6. AD Identity Protection
So we’ve given it a couple of minutes and our account has now been upgraded to Azure Active Directory Premium P2. The P2 level unlocks all of the advanced features we’re about to look at. Now, this is just a test account; unfortunately it doesn’t have very many users, applications or anything else associated with it, but it’s good enough for this purpose. The first thing we’re going to investigate is Azure AD Identity Protection. Open a new tab, go down to the Identity category, and you’ll see Azure AD Identity Protection highlighted. It has picked up my current directory, Scott’s test directory. If that’s not the directory you want, you can’t change it here; you have to go to the top right and choose Switch Directory.
Now, I already have Identity Protection enabled, but if you don’t, you just come down here and click the Create button to enable it on your tenant. Identity Protection is a set of machine learning detections that analyze your users’ sign-ins and look for vulnerabilities in your Azure AD configuration. Microsoft uses these detections to warn you about things that could be happening in your directory: suspicious sign-ins, users not using their accounts the way you would expect, and so on. It improves your security by bringing these events to your attention.
You’re also able to set policies that restrict access: they can block sign-ins, require multi-factor authentication, or require a password change under risky conditions. So click Create and it will be enabled for your account. I’ve already got it enabled, so I’ll close this up. If I go into All services and type “ad”, it brings up the Identity Protection service. Going into it, we see a whole new set of blades that report on the security of the directory. Right now, like I said, there’s nothing going on. I don’t have any risk events; there are no high, medium or low risk events for me to investigate.
There are no users flagged for risk, and no vulnerabilities have been detected on my account, which is not surprising for a test tenant. If you ran this against a large directory you would find different results. On the left there is an Investigate section, and that’s where you investigate those three things: users flagged for risk, risk events, and vulnerabilities. If there were things to investigate, you would start here. The real fun happens in the Configure section. This is where you set the policies that determine what happens for a risky user or a risky sign-in. So I’m going to click on Sign-in risk policy. This is a policy I can create that says: for this set of users, in this situation, I want this to happen, and it estimates the impact. If I had 1,000 sign-ins a day and set up a new policy, it will tell me that it would have affected, say, 500 of them. At the bottom I can turn the policy on and off. Now, All users is the default assignment. If you go into it, you can actually select individual users, or exclude individual users.
Why would you want to exclude individual users from a security policy? Well, there may be categories of users in your organization who naturally do riskier things, and you don’t want them constantly calling support or constantly having to change their password. For instance, you might have a development team that uses their accounts for tooling or for certain kinds of testing, and you may want to exclude them from the strictest policies. Keep in mind that every exclusion is an account the policy no longer protects, so keep the list short and review it. It’s a corporate decision in the end: which policies, how strongly to enforce them, and whether you apply them evenly across the organization, exclude certain individuals, or make them stricter for certain job roles. I’ll leave it at All users, but we can certainly narrow the policy to a subset. Conditions is where the machine learning kicks in. Here we set a risk level: low, medium or high. Remember we talked about sign-in risk. One example of sign-in risk is somebody logging in from a geographic location they’ve never logged in from before. So suddenly, and I’m not trying to pick on a region of the world, someone logs into your application from a remote area of northern Russia; that could be considered a high-risk sign-in.
And you may want to set a policy that says: wait a second, if somebody’s logging in from an area of the world we’re not expecting, then we take additional precautions on that account. So we can say we want this to apply at low risk and above (almost every flagged sign-in), medium and above, or only high-risk sign-ins. I’m going to choose medium in this case. Now, what do we want to happen? Let’s say for all users, if the detections score a sign-in as medium or higher risk, what should happen? We go into Controls and we can either just allow access, or allow access only if they pass multi-factor authentication, which could be a phone call, an SMS message, an authenticator app, and so on: another way of verifying their identity before we let them into the account.
Or we can just block access, in which case they’d have to call the help desk or something like that to get past it. Allowing access with multi-factor authentication seems like a reasonable precaution for a medium- or high-risk sign-in: a device you don’t recognize, a location you don’t recognize, a time that isn’t usually expected, and so on. So that’s my policy. Now we can review how this policy would impact my tenant. Again, this is a test account, so Microsoft is telling me there’s no data for it to analyze, but presumably if you had thousands of users and thousands of sign-ins it would say, this would have impacted one tenth of one percent of your sign-ins. Then turn the policy On and Save, and now you have a new policy running against your directory that will require multi-factor authentication for medium-risk sign-ins. The User risk policy works the same way, except that instead of scoring a single sign-in it scores the user themselves: the likelihood that the account is compromised, for example because its credentials have turned up in a leaked-credential list. Again we choose which users it applies to, a risk level of low and above, medium and above, or high, and what we want to happen: block access or require a password change. So for instance, if a user’s password shows up in a public credential dump, their next sign-in comes from a user Microsoft considers at risk, and you may want to force a password change.
So instead of requiring multi-factor authentication, this says: your account looks compromised, let’s get you to reset your password. (The user still has to pass multi-factor authentication to make that change, so the policy only helps users who are registered for MFA.) Again you can review the users impacted, turn it on, and it becomes your user risk policy. Risk is then recalculated on a daily basis into your report and you can start investigating. You can have a weekly digest emailed to you, and you probably want to pin this to your dashboard so it’s something you actually review. Okay, so that’s Azure AD Identity Protection. It’s pretty easy to turn on and pretty easy to set up these types of policies. Microsoft has documentation on best practices for these policies, which is certainly something to read if you need to set this up in a production setting.
7. Conditional Access
So the next security setting we’re going to investigate within Azure Active Directory is called Conditional Access. If we go into our Active Directory, which is a Premium tenant, and scroll down, we can see Conditional Access as one of the options under Security, and we’ll go in there. By default we get a baseline policy called Require MFA for admins. Clicking into it, we can see the explanation: any administrator in this set of roles, which covers the Global Administrator role as well as the service-specific roles like SharePoint, Exchange and Security Administrator, must use multi-factor authentication.
And you can see the options: automatically enable the policy in the future, use the policy immediately, or do not use the policy. You can also exclude users, although if you’re going to set a policy like this, having administrators who don’t require multi-factor authentication looks like a security hole. The one exclusion that does make sense is a dedicated emergency-access (break-glass) account that is kept out of every Conditional Access policy, so that a misconfigured policy can’t lock every administrator out. Beyond that you can set a number of requirements. So this one comes out of the box, but we get the concept now, right? In a Conditional Access policy you select either all users or specific users, and then which condition should require multi-factor authentication, very similar to the Identity Protection policies. Again, this one was specifically for administrators.
But if we go in here and say selected users, and I’m going to select the accounting department again, to keep picking on them. Note that Conditional Access also covers the Azure portal, so if the policy blocks the accounting group and an administrator happens to be in that group, they get locked out too. So make sure there’s always somebody, ideally the break-glass account, who can still get in. This one only targets the accounting department, so let’s call it “accounting rules”. Now, under what conditions do we want accounting users to go through multi-factor authentication? We’ve got these categories: sign-in risk, which device platforms they’re using, the locations they’re in, the client apps they’re accessing from, and the state of their device. Let’s take them one at a time. Very similar to Identity Protection, the machine learning element categorizes a sign-in as low, medium or high risk; that’s the definition of sign-in risk. So we can say, if they’re in a high-risk situation we want this policy to apply. Device platforms: say they’re on a phone, so Android, iOS and Windows Phone are the platforms we want the policy to apply to, but if they’re on a desktop the policy doesn’t apply. Do we want any locations? We can say the policy applies from any location, from all trusted locations, or from selected locations. Let’s not configure locations. Client apps: browser, mobile and desktop apps, and so on, or any application you’ve registered in your tenant. Device state: whether the device is hybrid Azure AD joined or marked compliant, and so on.
Let me turn the platform condition off again. So this is basically for high sign-in risk, and in fact I’m going to apply it to all platforms: no matter what platform you’re on, if your sign-in is high risk, this policy applies. Now what do we want to happen for users in the accounting group in a high-risk situation? Again, we can block access, or grant access but require multi-factor authentication, require a specific kind of device such as a compliant corporate laptop rather than a personal laptop, require the device to be hybrid Azure AD joined (signed in through the Windows single sign-on), require an approved client app, and so on. So that’s where we set the grant controls.
There are also session controls, which let the user into the application but limit what they can do inside it. Then we can turn the policy on. So I’m going back to Access controls, choosing Grant access but Require multi-factor authentication, turning the policy On and hitting Create. Now we have multi-factor authentication required for all admins, and multi-factor authentication required whenever Azure scores a sign-in as high risk for anyone in the accounting group, no matter what type of device they use, Windows or mobile. So that’s using Conditional Access policies to restrict access to your applications, and to the portal as well, based on machine learning risk signals.
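To make the evaluation rules from the Identity Protection and Conditional Access walkthroughs concrete, here is a small Python model, added for this page and not Azure AD’s own engine. The policy dictionaries are only shaped like Microsoft Graph conditionalAccessPolicy objects; the users, groups, the “breakglass” account and the sign-in records are constructed sample data with hypothetical names. It encodes three behaviours worth remembering when you write these policies: exclusions beat inclusions, when several policies match a sign-in every grant control is required and a block wins, and a policy that can block without excluding the emergency-access account is a lockout hazard.

```python
"""Toy evaluator for risk-based Conditional Access policies (illustration only)."""

# Constructed directory: group -> members (hypothetical names, not real object ids)
GROUPS = {
    "admins":     {"alice"},
    "accounting": {"bob", "carol", "alice"},
}
BREAK_GLASS = "breakglass"   # emergency-access account, deliberately in no group


def in_scope(users_cond, user):
    """Decide whether a policy's user assignment covers this user.
    Exclusions win over inclusions, as they do in Azure AD."""
    if user in users_cond.get("excludeUsers", []):
        return False
    if any(user in GROUPS.get(g, set()) for g in users_cond.get("excludeGroups", [])):
        return False
    included = users_cond.get("includeUsers", [])
    if "All" in included or user in included:
        return True
    return any(user in GROUPS.get(g, set()) for g in users_cond.get("includeGroups", []))


def matches(policy, s):
    """True when an enabled policy's conditions all hold for sign-in record s."""
    c = policy["conditions"]
    if policy["state"] != "enabled" or not in_scope(c["users"], s["user"]):
        return False
    if c.get("signInRiskLevels") and s["signInRisk"] not in c["signInRiskLevels"]:
        return False
    if c.get("userRiskLevels") and s["userRisk"] not in c["userRiskLevels"]:
        return False
    platforms = c.get("platforms", {}).get("includePlatforms", ["all"])
    return "all" in platforms or s["platform"] in platforms


def evaluate(policies, s):
    """Return ("block", [policy names]) or ("grant", {required controls}).
    All matching policies apply together: controls accumulate and a block wins."""
    controls, blockers = set(), []
    for p in policies:
        if not matches(p, s):
            continue
        built_in = p["grantControls"]["builtInControls"]
        if "block" in built_in:
            blockers.append(p["displayName"])
        controls |= set(built_in)
    return ("block", blockers) if blockers else ("grant", controls)


def lockout_risk(policy, emergency_user=BREAK_GLASS):
    """Flag a policy that can block sign-ins without excluding the emergency account."""
    blocks = "block" in policy["grantControls"]["builtInControls"]
    return blocks and emergency_user not in policy["conditions"]["users"].get("excludeUsers", [])


ADMIN_MFA = {   # the built-in "Require MFA for admins" baseline
    "displayName": "Require MFA for admins", "state": "enabled",
    "conditions": {"users": {"includeGroups": ["admins"], "excludeUsers": [BREAK_GLASS]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
ACCOUNTING_HIGH_RISK = {   # the "accounting rules" policy built in the video
    "displayName": "accounting rules", "state": "enabled",
    "conditions": {"users": {"includeGroups": ["accounting"], "excludeUsers": [BREAK_GLASS]},
                   "applications": {"includeApplications": ["All"]},
                   "signInRiskLevels": ["high"],
                   "platforms": {"includePlatforms": ["all"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
MEDIUM_RISK_MFA = {   # Identity Protection sign-in risk policy: medium and above -> MFA
    "displayName": "Sign-in risk: medium+ -> MFA", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
                   "applications": {"includeApplications": ["All"]},
                   "signInRiskLevels": ["medium", "high"]},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
USER_RISK_BLOCK = {   # user risk policy that blocks; no exclusion, so it is a lockout hazard
    "displayName": "User risk: high -> block", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]},
                   "userRiskLevels": ["high"]},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
POLICIES = [ADMIN_MFA, ACCOUNTING_HIGH_RISK, MEDIUM_RISK_MFA, USER_RISK_BLOCK]


def sign_in(user, sign_in_risk="none", user_risk="none", platform="windows"):
    """Build a constructed sign-in record of the shape evaluate() expects."""
    return {"user": user, "signInRisk": sign_in_risk, "userRisk": user_risk, "platform": platform}


if __name__ == "__main__":
    for s in (sign_in("bob"), sign_in("bob", "medium"), sign_in("alice"),
              sign_in("carol", user_risk="high"), sign_in(BREAK_GLASS, "high", "high")):
        print(s["user"], s["signInRisk"], s["userRisk"], "->", evaluate(POLICIES, s))
    for p in POLICIES:
        print(f"lockout hazard: {lockout_risk(p)!s:5} {p['displayName']}")
```

The last sign-in in the demo is the one to watch: the break-glass account is excluded from every policy except the blocking user-risk policy, so a high user-risk score on that account locks out your only guaranteed way back in. Run a check like `lockout_risk` over every policy before you switch it from report-only to On.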
8. Access Reviews
All right, so you’ve seen me switching between Azure Active Directory tenants a few times. If I go to the top right, there’s Switch directory, and I can see that I have a few Azure AD tenants. I can set which directory is the default, so that’s what gets chosen first when I log in. It’s fairly easy to switch between them, and as we saw earlier it’s pretty easy to create new ones, so if you need multiple directories it’s straightforward to create another. Now, in this video we’re going to talk about Access Reviews.
The challenging thing when you work with large directories is managing all the different access of all your users and groups: making sure everyone has the access they need and not more, which is the day-to-day operation of your organization’s security. Microsoft provides a number of tools for this, and we’ve gone through several in this section: security tooling, Privileged Identity Management, and so on. What we’re talking about in this video is Access Reviews. I still have this account on the Azure AD Premium level, so we’ll go into the search box, type Access, and you can see Access Reviews is one of the services listed.
Going into Access Reviews, it tells me that Access Reviews let you review and reduce employee and guest group memberships and access to the applications in your organization, which supports compliance and risk management. And if you have guest users, you can remove their access once their engagement is over. You do need a Premium P2 license to get access to this, or an Enterprise Mobility + Security (EMS) E5 license, and you have to go through an onboarding process to start using it.
So most of it is grayed out and we have to click the onboarding button, which creates the Access Reviews resource for us. Clicking Create kicks that off, and it only took a few seconds. Now we’re taken to a familiar overview screen, and we can see that if we had applications associated with this account, we would have apps to review as well as groups to review. We haven’t done any reviews yet, of application access or group access, so right now everything shows zero.
So what is an access review? We’re going to go either group by group or application by application, and get a set of reviewers, one or more people, to review all the members of the group or all the people with access to the application and approve or deny their continued access. Let’s click Review group members. We have to give the review a name, so let’s call this Test Review 1. It has a start and an end date. If you’re running this as a one-time review, you could say it starts today and ends a month from now. You do also have the option of scheduling it: weekly is probably excessive, but monthly, quarterly or annual reviews of who has access to a group or application are common. Let’s schedule this one. How many days do the reviewers have to complete the review? Let’s give them five days. It’s a monthly job, so that’s a reasonable window to get their work done. Then how many occurrences: let’s say we want a monthly review for the next twelve months, or it can run with no end date. We want to review the members of the group.
We want to review everyone, not just guest members, and we’re going to select the accounting group. There it is; select. The reviewers in this case are going to be the group owners. You could have people review their own access, but here the group owners are the ones who have to approve members of the group. And we’re doing this every month. We’ll talk about programs later; for now it uses the default program. The interesting part is the completion settings. The person reviewing access to this group approves or denies each member, and we can auto-apply those results: at the end of the review, after the five days, anyone who was denied is automatically removed from the group. And what should happen if the reviewer doesn’t respond? After the five days pass and the person responsible for the review just never did it, do you remove everyone’s access, approve everyone, or leave it unchanged? You’ve got a number of options here. Let’s be pretty brutal, if you don’t mind.
We’re going to remove everyone from the group. That’s extreme, but that’s security: if the person who’s supposed to review access doesn’t do their job, everyone loses access. There are also some advanced settings: we can require a reason for each decision, send notifications by mail, and send regular reminders to reviewers who haven’t completed the review. Those are all enabled by default. Then we kick off the review. So an access review is a job within Azure that requires group owners or application owners to review everyone who is a member of that group or has access to that application, on a recurring or one-time basis, and confirm that the people with access are supposed to have it. That’s part of a good security process.
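The completion settings above are easy to misjudge, so here is a small Python model of what happens when a review instance closes. It is added for this page and is not Microsoft’s implementation; the group, its owner’s decisions and the names are constructed sample data. It shows the monthly schedule with a five-day window, and the three outcomes for a member no reviewer acted on: the “Deny” default removes them, “Approve” keeps them, and “NoChange” leaves their access untouched.

```python
"""Toy model of how an access review instance completes (illustration only)."""
from datetime import date, timedelta


def review_windows(start, occurrences, duration_days, interval_months=1):
    """Return [(window_start, window_end), ...] for a recurring review.
    The day of month is clamped to 28 so every month has a valid start date."""
    windows = []
    for i in range(occurrences):
        month_index = (start.month - 1) + i * interval_months
        year, month = start.year + month_index // 12, month_index % 12 + 1
        begin = date(year, month, min(start.day, 28))
        windows.append((begin, begin + timedelta(days=duration_days)))
    return windows


def complete_review(members, decisions, *, default_decision="NoChange",
                    auto_apply=True, justification_required=True):
    """Close one review instance and return (remaining_members, applied).

    members:   set of user ids currently in the reviewed group
    decisions: {user_id: (decision, justification)} recorded by reviewers,
               where decision is "Approve" or "Deny"
    applied:   the decision actually applied to each member, which is the
               configured default for anyone the reviewers never acted on
    """
    applied = {}
    for user in sorted(members):
        if user in decisions:
            decision, reason = decisions[user]
            if decision not in ("Approve", "Deny"):
                raise ValueError(f"unknown decision {decision!r} for {user}")
            if justification_required and not reason:
                raise ValueError(f"decision for {user} has no justification")
            applied[user] = decision
        else:
            applied[user] = default_decision
    if not auto_apply:
        # Results are only reported; an admin has to apply them by hand.
        return set(members), applied
    remaining = {user for user, decision in applied.items() if decision != "Deny"}
    return remaining, applied


# Constructed sample: the accounting group and what its owner recorded.
ACCOUNTING = {"bob", "carol", "dan"}
OWNER_DECISIONS = {
    "bob":   ("Approve", "still in accounts payable"),
    "carol": ("Deny", "moved to marketing last month"),
    # dan: the owner never got to him inside the five-day window
}

if __name__ == "__main__":
    for begin, end in review_windows(date(2024, 1, 1), 12, 5)[:3]:
        print(f"review window {begin} .. {end}")
    for default in ("Deny", "NoChange", "Approve"):
        left, _ = complete_review(ACCOUNTING, OWNER_DECISIONS, default_decision=default)
        print(f"default={default:8s} remaining={sorted(left)}")
```

With the “remove everyone” default chosen in the walkthrough, one absent reviewer empties the group at the end of the window; that is the trade-off the setting makes, so pair it with the reminder notifications and more than one reviewer per group.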
9. *NEW* Managing Multiple Directories
So in this video we’re going to talk about managing more than one tenant. Because I talked about tenants and subscriptions so long ago, at the very beginning of the course, I’m going to do a quick recap, if you don’t mind. There are three independent concepts: account, tenant and subscription. The account, or user, is either a person or a program. It’s the email address and password you use to log into the Azure portal; that’s a user, or an account. Sometimes you have MFA enabled, and that’s part of the authentication process as well. Applications can also have an identity, and that’s called a managed identity.
That’s where the application uses an identity managed by Azure Active Directory to do its work, under the permissions that have been granted to that identity. It’s bad practice for an application to use a real person’s credentials, because as soon as that person changes their password the application breaks, and as soon as they quit or are let go and the account is disabled, the application stops working. So give your applications their own identities, which is what managed identities are for. A completely separate concept is the tenant. The tenant is the organization, the business, the corporation. Tenants usually have domain names: either you use the one assigned to you or you assign an existing domain you own to Azure Active Directory.
You cannot assign the same domain name to multiple Azure AD tenants. So once you verify your domain in one tenant, no other tenant can claim it as its domain name; Azure AD is managing the domain that you provided. And as we said, you have to have a tenant in order to do anything: to log into Azure and do any kind of work, you need a tenant. The third concept is the subscription. That is the billing arrangement. You can have a free subscription, pay-as-you-go, an Enterprise Agreement, or work through a vendor with a CSP-type agreement; there are many different types of subscription, and it’s independent of your tenant and independent of the user. Subscriptions are of course assigned to tenants, but not every tenant has one. I can create a tenant that doesn’t have a subscription, and therefore I can’t create any resources inside it, and tenants can also have more than one subscription. Any time you create a resource you’re asked to choose the subscription, precisely because tenants can have more than one. A tenant isn’t restricted to a single account either: you can assign any number of accounts to your tenant, with different roles, everything from Owner, Contributor and Reader down to many finer-grained built-in roles. So that’s the concept of subscription, tenant and user. Switching over to the portal now, let’s go into Azure Active Directory. We can do this multiple ways: I have it pinned to my menu, this icon is Azure Active Directory, or you can search for it in the top search box or go under All services and look for it there. However you get to it, click in. I’ll minimize this menu again. We’ve seen this before. This is my current tenant, my current Azure Active Directory, and it also happens to be the default when I log in.
Now, it’s very easy to create a tenant, as we’ve seen, and it’s also straightforward to switch to another one. I clicked the Switch tenant button and I can see some favorites: my default, a client account, and another directory I’m using for testing. I can just click Switch, and suddenly my user, the Scott’s Course account I’ve logged in as, is operating under a different tenant. It’s not the Scott’s Course outlook tenant anymore. If I go to Home and look at, say, All resources, I don’t have any resources. In fact, I don’t even have a subscription associated with this tenant: go to Subscriptions and there’s nothing. So this is a tenant without a subscription.
And therefore, if I try to create some type of resource, I’m going to have to switch to another directory or create a subscription, because that’s the requirement. So I’ll switch to a tenant that has a subscription. I can go back into Azure Active Directory, or you can also switch your directory at the top right under your profile picture, where it says Switch directory. So I can go back to my default or to any one of my other test directories; this one also doesn’t have a subscription against it.
Okay, so the key points here are that it’s easy to create tenants and easy to switch between them, and the resources you create are completely separate between tenants. A user who has management rights in one tenant has no management rights in another unless they’re specifically granted. The person who creates the tenant is by default the owner of that tenant and is given the Global Administrator role. You can even set up Azure AD Connect to synchronize the users from your on-premises directory into these different tenants, based on the settings you configure. So multiple tenants are supported even there.