Tag Archives: Azure Active Directory

#AzureAD : Conditional Access

Microsoft Azure AD is truly an Identity and Access Management platform for cloud services. It is not only providing basic identity needs but at the same time it provides advanced features natively such as MFA, dynamic groups management, conditional access etc. Conditional access is like “Icing on the Cake” for cloud apps access control. Every organization runs on transactions, these transactions could be in any form and applications enables these transactions to be happen while rest of the IT works behind the scene. Appropriate access to the applications make your IT secure and reliable, and deliver the business value.

Companies uses many applications either for internal access/users or external access/users or for both. Let me explain, conditional access through an example. Company ABC is a Financial organization and provides many financial services to their customers including Banking, Financing and Share Market services, and they deal with both B2B and B2C market segments. Because of the nature of business, organization doesn’t allow their employees to access their financial transaction applications outside of their bank branches and corporate offices. Due to the employee attrition rate, organization allows their employees to work from remote locations such as home on the rotational basis without impacting any consumer services. Because of the rotation of these employees, you don’t want to provide access based on their rotation. Azure AD conditional access fulfills these requirement by enabling conditional access for cloud apps.

If you don’t know about cloud apps or my apps, read the following articles.

SSO to SaaS

Application Proxy

Access Panel/My Apps

Using My Apps, you can publish both SaaS application available through enterprise gallery and internal applications through application proxy and then you can enable conditional access on these applications. In this scenario, I need to create a policy with following conditions and controls.

Condition	Control
When a user is outside the corporate network	They can’t access the internal transactions app, even though they are connected to corporate network through VPN

Go to the Conditional access.

Select + New policy to define the conditions.

Write the name of the policy.

Now, choose either include or exclude option based on your need.

Select the specific users or groups.

Select your cloud apps.

Now, configure conditions based on your need and available specifications.

Once, you are done with conditions. Click on Done.

Now, configure the access controls based on your requirement.

Now, Enable policy and click on create.

Now, you can see that this policy has been created and enabled.

This was just an example but you can play with it and configure your policies in many permutation and combinations.

#AzureAD : Dynamic groups membership

Leave a reply

Microsoft Azure AD comes with many unique features that provides simplified identity management. One of the unique feature is dynamic group membership for users. Dynamic user membership of security group enables organizations to manage security group membership based on the attribute. Let’s take an example to understand in much better way. Many employees join and leave large organizations on the daily basis or move within the organization to take up a new role. To manage right set of access for active users and write-off the access for employees leaving the organization or moving between department/role is a challenging task but can be simplified with Azure AD. However, there are many third-party solutions are available to do the same but Azure AD provides this feature natively with Premium P1 licenses.

For example, an organization wants to provide certain security and application access to their sales employees and want to avoid human error and delay in the process. Let’s have a look how to configure it.

Go to the Users and groups.

Go to the All groups.

Select + New group to create a new security group.

Enter the group name, description and select “Dynamic User” under membership type.

Select “Dynamic user members” and define Dynamic membership rules. Define rule and click on Add query.

Now, click on create to create this dynamic user membership security group.

Note: In my example, I am using a simple rule but you have an option to write Advanced rule as well.

For example, you want to give this access to field sales employees but not to their support team then define this rule like this:

(user.department -eq “Sales”) -and -not (user.jobTitle -contains “support”)

As of now, I haven’t defined department for any users in my setup. Let me define the department properties.

After updating the department name for a user Rick M, he becomes a member of this group automatically.

Hope, this blogpost helped you to understand this topic and configure your environment.

#AzureAD : Access Panel/My Apps

1 Reply

In digital world, end-users have unspecified number of apps in their personal life as well as professional. In large enterprises, IT team doesn’t know the exact count of applications used by their organization. If counting or remembering the name of the application is quite challenging, you just imagine how someone can remember the URLs and credentials of these applications.

To simplify it, Microsoft has web based access panel called My Apps for enterprise/social applications. You can publish cloud apps available in enterprise gallery or on-premises apps through application proxy or both together seamlessly using a single access control panel. This access panel is not only meant for accessing applications but at the same time it provides few self-service capabilities as well. It also makes sure that security is not compromised at all in any scenario by using capabilities such as Multi-Factor Authentication (if enabled).

