Skip to content

Latest commit

 

History

History
159 lines (136 loc) · 10.6 KB

1.4. Security - Azure Active Directory (Azure AD).md

File metadata and controls

159 lines (136 loc) · 10.6 KB

Azure Active Directory (Azure AD)

  • PaaS
  • Multi-tenant, cloud-based directory and identity management service.
  • Combines core directory services, advanced identity governance, and application access management.
  • Allows IT admins to give SSO to many services including Office 365, Salesforce.com, DropBox and Concur.
  • Full suite of identity management capabilities including multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management, role-based access control, application usage monitoring, auditing and security monitoring and alerting.

Single Sign-On

  • Also called identity federation
  • Hybrid-based directory integration scenario of Azure Active Directory that you can implement when you want to simplify your user's ability to seamlessly access cloud services with their existing Active Directory corporate credentials
  • A Secure Token Service (STS) enables identity federation,
  • Extends centralized authentication, authorization and SSO to e.g. Web applications & services, including perimeter networks, partner networks, and the cloud.
  • Configuring a STS is creating a federated trust between your on-premises STS and the federated domain you've specified in your Azure AD tenant.

Azure AD Authentication Strategies

Azure AD Connect

  • Always a required sync tool.
  • Supports synchronization from multiple Azure AD Forests/Domains, into a single Azure Active Directory environment.
  • Enables cloud way of authenticating:
    1. Password Hash Sync
    2. Federation (ADFS)
    3. Azure AD Passthrough Authentication Agent
  • The underlying database can be a SQL Server Express, or a full SQL Server 2008 R2 or newer database instance.
  • Can be installed on dedicated VMs, or directly on ADDS Domain Controllers
  • AD Connect requires an AD Connect Service Account
    • Reads/write information from the Azure AD Tenant, as well as requiring an on-premises account in Active Directory, Enterprise Admin level rights, to read/write information back in the on-premises Active Directory.
    • Allows for a two-way sync, e.g. password resets (optional – requires P1), account deletions and other strategies for connecting.

Azure AD Connect Health

  • Monitoring of on-premises identity infrastructure.
  • It enables you reliable connection to Office 365 and Microsoft Online Services.
  • Rich usage metrics: Use the Azure AD Connect Health portal to view alerts, performance monitoring, usage analytics, and other information
  • Get alerted on all critical ADFS system issues
  • Easy to deploy and manage

Azure AD B2B vs B2C

  • Use B2C e.g. when users need to authenticate via facebook to your application.
    • Azure AD B2C implements OpenID Connect, which supports many different providers, including Twitter, Google, and many others that support the standard.
    • Azure AD B2C protects from denial-of-service and password attacks against your applications and includes user interface customizations to easily integrate into your existing applications.
  • Use B2B e.g. when inviting consultant companies.
Category Azure AD B2B Azure AD B2C
Intended for To be able to authenticate users from a partner organization, regardless of identity provider. Inviting customers of your mobile and web apps, whether individuals, institutional or organizational customers into your Azure AD.
Identities supported Employees with work or school accounts, partners with work or school accounts, or any email address. (Soon to support) direct federation. Consumer users with local application accounts (any email address or user name) or any supported social identity with direct federation.
Which directory the partner users are in Partner users from the external organization are managed in the same directory as employees, but annotated specially. They can be managed the same way as employees, can be added to the same groups, and so on. In the application directory. Managed separately from the organization's employee and partner directory (if any).
Single sign-on (SSO) Single sign-on to all Azure AD-connected apps is supported. E.g. you can provide access to Office 365 or on-premises apps, and to other SaaS apps such as Salesforce or Workday. Single sign-on to customer owned apps within the Azure AD B2C tenants is supported. ❗ SSO to Office 365 or to other Microsoft and non-Microsoft SaaS apps is not supported.
Partner lifecycle Managed by the host/inviting organization. Self-serve or managed by the application.
Security policy and compliance Managed by the host/inviting organization. Managed by the application.
Branding Host/inviting organization's brand is used. Managed by application. Typically tends to be product branded, with the organization fading into the background.

Multi-Factor Authentication

  • Requires more than one verification method.
  • E.g. any two or more of the following verification methods:
    • Something you know (typically a password)
    • Something you have (a trusted device that is not easily duplicated, like a phone)
    • Something you are (biometrics)
  • Azure Multi-Factor Authentication (MFA)
    • Microsoft's two-step verification solution
    • Verification methods includes phone call, text message, or mobile app verification.
    • You grant access to users and require Azure MFA registration.
      • 💡 You do not block & require MFA.

