequently, authentication happens at the guest user's own identity provider; your tenant never sees their password.
As you see, the type is marked as "Guest". Additionally, the UPN contains "#EXT#": the external address with "@" replaced by "_", followed by #EXT#@ and your tenant's default domain, for example alice_partner.example#EXT#@contoso.onmicrosoft.com.
Guest user flow
Initially, the guest user receives the invitation mail with a link to the authentication page.
The user signs in with their own credentials and has to accept the invitation, consenting to the inviting organization reading their basic profile.
They are then forwarded to myapplications.microsoft.com.
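The same invitation flow driven from the command line, as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK; the partner address, display name and redirect URL are placeholders, and the caller is assumed to hold a role that may invite guests (Guest Inviter, User Administrator or higher).

```powershell
# Added example (not from the original post): invite a B2B guest via Microsoft Graph
# PowerShell and inspect the guest object that the invitation creates.
# Assumptions: Microsoft.Graph module installed; address/URL below are placeholders.
Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All"

$invite = @{
    InvitedUserEmailAddress = "alice@partner.example"              # placeholder partner address
    InvitedUserDisplayName  = "Alice (Partner)"
    InviteRedirectUrl       = "https://myapplications.microsoft.com" # where the user lands after redemption
    SendInvitationMessage   = $true                                  # let Azure AD send the mail
}
$invitation = New-MgInvitation @invite

# The guest object exists immediately; ExternalUserState stays "PendingAcceptance"
# until the redeem link has been used and consent was given.
$guest = Get-MgUser -UserId $invitation.InvitedUser.Id `
    -Property Id, UserPrincipalName, UserType, ExternalUserState, CreationType

# UPN follows <local>_<domain>#EXT#@<tenant default domain>, UserType is "Guest"
$guest | Select-Object UserPrincipalName, UserType, ExternalUserState, CreationType

# Periodic hygiene check: list every guest with its acceptance state and age.
# Filtering on userType is an advanced query, hence ConsistencyLevel + CountVariable.
Get-MgUser -Filter "userType eq 'Guest'" -ConsistencyLevel eventual -CountVariable guestCount -All `
    -Property DisplayName, UserPrincipalName, ExternalUserState, CreatedDateTime |
    Sort-Object CreatedDateTime |
    Select-Object DisplayName, UserPrincipalName, ExternalUserState, CreatedDateTime
"Guests in tenant: $guestCount"
```

Guests that remain in "PendingAcceptance" for weeks, or that were accepted but never signed in again, are the first candidates for removal; the listing at the end gives you the data to decide.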
I'm sure you are wondering how to control such external interactions. In AAD you will find the "External identities" tab, where you can restrict exactly these actions: who may invite guests, which domains are allowed or blocked, and what guests can see in the directory.
This is also the main page for configuring connections to other identity providers (Google, Facebook, SAML/WS-Fed federation). These are the default settings:
Azure AD B2C is made to build customer-facing applications and create authentication flows. It is listed as a separate service, just search for it in the bar. It is recommended to create a dedicated tenant for this instance to split internal and external identities and resources. On the side we also see options for apps, branding, users and roles.
Groups are also found in AAD and must have one of these two types:
- Security groups - membership only, used for access assignment
- Microsoft 365 groups - collaboration (with mailbox, SharePoint site and Teams)
Things to consider are: self-service group management, who is allowed to create groups, group expiration and the naming convention (naming policy).
Roles and administrators
This is the section where all built-in and custom privileged roles of Azure AD are found. Note that roles of Microsoft 365 also show up here.
An Enterprise Application is basically the service principal, i.e. the local instance in your tenant of an application object (app registration) that is usually created by another organization. You can use these in your organization and find them in the Azure AD gallery. Every time you see a "Sign in with Microsoft" button, this is where the configuration and information is found in the backend, including which permissions the app has been granted in your tenant.
Read more about identity federation and application management in Azure AD.
In contrast to an Enterprise Application, app registrations are fully created and configured in your own tenant by your organization. They are the global definition of an application.
Just as computer objects are contained in the local AD, all types of devices are found in AAD in the "Devices" tab. This is OS-independent and shows more information at the same time. See the OS version and the join type, which is one of:
- Azure AD registered: personally owned; access to corporate resources with AAD credentials, authentication to the device with personal credentials
- Azure AD joined: corporate owned; both access to corporate resources and sign-in to the device go through AAD
- Hybrid Azure AD joined: same as Azure AD joined, but the device has an on-premises computer object and the source of authority is always on-prem
Identity governance describes the processes of user lifecycle management, access governance and compliance. Read more in the official Microsoft docs.
Azure AD Application Proxy can help you publish on-premises web applications to the internet. It makes use of a connector service that is installed locally and has network connectivity to your web server, so it acts as a broker (reverse proxy) for the app. A clear advantage is that the connector only makes outbound connections to Azure: all client traffic terminates in Azure and you open no inbound ports on your on-prem servers. Authentication runs through Azure AD, so Conditional Access and SSO are part of the implementation.
There is a blog post by me that covers a full product and implementation guide.
Sooner or later, you will need more licenses to use the products you desire. Under "Licenses" is a list of the most common features, whether you are allowed to use them, and which licenses are available in your tenant.
Azure AD Connect
To get an overview of Azure AD Connect, the sync options and hybrid features in general, take a look at this section:
Custom domain names
If you want to add a custom domain name, see where it is in use or check its current verification state, this is what you are looking for:
MDM and MAM
Mobile device management and mobile application management authorities can be configured here. Intune is the first-party Microsoft product recommended for this purpose.
Want to learn more? See my full path on Intune Endpoint Management
AAD offers self-service password reset (SSPR). Users can reset their password by validating their identity with a second factor. This is super useful and highly recommended. It even works in a hybrid scenario, provided password writeback is enabled in Azure AD Connect so that the new password reaches the on-premises domain.
Company branding includes uploading company logos and adjusting the colors of the sign-in page and all Office online components. It also makes phishing pages easier to spot, since users learn what the real sign-in page looks like.
The only "real" global configuration options in AAD are found here. This consists of some general settings and the feature settings.
Then we have the tenant properties, which are usually entered just once, when creating a new tenant.
Last but definitely not least, we have the security tab. When clicking on it, you will be forwarded to a separate page where all the security products and features are shown. Note that basically all of them require P1 or P2 licenses:
- Conditional Access - the most important feature to enforce MFA and other controls based on conditions, P1 feature
- Identity Protection - detecting user and sign-in risks with a set of detection methods and machine learning, P2 feature
- Security Center - your main overview for managing security
- Verifiable credentials - service for issuing and verifying identity credentials backed by cryptographic keys
- Identity Secure Score - shows recommendations to improve your identity security posture
- Named locations - IP ranges and countries used in Conditional Access
- Authentication methods - all authentication methods you can enable in your tenant for sign-in
- MFA - the legacy multi-factor authentication service settings
In new tenants, security defaults are enabled by design. This basically means that Microsoft manages the fundamental security settings for your tenant: all users must register for MFA, administrators must use MFA, and legacy authentication protocols are blocked. However, you cannot use Conditional Access policies while this is enabled, so disable security defaults before building your own policies. The setting is found under AAD > Properties, at the very bottom:
CA is the first security measure to implement. It allows, blocks or requires further actions when a sign-in matches a set of conditions that you define. Example: a sign-in from a foreign country should always require MFA. Learn more about it
Microsoft provides a few Conditional Access policy templates that should usually be enabled for every organization. Navigate to AAD > Conditional Access, create a new policy from templates and select "Identities" as category. Whatever you build, exclude at least one emergency-access ("break glass") account and start new policies in report-only mode.
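The "foreign country needs MFA" example from above, built with the Microsoft Graph PowerShell SDK as an added example that is not part of the original post. The country list, the emergency-access account id and the policy names are placeholders; the calling account needs Conditional Access Administrator (or higher) and a P1 license must be present in the tenant.

```powershell
# Added example (not from the original post): create a country named location and a
# Conditional Access policy that requires MFA for any sign-in from outside it.
# Assumptions: Microsoft.Graph module installed; values marked placeholder must be replaced.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# CA policies are ignored while security defaults are on, so refuse to continue.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    throw "Security defaults are enabled; disable them under Azure AD > Properties first."
}

# 1. Named location for the countries you consider home. Unknown or unresolvable
#    countries are deliberately NOT included, so they fall under the MFA rule.
$locationBody = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Home countries"
    countriesAndRegions               = @("DE", "AT", "CH")   # placeholder list
    includeUnknownCountriesAndRegions = $false
}
$homeLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# 2. Policy: all users except the break-glass account, all cloud apps, any location
#    except the home countries, grant only with MFA. Report-only first, so the
#    sign-in logs show the impact before anyone is blocked.
$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access account object id
$policyBody = @{
    displayName   = "Require MFA outside home countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($homeLocation.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
$policy | Select-Object Id, DisplayName, State

# 3. After reviewing the report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = "enabled" }
```

Geolocation of the sign-in IP is what "country" means here, so a VPN exit node in a home country satisfies the exclusion; this policy is a baseline, not a substitute for requiring MFA everywhere.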
In Identity Protection, you configure a user risk policy, a sign-in risk policy and an MFA registration policy. One thing to point out is the MFA registration policy. When it's enabled, users are prompted to register their security info (phone number, Microsoft Authenticator) for MFA and CA. Definitely enable it! The policies look like this:
Identity secure score
Microsoft Secure Scores are available in many products. This one is a built-in summary of recommendations that helps you raise your identity security posture. An example:
Named locations can be used in Conditional Access policies to either allow or block sign-ins from them. As already mentioned, they consist of IP ranges or countries.
A username and password are never enough. And MFA is diverse, it isn't always a text code. This is what Microsoft currently offers as options:
- FIDO2 (Fast Identity Online 2) is a global standard for authentication solutions. The most common form is a security key (USB, NFC or Bluetooth) that signs a challenge with a private key that never leaves the device; because the key is bound to the origin, it is phishing resistant. Windows Hello for Business is a related passwordless method that uses the device's own key pair.
- Microsoft Authenticator is, in my opinion, the easiest method for MFA. It is available for iOS and Android and shows time-based one-time codes or receives a push notification when a sign-in is attempted.
- Text message (SMS) and voice call. These are the weakest options: phone numbers can be ported or SIM-swapped, so prefer the methods above where possible.
- Temporary Access Pass is the option for an IT admin to generate a time-limited or one-time credential, typically to onboard a user who has nothing registered yet.
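An added example that is not part of the original post: a report over all enabled member users showing which of the methods above they have registered, flagging accounts that are still password-only or SMS/voice-only, followed by issuing a Temporary Access Pass for one of them. The Microsoft Graph PowerShell SDK is used; the user address is a placeholder and the caller is assumed to hold an Authentication Administrator role (Privileged Authentication Administrator for admin accounts).

```powershell
# Added example (not from the original post): inventory registered authentication
# methods per user and flag weak registrations; then issue a Temporary Access Pass.
# Assumptions: Microsoft.Graph module installed; bob@contoso.example is a placeholder.
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.ReadWrite.All"

# @odata.type values returned by GET /users/{id}/authentication/methods
$strong = @(
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod"
)
$phone = "#microsoft.graph.phoneAuthenticationMethod"   # SMS or voice call

$report = foreach ($u in Get-MgUser -Filter "userType eq 'Member'" -All -Property Id, UserPrincipalName, AccountEnabled) {
    if (-not $u.AccountEnabled) { continue }
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
             ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $strongCount = @($types | Where-Object { $_ -in $strong }).Count
    $phoneCount  = @($types | Where-Object { $_ -eq $phone }).Count
    [pscustomobject]@{
        User      = $u.UserPrincipalName
        Strong    = $strongCount                                   # phishing-resistant or app-based
        PhoneOnly = ($strongCount -eq 0 -and $phoneCount -gt 0)    # only SMS/voice registered
        NoMfa     = ($strongCount -eq 0 -and $phoneCount -eq 0)    # password only: cannot satisfy a CA MFA grant
    }
}
$report | Sort-Object NoMfa, PhoneOnly -Descending | Format-Table -AutoSize

# Onboard a user from the NoMfa list: a one-time pass valid for 60 minutes lets them
# sign in once and register a strong method, without ever knowing a password.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId "bob@contoso.example" `
    -BodyParameter @{ lifetimeInMinutes = 60; isUsableOnce = $true }
$tap.TemporaryAccessPass   # shown exactly once; hand it over out-of-band, never by e-mail
```

The Temporary Access Pass authentication method must be enabled under Authentication methods > Policies before the last call succeeds; the report part works without it.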
The password protection feature, which lets you define custom banned words for passwords (on top of Microsoft's global banned list), is also located here. Read my blog post about password protection (hybrid).
Then we have the MFA settings. If you are looking for (in my experience) hidden configurations like fraud alert or blocked users, this is where they are.
Monitoring is the last topic to talk about. You can find a variety of solutions in this section, including graphical log overviews, audit data and even full access to all collected data through a Log Analytics workspace. Sign-in and audit logs are only kept for 30 days in the portal (7 days on the free tier), so forward them to a workspace via diagnostic settings if you need a longer history for investigations.
At this point I would suggest you take a look at my full post on monitoring Azure AD.
Let's get some insight into the monitoring capabilities.
Log Analytics sample query
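An added example that is not part of the original post: a KQL query against the SigninLogs table of a Log Analytics workspace, run from PowerShell with the Az.OperationalInsights module. It lists users who signed in successfully during the last seven days with a single factor and without any Conditional Access policy being applied, i.e. the sign-ins your MFA policies are not yet covering. The workspace id is a placeholder; the Azure AD diagnostic settings are assumed to export SignInLogs to that workspace.

```powershell
# Added example (not from the original post): find successful single-factor sign-ins
# that no Conditional Access policy touched, i.e. coverage gaps in your MFA rollout.
# Assumptions: Az.Accounts + Az.OperationalInsights installed; workspace id is a placeholder.
Connect-AzAccount
$workspaceId = "00000000-0000-0000-0000-000000000000"   # placeholder: workspace (customer) id

$kql = @'
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "0"                                     // successful sign-in
| where AuthenticationRequirement == "singleFactorAuthentication"
| where ConditionalAccessStatus == "notApplied"               // no policy matched at all
| summarize SignIns = count(),
            Apps = make_set(AppDisplayName, 10),
            Countries = make_set(Location, 10),
            SourceIPs = make_set(IPAddress, 10)
  by UserPrincipalName
| order by SignIns desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
$result.Results | Format-Table UserPrincipalName, SignIns, Apps, Countries, SourceIPs -AutoSize
```

Swapping the last filter for `ConditionalAccessStatus == "failure"` turns the same query into a list of sign-ins your policies blocked, which is what you review while a new policy runs in report-only mode.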
Thank you very much for reading this far! I hope the gathered information is useful and applicable to your future Azure Active Directory operations!