As an Azure Security Architect, getting a firm grasp of Identity Management in Azure is key. Not only is IAM in Azure very different from that on AWS and GCP, its console interface can be a bit confusing for some. There are several similar-sounding terms and services, and often even experienced Azure architects are found clicking in the wrong section of the console. This post will elucidate some of the first tasks you would need to undertake on a new Azure Architect assignment: tasks that revolve around evaluating the current set of Azure users, their roles, their access privileges and other aspects of Azure Identity.

Identity Compliance Score in Azure

Overview and Azure Active Directory

When you sign up for an Azure subscription, you get an Azure Active Directory tenant (whether you want one or not). AAD is central to Azure’s management of both users and access to different parts of the Azure portal. This post walks you through some of the more common tasks you would start addressing as an Azure IAM Architect and Azure Security Architect.

What is an AAD Tenant? What does multi tenant mean?

  • An AAD tenant is simply your own instance of Azure Active Directory. It comes with a (flat) directory. Multi-tenant means you can own multiple directories in your subscription.
  • Since you can have multiple directories, each directory has its own administration (an Admin PER directory).
  • Also, with multiple directories, when you synchronize on-premises users, the synchronization is also PER directory, i.e. if you want the same set of users in 2 different directories, you will need to set up two separate syncs.

How do I add a Custom DNS Zone?

Your default AAD tenant is the onmicrosoft.com directory. This is, of course, confusing for your regular AD users. The first thing you would like to do is use your corporate AD emails as valid logins for Azure. To do this, you will need to add a custom domain name (e.g. yourcustomdomain.com).

  • Custom DNS is part of AAD
  • It needs a FQDN

Step 1 – Register your FQDN with AAD (Custom DNS Requires a FQDN)

Step 2 – Verify your domain using a TXT record that AAD will create and provide you with. You will need to simply enter that TXT record on your on premises DNS host. This will allow AAD to validate that TXT record.

Step 3 – Now that you have multiple domains (onmicrosoft.com and yourcustomdomain.com), PICK a primary domain.

As an Azure IAM architect, one of your first tasks would be to identify the custom DNS needs of your client and create a custom DNS entry in Azure AD.

How do I manage Access for Users? – Enter Roles – and RBAC on Azure

  • Users only (not for groups)
  • Find all Company Admins (this is a role – and find all users with this role)
  • Role Templates

Users and Groups in AAD

  • Security Groups vs. O365 Groups –> Usually ‘Security Groups’.
  • Owners vs. Members –> A GROUP does not have to have an OWNER. An owner is not automatically a member; the owner has IAM privileges on the GROUP.
  • Assigned Membership Groups vs. Dynamic Membership Groups –> Manually assign members, or assign them dynamically based on a rule (e.g. ‘department’=’IT’)
  • Dynamic Queries –>
  • Synced Users, Members vs. Guests –> Synced users have their SOURCE set to the local AD
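
To make the dynamic-membership idea concrete, here is an added example (not code from the post) of a small evaluator for rules written in the Azure AD dynamic-group syntax. It supports only a subset of that syntax (user.<property>, -eq, -ne, -contains, -startsWith, -and, -or, -not, parentheses, string/true/false/null literals); the user records are constructed, and case-insensitive string comparison is an assumption of this example, not a documented guarantee.

```python
"""Mini evaluator for Azure AD dynamic-group membership rules (added example).
It supports a subset of the documented rule syntax: user.<property>, the
operators -eq, -ne, -contains, -startsWith, the logical -and, -or, -not,
parentheses, and string/true/false/null literals. Users below are constructed."""
import re

# Constructed sample directory (not tenant data).
USERS = [
    {"userPrincipalName": "alice@yourcustomdomain.com", "department": "IT",
     "accountEnabled": True, "userType": "Member"},
    {"userPrincipalName": "bob@yourcustomdomain.com", "department": "IT",
     "accountEnabled": False, "userType": "Member"},
    {"userPrincipalName": "carol@yourcustomdomain.com", "department": "Sales",
     "accountEnabled": True, "userType": "Member"},
    {"userPrincipalName": "dave_fabrikam.com#EXT#@yourtenant.onmicrosoft.com",
     "department": None, "accountEnabled": True, "userType": "Guest"},
]

TOKEN = re.compile(r'\s*(\(|\)|"(?:[^"\\]|\\.)*"|-[A-Za-z]+|user\.[A-Za-z]+|true|false|null)', re.I)


def tokenize(rule):
    rule = rule.strip()
    tokens, pos = [], 0
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {rule[pos:pos + 12]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _literal(tok):
    low = tok.lower() if tok else None
    if low == "true":
        return True
    if low == "false":
        return False
    if low == "null":
        return None
    if tok and tok.startswith('"'):
        return tok[1:-1].replace('\\"', '"')
    raise ValueError(f"expected a literal, got {tok!r}")


def _norm(v):
    # Strings are compared case-insensitively here (an assumption of this example).
    return v.lower() if isinstance(v, str) else v


def _compare(actual, op, expected):
    if op == "-eq":
        return _norm(actual) == _norm(expected)
    if op == "-ne":
        return _norm(actual) != _norm(expected)
    if op == "-contains":
        return isinstance(actual, str) and isinstance(expected, str) and expected.lower() in actual.lower()
    if op == "-startswith":
        return isinstance(actual, str) and isinstance(expected, str) and actual.lower().startswith(expected.lower())
    raise ValueError(f"unsupported operator {op}")


class _Parser:
    """Recursive descent; precedence (low to high): -or, -and, -not, comparison."""

    def __init__(self, tokens, user):
        self.t, self.i = tokens, 0
        self.user = {k.lower(): v for k, v in user.items()}   # property names are case-insensitive

    def peek(self):
        return self.t[self.i].lower() if self.i < len(self.t) else None

    def take(self):
        tok = self.t[self.i] if self.i < len(self.t) else None
        self.i += 1
        return tok

    def expr(self):
        left = self.term()
        while self.peek() == "-or":
            self.take()
            right = self.term()
            left = left or right
        return left

    def term(self):
        left = self.factor()
        while self.peek() == "-and":
            self.take()
            right = self.factor()
            left = left and right
        return left

    def factor(self):
        if self.peek() == "-not":
            self.take()
            return not self.factor()
        tok = self.take()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if not tok or not tok.lower().startswith("user."):
            raise ValueError(f"expected user.<property>, got {tok!r}")
        op = (self.take() or "").lower()
        return _compare(self.user.get(tok[5:].lower()), op, _literal(self.take()))


def members(rule, users):
    """Return the UPNs that the rule selects from users."""
    tokens = tokenize(rule)
    selected = []
    for u in users:
        p = _Parser(tokens, u)
        result = p.expr()
        if p.i != len(tokens):
            raise ValueError(f"trailing tokens after expression: {tokens[p.i:]}")
        if result:
            selected.append(u["userPrincipalName"])
    return selected


if __name__ == "__main__":
    print(members('(user.department -eq "IT") -and (user.accountEnabled -eq true)', USERS))
```

Running a candidate rule over an export of your users before saving it in the portal is a cheap way to see who a dynamic group would pull in; the disabled account (bob) and the guest with no department (dave) are the cases that tend to surprise people.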

Create a new user

Assign a Usage Location –> Assign a License (e.g. AAD Premium License) –> Auto gets a User Principal (based on custom domain or onmicrosoft.com)

Self Service Password Reset

  • Apply the policy to a restricted subset of users (e.g. create a GROUP called ResetPilot)
  • Pick one or two REQUIRED
  • Email, SMS, Security Questions

External (Guest) Users

  • AAD not required
  • Guest Accounts
  • Collaborate on docs
  • Access internal apps
  • Conditional access policies

Adding Applications

Adding Devices (Use Intune for master device management, not AAD)

Devices added can benefit from ‘pushed’ org policies in AAD organization.

Access Panel – myapps.microsoft.com

Access Management – Auditing Access Changes

Access Management – Identity Protection

Sign In Activity (Monitoring on AAD Menu) vs. User Activity (Audit Logs for the User)

Access Reviews –> Under Identity Governance

  1. Review who all are still Admins for your org
  2. Review who all still have guest access (either to an application or across the board)
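
The two review questions above (and the earlier "find all Company Admins" task) are easy to answer once you have the user and directory-role data in hand. The following is an added example, not code from the post: it works over records shaped like Microsoft Graph /users and /directoryRoles responses, but the records themselves are constructed, only the fields used are modelled, and the 90-day idle threshold is this example's own choice.

```python
"""Access-review helper over Microsoft Graph-shaped user and directory-role
records (added example; the records below are constructed, not tenant data)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for reproducible output


def _iso(days_ago):
    # Build a Graph-style UTC timestamp N days before NOW (helper for constructed data).
    return (NOW - timedelta(days=days_ago)).strftime("%Y-%m-%dT%H:%M:%SZ")


# Shaped like GET /users?$select=...,signInActivity (assumption: only these fields are modelled).
USERS = [
    {"id": "u1", "userPrincipalName": "alice@yourcustomdomain.com", "userType": "Member",
     "onPremisesSyncEnabled": True, "signInActivity": {"lastSignInDateTime": _iso(2)}},
    {"id": "u2", "userPrincipalName": "bob@yourcustomdomain.com", "userType": "Member",
     "onPremisesSyncEnabled": False, "signInActivity": {"lastSignInDateTime": _iso(40)}},
    {"id": "u3", "userPrincipalName": "carol_fabrikam.com#EXT#@yourtenant.onmicrosoft.com",
     "userType": "Guest", "onPremisesSyncEnabled": None,
     "signInActivity": {"lastSignInDateTime": _iso(120)}},
    {"id": "u4", "userPrincipalName": "dave_fabrikam.com#EXT#@yourtenant.onmicrosoft.com",
     "userType": "Guest", "onPremisesSyncEnabled": None},      # never signed in
    {"id": "u5", "userPrincipalName": "erin_fabrikam.com#EXT#@yourtenant.onmicrosoft.com",
     "userType": "Guest", "onPremisesSyncEnabled": None,
     "signInActivity": {"lastSignInDateTime": _iso(5)}},
]

# Shaped like GET /directoryRoles?$expand=members. "Global Administrator" is the
# role the older MSOnline tooling called "Company Administrator".
DIRECTORY_ROLES = [
    {"displayName": "Global Administrator", "members": [{"id": "u1"}, {"id": "u4"}]},
    {"displayName": "User Administrator", "members": [{"id": "u2"}]},
]

PRIVILEGED_ROLES = ("Global Administrator", "User Administrator")


def _last_sign_in(user):
    ts = user.get("signInActivity", {}).get("lastSignInDateTime")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if ts else None


def role_members(users, roles, role_names=PRIVILEGED_ROLES):
    """List every user holding one of role_names, with type and source (synced or cloud-only)."""
    by_id = {u["id"]: u for u in users}
    rows = []
    for role in roles:
        if role["displayName"] not in role_names:
            continue
        for ref in role["members"]:
            u = by_id.get(ref["id"])
            if u is None:
                continue   # member is a service principal or group, not modelled here
            rows.append({
                "role": role["displayName"],
                "userPrincipalName": u["userPrincipalName"],
                "userType": u["userType"],
                "source": "on-premises AD (synced)" if u.get("onPremisesSyncEnabled") else "cloud-only",
            })
    return sorted(rows, key=lambda r: (r["role"], r["userPrincipalName"]))


def guest_admins(users, roles, role_names=PRIVILEGED_ROLES):
    """Guests holding privileged roles: the first thing an access review should surface."""
    return [r for r in role_members(users, roles, role_names) if r["userType"] == "Guest"]


def stale_guests(users, now=NOW, max_idle_days=90):
    """Guests that never signed in, or not within max_idle_days: candidates for removal."""
    cutoff = now - timedelta(days=max_idle_days)
    out = []
    for u in users:
        if u["userType"] != "Guest":
            continue
        last = _last_sign_in(u)
        if last is None or last < cutoff:
            out.append(u["userPrincipalName"])
    return sorted(out)


if __name__ == "__main__":
    for r in role_members(USERS, DIRECTORY_ROLES):
        print(f'{r["role"]:<22} {r["userPrincipalName"]:<55} {r["userType"]:<7} {r["source"]}')
    print("guest admins :", [r["userPrincipalName"] for r in guest_admins(USERS, DIRECTORY_ROLES)])
    print("stale guests :", stale_guests(USERS))
```

In a real tenant you would feed this from Graph (signInActivity needs an AAD Premium license and the AuditLog.Read.All permission to be returned); the point of the exercise is that the synced-vs-cloud-only "source" and the guest-holding-a-privileged-role case are exactly what the Access Reviews blade asks a reviewer to decide on.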

Log Analytics for AAD (Monitoring Menu)

Log Analytics gives you the power to query huge amounts of your Azure AD data to find events, analyze trends, and create rich visualizations within minutes.

Privileged Identity

Conditional Access Policy (can create ‘report only’ before policy takes effect)

  • Require MFA on all unmanaged devices (not managed by Intune) –> Cloud Apps –> Microsoft Azure Management
  • Block based on location
  • Block / Grant based on Device Compliance
  • Grant based on Application
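
To show how the "report only" state and the four policy patterns above combine, here is an added example that is not from the post and is not Azure's policy engine: a simplified model in which each policy has conditions (cloud app, location, unmanaged-device filter) and grant controls (block, require MFA, require compliant device). The two state strings are the ones the Microsoft Graph conditionalAccessPolicy resource uses; the policies, sign-ins and the rule that "empty condition means any" are this example's assumptions.

```python
"""Simplified model of Conditional Access evaluation (added example). This is
not Azure's policy engine; it shows how a policy's state (enabled vs. report-only),
its conditions (cloud app, location, device) and its grant controls combine into
a decision for one sign-in. Policy and sign-in data below are constructed."""
from dataclasses import dataclass, field, replace

# State strings as used by the Microsoft Graph conditionalAccessPolicy resource.
ENABLED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"


@dataclass
class Policy:
    name: str
    state: str
    cloud_apps: frozenset = field(default_factory=frozenset)   # condition: empty = any app (assumption)
    locations: frozenset = field(default_factory=frozenset)    # condition: empty = any location (assumption)
    unmanaged_devices_only: bool = False                       # condition: device filter
    block: bool = False                                        # grant control: block access
    require_mfa: bool = False                                  # grant control
    require_compliant_device: bool = False                     # grant control


@dataclass
class SignIn:
    user: str
    app: str
    location: str
    device_managed: bool
    device_compliant: bool
    mfa_satisfied: bool


def applies(policy, s):
    """All configured conditions must match for the policy to be in scope."""
    if policy.cloud_apps and s.app not in policy.cloud_apps:
        return False
    if policy.locations and s.location not in policy.locations:
        return False
    if policy.unmanaged_devices_only and s.device_managed:
        return False
    return True


def outcome(policy, s):
    """What this single policy would do to the sign-in, ignoring its state."""
    if policy.block:
        return "block"
    if policy.require_compliant_device and not s.device_compliant:
        return "block"             # required control cannot be satisfied
    if policy.require_mfa and not s.mfa_satisfied:
        return "require_mfa"
    return "allow"


def evaluate(policies, s):
    """Return (decision, report_only_findings).

    Enabled policies are combined (block beats require_mfa beats allow);
    report-only policies are evaluated but only recorded, which is the
    'see what would happen before it takes effect' use the post mentions."""
    decision = "allow"
    findings = []
    for p in policies:
        if not applies(p, s):
            continue
        result = outcome(p, s)
        if p.state == REPORT_ONLY:
            findings.append((p.name, result))
            continue
        if result == "block":
            decision = "block"
        elif result == "require_mfa" and decision == "allow":
            decision = "require_mfa"
    return decision, findings


def enforce(policies):
    """Copies of the policies with every report-only policy switched to enabled."""
    return [replace(p, state=ENABLED) if p.state == REPORT_ONLY else p for p in policies]


POLICIES = [
    Policy("MFA for Azure management on unmanaged devices", ENABLED,
           cloud_apps=frozenset({"Microsoft Azure Management"}),
           unmanaged_devices_only=True, require_mfa=True),
    Policy("Block sign-ins from untrusted locations", REPORT_ONLY,
           locations=frozenset({"Untrusted-Country"}), block=True),
    Policy("Compliant device for Exchange Online", ENABLED,
           cloud_apps=frozenset({"Office 365 Exchange Online"}), require_compliant_device=True),
]

SIGN_INS = {
    "alice": SignIn("alice", "Microsoft Azure Management", "HQ",
                    device_managed=False, device_compliant=False, mfa_satisfied=False),
    "bob": SignIn("bob", "Microsoft Azure Management", "Untrusted-Country",
                  device_managed=False, device_compliant=False, mfa_satisfied=True),
    "carol": SignIn("carol", "Office 365 Exchange Online", "HQ",
                    device_managed=True, device_compliant=False, mfa_satisfied=True),
}

if __name__ == "__main__":
    for name, s in SIGN_INS.items():
        print(name, evaluate(POLICIES, s))
```

Bob's sign-in is the instructive one: the location policy says "block" but, in report-only state, that only shows up as a finding (in Azure, in the sign-in log's report-only tab) while the sign-in is allowed; the same policy switched to enabled blocks him.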

Manage Devices in PowerShell

Log Analytics

Azure Security and Compliance – Two Built-In Apps

(Screenshots: the two built-in apps in Azure; Azure security score; Azure compliance score)

Installing Azure CLI (from Windows PowerShell)

Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi

Run az login from a regular Command Prompt or from PowerShell.

Storage Account Security in Azure

  • Storage Key Rollovers – encryption key rollovers
  • Shared Access Signatures – SAS – short term access to storage resources
  • Shared (Storage) Access Policies – Reuse of SAS
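
The three bullets above are what a reviewer checks when a SAS URL turns up in a config file or a ticket. As an added example (not code from the post), the script below parses the documented SAS query parameters (sv, sr, sp, st, se, spr, sip, si, sig) and flags what a security review would question; the 8-hour "short term" threshold, the finding names and the sample URLs are this example's own constructions, and the sig values are placeholders.

```python
"""Audit helper for Azure Storage Shared Access Signature (SAS) URLs (added
example). It parses the documented SAS query parameters (sv, sr, sp, st, se,
spr, sip, si, sig) and flags settings a security review would question. The
lifetime threshold and the finding names are this example's own choices; the
sample URLs are constructed and their signatures are placeholders."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)      # fixed clock for reproducible results
MAX_LIFETIME = timedelta(hours=8)                    # "short term" as this example defines it
MODIFY_PERMS = set("acwd")                           # add, create, write, delete


def parse_sas(url):
    """Return the SAS parameters of a URL as a flat dict (first value of each key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sas(url, now=NOW, max_lifetime=MAX_LIFETIME):
    """Flag risky settings. A token tied to a stored access policy (si) may
    inherit expiry and permissions from the policy, so those checks are skipped
    for it; revoking such a token means editing or deleting the policy, whereas
    an ad-hoc token can only be killed by rolling the storage key it was signed with."""
    p = parse_sas(url)
    if "sig" not in p:
        raise ValueError("URL carries no SAS signature (sig)")
    findings = []
    policy = p.get("si")
    if "se" in p:
        expiry = _ts(p["se"])
        if expiry < now:
            findings.append("expired")
        elif expiry - now > max_lifetime:
            findings.append("long-lifetime")
    elif policy is None:
        findings.append("no-expiry")
    perms = p.get("sp", "")
    if set(perms) & MODIFY_PERMS:
        findings.append("modify-permissions")
    if p.get("spr") != "https":              # spr defaults to https,http when omitted
        findings.append("http-allowed")
    if "sip" not in p:
        findings.append("no-ip-restriction")
    return {"stored_policy": policy, "permissions": perms, "findings": findings}


# Constructed sample URLs; the sig values are placeholders, not real signatures.
SAMPLE_URLS = {
    "short_read": "https://examplestorage.blob.core.windows.net/backups/db.bak"
                  "?sv=2022-11-02&sr=b&sp=r&st=2024-06-01T00:00:00Z&se=2024-06-01T04:00:00Z"
                  "&spr=https&sip=203.0.113.0-203.0.113.255&sig=PLACEHOLDER_SIG",
    "ten_year_full": "https://examplestorage.blob.core.windows.net/backups"
                     "?sv=2022-11-02&sr=c&sp=racwdl&se=2034-06-01T00:00:00Z&sig=PLACEHOLDER_SIG",
    "policy_bound": "https://examplestorage.blob.core.windows.net/reports"
                    "?sv=2022-11-02&sr=c&si=reporting-readonly&sig=PLACEHOLDER_SIG",
}

if __name__ == "__main__":
    for name, url in SAMPLE_URLS.items():
        print(name, audit_sas(url))
```

The "ten_year_full" URL is the shape that most often leaks: a container-level token with every permission and a far-off expiry. Because an ad-hoc SAS is valid until the storage key that signed it is regenerated, the key rollover bullet and the stored-access-policy bullet above are the two revocation mechanisms you actually have.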

Summary

A firm grasp of Azure Identity and Access Management is a key component of becoming an Azure security architect. There’s a lot more to Azure security than RBAC for users and groups; RBAC applies to apps as well as to users and groups.

In addition to RBAC, a security architect needs to think about encryption of data at rest. This entails storage keys and Azure Key Vault. Shared Access Signatures provide short-term access to Azure storage resources. Also see Auditing AWS Account Security.

Set up a 1 on 1 appointment with Anuj to assist with your cloud journey.


Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Anuj Varma – who has written posts on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.