Azure AD Identity Protection

  • 📝 Available only in P2 in Azure AD.
  • Uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious incidents that indicate potentially compromised identities.
    • Using this data, it generates reports and alerts that enable you to evaluate the detected issues and take appropriate mitigation or remediation actions
  • Enables you:
    • Detect potential vulnerabilities affecting your organization's identities.
    • Configure automated responses to detected suspicious actions that are related to your organization's identities.
    • Investigate suspicious incidents and take appropriate action to resolve them.

Privileged Identity Management (PIM)

  • Requires users to request for elevation to do a task.
    • Per elevated role / elevations, it allows to:
      • Set-up have notifications
      • Create incident/request tickets.
      • 📝 Require MFA
      • Require approval
      • Set maximum activation duration (hours)
  • Lists of users assigned
    • privileged roles to manage Azure resources
    • administrative roles in Azure AD.
  • Shows history of administrator activation
    • Including changes made to resources by admins.
  • Alerts about changes in administrator assignments.
  • Allows to require approval to activate Azure AD privileged admin roles.
  • Enables on-demand, "just in time" administrative access to Microsoft Online Services like Office 365 and Intune, and to Azure resources such as management groups or Virtual Machines.
  • Allows to review membership of administrative roles and require users to provide a justification for continued membership.
  • 📝 ❗ Available only in P2 in Azure AD.
  • Privileged accounts
    • Accounts that administer and manage IT systems.

PIM Management

  • Management of administrative roles with two branches:
    1. Directory
      • On Azure portal: Azure AD -> PIM -> Azure AD Roles
      • You can manage the users assigned to the built-in Azure AD organizational roles, such as Global Administrator.
      • Role assignments
        1. Eligible: They can activate the role when they need to perform privileged tasks.
        2. Permanent: Role is always activated.
        • Both assignments are permanent.
    2. RBAC
      • On Azure portal: Azure RBAC -> PIM -> Azure Resources
      • For consumption & spending
      • You can manage the users and groups assigned via Azure RBAC roles, including Owner or Contributor.
      • Role assignments
        1. Eligible
        2. Active
        • Same as directory but permanent is called active because in PIM Eligible/Active can have timer where assignment is removed
        • Enable subscription in PIM: PIM -> Azure resources -> Discover resources
      • ❗ Onced turned on, it cannot be turned off
        • The reason is that it in background PIM adds a principal on the scope it's on with User Access Administrator role
  • Role assignments can be done on both Group and User level
    • ❗ If a Group is Eligible when assignment becomes Active then the priviliges for whole Group is elevated instead of single individual, making harder to track individual requests.

Azure AD Domain Services

  • Directory-aware applications may rely on LDAP or Windows Integrated Authentication (Kerberos or NTLM authentication)
  • Line-of-business (LOB) applications running on Windows Server are typically deployed on domain joined machines, so they can be managed securely using Group Policy.
  • To 'lift-and-shift' on-premises applications to the cloud, these dependencies on the corporate identity infrastructure need to be resolved.
  • Administrators often turn to one of the following solutions to satisfy the identity needs:
    • Deploy a site-to-site VPN connection between workloads running in Azure IaaS and the corporate directory on-premises.
      • ❗ Vulnerable to transient network glitches or outages
    • Extend the corporate AD domain/forest infrastructure by setting up replica domain controllers using Azure virtual machines.
    • Deploy a stand-alone domain in Azure using domain controllers deployed as Azure virtual machines.
  • ❗ All these approaches suffer from high cost and administrative overhead.
    • It requires administrators to deploy domain controllers using virtual machines in Azure.
    • Additionally, they need to manage, secure, patch, monitor, backup, and troubleshoot these virtual machines

OAuth2 Flow

  1. Register your application with your AD tenant
    • App Registrations -> New application registration
    • Provide sign on URL for web apps, reply URl for API app
    • Get application client id to later use in code.
    • Applications -> Application -> Publish scope
    • Define the permissions (scopes) that can be granted to other applications
    • Add Scope Values as necessary (for example, "read").¨
  2. Authorize
    • User enters credential with consent to permissions
    • App goes to /oauth2/authorize on AD and get authorization token.
  3. Access token
    • App sends token to /oauth2/token
    • Azure AD returns an access token upon a successful response
  4. App validates access_token and return secure data to app
  5. After a while token expires
    • App requests to /oauth2/token with refresh token
    • AD gives new refresh_token and new access_token