Default url of this web-based portal is https://myapps.microsoft.com but can be customized with your specific domain such as https://myapps.microsoft.com/<youscustomdomain>.com . Though, it looks attractive and ease your life but it has following dependency:

It needs Azure AD (native or synced identity)
Cloud applications need to be published through Enterprise gallery
On-premises applications need to be published through application proxy.

Look and feel of myapps:

Scenario 1: Let see how does it look for a user who doesn’t has anything published.

Scenario 2: Let see how does it look for a user who has published apps.

Look and feel of self-service feature in myapps:

Note: You can see few options here (Change password, Set up self service password reset and Additional security verification), it is because of self-service password configuration for this user in his organization. You may not see this options if it is not configured in your environment.

Different applications may have different set “single sign-on mode” methods for authentication and authorization and every method has different configuration. Here is a list of single sign-on modes that cover most of the options:

Azure AD single sign-on disabled

Single sign-on disabled means that you do not want this application to be integrated into Azure Active Directory for single sign-on. This means that when a user signs in to the application, that user must manually enter their username and password. If you had previously enabled an application for Azure Active Directory single sign-on integration and then change back to the single sign-on disabled mode, this will result in users needing to enter their username and password every time they launch this application.

SAML-based Sign-on

Federated single sign-on enables rich and secure authentication to applications using the SAML protocol. Follow the steps below to connect Salesforce to Azure AD using SAML.

Password-based Sign-on

Password-based single sign-on enables secure application password storage and replay using a web browser extension or mobile app. This leverages the existing sign-in process provided by the application, but enables an administrator to manage the passwords and does not require the user to know the password.

Linked Sign-on

Linked sign-on allows you to add a link to an application in the Azure Active Directory Access Panel and/or Office 365 application launcher for selected users. This option does not add single sign-on to the application, however the application may already have single sign-on implemented using another service such as Active Directory Federation Services.

Integrated Windows Authentication

Integrated Windows Authentication (IWA) provides a single sign on experience by allowing the Application Proxy Connectors permission in Active Directory to impersonate users to the published application, using Kerberos constrained delegation.

Header-based Sign-on

Microsoft and Ping Identity have partnered to extend Azure AD Application Proxy to support single sign-on (SSO) for header-based authentication to web applications running on-premises.

Note: These are sign-on methods and few of them need additional configuration based on application. Therefore, please make sure that you have all required information to configure any one of these sign-on methods.

Web browser requirements: Browser used to access myapps application should have minimum JavaScript and CSS enabled. Following browsers are supported for myapps:

Edge on Windows 10 Anniversary Edition or later

Chrome — on Windows 7 or later, and on MacOS X or later

Firefox 26.0 or later — on Windows XP SP2 or later, and on Mac OS X 10.6 or later

Internet Explorer 8, 9, 10, 11 — on Windows 7 or later (limited support)

Extension required for my apps secure sign-in: You need to install an extension to use my apps secure sign-in. Make sure you are not trying to install it in incognito window or private mode.

Mobile Apps for Android and iOS: My apps is also available through mobile app. You can use it either on android device or an iOS device

Min Android version: 4.1 and above

Min iOS version: 7 and above

#AzureAD : Self-service group management

Leave a reply

Azure AD simplifies the security group management process by providing self-service capability. By default, administrator manages the requests to add/remove someone from a group or bunch of groups but it is a repeated job that doesn’t create any value for the organization. Azure AD provides two ways to manage these groups, delegated group management and self-service group management.

Delegated group management: It allows administrator to delegate the group management task to the people who can take care of it. If administrator delegates group management task to user A and User A starts managing these groups membership and in the future Manager extends his team with new team members and wants to delegate the membership of new team members to another user B from extended team, administrator delegates user B to manage this group as well. Now, user A and user B both can manage the membership of their team members / peers independently but will not be able to vice-versa.

Self-service group management: It allows a user to create a new security group and manage its membership. This group owner can assign ownership to other users or can ask administrator to do same as well. In this scenario if one security group is being used by two different teams to assign access on one of the application and administrator wants to push a new application through the gallery, then it can be easily done by just adding to this group. Therefore, if any a new user will be added going forward then it will have access on new application as well.

Now, let’s have a look how to do it.

