Tag Archives: Azure Active Directory

#AzureAD : Privileged Identity Management Part III


Part I and Part II of this series cover how to start with Azure AD Privileged Identity Management, assign the Privileged Role Administrator role to administrators, configure just-in-time access (including the different ways to activate it) and customize the Azure AD directory role settings. This post covers access reviews, the directory roles audit history and my audit history.

Azure AD PIM access reviews let you require the members of a privileged role to attest that they still need it, either by reviewing their own membership or by having designated reviewers do it, depending on how the review is configured. To implement access reviews, log in to the Azure AD portal and go to Azure AD Privileged Identity Management.

Go to Access reviews under Azure AD directory roles and select Add to create a new access review.

Fill in the details based on your requirements.

Under Review role membership, select the role you wish to review. One access review covers exactly one role, so you need to create a separate access review for each role your organization uses.

Under Reviewers, select who reviews this role: the members themselves (Members (self)) or someone else (Selected users). In my case I am selecting Members (self). Once everything is configured, select Start.

Once created, privileged role administrators can see the review under Access reviews in Manage, while (for Members (self)) the role members see it under Review access in Tasks.

As a privileged role administrator you can stop or delete this access review and change its configuration.

With my configuration, the password administrator has to review his own access and approve it. He needs to log in with his own identity and go to Review access under Tasks.

Once you open the access review, you can see your identity listed in the Not reviewed section.

Select the user, provide a reason for the approval and finally click Approve.

Once reviewed, the count of remaining items drops to 0.

Now let's see how a privileged role administrator can review the activity on directory roles by looking at “Directory roles audit history” under Activity in Azure AD directory roles.

The privileged role administrator can scroll through the page and review every action performed on Azure AD directory roles: assignments, activations with the reason each requestor gave, and changes to role settings. It is worth checking this regularly for activations without a meaningful reason and for roles that were made permanent.

Privileged role administrators and other directory role administrators can review their own actions under “My audit history” in Activity in Azure AD Privileged Identity Management.

The privileged role administrator can also look at the Alerts section under Manage, where PIM lists detected risks with a severity, as a proactive safeguard.

I have covered most of the topics related to PIM. However, you can explore more, such as Azure resources (preview) under Manage.

I hope this series on Azure AD Privileged Identity Management helped you.
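The review steps above (one access review per role, reasons captured in the audit history, alerts on risky patterns) are easy to do by hand for a handful of roles and tedious beyond that. The following is an added example, not code from the blog or from Microsoft, that applies the same checks offline to an audit export. The CSV layout, every row in it, the set of roles that already have an access review and the activation-frequency threshold are constructed for the example; a real export from the portal has different column names and needs a small mapping step.

```python
"""Added example (not the blog's code): review a PIM directory-roles audit export
offline. The CSV layout and every row are constructed for this example; a real
export from the portal will have different column names."""
import csv
import io
from collections import Counter
from typing import Dict, Iterable, List

AUDIT_EXPORT = """\
time,actor,action,role,target,reason
2017-06-01T09:02:00Z,alice,Activate role,Password Administrator,alice,reset bob's password
2017-06-01T11:40:00Z,carol,Activate role,Global Administrator,carol,
2017-06-02T08:15:00Z,pra,Make permanent,Global Administrator,carol,standing access requested by carol
2017-06-02T10:00:00Z,alice,Activate role,Password Administrator,alice,unlock dave
2017-06-03T14:05:00Z,carol,Activate role,Global Administrator,carol,
2017-06-03T16:20:00Z,erin,Activate role,Security Administrator,erin,investigate risk event 1207
"""

# Roles that already have an access review configured (PIM needs one review per role).
REVIEWED_ROLES = {"Password Administrator", "Security Administrator"}


def parse_audit(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def roles_in_use(rows: Iterable[dict]) -> set:
    return {r["role"] for r in rows}


def roles_without_review(rows: Iterable[dict], reviewed: Iterable[str]) -> List[str]:
    """Every role that shows up in the audit trail needs its own access review."""
    return sorted(roles_in_use(rows) - set(reviewed))


def blank_reason_activations(rows: Iterable[dict]) -> List[dict]:
    """Activations whose justification is empty defeat the point of the audit log."""
    return [r for r in rows if r["action"] == "Activate role" and not r["reason"].strip()]


def made_permanent(rows: Iterable[dict]) -> List[dict]:
    return [r for r in rows if r["action"] == "Make permanent"]


def frequent_activators(rows: Iterable[dict], threshold: int) -> Dict[tuple, int]:
    """(actor, role) pairs activated at least `threshold` times in the export, the
    kind of pattern PIM's own alerts flag as roles being activated too often."""
    counts = Counter((r["actor"], r["role"]) for r in rows if r["action"] == "Activate role")
    return {pair: n for pair, n in counts.items() if n >= threshold}


def findings(text: str, reviewed: Iterable[str], threshold: int = 2) -> dict:
    rows = parse_audit(text)
    return {
        "roles_without_review": roles_without_review(rows, reviewed),
        "blank_reasons": [(r["time"], r["actor"], r["role"]) for r in blank_reason_activations(rows)],
        "made_permanent": [(r["target"], r["role"], r["actor"]) for r in made_permanent(rows)],
        "frequent": frequent_activators(rows, threshold),
    }


if __name__ == "__main__":
    for key, value in findings(AUDIT_EXPORT, REVIEWED_ROLES).items():
        print(key, value)
```

Run it against a fresh export after each review cycle; the "roles_without_review" list is the gap that the one-role-per-review rule creates, and "made_permanent" is the list you should be able to justify to an auditor.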

#AzureAD : Privileged Identity Management Part II


In Part I of this series, I explained how to start with Azure AD Privileged Identity Management and assign the Privileged Role Administrator role to administrators. Azure AD PIM takes access control and monitoring to the next level by providing just-in-time administrator access and access reviews. Just-in-time access grants a role for a limited time, long enough to perform the necessary action. To enable it, you make the administrator “eligible” for the specified role. This is the default for new assignments, so a newly assigned role does not make anyone a permanent administrator unless you intentionally make it permanent. Once a role has been assigned, the administrator can activate it in one of two ways: directly, or through an approval workflow. By default, an activated role stays active for one hour; this can be set anywhere between 30 minutes and 72 hours in the role settings.

Let's see how to do it. Log in to the Azure AD portal with the subscription administrator identity, or with an administrator identity that has been enabled for “Privileged Role Administrator”. I will explain these features by assigning the Password Administrator role to a user to make him password administrator for the organization.

Go to Azure AD directory roles under Azure AD Privileged Identity Management.

Go to Users under Manage and click Add.

Select the “Password Administrator” role.

Now select the user who will become password administrator for the organization and click OK.

Once you have assigned this role, ask the user to log in. You will observe that he cannot reset any user's password yet, because the role is only eligible, not active.

As explained earlier, the user is made “eligible” for the specified role, but to perform any action he must activate it. To activate the role, he goes to “My roles” under Tasks in Azure AD PIM and clicks Action, as highlighted in the snip.

Now the administrator clicks “Activate” to activate this role.

Now the user has to provide a “reason for role activation”. This reason is captured in the audit logs.

The administrator can see that his role has been activated for the specified time period.

Now the administrator can reset the password.

Once the task is done, the administrator can deactivate the role himself rather than waiting for it to expire.

Now let's see how to change the default settings for Azure AD directory roles. Go to Settings under Azure AD directory roles and click “Roles”.

Select the role and review its configuration parameters.

For example, I would like to require approval for role activation. Under Require approval select “Enable”, then select the approvers.

Once selected, click Save.

Once the role settings have been modified, you will observe that the role status has changed from “Eligible” to “Request activation”. Click Request activation to activate it.

Now click Activate. Once you click Activate and specify the reason, a request is sent to the approver.

Now the approver has to log in and go to “Approve requests” under Tasks. Select the request and click Approve.

Now specify the reason for approving this request and click Approve.

Once approved, ask the role administrator to verify it. He will observe that he now has access for the time period set in the role configuration.

If you want to give an administrator a role on a dedicated basis, make him a permanent member of that role. See Part I for details.

#AzureAD : Privileged Identity Management Part I


Digitization has changed the way we work and live. Much of our personal and professional data is now online, and identity is what keeps it secure. Organizations have been disrupted as well, and the cloud has changed the way things are done. In the cloud you cannot rely only on dedicated administrators as you do on-premises, because of the need for agility; at the same time, privileged access cannot be given to everyone. Since cloud services run in a distributed environment, it becomes necessary to manage and monitor these access controls granularly.

To address these challenges, Azure Active Directory Privileged Identity Management is the next step in access control management for Microsoft cloud services. It is available to your entire organization and requires an Azure AD Premium P2 license for the administrators who use it. It allows you to manage, control and monitor access within your organization for Azure AD, Azure resources (preview), Office 365, Intune and other Microsoft online services.

With this feature you can assign privileged roles to your users either permanently or on demand, on a “just in time” basis. It also lets you monitor and review the users who are enabled for privileged roles and, depending on your configuration, requires them to justify their continued membership.

Let's see how to do it. Log in to the Azure AD portal at https://aad.portal.azure.com

Open Azure AD Privileged Identity Management from More services.

Select Azure AD directory roles under Manage.

You need MFA to configure PIM. Click Verify my identity; if MFA is not set up for your account yet, you will be redirected to configure it.

Once MFA has been verified, you can see the status as below. Now click Sign up.

In the sign-up window, select Yes to sign up for Privileged Identity Management.

Once configuration and discovery complete, you can verify your roles.

To see all the users who have PIM roles assigned, or to add another user to manage PIM, select Roles under Manage.

By default, only the identity that signed up for PIM (in my case the subscription administrator) holds the Privileged Role Administrator role. If you want to give PIM management rights to the global administrator or any other administrator, you must assign this role manually. Until you do, no other administrator or user can manage users or their roles in PIM.

To assign the role, log in with the subscription administrator identity, go to Azure AD directory roles and click +Add user.

Now select “Privileged Role Administrator”.

Select your global administrator, or any other administrator who should be responsible for Privileged Identity Management.

Once assigned, you can see that the user has “Privileged Role Administrator” in Eligible mode.

If the user logs in and goes to Users under Azure AD directory roles, he can see that he can activate the assigned role for a limited time. By default, access is granted for an hour. Click the highlighted message to activate the role.

Before activating the role you must verify your identity through MFA. Click the highlighted sections to verify your identity.

Your identity is now verified through MFA. (Note: MFA must be configured; otherwise you will be asked to set up MFA for this user first.)

Once your identity is verified, you get the option to Activate. (Note: if you don't reach this option the first time, retry Verify my identity and you should land on this prompt.) Click Activate to enable the privileges.

Once you click Activate, you have to provide the reason for activation and then click OK.

Once activated, you can use the privileges. By default, the role stays active for an hour.

If you would like to give this role to the user permanently, go back to your existing privileged role administrator or subscription administrator identity and click “Privileged Role Administrator”.

Now click More and select “Make perm” to make this role permanent for this user.

Now you can see that this role has been assigned permanently to this user.

When this user logs in with his identity, he will see that he is enabled permanently and no longer needs to activate the role for a short period. Use permanent assignments sparingly: standing privileged access is exactly what PIM is meant to reduce.
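Parts I and II above describe the same state machine from two sides: an assignment is eligible until it is activated (after MFA and with a reason), an activation lasts for a bounded window, activation can be gated behind an approver, and “Make perm” takes a user out of the just-in-time flow altogether. The following is an added example, not the blog's code and not Microsoft's implementation, that models those rules so you can see how each check fails. The users, role names, approvers and the fixed clock are constructed; the 30-minute to 72-hour bounds and the one-hour default are the values quoted in the posts.

```python
"""Added example (not the blog's code): toy model of Azure AD PIM directory-role
assignments: eligible vs permanent membership, just-in-time activation with a
bounded duration, optional approval, and an audit trail. Users, roles and the
clock below are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

MIN_DURATION = timedelta(minutes=30)   # activation window bounds quoted in Part II
MAX_DURATION = timedelta(hours=72)
DEFAULT_DURATION = timedelta(hours=1)  # PIM default quoted in Parts I and II
T0 = datetime(2017, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock for the example

def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)

class PimError(Exception):
    """Raised when an action violates a PIM rule."""

@dataclass
class RoleSetting:
    name: str
    duration: timedelta = DEFAULT_DURATION
    require_approval: bool = False
    approvers: Tuple[str, ...] = ()

@dataclass
class Assignment:
    user: str
    role: str
    permanent: bool = False
    active_until: Optional[datetime] = None  # None: eligible but not active
    pending_reason: Optional[str] = None     # set while a request awaits approval

class Pim:
    def __init__(self) -> None:
        self.settings: Dict[str, RoleSetting] = {}
        self.assignments: Dict[Tuple[str, str], Assignment] = {}
        self.audit: List[dict] = []  # stands in for "Directory roles audit history"

    def configure_role(self, setting: RoleSetting) -> None:
        if not MIN_DURATION <= setting.duration <= MAX_DURATION:
            raise PimError("activation duration must be 30 minutes to 72 hours")
        if setting.require_approval and not setting.approvers:
            raise PimError("approval required but no approvers configured")
        self.settings[setting.name] = setting

    def assign(self, user: str, role: str) -> None:
        """New assignments are eligible, never permanent, unless changed later."""
        self.settings.setdefault(role, RoleSetting(role))
        self.assignments[(user, role)] = Assignment(user, role)
        self._log("assign", user, role, "eligible")

    def make_permanent(self, user: str, role: str) -> None:
        self._get(user, role).permanent = True  # the portal's "Make perm"
        self._log("permanent", user, role, "")

    def is_active(self, user: str, role: str, now: datetime) -> bool:
        a = self.assignments.get((user, role))
        if a is None:
            return False
        return a.permanent or (a.active_until is not None and now < a.active_until)

    def activate(self, user: str, role: str, reason: str, now: datetime, mfa_verified: bool) -> str:
        a = self._get(user, role)
        if not reason.strip():
            raise PimError("a reason for activation is required")
        if not mfa_verified:
            raise PimError("verify your identity with MFA first")
        if self.settings[role].require_approval:
            a.pending_reason = reason
            self._log("request", user, role, reason)
            return "pending"
        self._grant(a, now, reason)
        return "active"

    def approve(self, approver: str, user: str, role: str, reason: str, now: datetime) -> datetime:
        a = self._get(user, role)
        if approver not in self.settings[role].approvers:
            raise PimError(f"{approver} is not an approver for {role}")
        if a.pending_reason is None:
            raise PimError("no pending request")
        self._log("approve", approver, role, reason)
        self._grant(a, now, a.pending_reason)
        a.pending_reason = None
        return a.active_until

    def _grant(self, a: Assignment, now: datetime, reason: str) -> None:
        a.active_until = now + self.settings[a.role].duration
        self._log("activate", a.user, a.role, reason)

    def _get(self, user: str, role: str) -> Assignment:
        if (user, role) not in self.assignments:
            raise PimError(f"{user} is not assigned {role}")
        return self.assignments[(user, role)]

    def _log(self, action: str, actor: str, role: str, detail: str) -> None:
        self.audit.append({"action": action, "actor": actor, "role": role, "detail": detail})
```

The audit list is the part to keep an eye on: every state change lands there with the reason the requester typed, which is what the “Directory roles audit history” page in Part III gives you. Note that an empty reason and a missing MFA verification are rejected before anything is logged, while a request denied to a non-approver leaves the pending request in place.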

#AzureAD : Identity Protection Part III


Part I and Part II of this series cover the basics of Identity Protection and how to enable and configure it. In this post I'll cover the remaining part: once Identity Protection is enabled and configured, monitoring, investigation and reporting become a crucial part of information risk management. The Azure AD portal provides all of this in a single control panel.

Users flagged for risk, risk events and vulnerabilities can all be investigated under INVESTIGATE.

You can see or download the report, and change the user risk policy configuration, through the “Users flagged for risk” panel.

Risk events for the last 90 days can be seen under Risk events, and the same report can be downloaded. If you have a list of known IP address ranges (for example your corporate egress addresses), define them so that the location-based detections do not treat sign-ins from those ranges as unfamiliar. To add IP address ranges, select “+ Add known IP address ranges”.

In the Configure locations panel, select “+New location” and then define the name and IP ranges. You can also upload and download IP ranges.

You can also configure MFA trusted IPs by selecting “…More” in the Configure locations panel.

You can check the vulnerabilities and their risk level in the Vulnerabilities panel and fix them according to the risk level your organization accepts.

You can also set up alerts and a weekly digest by email.

To set up alerts, go to the Alerts section under Settings and configure the alert settings based on the user risk level.

To set up the weekly digest, go to the Weekly digest section and enable or disable it.

If you would like to pin Azure AD Identity Protection to the dashboard, select “Pin to dashboard”. In the Pin to dashboard panel, select “Pin to dashboard” and click Create.

Now you can see Azure AD Identity Protection on the dashboard for easier access.
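Known IP ranges only help the detections whose signal is the location itself; a leaked-credentials event is just as serious from the office as from anywhere else. The following is an added example, not the blog's code and not anything Microsoft ships, that triages a downloaded risk-events report against the ranges you would enter under Configure locations. The ranges, the rows and the users are constructed (the addresses are documentation ranges from RFC 5737 and RFC 3849); the detection names follow the risk event types Identity Protection reports.

```python
"""Added example (not the blog's code): triages a risk-event export against the
known IP ranges you configure under Configure locations. Events and ranges are
constructed; the addresses are documentation ranges (RFC 5737 / RFC 3849)."""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

# Detections whose only signal is the location; a sign-in from a known corporate
# range makes them low value. Anything else keeps its level whatever the address.
LOCATION_DETECTIONS = {"Sign-in from unfamiliar location",
                       "Impossible travel to atypical location"}

KNOWN_RANGES = ["203.0.113.0/24", "2001:db8:10::/48"]   # constructed "Corporate HQ" ranges

RISK_EVENTS = [  # constructed rows in the shape of the portal's risk events export
    {"user": "alice", "ip": "203.0.113.25", "type": "Sign-in from unfamiliar location", "level": "medium"},
    {"user": "bob", "ip": "198.51.100.7", "type": "Sign-in from unfamiliar location", "level": "medium"},
    {"user": "carol", "ip": "203.0.113.80", "type": "Users with leaked credentials", "level": "high"},
    {"user": "dave", "ip": "2001:db8:10::1f", "type": "Impossible travel to atypical location", "level": "medium"},
    {"user": "erin", "ip": "198.51.100.200", "type": "Sign-in from anonymous IP address", "level": "medium"},
    {"user": "frank", "ip": "not-an-ip", "type": "Sign-in from unfamiliar location", "level": "low"},
]


def build_networks(ranges: Iterable[str]) -> list:
    """Parse CIDR strings; strict=False also accepts '203.0.113.5/24' style entries."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def is_trusted(ip: str, networks: list) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)  # a v4 address is never "in" a v6 network


def triage(events: Iterable[dict], ranges: Iterable[str]) -> Dict[str, object]:
    """Split events into the ones an analyst must look at, the location-only
    detections explained by a trusted range, and rows that did not parse."""
    networks = build_networks(ranges)
    out: Dict[str, object] = {"needs_review": [], "trusted_location": [], "unparsed": []}
    by_level: Counter = Counter()
    for e in events:
        try:
            ipaddress.ip_address(e["ip"])
        except ValueError:
            out["unparsed"].append(e["user"])  # garbage in the export: check it separately
            continue
        if e["type"] in LOCATION_DETECTIONS and is_trusted(e["ip"], networks):
            out["trusted_location"].append(e["user"])
        else:
            out["needs_review"].append(e["user"])
            by_level[e["level"]] += 1
    out["by_level"] = dict(by_level)
    return out


if __name__ == "__main__":
    for key, value in triage(RISK_EVENTS, KNOWN_RANGES).items():
        print(key, value)
```

Keep the unparsed bucket visible rather than silently dropping it: an unparseable source address in a risk report is itself worth a look.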

#AzureAD : Identity Protection Part II


In Part I of this series, I explained the concept of Azure AD Identity Protection and how to set it up. In this part I'll cover its configuration. There are three major sections under Configure: “MFA registration”, “User risk policy” and “Sign-in risk policy”.

Under each of these you will find five parameters:

  • Policy name: predefined
  • Assignments: users, and conditions (the MFA registration policy has no conditions)
  • Controls: access control
  • Review: estimated impact
  • Enforce policy: On/Off

Let's see how to configure MFA registration.

Under Assignments, select the users. You have three options: (i) all users, (ii) specific users and groups, (iii) all users except specific excluded users.

Under Controls, define the access control: require Azure MFA registration.

Under Review, look at the estimated impact.

Finally, set Enforce policy to On and click Save.

Next, let's see how to configure the user risk policy.

Under Assignments, first select the users, with the same three options: (i) all users, (ii) specific users and groups, (iii) all users except specific excluded users.

Now define the condition under which the policy applies: the user risk level (low and above, medium and above, or high).

Under Controls, define the access control applied when that condition is met: block access, or allow access but require a password change.

Under Review, look at the estimated impact.

Finally, set Enforce policy to On and click Save.

Finally, let's see how to configure the sign-in risk policy.

Under Assignments, first select the users, again with the three options: (i) all users, (ii) specific users and groups, (iii) all users except specific excluded users.

Now define the condition: the sign-in risk level that triggers the policy.

Under Controls, define the access control applied when that condition is met: block access, or allow access but require multi-factor authentication.

Under Review, look at the estimated impact.

Finally, set Enforce policy to On and click Save.

I have only shown an example of how to configure these settings; configure them based on your own requirements. A sensible habit is to leave Enforce policy Off and watch the estimated impact first, so that a risk threshold set too low does not lock out a large share of your users the moment you turn it On, and to exclude a break-glass account from the exclusions list rather than discover it is blocked during an incident.
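To make the five parameters concrete, the following is an added example, not the blog's code and not Microsoft's policy engine, that evaluates the three policy kinds against sign-in events the way the portal's options suggest: assignments with include/exclude, a risk-level threshold as the condition, a control, and an enforce switch where Off means the policy only contributes to the estimated impact. Users, groups, risk levels and the control names are constructed; the three policies at the bottom mirror the configuration walked through above, with a break-glass account excluded.

```python
"""Added example (not the blog's code): evaluates the three Identity Protection
policies described above against sign-in events. The policy fields mirror the
portal's five parameters; users, groups, risk levels and control names are
constructed for the example."""
from dataclasses import dataclass, field
from typing import List, Set

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Policy:
    name: str
    kind: str                    # "mfa_registration", "user_risk" or "sign_in_risk"
    control: str                 # "block", "require_mfa", "require_password_change", "require_mfa_registration"
    min_risk: str = "low"        # condition threshold; "low" means low and above
    include_all: bool = True     # assignment option (i); False plus `include` is option (ii)
    include: Set[str] = field(default_factory=set)   # users or group names
    exclude: Set[str] = field(default_factory=set)   # option (iii); an exclusion always wins
    enforce: bool = False        # Off: the policy only shows up in the estimated impact


def in_scope(policy: Policy, signin: dict) -> bool:
    names = {signin["user"], *signin["groups"]}
    if names & policy.exclude:
        return False
    return policy.include_all or bool(names & policy.include)


def condition_met(policy: Policy, signin: dict) -> bool:
    if policy.kind == "mfa_registration":
        return not signin["mfa_registered"]
    level = signin["user_risk"] if policy.kind == "user_risk" else signin["sign_in_risk"]
    return RISK_ORDER[level] >= RISK_ORDER[policy.min_risk]


def evaluate(policies: List[Policy], signin: dict) -> dict:
    """Combine all matching policies: an enforced block wins over everything,
    other enforced controls accumulate, unenforced ones are reported only."""
    result = {"decision": "allow", "require": [], "report_only": []}
    for p in policies:
        if not (in_scope(p, signin) and condition_met(p, signin)):
            continue
        if not p.enforce:
            result["report_only"].append((p.name, p.control))
        elif p.control == "block":
            result["decision"] = "block"
        else:
            result["require"].append(p.control)
    return result


def estimated_impact(policy: Policy, signins: List[dict]) -> int:
    """What the Review step shows: sign-ins the policy would have acted on."""
    return sum(1 for s in signins if in_scope(policy, s) and condition_met(policy, s))


POLICIES = [
    Policy("MFA registration", "mfa_registration", "require_mfa_registration",
           exclude={"breakglass"}, enforce=True),
    Policy("User risk policy", "user_risk", "require_password_change",
           min_risk="medium", exclude={"breakglass"}, enforce=True),
    Policy("Sign-in risk policy", "sign_in_risk", "require_mfa",
           min_risk="medium", include_all=False, include={"staff"}, enforce=False),
]

SIGNINS = [  # constructed sign-in events
    {"user": "alice", "groups": {"staff"}, "user_risk": "medium", "sign_in_risk": "high", "mfa_registered": True},
    {"user": "bob", "groups": {"contractors"}, "user_risk": "none", "sign_in_risk": "none", "mfa_registered": False},
    {"user": "breakglass", "groups": set(), "user_risk": "high", "sign_in_risk": "high", "mfa_registered": False},
    {"user": "dave", "groups": {"staff"}, "user_risk": "low", "sign_in_risk": "low", "mfa_registered": True},
]

if __name__ == "__main__":
    for s in SIGNINS:
        print(s["user"], evaluate(POLICIES, s))
    print("sign-in risk policy would affect", estimated_impact(POLICIES[2], SIGNINS), "sign-ins")
```

Run the estimated-impact function over a day of real sign-ins before flipping enforce to True; the break-glass exclusion shows why an excluded account must be protected some other way, since no policy here touches it at all.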

#AzureAD : Identity Protection Part I


Microsoft Azure Active Directory has become the backbone of many cloud services. Just as identity is key to the technology landscape, protecting it is equally important in the digital world. For this, Azure AD Premium P2 offers Identity Protection. It detects potential vulnerabilities and risky activity, and the response can be defined in two ways: automatically, through risk-based policies, or manually, based on investigation of suspicious incidents.

In conversations it sounds very easy when you listen to a technical sales representative, but it is not that easy. Azure AD uses machine learning and heuristics to detect irregularities and suspicious incidents that help identify potentially compromised identities. It does not protect privileged accounts only; it covers all identities. A large amount of data is therefore collected to generate reports and perform analysis, which helps identify anomalies in the system and potential vulnerabilities. Mitigation and remediation actions for the detected issues can be defined using risk-based policies. These policies are an add-on to the conditional access provided by Azure AD and EMS: they can either block the suspicious identity or initiate remediation actions such as a password reset or MFA enforcement.

Here are the capabilities provided by Identity Protection:

Detecting vulnerabilities and risky accounts
  • Providing custom recommendations to improve overall security posture by highlighting vulnerabilities
  • Calculating sign-in risk levels
  • Calculating user risk levels

Investigating risk events
  • Sending notifications for risk events
  • Investigating risk events using relevant and contextual information
  • Providing basic workflows to track investigations
  • Providing easy access to remediation actions such as password reset

Risk-based conditional access policies
  • Policy to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges
  • Policy to block or secure risky user accounts
  • Policy to require users to register for multi-factor authentication

Courtesy: Microsoft Azure Documentation

In many organizations, Identity Protection falls under the security or risk management team, so it is practical to use role-based access control to manage this kind of service. Even if the identity management team takes care of Identity Protection itself, defining RBAC still makes sense because it keeps administrators accountable and responsible. Azure AD Identity Protection recognizes three roles:

Global administrator
  • Can do: full access to Identity Protection, onboard Identity Protection
  • Cannot do: nothing is restricted
Security administrator
  • Can do: full access to Identity Protection
  • Cannot do: onboard Identity Protection, reset passwords for a user
Security reader
  • Can do: read-only access to Identity Protection
  • Cannot do: onboard Identity Protection, remediate users, configure policies, reset passwords

Courtesy: Microsoft Azure Documentation

Let's see how to enable it. Before proceeding, make sure Azure AD Premium P2 is enabled for your tenant.

Log in to https://aad.portal.azure.com and go to More services.

In More services, select Azure AD Identity Protection.

On the Azure AD Identity Protection – Getting started page, select “Onboard”.

In this panel, make sure the right directory is selected and then click Create.

Once it is enabled, you can see the analysis.

If you want to review the permanent admin roles, go to Overview and click “Identify users who are assigned to permanent admin roles” to configure Privileged Identity Management.

In the Configure premium extensions panel, select “Configure PIM”.

You need MFA to configure PIM. Click Verify my identity; if MFA is not set up for your account yet, you will be redirected to configure it.

Once MFA has been verified, you can see the status as below. Now click Sign up.

In the sign-up window, select Yes to sign up for Privileged Identity Management.

Once configuration and discovery complete, you can verify your roles.

To see all the users who have PIM roles assigned, or to add another user to manage PIM, select Roles under Manage.

#AzureAD : Group-based licensing


Microsoft Azure AD simplifies license management for Microsoft cloud services such as O365, Enterprise Mobility + Security and Dynamics CRM by providing group-based licensing. A user can be a member of multiple groups, and multiple licenses can be assigned through a single group or through several groups; a license can still be assigned directly to a user where group-based assignment is not needed. Since Azure AD is the backbone for the identity needs of all Microsoft cloud services, group-based licensing is managed through Azure AD. When you license many users through groups, you will run into many permutations of service enablement and license assignment. Let's take an example to understand this.

Inside Microsoft Technology is a company that does technical content writing and has two major teams: one writes, the other does marketing. The company has O365 for business productivity. The marketing team uses all the features of the E3 license, and the writing team uses all E3 features except Yammer, because its members don't interact with others through corporate social networking. The remaining teams have specific sets of features enabled to do their jobs. The administrator can therefore choose between two plans for these groups. Note that a group assignment applies one set of disabled service plans to every member, so a per-user exception always needs a second assignment, either another group or a direct license.

Plan 1: Create a single group for both teams with E3 assigned and Yammer disabled, and give Yammer to the marketing employees who need it through a second assignment.

Plan 2: Create one group for the marketing team with E3 fully enabled, and another group for the writing team with E3 assigned and Yammer disabled.

Let's see how to do it.

Go to https://aad.portal.azure.com

Go to Azure Active Directory and select Licenses.

Under Licenses, select All products.

Under All products, select the specific product and click Assign.

Alternatively, go to Licensed groups under General and select “+ Assign”.

Select the group you want to license.

Go to Assignment options, select the service plans to enable for this group and click OK.

Finally, click Assign and you are done.
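The permutations the post warns about come from one rule: when several assignments reach the same user for the same product, Azure AD enables a service plan if any one of them enables it, and the user consumes a single license for that product. The following is an added example, not the blog's code and not Microsoft's licensing service, that applies this rule to Plan 1 and Plan 2 above and to a user who ends up in both teams' groups. The group names and users are constructed, and the four plan identifiers are an illustrative subset of the E3 SKU, not the full plan list.

```python
"""Added example (not the blog's code): computes the service plans a user ends
up with when several groups license the same product. The rule modelled is the
documented one for group-based licensing: a plan is enabled if at least one
assignment enables it, and the user consumes one license per product however
many groups carry it. Plan names are an illustrative subset of E3, not the SKU."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

PRODUCTS: Dict[str, FrozenSet[str]] = {
    "ENTERPRISEPACK": frozenset({  # Office 365 E3, four plans for illustration
        "EXCHANGE_S_ENTERPRISE", "SHAREPOINTENTERPRISE",
        "OFFICESUBSCRIPTION", "YAMMER_ENTERPRISE"}),
}
E3, YAMMER = "ENTERPRISEPACK", "YAMMER_ENTERPRISE"


@dataclass(frozen=True)
class LicenseAssignment:
    source: str                      # group name, or "direct:<user>" for a direct license
    product: str
    disabled_plans: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        unknown = self.disabled_plans - PRODUCTS[self.product]
        if unknown:
            raise ValueError(f"{self.source}: {sorted(unknown)} are not plans of {self.product}")

    @property
    def enabled_plans(self) -> FrozenSet[str]:
        return PRODUCTS[self.product] - self.disabled_plans


def effective_licenses(user: str, groups: Iterable[str],
                       assignments: Iterable[LicenseAssignment]) -> Dict[str, FrozenSet[str]]:
    """Product -> plans the user actually gets: the union over every assignment
    that reaches the user. One dict entry per product is one consumed license."""
    sources = set(groups) | {f"direct:{user}"}
    result: Dict[str, FrozenSet[str]] = {}
    for a in assignments:
        if a.source in sources:
            result[a.product] = result.get(a.product, frozenset()) | a.enabled_plans
    return result


NO_YAMMER = frozenset({YAMMER})
ONLY_YAMMER = PRODUCTS[E3] - {YAMMER}   # disable everything except Yammer

# Plan 1: one group for everybody without Yammer, plus a Yammer-only assignment
# on the marketing group. Plan 2: one full-E3 group and one E3-minus-Yammer group.
PLAN1: List[LicenseAssignment] = [LicenseAssignment("all-staff", E3, NO_YAMMER),
                                  LicenseAssignment("marketing", E3, ONLY_YAMMER)]
PLAN2: List[LicenseAssignment] = [LicenseAssignment("marketing", E3),
                                  LicenseAssignment("writers", E3, NO_YAMMER)]

MEMBERSHIP = {  # constructed users; "both" shows what overlapping groups do
    "plan1": {"writer": {"all-staff"}, "marketer": {"all-staff", "marketing"}},
    "plan2": {"writer": {"writers"}, "marketer": {"marketing"}, "both": {"writers", "marketing"}},
}


def scenario() -> Dict[tuple, FrozenSet[str]]:
    out = {}
    for name, plan in (("plan1", PLAN1), ("plan2", PLAN2)):
        for user, groups in MEMBERSHIP[name].items():
            out[(name, user)] = effective_licenses(user, groups, plan)[E3]
    return out


if __name__ == "__main__":
    for key, plans in scenario().items():
        print(key, "Yammer" if YAMMER in plans else "no Yammer", sorted(plans))
```

Both plans give the same result for a writer and a marketer; the difference shows up for the "both" user under Plan 2, where membership of the marketing group re-enables Yammer because the union wins. That is the behaviour to keep in mind whenever a "disable this plan" group overlaps with a fully licensed one.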

#AzureAD : Cloud App Discovery


Microsoft Azure Active Directory Cloud App Discovery discovers the cloud applications being used in your organization. It helps administrators perform app discovery and reveals SaaS application usage, access patterns, data volume, request counts, web requests and user details. It used to be agent-based and has now changed to agentless discovery. To use this service you need an Azure AD Premium P1 license.

To enable Cloud App Discovery, log in to the Azure portal at https://portal.azure.com as a user with global administrator rights.

Click New and search for Cloud App Discovery.

In the Azure AD Cloud App Discovery panel, click Create.

In the Cloud App Discovery panel, select the directory and license, and then click Create.

To configure the service, go to the Azure AD portal at https://aad.portal.azure.com.

Go to More services and select “Azure AD Cloud App Discovery”.

Click Settings to configure it.

In the Settings panel, configure each setting one by one.

First click the User consent option.

Select the user consent setting that matches your organization's needs.

Configure the rest of the user consent settings based on your requirements.

Now configure the Data collection settings based on your organization's requirements.

Now configure the Store data settings based on your organization's needs.

Configure the Manage access settings. Here you can grant administrative access to Cloud App Discovery administration.

Finally, configure the Notifications settings.

Once you are done with the configuration, you can apply filters to generate reports.

Please let me know if you face any issue while configuring Cloud App Discovery. I hope it worked for you.

#AzureAD : Company branding


Microsoft Azure Active Directory lets you customize the sign-in page with organization-specific branding. Every organization wants its own brand on the sign-in page, so that users get the same look and feel of their organization when they access cloud applications and services.

Let me show you how it looks before any customization.

To see it, access your portal through either the Azure portal https://portal.azure.com/<yourdomainname> or the AAD portal https://aad.portal.azure.com/<yourdomainname>

For customization, go to the Azure AD portal https://aad.portal.azure.com and log in.

Go to Azure Active Directory.

Now go to Company branding.

On the Company branding page, select Configure.

Fill in the needed information.

Now upload the background image that will appear on your sign-in page, and upload your organization's logo as well. You can also fill in the rest of the details as needed, such as the sign-in page text.

Under Advanced settings, define the background color for your sign-in page as an RGB hex code. This color is used when the background image cannot be loaded. Configure the rest of the information as needed and finally save the configuration.

Now go to your sign-in page and enjoy the new look and feel.

For this demo I used a basic image and configuration, but in your environment you can get a really polished look by configuring company branding properly.

#AzureAD : Custom domain names


Microsoft Azure AD provides an extensive set of features, and many organizations look at it as an opportunity for their IAM solution. Organizations are leveraging it with Microsoft cloud offerings and syncing their on-premises identities with Azure AD. (Note: if you want to know more about how to sync on-premises AD with Azure AD, look at #AzureAD : Azure AD Connect.)

Whenever an organization does this kind of implementation, it tries to make sure end users are not affected. When you sync your on-premises AD with Azure AD and the UPN suffix of your users is not a verified domain in Azure AD, you will observe that the username (the original UPN) is changed to username@<uniquedomainname>.onmicrosoft.com, and this change does affect users.

Look at the “Initial domain name”, which becomes <initialdomainname>.onmicrosoft.com

Because of this change, your users have to remember one more UPN (user principal name). To avoid this complexity, you can use the custom domain names feature in Azure AD.

Log in to the Azure AD portal https://aad.portal.azure.com

Go to Azure Active Directory.

Go to Custom domain names.

Now you can observe two domain names. The first is your on-premises domain name (in my scenario: insidemstech.local) and the other is your Azure AD initial domain name (in my case: insidemstechaad.onmicrosoft.com). If you recall your hybrid configuration, you saw the “Not Verified” status on the Azure AD sign-in configuration page of the Azure AD Connect wizard.

Look at how it appears in the Azure AD Connect configuration.

Now, if it is a public domain name you own and DNS records exist for it, you can click your on-premises domain name and verify it by adding the TXT record Azure AD shows you. A non-routable suffix such as .local cannot be verified this way; in that case add your public domain as an alternative UPN suffix in on-premises AD and update the users' UPNs before syncing.

Once you are done with the verification, the status of your on-premises domain name changes from Unverified to Verified, and your users can use their on-premises UPN to log in to cloud services.
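Before the first sync it pays to know which UPNs Azure AD will rewrite and which suffixes can never be verified. The following is an added example, not the blog's code and not Azure AD Connect's logic, that predicts the cloud UPN for a list of on-premises UPNs against the set of verified domains, and checks whether a zone's TXT records carry the verification value. The verified domain, the initial domain, the UPNs and the "MS=ms12345678" value are constructed placeholders; the real value is whatever the Custom domain names page shows you for your domain.

```python
"""Added example (not the blog's code): predicts which synced UPNs Azure AD
will rewrite to the initial onmicrosoft.com domain, and checks whether a zone's
TXT records carry the verification value. The domains, UPNs and the
"MS=ms12345678" value are constructed placeholders, not the author's tenant."""
from typing import Dict, Iterable, List, Set

NON_ROUTABLE_SUFFIXES = (".local", ".internal", ".corp", ".lan")  # no public DNS, cannot be verified


def is_verifiable(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    return "." in d and not d.endswith(NON_ROUTABLE_SUFFIXES)


def cloud_upn(upn: str, verified_domains: Set[str], initial_domain: str) -> str:
    """Azure AD keeps a synced UPN only when its suffix is a verified domain;
    otherwise the user becomes <prefix>@<initial domain>."""
    prefix, _, suffix = upn.rpartition("@")
    if suffix.lower() in {d.lower() for d in verified_domains}:
        return f"{prefix}@{suffix.lower()}"
    return f"{prefix}@{initial_domain}"


def upn_report(upns: Iterable[str], verified_domains: Set[str],
               initial_domain: str) -> Dict[str, List[str]]:
    """Run before the first sync: anything under 'rewritten' will confuse users,
    and an 'unverifiable_suffix' needs a routable UPN suffix added on-premises."""
    report: Dict[str, List[str]] = {"kept": [], "rewritten": [], "unverifiable_suffix": []}
    for upn in upns:
        new = cloud_upn(upn, verified_domains, initial_domain)
        suffix = upn.rpartition("@")[2].lower()
        if new.lower() == upn.lower():
            report["kept"].append(upn)
            continue
        report["rewritten"].append(f"{upn} -> {new}")
        if not is_verifiable(suffix) and suffix not in report["unverifiable_suffix"]:
            report["unverifiable_suffix"].append(suffix)
    return report


def txt_verified(txt_records: Iterable[str], expected: str) -> bool:
    """True when the zone's TXT records include the value the portal asked for;
    DNS tooling often returns the strings quoted, so quotes are stripped."""
    want = expected.strip().strip('"').lower()
    return any(r.strip().strip('"').lower() == want for r in txt_records)


VERIFIED = {"insidemstech.com"}                    # assumed public domain, already verified
INITIAL = "insidemstechaad.onmicrosoft.com"        # initial domain from the post
ON_PREM_UPNS = ["alice@insidemstech.local", "bob@insidemstech.com",
                "CAROL@INSIDEMSTECH.COM", "dave@insidemstech.local"]

if __name__ == "__main__":
    for key, items in upn_report(ON_PREM_UPNS, VERIFIED, INITIAL).items():
        print(key, items)
```

The TXT check is deliberately tolerant of quoting and case, because the value is compared to what a resolver returns, but it does not query DNS itself; feed it the records from your resolver of choice so the check stays reproducible offline.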