
4. Managing Azure Active Directory


What is Azure AD?

Azure Active Directory (Azure AD) is Microsoft’s enterprise cloud-based identity and access management (IAM) solution. Azure AD is the backbone of the Office 365 system, and it can sync with on-premise Active Directory and provide authentication to other cloud-based systems via OAuth.

https://www.varonis.com/blog/azure-active-directory/#:~:text=Azure%20Active%20Directory%20(Azure%20AD,cloud%2Dbased%20systems%20via%20OAuth.

Azure AD – Free Vs Premium

  • Free: You get a lot with the Free version including:
    – 500,000 object limit
    – SSO
    – AD sync
    – Self service password change for cloud users

O365: Extra features here include

  • Company branding
  • Self password reset for cloud users
  • SLA guaranteeing uptime
  • Device writeback: two-way sync between on-premises directories and Azure AD

P1:

  • Password Protection (ban certain words)
  • Group access management
  • Hybrid identities
  • Advanced Group access management

P2: advanced features like Identity Protection and Governance

Custom Domains

You can add your custom domain to Azure AD which will allow you to create users using your domain name.

To add the domain you will need to prove that you own it by publishing a TXT record, supplied by Azure AD, in the DNS zone for that domain.
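The verification step above, as an added example that is not part of the original notes: register the domain, fetch the TXT record Azure AD expects, confirm it is visible in public DNS, and only then trigger verification. It assumes the Microsoft.Graph PowerShell SDK and the Windows DnsClient module; "contoso.example" is a placeholder domain.

```powershell
# Added example, not from the original notes. Assumes Microsoft.Graph SDK and
# the Windows DnsClient module (Resolve-DnsName). Domain name is a placeholder.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$domainName = "contoso.example"                    # placeholder: your own domain
New-MgDomain -BodyParameter @{ id = $domainName } | Out-Null

# Azure AD tells you which record proves ownership (a TXT record at the zone apex)
$records  = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/domains/$domainName/verificationDnsRecords"
$expected = ($records.value | Where-Object { $_.recordType -eq "Txt" }).text
Write-Host "Publish this TXT record for ${domainName}: $expected"

# Ask a public resolver before calling verify, so a failed attempt is not just
# a propagation delay. Resolve-DnsName exposes TXT data in the .Strings property.
$published = (Resolve-DnsName -Name $domainName -Type TXT -Server 1.1.1.1 `
                -ErrorAction SilentlyContinue).Strings

if ($published -contains $expected) {
    # Verification is what allows users with an @$domainName UPN to be created
    Confirm-MgDomain -DomainId $domainName
    (Get-MgDomain -DomainId $domainName).IsVerified   # True once Azure AD has seen the record
} else {
    Write-Warning "TXT record not yet visible in public DNS; wait and re-run the check."
}
```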

Azure AD Join

Azure AD join is intended for organizations that want to be cloud-first or cloud-only. Any organization can deploy Azure AD joined devices no matter the size or industry. Azure AD join works even in a hybrid environment, enabling access to both cloud and on-premises apps and resources.

Scenarios

While Azure AD join is primarily intended for organizations that do not have an on-premises Windows Server Active Directory infrastructure, you can certainly use it in scenarios where:

  • You want to transition to cloud-based infrastructure using Azure AD and MDM like Intune.
  • You can’t use an on-premises domain join, for example, if you need to get mobile devices such as tablets and phones under control.
  • Your users primarily need to access Microsoft 365 or other SaaS apps integrated with Azure AD.
  • You want to manage a group of users in Azure AD instead of in Active Directory. This scenario can apply, for example, to seasonal workers, contractors, or students.
  • You want to provide joining capabilities to workers in remote branch offices with limited on-premises infrastructure.

You can configure Azure AD joined devices for all Windows 10 devices with the exception of Windows 10 Home.

The goal of Azure AD joined devices is to simplify:

  • Windows deployments of work-owned devices
  • Access to organizational apps and resources from any Windows device
  • Cloud-based management of work-owned devices
  • Users to sign in to their devices with their Azure AD or synced Active Directory work or school accounts.

Azure AD Identity Protection

You need the Azure AD P2 tier for these features.

Identity Protection uses advanced machine learning algorithms to monitor accounts and alert you of potential risks. This includes things like:

  • Suspicious logins
  • Unorthodox use of accounts (e.g. someone signing in from an unusual geographical location)

You set policies to perform actions if a risky event occurs. This can do things like block logins, require password resets etc…

Identity Protection Service

You need to turn on this service for your tenant. You can then go to this service and see the dashboard, which will show you:

  • Users flagged for risk
  • Risk events
  • Vulnerabilities

Configuration

This is where you can set the policies. Options for policies:

  • Users: all users or just select users
  • Conditions: set a high, medium or low risk level
  • Access: Block, Allow, or require MFA in the case of a security event

Conditional Access

This is also a P2 only feature. You can find this under “Security -> Conditional Access”

Conditional Access Policies

By default there is a policy for admins to require MFA.

Creating a new Policy

The following is how you would set up a policy to lock users out of cloud apps:

  • Users: select the users it will affect
  • Cloud apps: select certain apps or all
  • Conditions:
    – Sign in risk (likelihood the sign in is coming from someone other than the user)
    – Device platform (e.g. if they log in on a phone)
    – Location (any location, a trusted location etc…)
    – Client apps (Browser or mobile apps)
    – Device State (are they part of the hybrid network?)
  • Access Controls:
    – Block or Grant access
    – Require MFA or a compliant device
    – Session controls: limited experiences within a cloud app
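The same building blocks (users, cloud apps, conditions, access controls) expressed as a Microsoft Graph Conditional Access policy, added here as an example and not part of the original notes. It assumes the Microsoft.Graph PowerShell SDK; the emergency-access account object id is a placeholder.

```powershell
# Added example, not from the original notes. Assumes Microsoft.Graph SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency access account

$policy = @{
    displayName = "Block high-risk sign-ins to all cloud apps"
    # Start in report-only mode: the sign-in logs then show what *would* have been
    # blocked, so the policy can be checked before it can lock anyone out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Users: everyone, except the emergency account that must never be locked out
        users            = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        # Cloud apps: all of them
        applications     = @{ includeApplications = @("All") }
        # Sign-in risk: fed by Identity Protection (the P2 feature described above)
        signInRiskLevels = @("high")
        # Client apps: browser and modern clients
        clientAppTypes   = @("browser", "mobileAppsAndDesktopClients")
        # Device platform: any
        platforms        = @{ includePlatforms = @("all") }
        # Location: anywhere except named locations marked as trusted
        locations        = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    # Access control: block. For a softer policy on medium risk, use
    # signInRiskLevels = @("medium") with builtInControls = @("mfa") instead.
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check: the new policy exists and is still report-only
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

Switch `state` to `enabled` only after the report-only results in the sign-in logs match what you expect.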

Access Reviews

https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. Users’ access can be reviewed on a regular basis to make sure only the right people have continued access.

Access Reviews is a service within Azure Portal. You need Azure P2 or E5 to access this.

There is an onboarding process to set this up.

Creating Reviews

The options when setting up group reviews:

  • Start date
  • Frequency to run
  • End date
  • Users/Group to review
  • Completion settings: upon completion (depending on the results) you can set it to auto remove access or approve it, or manually do it

Managing Multiple Directories

Switching Directories

By clicking on your name in the top right corner of the portal, you can switch directory. You can also select which directory should be the default.

Administrative Units

This is a premium feature. It is similar to OUs in on-premises AD.

https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units

An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only users and groups.

Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.
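The regional-helpdesk delegation described above, added here as an example that is not part of the original notes: one administrative unit per region, with the Helpdesk Administrator role scoped to that unit only. It assumes the Microsoft.Graph PowerShell SDK, and uses raw Graph calls for the two POSTs; all object ids are placeholders.

```powershell
# Added example, not from the original notes. Assumes Microsoft.Graph SDK;
# every object id below is a placeholder.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

$au = New-MgDirectoryAdministrativeUnit -DisplayName "EMEA users" `
        -Description "Users supported by the EMEA helpdesk"

# 1. Put the region's users into the unit (an AU holds only users and groups).
$regionUserIds = @("<user-object-id-1>", "<user-object-id-2>")   # placeholders
foreach ($id in $regionUserIds) {
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/directory/administrativeUnits/$($au.Id)/members/`$ref" `
        -Body @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$id" }
}

# 2. Assign Helpdesk Administrator scoped to this unit only. The role must have
#    been activated in the tenant once, otherwise Get-MgDirectoryRole returns nothing.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Helpdesk Administrator'"
$specialistId = "<support-specialist-object-id>"                   # placeholder
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/directory/administrativeUnits/$($au.Id)/scopedRoleMembers" `
    -Body @{ roleId = $role.Id; roleMemberInfo = @{ id = $specialistId } }

# 3. Check: the specialist appears as a scoped member of the unit, and not in the
#    tenant-wide member list of the role.
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    Select-Object RoleId, @{ n = "Member"; e = { $_.RoleMemberInfo.DisplayName } }
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
```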