First, allow administrator to enable this feature. Login to https://portal.azure.com or https://aad.portal.azure.com . In my case, I am using https://aad.portal.azure.com

Go to the Users and groups.

Go to the Group settings.

In the General section of this window, enable self-service group management. You can also specify either security groups can be created or not and who can manage security groups. In my scenario, only members of SSGM group can manage the security groups.

Now, ask users to login to https://aad.portal.azure.com and allow them to manage their security groups.

Once login, go to the Users and groups.

Go to the All groups and click on +New group to create a new security group.

Fill the required details and add members.

Once, group is created then you can add members to this group any point in time.

You will notice if another user who has privilege to manage security groups and try to manage this group, he can’t add members or remove any one from this security group.

Once, owner of this security group or administrator allow this privilege user to manage this security group by adding him under owners.

Now, you can see that he can manage the membership of this security group.

You can do many more things gently with the capability of self-service group management. Therefore, play with it and share your experiences/queries through the comment box.

#Azure AD : Self-service Password Management

Leave a reply

Azure AD provides self-service capabilities for Password management. This built-in capability of Azure AD not only reduce the number of helpdesk tickets but at the same time it enhances the productivity of the user by saving time and efforts put in requesting for the password reset or account unlock. Azure AD self-service password reset capability also known as SSPR. Azure AD SSPR provides different set of capabilities with different edition of Azure AD.

Azure AD Free: Supports SSPR for Cloud-only administrators.

Azure AD Basic: Supports SSPR for Cloud-only users.

Azure AD Premium: Supports SSPS for all the users including cloud users, on-premises users with password sync and federated users but the password write-back must be enabled for on-premises users.

Azure AD SSPR simplifies the password management in following scenarios:

Forgot Password: This is a common issue among the users. If user forgot his password and wants to rest the password then he must go through one of the validates authentication methods:

By phone call to validated mobile phone
By text message to validated mobile phone
By email to validated secondary email account
By answering security questions

Change password: If any time users wants to change his/her password for any reason, they can change their password but they should remember their current password.

Unlock account: This is another common issue among the users. If your account has been locked and you are unable to login, use this method to unlock your account with valid authentication methods.

Now, let’s have a look how to do it.

First, login to Azure AD to configure Azure AD for SSPR.

Go to the Password reset and select the appropriate SSPR option. Either you can select the group for SSPR or select all for all the users.

If you want to SSPR for all the users then select All and then save the configuration.

In my scenario, I am selecting Selected for specific groups.

I have selected a group called SSPR here to provide SSPR capability to the users.

Now select the Authentication method.

I am selecting all the methods. If you select “security questions” option then you need to set the security question. Click on “Select security questions”

You can select the security question from Predefined and Custom options.

In my case, I am selecting 5 predefined security questions.

Select all the questions and click on OK.

Once configured all the authentication methods, click on Save.

Now, it is time to configure the end user setting.

Ask your users to login to the https://portal.azure.com and configure their accounts with additional security.

Select the required options and set them now.

Select the questions from drop down menu.

Answer these questions and click on save answers.

Once done, click on finish.

Login to your Azure services. I am trying to login to the https://myapps.microsoft.com . Enter your user name and click on Next.

Click on “Forgot my password”

Fill the details and click on Next

Answer your security questions for verification and click on Next.

Now, enter your new password and click on Finish.

Your password has been reset, Now, login with your new password and enjoy!

#AzureAD : Multi-factor Authentication

Leave a reply

Multi-factor authentication mostly refers to two-factor authentication that provides enhanced security to user sign-ins and transactions. There are many solutions available in the market and Azure MFA is one of them. Azure MFA is a cloud access control service offering, and quite simple to use and configure. However, MFA for Office 365 and Azure AD admins available at no extra cost but Azure Multi-Factor authentication full version license can be configured through Azure Active Directory Premium or Enterprise Mobility + Security.

With the third-party partnership offerings, Microsoft makes this service a real multi factor authentication by adding one more layer of authentication mechanism. Therefore, now you can call it three-factor authentication. Third-party MFA partners are:

Azure MFA native verification process can be achieved by three options.

Authentication Phone
Office Phone
Mobile App

Let’s see how to set it up:

Go to the Users and groups, and go to the All users.

Click on Multi-Factor Authentication.

MFA console will open in new tab.

Select a user and click on Enable.

