#AzureAD : Privileged Identity Management Part II


In Part I of this blog post, I explained how to get started with Azure AD Privileged Identity Management and assign the privileged administrator role to administrators. Azure AD PIM takes access control and monitoring to the next level by providing just-in-time administrator access and access reviews. Just-in-time administrator access lets you grant time-limited access to perform a necessary action. To enable just-in-time access, you make the administrator “eligible” for the specified role. This is the default configuration, so that a newly assigned role does not make the administrator a permanent administrator for that role until you intentionally enable it. Once a new role has been assigned, the administrator can activate it in one of two ways: either by himself or through an approval workflow. By default, an activated administrative role remains available for one hour. This default can be set anywhere between 30 minutes and 72 hours by changing the configuration settings.

Let's see how to do it. Log in to the Azure AD portal using a subscription administrator identity, or an administrator identity that has been enabled for “Privileged Role Administrator”. I am explaining these features by assigning the Password Administrator role to a user to make him the password administrator for the organization.

Go to Azure AD directory roles under Azure AD Privileged Identity Management.

Go to Users under Manage and click on Add.

Select the “Password Administrator” role.

Now select the user who will become a password administrator for the organization and click on OK.

Once you have assigned this role, ask this user to log in. You will observe that he can't reset the password of any user.

As explained earlier, the user is made “eligible” for the specified role, but to perform any action he must activate it. To activate the role, he should go to “My roles” under Tasks in Azure AD PIM, then click on Action as highlighted in the snip.

Now the administrator has to click on “Activate” to activate this role.

Now the user has to provide a “reason for role activation”. This reason is captured in the logs for audit.

The administrator can see that his role has been activated for the specified time period.

Now the administrator should try to reset a password.

Once the task is performed, the administrator can deactivate his role as well.

Now let's see how to change the default configuration settings for Azure AD directory roles. Go to Settings under Azure AD directory roles and click on “Roles”.

Select the role and review the configuration parameters.

For example, I would like to enable the approval process for role activation. Under Require approval, select the “Enable” option and then select the approvers.

Once selected, click on Save.

Once the role configuration settings have been modified, you will observe that the role status has changed from “Eligible” to “Request activation”. Click on Request activation to activate it.

Now click on Activate. Once you click on Activate and specify the reason, a request is sent to the approver.

Now the approver has to log in and go to “Approve requests” under Tasks to approve the request. Select the request and click on Approve.

Now specify the reason for approving this request and click on Approve.

Once approved, ask your role administrator to verify it. The role administrator will observe that he now has access for the specified time, based on the configuration.

If you want to give an administrator a dedicated role, enable him for the specified role permanently. See Part I for more details.
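The activation flow described above (eligible role, reason for activation, optional approval, bounded duration), modelled as an added Python example. This is not Microsoft's code or the portal's implementation; it assumes the 30-minute-to-72-hour bounds and the one-hour default stated in this post, uses constructed principal and approver ids, and the role definition id is a placeholder. The function graph_self_activate_body() builds the Microsoft Graph request body (POST /roleManagement/directory/roleAssignmentScheduleRequests with action selfActivate) that performs the same self-activation outside the portal.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Bounds stated in the post: default 1 hour, configurable from 30 minutes to 72 hours.
MIN_ACTIVATION = timedelta(minutes=30)
MAX_ACTIVATION = timedelta(hours=72)
DEFAULT_ACTIVATION = timedelta(hours=1)


def iso_duration(td: timedelta) -> str:
    """Render a timedelta as the ISO 8601 duration Graph expects (PT1H, PT30M, PT1H30M)."""
    hours, minutes = divmod(int(td.total_seconds()) // 60, 60)
    return "PT" + (f"{hours}H" if hours else "") + (f"{minutes}M" if minutes else "")


@dataclass
class RoleSetting:
    role_name: str
    role_definition_id: str   # placeholder here; real ids come from /roleManagement/directory/roleDefinitions
    max_duration: timedelta = DEFAULT_ACTIVATION
    approvers: List[str] = field(default_factory=list)   # empty list = no approval workflow

    def __post_init__(self):
        if not MIN_ACTIVATION <= self.max_duration <= MAX_ACTIVATION:
            raise ValueError("maximum activation must be between 30 minutes and 72 hours")


@dataclass
class ActivationRequest:
    """One activation of an eligible assignment, with its audit trail."""
    principal_id: str
    setting: RoleSetting
    justification: str
    requested: timedelta
    submitted_at: datetime
    status: str = "Pending"   # Pending -> Active | Denied; Active -> Deactivated
    expires_at: Optional[datetime] = None
    audit: List[Tuple[datetime, str, str, str]] = field(default_factory=list)

    def __post_init__(self):
        if not self.justification.strip():
            raise ValueError("a reason for role activation is required")
        if self.requested > self.setting.max_duration:
            raise ValueError("requested duration exceeds the role's maximum")
        self._log(self.submitted_at, self.principal_id, "Request activation", self.justification)
        if not self.setting.approvers:   # no approval workflow: active at once
            self._activate(self.submitted_at)

    def _log(self, at, who, action, reason):
        self.audit.append((at, who, action, reason))

    def _activate(self, at):
        self.status = "Active"
        self.expires_at = at + self.requested
        self._log(at, self.principal_id, "Activated", f"expires {self.expires_at.isoformat()}")

    def decide(self, approver_id: str, approve: bool, reason: str, at: datetime) -> None:
        """Approver's decision; the approver's reason is logged just like the requester's."""
        if approver_id not in self.setting.approvers:
            raise PermissionError(f"{approver_id} is not an approver for {self.setting.role_name}")
        if self.status != "Pending":
            raise ValueError(f"request is already {self.status}")
        self._log(at, approver_id, "Approved" if approve else "Denied", reason)
        if approve:
            self._activate(at)
        else:
            self.status = "Denied"

    def deactivate(self, at: datetime) -> None:
        # The administrator gives the role up before it expires (the post's last step).
        if self.status == "Active":
            self.status = "Deactivated"
            self._log(at, self.principal_id, "Deactivated", "task complete")

    def is_active(self, at: datetime) -> bool:
        return self.status == "Active" and at < self.expires_at


def graph_self_activate_body(req: ActivationRequest) -> dict:
    """Body for POST /roleManagement/directory/roleAssignmentScheduleRequests (self-activation)."""
    return {
        "action": "selfActivate",
        "principalId": req.principal_id,
        "roleDefinitionId": req.setting.role_definition_id,
        "directoryScopeId": "/",
        "justification": req.justification,
        "scheduleInfo": {
            "startDateTime": req.submitted_at.isoformat(),
            "expiration": {"type": "afterDuration", "duration": iso_duration(req.requested)},
        },
    }


def demo():
    # Constructed walk-through of both activation paths from the post.
    now = datetime(2017, 6, 1, 9, 0, tzinfo=timezone.utc)
    plain = RoleSetting("Password Administrator", "ROLE-DEF-ID-PLACEHOLDER")
    gated = RoleSetting("Password Administrator", "ROLE-DEF-ID-PLACEHOLDER", approvers=["approver-1"])
    direct = ActivationRequest("user-1", plain, "Reset password, ticket 42", DEFAULT_ACTIVATION, now)
    pending = ActivationRequest("user-1", gated, "Reset password, ticket 43", DEFAULT_ACTIVATION, now)
    pending.decide("approver-1", True, "Ticket verified", now + timedelta(minutes=5))
    return now, direct, pending
```

The audit list is the point of the model: every transition carries who acted, when, and the reason given, which is exactly what the post says the portal captures for audit. Note that the approval branch records the approver's reason as a separate entry from the requester's justification, and that an approver cannot decide a request twice.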


#AzureAD : Privileged Identity Management Part I


Digitization has changed the way we work and live. Most of your personal and professional data has become public, and identity plays an important role in keeping all this data secure. Organizations have been disrupted as well, and the cloud has changed the way of doing things. In the cloud, because of agility, you can't have only dedicated administrators as on-premises. At the same time, privileged access can't be given to everyone. As cloud services work in a distributed environment, it becomes necessary to manage and monitor these access controls granularly.

To overcome these challenges, Azure Active Directory Privileged Identity Management is the next step in access control management for Microsoft cloud services. It is available to your entire organization and needs an Azure AD Premium P2 license for administrators. It allows you to manage, control and monitor access within your organization for Azure AD, Azure resources (Preview), Office 365, Intune and other Microsoft online services.

With the help of this feature you can assign different privileged roles to your users either permanently or on demand, on a “just in time” basis. It also allows you to monitor and review the users who have been enabled for privileged roles; based on your configuration, users need to provide justification for continued membership.

Let's see how to do it. Log in to the Azure AD portal at https://aad.portal.azure.com

Access Azure AD Privileged Identity Management from More services.

Select Azure AD directory roles under Manage.

You need MFA to configure PIM. If you are enabled for MFA, click on Verify my identity. It will redirect you to configure MFA.

Once MFA has been configured successfully, you can see the status as below. Now click on Sign up.

In the sign-up window, select Yes to sign up for Privileged Identity Management.

Once configuration and discovery complete, you can verify your roles.

To verify all the users who have PIM roles assigned, or to add any other user to manage PIM, select Roles under Manage.

By default, only the subscription owner has the privileged administrator role. If you would like to give the privileged management role to the global administrator or any other administrator, you must assign this role manually. Until you give the privileged administrator role to another administrator or user, he/she will not be able to manage any other users or their roles.

To assign the privileged administrator role, log in with the subscription admin identity, go to Azure AD directory roles and click on +Add user.

Now select “Privileged Role Administrator”.

Select your global administrator, or any other administrator who should be responsible for Privileged Identity Management.

Once it is assigned, you can see that the user has “Privileged Role Administrator” enabled in Eligible mode.

If the user logs in and goes to Users under Azure AD directory roles, he can observe that he can activate the assigned role for the time being. By default, access is given for an hour. Click on the highlighted message to activate the role.

Before activating the role, you must verify your identity through MFA. Click on the highlighted sections to verify your identity.

Now your identity will be verified through MFA. (Note: MFA should already be configured; otherwise you will be asked to set up MFA for this user first.)

Once your identity has been verified, you get an option to activate it. (Note: if you don't reach this option the first time, retry Verify my identity once more and you will reach this prompt.) Click on Activate to enable the privileges.

Once you click on Activate, you have to provide the reason for activation and then click on OK.

Once activated, you can use the privileges. By default, this role will be activated for an hour.

If you would like to give this role permanently to this user, go back to your existing privileged administrator or subscription administrator and click on “Privileged Role Administrator”.

Now click on More and select “Make perm” to make this role permanent for this user.

Now you can see that this role has been assigned permanently to this user.

Once this user logs in with his identity, he will observe that he has been enabled permanently and there is no need to activate this role for a short period of time.
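The distinction this post makes between an eligible assignment and a permanent one (“Make perm”), and the review of permanent admin roles that the Identity Protection overview later points to, as an added Python example. This is not Microsoft's code. In Microsoft Graph an eligible assignment is listed under roleEligibilitySchedules and an active one under roleAssignmentSchedules; an active schedule whose expiration type is noExpiration is what the portal shows as permanent. The two SAMPLE_* lists are constructed responses in that shape, the role ids are placeholders, and build_assignment_request() shows the admin-side request bodies for making someone eligible versus permanent.

```python
from typing import Dict, List, Tuple

# Placeholder ids -> display names; real ids come from /roleManagement/directory/roleDefinitions.
ROLE_NAMES = {
    "ROLE-PRA": "Privileged Role Administrator",
    "ROLE-PWD": "Password Administrator",
}

# Constructed sample of GET /roleManagement/directory/roleAssignmentSchedules (active assignments).
SAMPLE_ACTIVE = [
    {"principalId": "alice", "roleDefinitionId": "ROLE-PRA", "assignmentType": "Assigned",
     "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
    {"principalId": "bob", "roleDefinitionId": "ROLE-PWD", "assignmentType": "Activated",
     "scheduleInfo": {"expiration": {"type": "afterDuration", "duration": "PT1H"}}},
    {"principalId": "carol", "roleDefinitionId": "ROLE-PWD", "assignmentType": "Assigned",
     "scheduleInfo": {"expiration": {"type": "afterDateTime", "endDateTime": "2017-12-31T00:00:00Z"}}},
]
# Constructed sample of GET /roleManagement/directory/roleEligibilitySchedules (eligible assignments).
SAMPLE_ELIGIBLE = [
    {"principalId": "bob", "roleDefinitionId": "ROLE-PWD",
     "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
]


def role_name(role_definition_id: str) -> str:
    return ROLE_NAMES.get(role_definition_id, role_definition_id)


def classify_active(schedule: dict) -> str:
    """'activated' = a JIT activation; 'permanent' = assigned with no expiry; otherwise 'time-bound'."""
    if schedule.get("assignmentType") == "Activated":
        return "activated"
    exp = schedule.get("scheduleInfo", {}).get("expiration", {}).get("type", "")
    return "permanent" if exp.lower() == "noexpiration" else "time-bound"


def find_permanent_admins(active: List[dict]) -> List[Tuple[str, str]]:
    """Principals holding a directory role permanently: the list a reviewer wants to keep short."""
    return sorted((s["principalId"], role_name(s["roleDefinitionId"]))
                  for s in active if classify_active(s) == "permanent")


def summarize(active: List[dict], eligible: List[dict]) -> Dict[str, Dict[str, List[str]]]:
    """principal -> role name -> modes, so eligibility shows next to activations and permanent grants."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for s in eligible:
        out.setdefault(s["principalId"], {}).setdefault(role_name(s["roleDefinitionId"]), []).append("eligible")
    for s in active:
        out.setdefault(s["principalId"], {}).setdefault(role_name(s["roleDefinitionId"]), []).append(classify_active(s))
    return out


def build_assignment_request(principal_id: str, role_definition_id: str, justification: str,
                             active: bool, end_date_time: str = None) -> dict:
    """Admin-side request: active=False makes the principal eligible (roleEligibilityScheduleRequests);
    active=True with no end date is the portal's 'Make perm' (roleAssignmentScheduleRequests)."""
    expiration = ({"type": "noExpiration"} if end_date_time is None
                  else {"type": "afterDateTime", "endDateTime": end_date_time})
    endpoint = ("/roleManagement/directory/roleAssignmentScheduleRequests" if active
                else "/roleManagement/directory/roleEligibilityScheduleRequests")
    return {
        "endpoint": endpoint,
        "body": {
            "action": "adminAssign",
            "principalId": principal_id,
            "roleDefinitionId": role_definition_id,
            "directoryScopeId": "/",
            "justification": justification,
            "scheduleInfo": {"startDateTime": "2017-06-01T00:00:00Z", "expiration": expiration},
        },
    }


if __name__ == "__main__":
    for principal, role in find_permanent_admins(SAMPLE_ACTIVE):
        print(f"permanent: {principal} holds {role}")
    for principal, roles in summarize(SAMPLE_ACTIVE, SAMPLE_ELIGIBLE).items():
        print(principal, roles)
```

Running this over the constructed samples flags only alice, whose Privileged Role Administrator assignment is active with no expiry; bob appears as eligible plus a one-hour activation, which is the state this post leaves the user in before “Make perm”.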

#AzureAD : Identity Protection Part III


Part I and Part II of this blog post cover the basics of Identity Protection and how to enable and configure it. In this post, I'll cover the remaining part of Identity Protection. Once you have enabled and configured Identity Protection successfully, monitoring, investigation and reporting become a crucial part of information risk management. The Azure AD portal fulfils this need through a single control panel.

To investigate, the users flagged for risk, risk events and vulnerabilities can be found under “INVESTIGATE”.

You can view or download the report and change the user risk policy configuration through the “Users flagged for risk” panel.

Risk events for the last 90 days can be seen under Risk events, and the same report can be downloaded as well. If you have a list of known IP address ranges, you can define them so that the report doesn't reflect trusted IP ranges. To add IP address ranges, select “+ Add known IP address ranges”.

In the Configure locations panel, select “+New location” and then define the name and IP ranges. You can also upload and download the IP ranges.

You can also configure MFA trusted IPs by selecting “…More” in the Configure locations panel.

You can check the vulnerabilities, with their risk, in the Vulnerabilities panel and fix them according to the risk level your organization supports.

You can also set up alerts and weekly digests through email.

To set up alerts, go to the Alerts section under Settings and configure the alert settings based on user risk level.

To set up a weekly digest, go to the Weekly digest section and enable/disable it.

If you would like to pin Azure AD Identity Protection to the dashboard, select “Pin to dashboard”. In the Pin to dashboard panel, select “Pin to dashboard” and click on Create.

Now you can see Azure AD Identity Protection on the dashboard for easier access.
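What the known IP ranges above do to a downloaded risk-event report, as an added Python example (not Microsoft's code, and not how the portal implements it). The named locations are constructed CIDR ranges, the report is a constructed sample with only the columns the example needs (the real download has more), and the risk event type names are used as illustrative labels. One caveat the code handles: an impossible-travel detection is about a pair of sign-ins, so it is only suppressed when every leg for that user comes from a known range.

```python
import csv
import io
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed named locations; replace with your own ranges.
KNOWN_LOCATIONS = {
    "HQ": ["203.0.113.0/24"],
    "VPN": ["198.51.100.0/25", "2001:db8::/32"],
}

# Constructed report; column names are illustrative.
SAMPLE_REPORT = """user,riskEventType,ipAddress,activityDateTime
alice@example.com,unfamiliarFeatures,203.0.113.7,2017-06-01T08:12:00Z
bob@example.com,anonymizedIPAddress,192.0.2.44,2017-06-01T09:40:00Z
carol@example.com,impossibleTravel,198.51.100.9,2017-06-01T10:02:00Z
carol@example.com,impossibleTravel,192.0.2.99,2017-06-01T10:03:00Z
dave@example.com,unfamiliarFeatures,2001:db8::1,2017-06-01T11:00:00Z
"""


def compile_locations(locations: Dict[str, List[str]]) -> List[Tuple[str, object]]:
    """Parse every CIDR once. strict=True makes a malformed range (host bits set) raise ValueError
    at configuration time instead of silently matching nothing in every later report."""
    return [(name, ipaddress.ip_network(cidr, strict=True))
            for name, cidrs in locations.items() for cidr in cidrs]


def match_location(ip: str, compiled: List[Tuple[str, object]]) -> Optional[str]:
    """Name of the first known location containing the address, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in compiled:
        if addr.version == net.version and addr in net:
            return name
    return None


def parse_report(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows: List[dict], locations: Dict[str, List[str]]) -> Tuple[List[dict], List[dict]]:
    """Split rows into (suppressed, remaining); each row gains a 'location' key (None when unknown)."""
    compiled = compile_locations(locations)
    for row in rows:
        row["location"] = match_location(row["ipAddress"], compiled)
    # Impossible travel is judged on the pair: keep both legs unless every leg for that user is known.
    travel_users_with_unknown_leg = {r["user"] for r in rows
                                     if r["riskEventType"] == "impossibleTravel" and r["location"] is None}
    suppressed, remaining = [], []
    for row in rows:
        known = row["location"] is not None
        if row["riskEventType"] == "impossibleTravel" and row["user"] in travel_users_with_unknown_leg:
            known = False
        (suppressed if known else remaining).append(row)
    return suppressed, remaining


if __name__ == "__main__":
    quiet, open_events = triage(parse_report(SAMPLE_REPORT), KNOWN_LOCATIONS)
    print(f"{len(quiet)} event(s) from known ranges, {len(open_events)} still open:")
    for r in open_events:
        print(" ", r["user"], r["riskEventType"], r["ipAddress"], r["location"])
```

On the sample, alice (HQ) and dave (VPN, via the IPv6 range) drop out of the open list; bob stays because the anonymizer address is unknown, and both of carol's impossible-travel legs stay because only one of them came from the VPN range.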

#AzureAD : Identity Protection Part II


In Part I of this blog post, I explained the concept of Azure AD Identity Protection and how to set it up. In this part, I'll cover Azure AD Identity Protection configuration. There are three major sections under Configure: “MFA registration”, “User risk policy” and “Sign-in risk policy”.

Under all these configuration options, you will find five parameters:

  • Policy Name: Predefined
  • Assignments: Users and Conditions (not for MFA)
  • Controls: Access control
  • Review: Estimated impact
  • Enforce Policy: On/Off

Let's see how to configure MFA registration.

Under Assignments, select the users. You have three options: (i) select all users, (ii) select specific users and groups, or (iii) select all users and exclude specific users.

Under Controls, define the access control for registration.

Under Review, look at the estimated impact.

Finally, enforce the policy and click on Save.

Next, let's see how to configure the user risk policy.

Under Assignments, first select the users. You have three options: (i) select all users, (ii) select specific users and groups, or (iii) select all users and exclude specific users.

Now define the conditions under which the policy should apply.

Under Controls, define the access control by assessing user risk.

Under Review, look at the estimated impact.

Finally, enforce the policy and click on Save.

Finally, let's see how to configure the sign-in risk policy.

Under Assignments, first select the users. You have three options: (i) select all users, (ii) select specific users and groups, or (iii) select all users and exclude specific users.

Now define the conditions under which the policy should apply.

Under Controls, define the access control by assessing sign-in risk.

Under Review, look at the estimated impact.

Finally, enforce the policy and click on Save.

I have just shown an example of how to configure these settings. You should configure them based on your requirements.
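The three policies configured above (MFA registration, user risk, sign-in risk), with their assignments, conditions, controls and enforce switch, modelled as an added Python example. This is not Microsoft's code and not how the service evaluates policies internally. It assumes the three assignment options from this post (all users; specific users and groups; all users minus exclusions), that exclusions win over inclusions, that the strongest control wins when several policies fire, and that the Review step counts what would happen if every policy were enforced; the policies and sign-ins at the bottom are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}
# Weakest to strongest; the strongest control wins when several policies fire (assumption).
CONTROL_ORDER = ["require_mfa_registration", "require_mfa", "require_password_change", "block"]


@dataclass
class Assignment:
    """The three assignment options: all users, specific users/groups, or all users minus exclusions."""
    all_users: bool = False
    include: Set[str] = field(default_factory=set)    # user or group names
    exclude: Set[str] = field(default_factory=set)

    def applies(self, user: str, groups: Set[str]) -> bool:
        targets = {user} | groups
        if targets & self.exclude:                    # exclusions win over inclusions
            return False
        return self.all_users or bool(targets & self.include)


@dataclass
class Policy:
    name: str
    assignment: Assignment
    control: str
    condition: Optional[str] = None     # "user_risk", "sign_in_risk", or None for MFA registration
    minimum_level: str = "low"          # the portal offers low and above, medium and above, high
    enforce: bool = False

    def __post_init__(self):
        if self.control not in CONTROL_ORDER or self.minimum_level not in ("low", "medium", "high"):
            raise ValueError(f"bad policy definition: {self.name}")


@dataclass
class SignIn:
    user: str
    groups: Set[str] = field(default_factory=set)
    user_risk: str = "none"
    sign_in_risk: str = "none"
    mfa_registered: bool = True


def evaluate(policies: List[Policy], s: SignIn, ignore_enforce: bool = False) -> List[str]:
    """Controls this sign-in triggers, weakest first; unenforced policies are skipped unless asked."""
    fired = []
    for p in policies:
        if not (p.enforce or ignore_enforce) or not p.assignment.applies(s.user, s.groups):
            continue
        if p.condition is None:                       # MFA registration policy has no risk condition
            hit = not s.mfa_registered
        else:
            level = s.user_risk if p.condition == "user_risk" else s.sign_in_risk
            hit = RISK_ORDER[level] >= RISK_ORDER[p.minimum_level]
        if hit:
            fired.append(p.control)
    return sorted(set(fired), key=CONTROL_ORDER.index)


def decision(policies: List[Policy], s: SignIn) -> str:
    fired = evaluate(policies, s)
    return fired[-1] if fired else "allow"


def estimate_impact(policies: List[Policy], signins: List[SignIn]) -> Dict[str, int]:
    """The Review step: how many sign-ins each control would hit if every policy were enforced."""
    return dict(Counter(c for s in signins for c in evaluate(policies, s, ignore_enforce=True)))


# Constructed policies and sign-ins matching the post's three sections.
POLICIES = [
    Policy("MFA registration", Assignment(all_users=True, exclude={"break-glass"}),
           "require_mfa_registration", enforce=True),
    Policy("User risk policy", Assignment(all_users=True),
           "require_password_change", "user_risk", "high", enforce=True),
    Policy("Sign-in risk policy", Assignment(include={"finance"}),
           "require_mfa", "sign_in_risk", "medium", enforce=False),   # reviewing, not yet enforced
]
SIGNINS = [
    SignIn("alice", {"finance"}, sign_in_risk="medium"),
    SignIn("bob", {"sales"}, user_risk="high", mfa_registered=False),
    SignIn("break-glass", set(), mfa_registered=False),
    SignIn("carol", {"finance"}, user_risk="high", sign_in_risk="high"),
]

if __name__ == "__main__":
    for s in SIGNINS:
        print(s.user, "->", decision(POLICIES, s))
    print("estimated impact:", estimate_impact(POLICIES, SIGNINS))
```

The unenforced sign-in risk policy is the useful case: decision() ignores it, so alice is allowed, while estimate_impact() shows that switching it on would challenge two finance sign-ins. The excluded break-glass account never triggers the registration policy, which is why exclusions deserve their own review.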

#AzureAD : Identity Protection Part I


Microsoft Azure Active Directory has become a backbone for many cloud services. Just as identity is key to the technology landscape, protecting it is of the utmost importance in the digital world. To provide this, Microsoft Azure AD Premium P2 offers Identity Protection. It detects potential vulnerabilities, and actions can be defined in two ways: taken automatically, or taken manually based on suspicious incidents.

In conversations it sounds very easy when you listen to the explanation from a technical sales representative, but it is not that easy. Microsoft Azure AD uses machine learning and heuristics to detect irregularities and suspicious incidents that help identify potentially compromised identities. It does not protect only privileged accounts but covers all identities. Therefore, a huge amount of data can be collected to generate reports and perform analysis, which helps identify anomalies in the system and potential vulnerabilities. Mitigation and remediation actions can be defined for the detected issues using risk-based policies. These policies are an add-on to the conditional access provided by Azure AD and EMS; they can either block suspicious identities or initiate remediation actions, including password reset and MFA enforcement.

Here are the capabilities provided by Identity Protection:

Detecting vulnerabilities and risky accounts
  • Providing custom recommendations to improve overall security posture by highlighting vulnerabilities
  • Calculating sign-in risk levels
  • Calculating user risk levels

Investigating risk events
  • Sending notifications for risk events
  • Investigating risk events using relevant and contextual information
  • Providing basic workflows to track investigations
  • Providing easy access to remediation actions such as password reset

Risk-based conditional access policies
  • Policy to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges
  • Policy to block or secure risky user accounts
  • Policy to require users to register for multi-factor authentication

Courtesy: Microsoft Azure Documentation

In many organizations, identity protection falls under the security or risk management team. Therefore, it is more practical to have role-based access control to manage these kinds of services. Even if the identity management team itself takes care of identity protection, defining RBAC still makes sense because it makes administrators accountable and responsible. Azure AD Identity Protection provides three types of role to manage it.

| Role | Can do | Cannot do |
| --- | --- | --- |
| Global administrator | Full access to Identity Protection, onboard Identity Protection | |
| Security administrator | Full access to Identity Protection | Onboard Identity Protection, reset passwords for a user |
| Security reader | Read-only access to Identity Protection | Onboard Identity Protection, remediate users, configure policies, reset passwords |

Courtesy: Microsoft Azure Documentation

Let's see how to enable it. Before proceeding further, make sure you have Azure AD Premium P2 enabled for your tenant.

Log in to https://aad.portal.azure.com and go to More services.

In More services, select Azure AD Identity Protection.

On the Azure AD Identity Protection – Getting started page, select “Onboard”.

In this panel, make sure you have the right directory selected and then click on Create.

Once it is enabled, you can see the analysis.

If you want to explore further and review the permanent admin roles, go to Overview and click on “Identify users who are assigned to permanent admin roles” to configure Privileged Identity Management.

In the Configure premium extensions panel, select “Configure PIM”.

You need MFA to configure PIM. If you are enabled for MFA, click on Verify my identity. It will redirect you to configure MFA.

Once MFA has been configured successfully, you can see the status as below. Now click on Sign up.

In the sign-up window, select Yes to sign up for Privileged Identity Management.

Once configuration and discovery complete, you can verify your roles.

To verify all the users who have PIM roles assigned, or to add any other user to manage PIM, select Roles under Manage.

#AzureAD : Group-based licensing


Microsoft Azure AD simplifies license management for Microsoft cloud services such as O365, Enterprise Mobility + Security, Dynamics CRM etc. by providing group-based licensing. A user can be a member of multiple groups, and multiple licenses can be assigned through a single group or through multiple groups. A license can also be assigned directly to the user if group-based assignment is not needed. As Azure AD is the backbone for all identity needs of Microsoft cloud services, group-based licensing is managed through Azure AD. While assigning licenses to multiple users via group-based licensing, you may observe many permutations and combinations of service enablement and license assignment. Let's take an example to understand this scenario.

Inside Microsoft Technology is a company that deals in technical content writing and has two major teams. One team deals in writing and the other in marketing. The company has O365 for business productivity. The marketing team uses all the features that come under E3 licenses, and the writing team also uses all the E3 features except Yammer, because the members of the writing team don't interact with others through corporate social networking. The rest of the teams have specific sets of features enabled to complete their jobs. Therefore, the administrator can make two action plans for these groups.

Plan 1: Create a single group for both teams and disable Yammer for the employees who don't need it.

Plan 2: Create one group for the marketing team and assign E3 licenses, and create another group for the writing team and assign E3 licenses but enable Yammer only for those users who need it.
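The permutations the post mentions, worked through for Plan 2 as an added Python example (not Microsoft's code, and not the service's own logic). It models licenses attached to groups with per-group disabled service plans, a direct assignment for the one writer who does need Yammer, and users who sit in one or both groups. Two merge rules are assumptions of this example, marked in the code: when the same product reaches a user from several sources, a plan is enabled if any source enables it, and the user consumes one license for that product however many sources grant it. Product and plan names are illustrative, not real SKU or plan identifiers.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Illustrative catalogue: product -> service plans it contains (not real SKU identifiers).
CATALOG = {
    "E3": {"Exchange Online", "SharePoint Online", "Skype for Business", "Yammer", "Office ProPlus"},
}


@dataclass
class LicenseAssignment:
    """One product granted by a group or directly, with the plans switched off for that grant."""
    product: str
    disabled_plans: Set[str] = field(default_factory=set)

    def __post_init__(self):
        unknown = self.disabled_plans - CATALOG[self.product]
        if unknown:
            raise ValueError(f"{self.product} has no plan(s) {sorted(unknown)}")


@dataclass
class Tenant:
    group_licenses: Dict[str, List[LicenseAssignment]] = field(default_factory=dict)
    direct_licenses: Dict[str, List[LicenseAssignment]] = field(default_factory=dict)
    memberships: Dict[str, Set[str]] = field(default_factory=dict)   # user -> groups

    def sources(self, user: str) -> List[Tuple[str, LicenseAssignment]]:
        """Every (source, assignment) pair that reaches the user: direct first, then each group."""
        found = [("direct", a) for a in self.direct_licenses.get(user, [])]
        for group in sorted(self.memberships.get(user, set())):
            found += [(group, a) for a in self.group_licenses.get(group, [])]
        return found

    def effective_plans(self, user: str) -> Dict[str, Set[str]]:
        """product -> enabled plans. ASSUMPTION: a plan is enabled if any source enables it."""
        result: Dict[str, Set[str]] = {}
        for _, a in self.sources(user):
            enabled = CATALOG[a.product] - a.disabled_plans
            result[a.product] = result.get(a.product, set()) | enabled
        return result

    def explain(self, user: str, product: str, plan: str) -> List[str]:
        """Which sources enable a plan for the user; an empty list means the plan is off for them."""
        return [src for src, a in self.sources(user)
                if a.product == product and plan not in a.disabled_plans]

    def licenses_consumed(self) -> Dict[str, int]:
        """ASSUMPTION: one license per user per product, regardless of how many sources grant it."""
        counts: Dict[str, int] = {}
        for user in set(self.memberships) | set(self.direct_licenses):
            for product in self.effective_plans(user):
                counts[product] = counts.get(product, 0) + 1
        return counts


def plan2_tenant() -> Tenant:
    """Constructed tenant for the post's Plan 2: marketing gets full E3, writing gets E3 minus Yammer."""
    t = Tenant()
    t.group_licenses["marketing"] = [LicenseAssignment("E3")]
    t.group_licenses["writing"] = [LicenseAssignment("E3", {"Yammer"})]
    t.memberships = {
        "mia": {"marketing"},
        "will": {"writing"},
        "wendy": {"writing"},
        "both": {"writing", "marketing"},
    }
    # A writer who does need Yammer gets only that plan directly; the group grant supplies the rest.
    t.direct_licenses["wendy"] = [LicenseAssignment("E3", CATALOG["E3"] - {"Yammer"})]
    return t


if __name__ == "__main__":
    t = plan2_tenant()
    for user in sorted(t.memberships):
        plans = t.effective_plans(user)["E3"]
        print(f"{user:6} Yammer={'on' if 'Yammer' in plans else 'off'} via {t.explain(user, 'E3', 'Yammer')}")
    print("licenses consumed:", t.licenses_consumed())
```

The case to notice is the user in both groups: the marketing grant enables Yammer, so the writing group's disabled plan has no effect on them, which is the kind of combination the post warns about. explain() tells you which source is responsible, which is what you need before changing a group's disabled plans.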

Let's see how to do it.

Go to https://aad.portal.azure.com

Go to Azure Active Directory and select Licenses.

Under Licenses, select All products.

Under All products, select the specific products and click on Assign.

Go to Licensed groups under General and select “+ Assign”.

Select the specific group that you want to license.

Go to Assignment options, select the specific products and then click on OK.

Finally, click on Assign and you are done.

#AzureAD : Cloud App Discovery


Microsoft Azure Active Directory Cloud App Discovery enables discovery of the cloud applications being used by the organization. It helps administrators perform app discovery and unveils the use of SaaS applications, access patterns, volume of data, counts, web requests, user details etc. Earlier it was agent-based discovery; that has now changed to agentless discovery. To use this service, you need an Azure AD Premium P1 license.

To enable Cloud App Discovery, log in to the Azure portal at https://portal.azure.com. The user should have global administrator rights.

Click on New and search for Cloud App Discovery.

In the Azure AD Cloud App Discovery panel, click on Create.

In the Cloud App Discovery panel, select the directory and license, and then click on Create.

To configure this service, go to Azure AD at https://aad.portal.azure.com.

Go to More services and select “Azure AD Cloud App Discovery”.

Click on Settings to configure it.

In the Settings panel, configure each setting one by one.

First click on the User consent option.

Select User consent based on your organization's needs.

Configure the rest of the user consent settings based on your requirements.

Now configure the Data collection settings based on your organization's requirements.

Now configure the Store data settings based on your organization's needs.

Configure the Manage access settings. Here you can grant administrative access to Cloud App Discovery administration.

Finally, configure the Notifications settings.

Once you are done with the configuration, you can apply filters to generate reports.

Please let me know if you face any issues while configuring Cloud App Discovery. I hope it worked for you.