What is Azure Active Directory?
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which lets an organization’s employees sign in and access resources. Those resources can be external, such as Microsoft 365, the Azure portal, and hundreds of third-party SaaS applications, or internal, such as apps on the organization’s corporate network and intranet and any cloud apps the organization develops for its own use. Many large organizations use Azure AD as an extension of their on-premises Windows AD so that the same identity works for both internal and external resources.
Microsoft Online business services, such as Office 365 or Microsoft Azure, require Azure AD for sign-in and identity protection. Any subscriber to a Microsoft Online business service automatically gets Azure AD with access to all of the free features.
To enhance an existing Azure AD implementation, the subscriber can add paid capabilities by upgrading from the free tier to Azure Active Directory Premium P1 or Premium P2 licenses. The paid licenses are built on top of the existing free directory and add self-service, enhanced monitoring, security reporting, and secure access for mobile users.
In this blog we give an overview of the additional features that the Azure AD Premium P1 and Premium P2 licenses provide. Administrators can purchase these licenses on a subscription basis, and Microsoft provides a free one-month trial so that the features can be evaluated first.
Access URL: https://aad.portal.azure.com/
Log in to the Azure AD portal → on “My Dashboard” click Try Azure AD Premium → click Activate under Free trial on Azure AD Premium P2. A notification “Successfully activated Azure AD Premium P2 trial” confirms that the trial is active.
Premium features available in Azure AD Premium P1 and P2
- Password Protection (custom banned passwords)
- Password Protection for Windows Server Active Directory (global and custom banned passwords)
- Self-service password reset/change/unlock with on-premises write-back
- Group access management
- Microsoft Cloud App Discovery
- Azure AD Join: MDM auto-enrollment and local admin policy customization
- Azure AD Join: self-service BitLocker recovery and Enterprise State Roaming
- Advanced security and usage reports
- Application Proxy
- Microsoft Identity Manager user CAL
- Connect Health
- Advanced group access management: dynamic groups, group creation permission delegation, group naming policy, group expiration, usage guidelines, and default classification
- Conditional Access based on group, location, and device state
- Azure Information Protection integration
- SharePoint limited access
- Multi-Factor Authentication with Conditional Access
- Microsoft Cloud App Security integration and integration with third-party identity governance partners
All of the above are Premium features: they are included in both Premium P1 and Premium P2, and are not part of the free Azure AD that comes with Office 365.
What is available in Premium P2 and not in Premium P1?
Identity Protection and Identity Governance are exclusive to Premium P2. This blog details two main Premium P2 features: Identity Protection, and Privileged Identity Management (PIM) within Identity Governance.
- Identity Protection: vulnerabilities and risky accounts detection, risk events investigation, and risk-based Conditional Access policies
- Identity Governance: Privileged Identity Management (PIM), access reviews, and entitlement management
Identity Protection –
Identity Protection is a tool that allows organizations to accomplish three key tasks:
- Automate the detection and remediation of identity-based risks
- Investigate risks using data in the portal
- Export risk detection data to third-party utilities for further analysis
Administrators can review detections and take manual action on them if needed. There are three key reports that administrators use for investigations in Identity Protection:
- Risky users
- Risky sign-ins
- Risk detections
The Identity Protection menu blade has four main parts: Protect, Report, Notify, and Troubleshooting + Support.
Protect – User risk policy, Sign-in risk policy, and MFA registration policy
User risk policy –
Here administrators can enable the user risk policy to protect users and remediate risk, scoped to all users or to selected individuals and group members (with exclusions). Administrators set the condition under which the policy applies based on the user risk level (Low, Medium, or High). The resulting access control is either to block access or to allow access but require a secure password change, which also remediates the user’s risk.
Sign-in risk policy
Here administrators can enable the sign-in risk policy to protect sign-ins, again scoped to all users or to selected individuals and group members (with exclusions). Administrators set the condition under which the policy applies based on the sign-in risk level (Low, Medium, or High). The resulting access control is either to block access or to allow access but require multi-factor authentication. Note the split: user risk is remediated by a password change and sign-in risk by MFA, so the two policies are meant to be configured together.
MFA registration policy
Azure Multi-Factor Authentication verifies users with more than just a username and password, adding a second layer of security to user sign-ins. Before users can respond to MFA prompts, they must register for Azure Multi-Factor Authentication. This registration policy supports only Azure MFA, not the on-premises MFA Server or third-party MFA apps. Here too administrators can enforce registration for all users or for selected individuals or group members.
Risky users report
This report lists users flagged for risk. A risky sign-in is an indicator that a sign-in attempt might have been performed by someone other than the legitimate owner of the account; a risky user is an indicator that the user account itself might have been compromised.
Selecting a user in this report shows detailed information: basic information about the user, their recent risky sign-ins, detections not linked to a sign-in, and their risk history.
Risky sign-in report
A comprehensive view of risky sign-in activity across all users. Administrators can filter on:
- Date – last 1 month, last 7 days, last 24 hours, or a custom time interval
- Risk state – At risk, Confirmed compromised, Confirmed safe, Dismissed, and Remediated
- Risk level – High, Medium, and Low
- Detection type – Anonymous IP address, Atypical travel, Impossible travel, Malicious IP address, Malware linked IP address, Suspicious inbox manipulation rule, and Unfamiliar sign-in properties
Risk detections report
The risk detections report contains filterable data for up to the past 90 days (3 months).
With the information provided by the risk detections report, administrators can find:
- Information about each risk detection including type
- Other risks triggered at the same time
- Sign-in attempt location
- Link out to more detail from Microsoft Cloud App Security (MCAS)
Administrators can then choose to return to the user’s risk or sign-ins report to take actions based on information gathered.
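The report filters and the two risk policies described above can be reproduced offline against an export of the risk detections, which is useful when the portal is not the place the investigation happens (a SIEM, a ticket, a notebook). The following is an added example written for this post, not code from the original article or from Microsoft: the field names follow the Microsoft Graph riskDetection resource, the sample records are constructed, and the policy thresholds (user risk High, sign-in risk Medium) and the per-user aggregation of open detections are assumptions that mirror the portal controls rather than the service’s internal scoring.

```python
"""Offline triage of Azure AD Identity Protection risk detections.

Added example; not code from the original post. Field names follow the
Microsoft Graph riskDetection resource (riskEventType, riskLevel, riskState,
activityDateTime, userPrincipalName, ipAddress, location). SAMPLE_DETECTIONS
is constructed for illustration, not a real export, and the policy thresholds
and per-user aggregation are assumptions that mirror the portal controls.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RISK_RANK = {"low": 1, "medium": 2, "high": 3}
OPEN_STATES = {"atRisk", "confirmedCompromised"}  # still needs attention

# Constructed sample, shaped like /identityProtection/riskDetections output.
SAMPLE_DETECTIONS = [
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "medium", "riskState": "atRisk", "ipAddress": "203.0.113.7",
     "location": {"city": "Lagos", "countryOrRegion": "NG"},
     "activityDateTime": "2021-03-10T08:12:00Z"},
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "high", "riskState": "atRisk", "ipAddress": "198.51.100.23",
     "location": {"city": "Unknown", "countryOrRegion": "Unknown"},
     "activityDateTime": "2021-03-10T08:13:30Z"},
    {"userPrincipalName": "bob@contoso.example", "riskEventType": "unlikelyTravel",
     "riskLevel": "low", "riskState": "remediated", "ipAddress": "192.0.2.44",
     "location": {"city": "Seattle", "countryOrRegion": "US"},
     "activityDateTime": "2021-02-02T17:40:00Z"},
    {"userPrincipalName": "carol@contoso.example", "riskEventType": "maliciousIPAddress",
     "riskLevel": "high", "riskState": "confirmedCompromised", "ipAddress": "203.0.113.99",
     "location": {"city": "Kyiv", "countryOrRegion": "UA"},
     "activityDateTime": "2021-03-09T22:05:00Z"},
]


def sample_now():
    """Fixed 'now' so the sample window is reproducible (assumption)."""
    return datetime(2021, 3, 11, tzinfo=timezone.utc)


def parse_ts(value):
    """Graph timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def filter_detections(detections, now, days=None, states=None, levels=None, types=None):
    """The four filters of the risky sign-ins blade: date window, state, level, type."""
    kept = []
    for d in detections:
        if days is not None and parse_ts(d["activityDateTime"]) < now - timedelta(days=days):
            continue
        if states and d["riskState"] not in states:
            continue
        if levels and d["riskLevel"] not in levels:
            continue
        if types and d["riskEventType"] not in types:
            continue
        kept.append(d)
    return kept


def correlate(detections, window_minutes=5):
    """Per user, cluster detections that fired within window_minutes of each other
    ('other risks triggered at the same time' in the risk detections report)."""
    by_user = defaultdict(list)
    for d in detections:
        by_user[d["userPrincipalName"]].append(d)
    clusters = {}
    for upn, items in by_user.items():
        items.sort(key=lambda d: parse_ts(d["activityDateTime"]))
        groups = []
        for d in items:
            last = groups[-1][-1] if groups else None
            gap = parse_ts(d["activityDateTime"]) - parse_ts(last["activityDateTime"]) if last else None
            if last and gap <= timedelta(minutes=window_minutes):
                groups[-1].append(d)
            else:
                groups.append([d])
        clusters[upn] = groups
    return clusters


def user_risk_level(detections, upn):
    """Aggregate user risk: highest level among the user's still-open detections.
    Simplification (assumption): the real service derives user risk from more signals."""
    open_levels = [d["riskLevel"] for d in detections
                   if d["userPrincipalName"] == upn and d["riskState"] in OPEN_STATES]
    return max(open_levels, key=RISK_RANK.__getitem__, default=None)


def user_risk_action(detections, upn, threshold="high"):
    """User risk policy: at or above threshold, require a secure password change."""
    level = user_risk_level(detections, upn)
    if level is None or RISK_RANK[level] < RISK_RANK[threshold]:
        return "allow"
    return "requirePasswordChange"


def signin_risk_action(detection, threshold="medium"):
    """Sign-in risk policy: at or above threshold on an open detection, require MFA."""
    if detection["riskState"] not in OPEN_STATES:
        return "allow"
    if RISK_RANK[detection["riskLevel"]] < RISK_RANK[threshold]:
        return "allow"
    return "requireMfa"


def triage(detections, now, days=7):
    """Open detections in the window, correlated per user, with both policy outcomes."""
    recent = filter_detections(detections, now, days=days, states=OPEN_STATES)
    report = {}
    for upn, groups in correlate(recent).items():
        report[upn] = {
            "userRisk": user_risk_level(recent, upn),
            "userPolicy": user_risk_action(recent, upn),
            "signInPolicy": [signin_risk_action(d) for d in recent if d["userPrincipalName"] == upn],
            "correlated": [[d["riskEventType"] for d in g] for g in groups],
        }
    return report


if __name__ == "__main__":
    for upn, row in triage(SAMPLE_DETECTIONS, sample_now()).items():
        print(upn, row)
```

Run as-is it prints one row per user with open risk in the last seven days: the user who tripped an unfamiliar-properties detection and an anonymizer IP ninety seconds apart shows up as one correlated cluster and would be pushed to a password change by the user risk policy and to MFA by the sign-in risk policy; the remediated detection from a month ago is not in the window at all. Swap the constructed list for the JSON you export from the portal or Graph and the same functions apply.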
Privileged Identity Management (PIM)
Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Office 365 or Microsoft Intune. Azure AD PIM is a Premium P2 feature that lets a Global administrator limit standing admin access to privileged roles, and much more. Using it involves four steps:
- Assign users or current admins as eligible admins for specific Azure AD roles, so that they only have access when necessary
- Activate eligible admin roles just in time, so that privileged access is time-limited instead of standing
- View and approve all activation requests for the specific Azure AD roles that you are configured to approve
- View and export the history of all privileged identity assignments and activations so you can identify attacks and stay compliant
Assigning roles to users is straightforward. Users with excessive access, i.e. a single user assigned to several administrative roles, are a serious liability if the account is compromised. A Global administrator should review, renew, and extend access to resources periodically rather than leaving it permanent.
Activate just in time
It is also good practice to assign important roles such as Exchange administrator to users only for a limited period of time. A Global administrator can review and extend the role whenever it is needed.
A Global administrator chooses the assignment type, either Eligible or Active, can disallow permanent eligible assignments, and sets a duration for the user’s role.
Discover and Monitor
Select the assigned user and view their role assignments for continuous monitoring. The administrator should know who has access to what, and should receive notifications when new assignments are granted to accounts in the organization. Select the member and check their roles under Eligible roles, Active roles, and Expired roles, and monitor the user periodically.
For example, for a user assigned the Exchange administrator role, open that role’s settings and configure the activation, assignment, and notification settings so that role changes are both constrained and reported by mail. Activation settings –
- Activation maximum duration (in hours)
- Require justification on activation – Yes
- Require ticket information on activation – Yes / No
- On activation, require Azure MFA – Yes
- Require approval for activation – Yes / No
- Approvers – a Global administrator or a user holding a privileged admin role
Assignment settings –
- Allow permanent eligible assignment – Yes / No
- Expire eligible assignment after – Choose end period
- Allow permanent active assignment – Yes / No
- Expire active assignment after – Choose end period
- Require Azure MFA on active assignment – Yes / No
- Require justification on active assignment – Yes / No
Send notification settings
- Send notifications when members are assigned as eligible to this role
- Send notifications when members are assigned as active to this role
- Send notifications when eligible members activate this role
A Global administrator can edit these settings for each role; the Exchange administrator role is used as the example here.
Security breaches are common and occur every day, so it is very important for an administrator to protect Azure AD resources. The basic version of Azure AD is not sufficient given the increasing level of threats, and it has become more and more important to protect resources with more than just a username and password. By implementing Azure AD Privileged Identity Management, organizations can protect their resources with stronger controls and keep an eye on what legitimate administrators are doing. By implementing Azure AD Identity Protection, administrators can detect potential vulnerabilities affecting the organization’s identities, configure automated responses, and investigate incidents.
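To make the activation, assignment, and notification settings concrete, here is an added example (not code from the original post or from any Microsoft tool) that represents the settings listed above as plain dictionaries, audits a permissive configuration against a hardened one, and simulates the gate an eligible member must pass to activate the role. The setting keys, both configurations, the approver address, the ticket number, and the baseline limits are constructed assumptions, not Microsoft defaults.

```python
"""Audit Azure AD PIM role settings and simulate a just-in-time activation.

Added example; not code from the original post. The keys mirror the portal
controls (activation maximum duration, justification, ticket, MFA, approval,
permanent eligible/active assignment and expiry, notifications). Both settings
dictionaries are constructed, not exported from a tenant, and the baseline
limits below are the author's assumptions, not Microsoft defaults.
"""

# Constructed: a role left at permissive values (standing access, no MFA, no approval).
WEAK_EXCHANGE_ADMIN = {
    "role": "Exchange Administrator",
    "activation_max_hours": 24,
    "require_justification_on_activation": False,
    "require_ticket_on_activation": False,
    "require_mfa_on_activation": False,
    "require_approval_for_activation": False,
    "approvers": [],
    "allow_permanent_eligible_assignment": True,
    "eligible_assignment_expiry_days": None,
    "allow_permanent_active_assignment": True,
    "active_assignment_expiry_days": None,
    "require_mfa_on_active_assignment": False,
    "require_justification_on_active_assignment": False,
    "notify_on_eligible_assignment": False,
    "notify_on_active_assignment": False,
    "notify_on_activation": False,
}

# Constructed: the same role tightened to approved, MFA-gated, time-limited access.
HARDENED_EXCHANGE_ADMIN = dict(
    WEAK_EXCHANGE_ADMIN,
    activation_max_hours=4,
    require_justification_on_activation=True,
    require_ticket_on_activation=True,
    require_mfa_on_activation=True,
    require_approval_for_activation=True,
    approvers=["pim-approver@contoso.example"],  # constructed approver
    allow_permanent_eligible_assignment=False,
    eligible_assignment_expiry_days=180,
    allow_permanent_active_assignment=False,
    active_assignment_expiry_days=15,
    require_mfa_on_active_assignment=True,
    require_justification_on_active_assignment=True,
    notify_on_eligible_assignment=True,
    notify_on_active_assignment=True,
    notify_on_activation=True,
)

# Assumed baseline limits (not Microsoft defaults).
MAX_ACTIVATION_HOURS = 8
MAX_ELIGIBLE_DAYS = 365
MAX_ACTIVE_DAYS = 30


def audit_role_settings(s):
    """Return a list of findings; an empty list means the role meets the baseline."""
    findings = []
    if s["activation_max_hours"] > MAX_ACTIVATION_HOURS:
        findings.append(f"activation window {s['activation_max_hours']}h exceeds {MAX_ACTIVATION_HOURS}h")
    for key in ("require_mfa_on_activation", "require_justification_on_activation",
                "require_mfa_on_active_assignment", "require_justification_on_active_assignment"):
        if not s[key]:
            findings.append(f"{key} is off")
    if not s["require_approval_for_activation"]:
        findings.append("activation does not require approval")
    elif not s["approvers"]:
        findings.append("approval required but no approvers configured")
    if s["allow_permanent_eligible_assignment"] or s["eligible_assignment_expiry_days"] is None:
        findings.append("eligible assignments may be permanent")
    elif s["eligible_assignment_expiry_days"] > MAX_ELIGIBLE_DAYS:
        findings.append("eligible assignment expiry too long")
    if s["allow_permanent_active_assignment"] or s["active_assignment_expiry_days"] is None:
        findings.append("active assignments may be permanent (standing access)")
    elif s["active_assignment_expiry_days"] > MAX_ACTIVE_DAYS:
        findings.append("active assignment expiry too long")
    for key in ("notify_on_eligible_assignment", "notify_on_active_assignment", "notify_on_activation"):
        if not s[key]:
            findings.append(f"{key} is off; admins will not learn of new access")
    return findings


def evaluate_activation(s, request):
    """Simulate the activation gate for an eligible member. request is a constructed
    dict with requested_hours, justification, ticket, mfa_completed, approved_by.
    Returns (granted, reasons)."""
    reasons = []
    if request.get("requested_hours", 0) > s["activation_max_hours"]:
        reasons.append("requested duration exceeds activation maximum")
    if s["require_justification_on_activation"] and not request.get("justification"):
        reasons.append("justification required")
    if s["require_ticket_on_activation"] and not request.get("ticket"):
        reasons.append("ticket number required")
    if s["require_mfa_on_activation"] and not request.get("mfa_completed"):
        reasons.append("Azure MFA not completed")
    if s["require_approval_for_activation"] and request.get("approved_by") not in s["approvers"]:
        reasons.append("activation not approved by a configured approver")
    return (not reasons, reasons)


if __name__ == "__main__":
    for role in (WEAK_EXCHANGE_ADMIN, HARDENED_EXCHANGE_ADMIN):
        print(role["role"], audit_role_settings(role) or "meets baseline")
    req = {"requested_hours": 2, "justification": "mailbox restore for INC-4711",  # constructed
           "ticket": "INC-4711", "mfa_completed": True, "approved_by": "pim-approver@contoso.example"}
    print(evaluate_activation(HARDENED_EXCHANGE_ADMIN, req))
    print(evaluate_activation(HARDENED_EXCHANGE_ADMIN, dict(req, mfa_completed=False)))
```

The audit is deliberately strict about the two settings that matter most for the point of the section: permanent active assignments, which are exactly the standing access PIM exists to remove, and activation without MFA or approval, which turns a compromised eligible account into a compromised admin with nothing in between. Against the permissive role an empty request with a one-hour duration is granted with no reasons at all; against the hardened role the same request is refused until justification, ticket, MFA, and an approver are all present.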