Click on enable multi-factor auth.

Once, updated successfully. Click on Close. Now, MFA has been enabled successfully for the selected user.

Once as an administrator, you have enabled any user for MFA then user has to follow the following steps to complete the process.

Now, user should go to the browser try to login to the Azure services. In my scenario, I am trying to login to the https://myapps.microsoft.com

Once user has entered his/her credential, he/she will be redirected to the new page to setup his/her MFA. Click on set it up now.

Now, user can see; there are three options available for additional security verification.

Option 1: Authentication phone

Option 2 : Office phone

Option 3 : Mobile app

In my scenario, I have selected option 1 with “call me” method. Enter required details and click on Next

Now, user will receive a call for verification.

Once, verification will be completed successfully then user will be redirected to step 3. Read the information and click on Done.

Next time, whenever user will try to login; he/she will receive a phone call for verification.

Hope, this blog post helped you to understand Microsoft Azure MFA. However, you can try different verification methods and post your queries in comment section.

#AzureAD : Application Proxy

Leave a reply

I believe many of you have heard about reverse proxy multiple times in your IT career. If anytime you had published any web application through reverse proxy, you can easily understand the complexity and pain behind it. To publish a web application, you would have been worked with multiple teams for fulfilling security, network and DMZ requirements. Azure AD makes it quite simple for us, you just need to enable, download and install application proxy, and finally publish your internal web application. To use this application proxy server, you need a Windows server with either Windows Server 2012 R2 or Windows Server 2016 operating system and keep this VM as a standalone machine. So now, let’s have a look how to do it.

Login to the Azure Portal from application proxy VM and go to Azure Active Directory and then go to the Application proxy to download connector.

A web browser will open, select terms and condition and download the tool.

Once tool is downloaded, run the tool and agree to the license terms and condition and click on Install.

Now, AAD Application Proxy Connector installation will start.

Now, installation will progress further and will finish in few minutes.

Now, go to the Azure portal and enable application proxy.

Once it is done, you will be able to find your application proxy server in active status.

Now, It is a time to publish your internal application. Therefore, go to the Enterprise applications under Azure AD.

Click in “On-premises application”.

Enter your internal url and save the settings. However, you should note down the external url to access this application.

Select Assign a user for testing.

Add users and define their roles and click on Assign.

Once, you are done please wait for some time. Now access your application from the internet by using the external url. You can also publish this app through myapps portal, the way we publish enterprise apps from the gallery.

Now, you can see that I am able to access my intranet portal. (I am not a developer, however I tried to modify the default IIS page )

If you have MFA enabled for your users, you can leverage an additional layer of security for your internal web applications as well.

#AzureAD : SSO to SaaS

Leave a reply

In this era, Software as a Service offerings have changed the entire applications landscape. Now, organizations want to take advantage of the enterprise applications to solve their business problems but trying to avoid heavily in deploying and managing these applications. Azure AD is playing a vital role in this space by providing single sign experience to the enterprise users. It is not just providing SSO experience but at the same time maintaining security context for the applications by providing features such as MFA and auditing.

Let’s have a look, how to configure enterprise application from the gallery and associate with your Azure AD.

Go to the Enterprise applications.

Click on New application.

There are around 3000 applications available in gallery. Look for the application that you like to add.

In my case, I am trying to add twitter for single sign on. Now, you may have a quick question; why twitter? Just think about any multinational organization, it operates in several countries and obviously every country would like to tweet something specific to their country. How will manage it? You wouldn’t like to create multiple accounts or different local identities for your organizations as you have unique brand value associated with specific name. Here, with Azure AD you can have a single twitter account and its password managed by one responsible person and access can be given to multiple people who are involved in PR activities.

Click on Add.

Now you are ready to configure your application. You can assign user, configure single sign-on, conditional access etc.

Let me add two users so that both can access this account without knowing the password through https://myapps.microsoft.com

Select the users and click on select.

Once users selected, click on Assign.

Now, it is time to set the Single-Sign-on mode. Go to the Single sign-on mode and select the Password -based Sign-on.

As, I would like to set the password for my twitter account and give access to end users. Therefore, select the user and click on update credentials.

Set the twitter account credentials. If you don’t want to update the credential in future then select “I want Azure AD to automatically manage this user or group’s password” option so that Azure AD can manage it on your behalf. Perform the same steps for another user.

