Securing Your Digital Frontier: Empowering Identity Management with Azure AD
What is Azure AD?
Azure Active Directory is Microsoft’s multi-tenant, cloud-based identity and access management service. It’s the digital infrastructure that allows your employees to sign in and access external resources held in Office 365 and an ever-growing list of other SaaS applications, as well as those held on a corporate network or intranet.
Azure AD’s strength lies in the flexibility afforded to it by being entirely cloud-based. This means that it can either act as an organisation’s only directory, or it can sync with an on-premises directory via Azure AD Connect.
Either way, it enables both on-premises and cloud-based users to access the same apps and resources, simultaneously benefitting from features such as single sign-on (SSO), multi-factor authentication (MFA), conditional access, and more.
More importantly, it provides a single place from which to manage your identity, security, and compliance controls across your entire IT estate.
Securing Your Digital Frontier
Azure AD Key features
Having all of your disparate environments united under Azure AD offers some significant functionality options and features:
Manage both cloud and on-premises apps, single sign-on, the MyApps portal, and any SaaS apps.
Whether this be providing self-service password reset, calibrating MFA requirements, or enabling smart lockout, you can get really granular with your authentication settings (especially when used in conjunction with conditional access) for increased security and control. Securing Your Digital Frontier
Manage guest users and partners, providing them with the access they need but no more than you’re willing to allow.
Offer custom sign in and sign up experiences, allowing customers to manage their profiles within your applications.
Device management in Azure Active Directory (Azure AD) is the process of securely managing and controlling devices that access an organization's Azure AD environment. It includes tasks like registering devices, verifying their identity through authentication, monitoring their health and compliance, and remotely managing their configuration. Azure AD device management ensures a secure and consistent environment across different types of devices, enhances data protection, and improves administrative efficiency.
Most organisations aren’t ready to go cloud-only yet, but using Azure AD Connect allows you to take advantage of Azure AD’s features – even if you’re running some on-premises applications and some in the Cloud.
To ensure that your identity ecosystem remains healthy, Azure AD has some built-in governance features that allow you to manage identity and access lifecycles and set privileged access conditions. These controls are designed to enable organisations to ensure that the correct users have the corresponding levels of access and monitor what they’re doing with it. One of the key benefits of good governance is being able to audit and verify the effectiveness of the applied controls.
Azure AD Identity utilises security information drawn from across Microsoft’s digital empire to detect and remedy identity-based risks, automating a large part of the process of identifying and addressing security concerns. These risks can then be further investigated through the Azure AD portal.
Reports and Monitoring
Azure AD also features monitoring and reporting capabilities to help you gain insights into your environment. You can run diagnostics and view logs which can then also be applied to third-party SIEM tools to take a deeper dive into your data.
How to create secure identity infrastructure in Microsoft Azure in 5 steps:
Implement Centralized Identity Management
Enable Single Sign-On (SSO) and Multi-Factor Authentication (MFA)
Proactively Manage User Access
Actively Monitor Your Security State
Automate the Common Monitoring and Management Task
1. Implement Centralized Identity Management
If you rely on hybrid environments (e.g., your on-premises data center is extended to Azure cloud), your first step towards Azure protection should be enabling integrated identity management. After integrating on-prem and cloud directories, you can manage all user accounts from a single place, plus provide users with a common identity for accessing both environments. This, in turn, reduces password management costs. Given that almost 50% of IT help desk costs are associated with password resets, the savings of a Single Sign-On (SSO) solution can be significant. Best Practices:
Designate one Azure AD instance to all corporate accounts (on-prem & cloud-based).
Use Azure AD Connect to enable synchronization between your cloud and on-premises directories.
When it comes to high-privilege accounts that you already have in your Active Directory instance, don’t change the default Azure AD Connect configuration fileting them out. Or else, such accounts might meddle in the on-premises assets.
Enable password hash synchronization — a feature that helps protect against credential stuffing attacks. This config is particularly valuable as it helps check if users have used the same email/password combo on other services (non-connected to Azure AD), and prevent them from using the same credentials if these have already been compromised.
Embed Azure AD into all your newly developed business applications for extra security.
2. Enable Single Sign-On (SSO) and Multi-Factor Authentication (MFA)
Single sign-on (SSO) reduces the reliance on multiple passwords and, thus, increases overall Azure cloud security. Instead of asking your business users to maintain multiple passwords for their Salesforce, Microsoft 365, Google apps, and other accounts, you can set up seamless and secure access to all of them via Azure AD. Considering that an average enterprise has over 900 applications with only 28% being integrated, users are forced to store a lot of passwords (and oftentimes re-use the weak ones). This can lead to security incidents and costly data breaches. The benefit of using Azure AD is that many business applications already have pre-integrated SSO connections with it. On top of that, you can find SSO connectors for some 3,000 applications on Azure Marketplace. You can choose one of two approaches to enable SSO on Azure:
Federated SSO. In this case, Azure AD authenticates users with their Azure AD account. This method is available for all applications, supporting the following protocols – SAML 2.0, WS-Federation, or OpenID Connect.
