- Different than Active Directory, it's flat: no domains, objects, forests etc.
- Identity management solution: multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management, RBAC, application usage monitoring, auditing & security monitoring & alerting.
- Tenant in Azure = AAD instance
- Each subscription trusts an AAD tenant, multiple subscriptions can trust a single tenant.
- Add custom domain
- All AD accounts come with
domainname.onmicrosoft.com
- Go to AD -> Custom Domain Names -> Add domain -> Verify domain name with a TXT record
- All AD accounts come with
- Add custom domain
- Used by (can be shared with) other Microsoft cloud services:
- Microsoft 365
- Microsoft Dynamics CRM
- Microsoft Intune
- Each subscription trusts an AAD tenant, multiple subscriptions can trust a single tenant.
- List of users + groups
- Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant's users, groups, and apps
- HTTP/HTTPS based:
- Queried via REST using Microsoft Graph API
- Uses protocols like SAML, WS, OpenID and OAuth 2 for authorization
- Other benefits
- Single sign-on to any cloud (Microsoft 365, salesforce, dropbox, custom ..) or on-premises web app.
- Self-service tools (means tasks not requires an admin):
- Self-service password management: Users can reset heir passwords
- Authentication methods:
- Email, mobile phone, office phone, security questions.
- At least one must be selected, better with multiple
- Self-service group management: Users can create groups
- Enabled in Portal -> AD -> Self-Service Password Reset
- Authentication methods:
- Self-service password management: Users can reset heir passwords
- Can be integrated with Windows Server Active Directory
- Conditional access policies
- When this happens, Then do this
- (Occurences) e.g. unknown device, e-mail user
- (Actions) Risk-based policies: E.g. risk is high that user is a bad actor, enable MFA (multi factor authentication)
- Configure through Portal: AD -> Conditional Access -> New Policy
- When this happens, Then do this
- Device Management:
- Register a device (can be combined with mobile device management)
- It's cloud only solution for personal devices
- Join a device = extend registered device, add corporate network so people can log-in from there.
- For devices that are owned by your organization, can be hybrid
- No additional authentication prompts
- Enterprise State Roaming (ESR)
- Sync Windows 10 devices with Azure AD.
- Provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device
- Register a device (can be combined with mobile device management)
- Can be activated it from Azure Marketplace.
- Features:
- Get view of flagged users & risk events detected by ML algorithms.
- Set risk-based Conditional Access policies to automatically protect your users.
- Improve security posture by acting on vulnerabilities.
- It works by creating an access review with defining who'll review it, what'll be reviewed (resource roles, groups, apps, directories, user(s)), and when it'll be reviewed (frequency or deadline) then assign it to a reviewer. The reviewer will then get a deadline and notification for the review.
- Good when:
- Too many users in privileged roles
- When a group is used for a new purpose
- Business critical data access
- To maintain a policy's exception list
- Ask group owners to confirm they still need guests in their groups
- Each role is a set of properties defined in a JSON file per API.
- Includes name, id, desc + allowable permissions (Actions), denied permissions (NotActions), and scope (read access etc.) for the role.
- Built-in roles:
- Owner has full access to all resources including the right to delegate access to others.
- Contributor can create and manage all types of Azure resources but can't grant access to others.
- Reader can view existing Azure resources.
- Roles tab you can see and manage what the roles are and how many users/groups are assigned to the role.
- It can be on subscription/resource or Azure level.
- Assignments are inherited down resource hierarchy: Azure > Resource Group > App
- Role assignment: Grant access by assigning a Security Principal, a Role at a Scope
- Security principal: User, group or service principal (resources e.g. VM, web app).
- Service principals are assigned to a Managed Identity.
- Roles and permissions can be delegated to service principals by modifying value of their Managed Identities.
- Service principals are assigned to a Managed Identity.
- Role : Built-in or custom role
- Roles are specific to level, app type (VM, storage)
- Scope : Subscription, resource group or resource
- Security principal: User, group or service principal (resources e.g. VM, web app).
- Basic: cloud centric application access
- self-service identity management, group-based access management, self-service password, basic reports, object limitations, smart lockout (not configurable risk level).
- Premium P1
- Better hybrid support, seamless sign on, company branding
- Premium P2
- Advanced reports, write-back
- Identity protection: Uses ML in background scores the risk of authentication.
- Privileged identity management
- Allows users to elevate their privilege to a higher level to perform a particular task.
- Users elevate their account to admin to perform a task and then de-elevate the account.
- Require Multi-Factor Authentication
- Access reviews
- Schedule activations for a specific date
- Receive notifications when users are assigned
- Configure and resolve alerts for privileged roles
- Allows users to elevate their privilege to a higher level to perform a particular task.