Now, login to https://myapps.microsoft.com and access your applications.

#AzureAD : Azure AD Connect

1 Reply

Azure Active Directory Connect (a.k.a. AAD Connect) is a tool provided by Microsoft to connect your Windows Server Active Directory to Microsoft Azure AD. It incorporates all the features provided by preceding synchronization tools (Azure AD Sync and Dir Sync) and provides many advance features natively. Future release of AAD Connect is about to provide many FIM 2010 R2 (Forefront Identity Manager) and MIM 2016 (Microsoft Identity Manager) features such as connect to single or multiple on-premises LDAP directories, connect to on-premises AD and on-premises LDAP directories, connect to custom systems (i.e. SQL, Oracle, MySQL etc.) and connect to on-premises HR Systems (i.e. SAP, Oracle, eBusiness, Peoplesoft).

Here is the system pre-requisite to install AAD Connect:

At least Windows Server 2008 or later. (Note: If using Windows Server 2008 or 2008 R2 then apply the latest updates and hotfixes before starting the installation.)
Windows Server Standard edition or above, Essential is not supported.
Full GUI version of Windows Server, server core is not supported.
Server must have .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later installed.
At least Windows Server 2008 R2 SP1 or later if you have plan to use password synchronization feature.
At least Windows Server 2012 or later if you have plan to use group managed service account feature.
Server must not have PowerShell Transcription Group Policy enabled.

Now let’s have a look on how to install and configure AAD Connect. I am using Windows Server 2016 for AAD Connect server and will use local SQL server 2012 express edition. SQL Server 2012 express edition is a default DB option and recommended for small to medium AD environment with up to 100K AD objects. Otherwise, you can use SQL server instance with “customize” option at the time of installation.

First, go to your Azure AD tenant and create an account with global administrator directory role. This global administrator account will be used to configure AAD Connect.

Once user is created, login to the https://portal.azure.com to set the new password.

Now, open https://portal.azure.com on AAD Connect server and login with global administrator account.

Now click on Azure Active Directory in the left panel.

Now, Click on Azure AD Connect.

Now, click on “Download Azure AD Connect”. (Note: you can also download it directly from the web.)

Now, Run the executable file to install the Azure AD Connect tool.

Once installation is completed, a new wizard will open. Accept the term and conditions and click on continue.

Now, you have two options either go with express settings or click on customize. If your AAD Connect server is not domain joined then you will not have a choice to go with express settings.

Installation using express settings is too simple. You just need to make sure your AAD Connect server is domain joined and then follow the steps.

In this blogpost let me show you how to install AAD Connect with customize option. There are four optional self-explanatory configuration choices but I’m not going to select anyone for customization. However, I’ll explain these options in next step.

If you select first two options for customization then you need to provide an installation location path for “Specify a custom installation location” option and SQL server name and instance name for “Use an existing SQL Server” option. As well as you need to make sure required ports are open to connect to SQL Server.

“Use an existing service Account” customization option requires either Managed Service Account credentials or service account credential that is part of the domain in Domain Account option to connect with remote SQL Server. Make sure the user who is running the installation has SA role in SQL so that a login for the service account can be created. By default, AAD Connect creates four sync groups in local server but if you would like to select your own groups then specify those here and make sure those groups are local to the server, not in domain.

In my installation, I am not performing any optional configuration. Click on Install.

Once Installation starts, will take couple of minutes.

In User sign-in window select the sign on method and click Next.

Enter the credential of Azure AD global administrator. This step will verify your credentials.

Now, you need to connect your Widows Server Active Directory forest. This step is quite simple if your AAD Connect server is domain joined. Enter your forest fqdn and click on Add Directory.

Now, you have two option either create new AD account using Enterprise Admin credential or use existing account. In my case, I am creating a new AD account.

You may find the following error while creating a new account.

[Workaround: Go to your Active Directory and you will find a newly created user with MSOL_****** in Users container. Reset the password and copy the user name. While doing it please make you are assigning required permission (read and write) to this user.]

Required permissions:

For Password Sync: Replicate Directory Changes and Replicate Directory Changes All

For Password Writeback: Reset password

Enter the MSOL_***** credential under “Use existing AD account”.

Now, you can see that forest has been added under configured directories. Click on Next.