Password-based SSO. When using this type of authentication, users are asked to provide a username/password combo to the application during their first access. For all the subsequent logins, Azure AD will supply the login credentials to the connected app.
More information on the benefits of each SSO method can be found in this Microsoft guide. Multi Factor Authentication (MFA)is another strong security facet we always recommend implementing as a part of the cloud security strategy. MFA is an intermediary measure that can help stop unsolicited login attempts, especially from compromised accounts, by asking the user to provide a second form of authentication for accessing their accounts. Azure provides an array of user-friendly authentication methods such as:
One-time text or voice passwords
Software token OTPs
FIDO2 security keys (in preview).
According to Microsoft, corporate accounts are 99.9% less likely to get hacked with MFA enabled.
Conditional Access in Azure Active Directory
With SSO and MFA enabled, you reduce your company’s reliance on passwords and, subsequently, the risks of brute force breaches due to weak passwords.
3. Proactively Manage User Access
Having complete visibility into different user roles and permissions is essential to implementing proper security controls. Azure role-based access control (Azure RBAC) is an authorization service, designated for implementing granular access management of Azure resources. Consider implementing this service for all staff members. When it comes to line-of-business leaders, Azure AD Identity Governance is a service we recommend implementing. A comprehensive solution for managing roles, data, and resources access, Azure AD Identity Governance enables a single pane of glass view into all your employees’ activity and permissions for easy audit and monitoring without placing a strain on their productivity. Running in the background, the app allows you to perform the following tasks across all users, services, and applications, running on-premises, and in the cloud:
Govern the identity lifecycle
Govern access lifecycle
Secure privileged access for administration
Through one convenient interface, your security team can monitor which users have access to which resources and how they are using that access. Privileged Identity Management (PIM) is another facet of Azure identity protection worth leveraging to safeguard the most sensitive data within your company. The service lets you smartly manage access to certain resources and operations in Azure AD, Azure, Microsoft 365, and other SaaS apps. The role of this service is to act as a controller for providing just-in-time privileged access to restricted resources to LOBs who need it, along with monitoring that access usage and automatically terminating it. Some of the main PIM features include:
Provisioning of time-bound access to certain Azure AD and Azure resources;
Approval management for activating privileged roles;
Auto-MFA initiation for activating any role;
Convenient access reviews for managing roles access;
Quick history download for audits.
PIM is especially important for larger Azure instances as was the case with our client — Metinvest Group. As part of a large-scale digital transformation project, implemented together with Metinvest Digital and encompassing migration of two on-premises data centers (with 680 servers) and some 80,000+ business users.
Bonus tip: Azure Information Protection (AIP) is a handy cloud-based labelling service for discovering, classifying, and protecting various documents and business communication. It further extends the labelling functionality offered by Microsoft 365 and enables the support of additional file types, as well as protects File Explorer and PowerShell.
4. Actively Monitor Your Security State
After you are done with the initial setup, check your Azure AD identity secure score — a measure between 1 and 223, indicating how well your infrastructure complies with Microsoft’s security recommendations.
The dashboard shows how well you have coped with various tasks and lets you plan further implements by filtering them by cost and user impact.
As the next step of your Microsoft Azure information protection plan, enable identity risk monitoring using Azure AD Identity Protection. This ML-based tool helps you automate the detection and mitigation of common identity-based risks and capture relevant data around them for further investigation. By means of Microsoft Intelligent Security Graph, which analyzes over 6,5 trillion signals per day to identify suspicious behavior patterns, these findings are then translated into alerts and mitigation suggestions for Microsoft Identity Protection users.
Some of the common risks the tool can detect are as follows:
Common Risks to Detect with Azure AD Identity Protection
Finally, make sure that you are continuously auditing accesses provided to various SaaS apps so that no third-party product attempts to overstep the granted permissions.
5. Automate the Common Monitoring and Management Task
For larger enterprises, effective identity management and security automation is a solid way to realize further TCO savings from Azure Migration.
As already mentioned, Azure AD Identity Protection is a stellar service for automating risk monitoring and taking advantage of Microsoft’s state-of-the-art machine learning algorithms, powering threat detection within this tool. With the help of this service, you can set up automated threat responses to common attack vectors. For example:
Roll-out new user risk policies in real-time to remedy compromised accounts.
Implement SSO policies in real-time to stall suspicious sign-in attempts.
Also, to reduce the volume of menial work your IT service desk has to deal with you can integrate Microsoft Graph with Azure AD identity management and other services. This will help you to automate workflows such as:
Lastly, many common identity management workflows can also be automated with the Azure Automation service.