Muditha Chathuranga is a Senior Technical Consultant at Infront Consulting and a Microsoft MVP in Office Apps and Services. His personal blog, The Cloud Journal, covers Azure, Exchange, O365, Security, and much more. You can follow him on Twitter at @MudithaC.
Microsoft Azure Active Directory, or AAD, is an IDaaS (Identity as a Service) offering that helps you manage corporate identities in the cloud. In this blog series, we're taking a look at the primary AAD features that you'll use to get your ID management up and running for Azure cloud services.
In Part 1 we discussed Connect, Single-Sign On, and Multifactor Authentication. You can also find a table of AAD pricing on that post. Remember, this series is not a deep dive into AAD configuration, but rather an overview of key features. Depending on your SKU you may or may not have access to all of these features.
Part 2 includes Self Service Password Resets, Identity Protection, Conditional Access, and Privileged Identity Management. These features help you control access and maintain security and compliance protocol across your enterprise cloud.
Self Service Password Reset (SSPR) in AAD lets users reset their own passwords. Password resets are among the most common Help Desk requests in any organization. Although it is a simple task that is easy to overlook, it adds up to a significant amount of Help Desk time that could be spent on more important work. Implementing an SSPR solution not only saves time for the Help Desk staff, it also makes life much easier for the end user.
You can enable SSPR in AAD organization-wide for all users, or for a selected set of users based on group membership. Users must register for the SSPR service and set their identity verification and recovery methods: a phone number, an email address, and security questions and answers.
Once these have been recorded, whenever users forget or need to reset their password, they can do so by clicking the “Can’t Access Your Account?” link on the Microsoft Online Services sign-in page and following the on-screen instructions.
The majority of security breaches happen due to compromised user identities. Whenever an attacker gets access to a set of compromised user credentials — even from a user with the lowest privileges — it’s relatively easy to work their way up to get to important enterprise data.
For this reason, organizations must protect all user accounts regardless of privilege level and take proactive measures to prevent compromised identities from being abused. Identity Protection in AAD helps with just that.
Discovering compromised identities without specific tools and services is nearly impossible. AAD uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious events that can indicate a potentially compromised identity. From this data, Identity Protection generates reports and alerts that help you take the necessary mitigation and remediation actions.
Identity Protection in AAD is not just a monitoring and reporting tool. You can configure risk-based policies that respond automatically when a detected risk reaches a specified level. These risk-based policies, together with the Conditional Access policies described below, can automatically block access or initiate remediation actions such as password resets and MFA enforcement.
Before the advent of the cloud, Bring Your Own Device, and mobile workers, the organization had far more control over access to corporate resources, networks, the devices used to connect, and the locations from which users accessed corporate data. In today’s cloud-first, mobile-first world, the modern end user can use multiple devices and work productively from anywhere in the world. While this increases productivity, we cannot ignore the risks that come with it.
Conditional Access in AAD addresses these risks by making automated access control decisions when end users access corporate resources. Conditions can be configured on a variety of factors, such as the user, group membership, device state, location (IP range), and the application being accessed. Depending on whether the conditions are met, actions can be taken to allow or restrict access, enforce multifactor authentication, and so on.
Figure 2: Conditional Access Overview (Image Courtesy Microsoft)
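To make the decision flow concrete, the following Python model evaluates a sign-in against a small set of policies that combine the Conditional Access conditions just described (user, group, app, location, device state) with the Identity Protection risk levels from the previous section. This is an added example, not code from the post or from Microsoft; the policy names, group names, IP ranges, and sign-in events are constructed, and the combination rule (any block wins, otherwise the union of required controls) is a simplification for illustration.

```python
"""Toy evaluator for Conditional Access and Identity Protection risk-based policies.

Added illustration, not Microsoft's policy engine: it models how a sign-in's
attributes (user, groups, target app, source IP, device state, risk levels)
are matched against policy conditions, and how the grant controls of every
matching policy are combined. All policy names, group names, IP ranges and
sign-in events below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    user: str
    groups: frozenset
    app: str
    ip: str
    device_compliant: bool
    sign_in_risk: str = "none"   # real-time risk label, as Identity Protection assigns it
    user_risk: str = "none"      # aggregate risk of the account itself


@dataclass
class Policy:
    name: str
    grant: str                               # "block", "mfa" or "password_change"
    users: frozenset = frozenset()           # empty = all users
    groups: frozenset = frozenset()          # applies if the user is in any of these
    apps: frozenset = frozenset()            # empty = all cloud apps
    exclude_locations: tuple = ()            # trusted CIDRs; policy is skipped there
    noncompliant_device_only: bool = False   # apply only when the device is not compliant
    min_sign_in_risk: str = "none"           # apply when sign-in risk >= this level
    min_user_risk: str = "none"              # apply when user risk >= this level


def applies(policy: Policy, s: SignIn) -> bool:
    """Every configured condition must hold for the policy to apply."""
    if policy.users and s.user not in policy.users:
        return False
    if policy.groups and not (policy.groups & s.groups):
        return False
    if policy.apps and s.app not in policy.apps:
        return False
    if any(ip_address(s.ip) in ip_network(cidr) for cidr in policy.exclude_locations):
        return False
    if policy.noncompliant_device_only and s.device_compliant:
        return False
    if RISK[s.sign_in_risk] < RISK[policy.min_sign_in_risk]:
        return False
    if RISK[s.user_risk] < RISK[policy.min_user_risk]:
        return False
    return True


def evaluate(policies, s: SignIn) -> dict:
    """Combine matching policies: any block wins; otherwise the user must
    satisfy the union of the required controls (MFA, password change)."""
    matched = [p for p in policies if applies(p, s)]
    if any(p.grant == "block" for p in matched):
        decision, controls = "block", []
    else:
        controls = sorted({p.grant for p in matched})
        decision = "require" if controls else "allow"
    return {"decision": decision, "controls": controls,
            "policies": [p.name for p in matched]}


# Constructed policy set; 203.0.113.0/24 stands in for the corporate network.
POLICIES = [
    Policy("MFA outside corporate network", "mfa",
           exclude_locations=("203.0.113.0/24",)),
    Policy("Finance app only from compliant devices", "block",
           groups=frozenset({"Finance"}), apps=frozenset({"Finance Portal"}),
           noncompliant_device_only=True),
    Policy("Sign-in risk medium or above: MFA", "mfa", min_sign_in_risk="medium"),
    Policy("Sign-in risk high: block", "block", min_sign_in_risk="high"),
    Policy("User risk high: secure password change", "password_change",
           min_user_risk="high"),
]

# Constructed sign-in events.
SAMPLE_SIGNINS = {
    "corp_compliant": SignIn("alice", frozenset({"Finance"}), "Finance Portal",
                             "203.0.113.10", device_compliant=True),
    "remote_noncompliant": SignIn("alice", frozenset({"Finance"}), "Finance Portal",
                                  "198.51.100.5", device_compliant=False),
    "remote_medium_risk": SignIn("bob", frozenset({"Sales"}), "Mail",
                                 "198.51.100.5", device_compliant=True,
                                 sign_in_risk="medium"),
    "corp_user_risk_high": SignIn("bob", frozenset({"Sales"}), "Mail",
                                  "203.0.113.20", device_compliant=True,
                                  user_risk="high"),
}

if __name__ == "__main__":
    for label, event in SAMPLE_SIGNINS.items():
        print(f"{label:22} -> {evaluate(POLICIES, event)}")
```

Running it shows the four outcomes the text describes: the compliant device on the corporate network is allowed with no extra controls, the non-compliant device is blocked from the Finance app even though the MFA policy also matched, the medium-risk remote sign-in must complete MFA, and the high user-risk account is forced through a password change before it can proceed.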
In the conventional organization, IT administrators often have administrative privileges assigned to them permanently. While this is convenient, it increases security risk, whether in the form of a malicious user gaining access to an admin account or an administrator inadvertently changing a sensitive resource, among many other scenarios. Privileged Identity Management (PIM) in AAD offers ways to protect, control, and manage administrative access to Microsoft Online Services.
In a nutshell, whenever an administrator protected by PIM wants to perform an administrative task, he or she must first have their permissions elevated; without elevation, a user protected by PIM is just a regular user. Such a user is called an “eligible admin”: any user who does not need constant admin access but occasionally requires privileges.
The eligible admin completes an activation process to receive on-demand, just-in-time administrative access to Microsoft Online Services such as Office 365, Intune, Azure Resources, etc. (Just-in-time admin access means that PIM users have limited-time access to administrative functions.)
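The following Python model shows the eligible-admin idea in working form: an eligible assignment grants nothing on its own, activation is gated on the role's requirements and capped at a maximum duration, and the permission check is answered from the set of activations that are live at the moment of the check. This is an added example, not Microsoft's PIM code; the role name, settings, users, ticket reference and timestamps are constructed.

```python
"""Toy model of just-in-time role activation in the style of PIM.

Added illustration, not Microsoft's PIM implementation: an "eligible"
assignment grants nothing by itself; the user activates the role for a
bounded period after meeting the activation requirements, and holds the
role only until that activation expires. Users, roles, settings and
timestamps are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class RoleSetting:
    max_activation: timedelta          # longest window one activation may grant
    require_mfa: bool = True           # MFA must be satisfied at activation time
    require_justification: bool = True # a reason is recorded with every activation


@dataclass
class Activation:
    user: str
    role: str
    start: datetime
    end: datetime
    justification: str


class PIM:
    def __init__(self, settings: dict):
        self.settings = settings   # role -> RoleSetting
        self.eligible = {}         # user -> set of roles the user may activate
        self.activations = []      # audit trail of every activation granted

    def make_eligible(self, user: str, role: str) -> None:
        self.eligible.setdefault(user, set()).add(role)

    def activate(self, user, role, now, duration, mfa_passed, justification=""):
        """Grant the role for `duration` from `now`, or raise ValueError."""
        if role not in self.eligible.get(user, ()):
            raise ValueError(f"{user} is not eligible for {role}")
        setting = self.settings[role]
        if setting.require_mfa and not mfa_passed:
            raise ValueError("MFA required to activate")
        if setting.require_justification and not justification.strip():
            raise ValueError("justification required")
        if duration > setting.max_activation:
            raise ValueError("requested duration exceeds maximum")
        act = Activation(user, role, now, now + duration, justification)
        self.activations.append(act)
        return act

    def active_roles(self, user, now):
        """Roles the user actually holds at `now`; eligibility alone grants nothing."""
        return {a.role for a in self.activations
                if a.user == user and a.start <= now < a.end}

    def is_permitted(self, user, role, now) -> bool:
        return role in self.active_roles(user, now)


def demo() -> dict:
    """Walk one eligible admin through a failed and a successful activation."""
    role = "Exchange Administrator"
    pim = PIM({role: RoleSetting(timedelta(hours=4))})
    pim.make_eligible("alice", role)
    t0 = datetime(2017, 6, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    result = {"before": pim.is_permitted("alice", role, t0)}
    try:
        # Activation without MFA is refused by the role setting.
        pim.activate("alice", role, t0, timedelta(hours=2), mfa_passed=False,
                     justification="Ticket 1234: mailbox migration")
    except ValueError as exc:
        result["without_mfa"] = str(exc)
    pim.activate("alice", role, t0, timedelta(hours=2), mfa_passed=True,
                 justification="Ticket 1234: mailbox migration")
    result["during"] = pim.is_permitted("alice", role, t0 + timedelta(hours=1))
    result["after"] = pim.is_permitted("alice", role, t0 + timedelta(hours=3))
    # bob was never made eligible, so he never holds the role.
    result["bob"] = pim.is_permitted("bob", role, t0 + timedelta(hours=1))
    return result


if __name__ == "__main__":
    print(demo())
```

The activation record doubles as the audit trail: who held which role, from when until when, and why, which is the information a reviewer needs when reconciling administrative changes against approved work.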
The following features are also available under PIM:
Microsoft Azure Active Directory is a great tool for managing identities in the cloud, but it won’t be a great tool if you do not know what you want from it. Therefore, identify your organization’s requirements first, then decide which AAD features to configure. Once the requirements are in place, you can purchase an SKU that suits your needs and start configuring.
As with any other IT infrastructure tool or service, before rolling these services out across the organization, select a pilot user group and test your configuration to make sure it functions as needed. You will also still need to monitor the logs regularly and make changes as needed to get the best out of the service.