In Azure AD sign-in configuration you will find your Active Directory UPN Suffix but in Azure AD Domain section you can find three different states (Verified, Not Verified and Not Added).

If you want to change the Azure AD Domain status, go to the Azure portal and add custom domain. However, while adding custom domain you can verify your domain as well. In my case, I didn’t verify it.

Refresh, now you can see that status has been changed from “Not Added” to “Not Verified”. Select “continue without any verified domains” and click on Next.

Select required option and click on Next.

Select “Let Azure manage the source anchor for me” and click on Next.

Select required option and click on Next.

Select required features and click on Next.

Click on Install.

Configuration will take couple of minutes.

Once configuration completes, you will get this wizard. Click on Exit.

Now, you Windows Server Active Directory has been synced with Azure AD. If you want to do any customization after initial setup, you can open Azure AD Connect and make the necessary changes.

#AzureAD : Microsoft Azure Active Directory

Leave a reply

First, a small clarification for entrants: Nowadays a big confusion exists among the IT folks for Active Directory. If you had worked on Active Directory in the past and asked anyone about Microsoft Identity or Directory services, you must have received a simple answer i.e. Active Directory or Windows Server Active Directory. However, people who still worked on Active Directory they know multiple variations of Active Directory. All of these confusions came up in existence because of cloud. Let me explain these variations in a simplest form:

Windows Server Active Directory (Native)
Azure Active Directory (Identity as a Service)
Active Directory on Azure (Basically Windows Server Active Directory on Azure IaaS)

In this article, I’ll explain Azure Active Directory (a.k.a. Azure AD) in detail:

Azure AD is an Identity and access management service provided by Microsoft Azure. It is a multi-tenant, cloud based identity and was initially started with Microsoft Office 365 (formerly known as BPOS). It provides identity and access management for SaaS offerings as well as for core infrastructure and platform services. When setup your Microsoft Azure or Office 365 subscription first-time, by default an Azure AD tenant created for your subscription. Azure AD is also an integral part of Microsoft Enterprise Mobility Suite (EMS) and not limited to only identity services. It also provides advance protection services such as MFA and threat management services such as security reports, audits, alerts and adaptive conditional access policies based on device health, user location and risk level. Apart from these unique features Azure AD can be synced with on-premise Windows Server Active Directory through Azure AD Connect and provides many user/admin friendly features such as self-service password management, self-service group management, privileged account management, role based access control, dynamic group membership etc. Some unique set of capabilities such as application proxy to publish your intranet web applications is also part of the Azure AD.

Courtesy: Microsoft Ignite

Nevertheless, one blog post can’t explain you an ocean of Azure AD in one place. Let me explain different editions of Azure AD that fits in different requirements/scenarios.

Azure AD Free: Free always looks good to everyone It comes with all Azure subscription by default and offers all common set of identity features without any cost.

Azure AD Basic: It meant for cloud focused and cloud-first needs, and provides distinct functionality such as single sign-on experience for cloud centric applications, self-service password reset for cloud users along with group based access management. It also provides some great tools such as application proxy to publish your on-premises web applications using Azure AD, customized logon page, and all backed by an enterprise level SLA of 99.9% uptime.

Azure AD Premium P1: It can be seen as a top up on Azure AD Basic and provides great capabilities for hybrid identity environments. It is a complete suite for enterprise identity needs and provides features such as self-service group and app management, self-service password management and write back, device objects two-way synchronization between on-premises directories and Azure AD (Device write-back), Multi-Factor Authentication, Cloud App discovery, and many more.

Azure AD Premium P2: It is basically designed for advanced identity protection and privileged identity management, and covers all necessary security related concerns on top of Azure AD Premium P1. Azure advanced identity protection helps you to leverage inbuilt intelligence to control access to your applications and critical organization data based on user risk profile dynamically. While Azure AD privileged identity management allows you to control administrators access to resources and provide just-in time access based on the need.

Now, let’s see how to create an Azure AD tenant.

Login to your Azure subscription.
Look at the left panel and click on +New.
Look for Azure Active Directory in Azure Marketplace search window.
Click on Create from Azure Active Directory panel.
Now fill the organization name, intial domain name and select the “Country or region” and click on create.
Once directory created then you can click on “here” and play with your Azure AD.