2.17 Managing Azure Active Directory

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

18 hours 58 minutes
Video Transcription
Welcome back. In this episode, we're gonna dive into a little bit talking about how to manage our azure active directory by adding some additional features,
got quite a few learning objectives. This time around, we're gonna talk about identity protection, self service, password reset, conditional access, access reviews and multiple directories.
Now that we have a good handle on getting identities into our azure active directory and how to do some about dedication, let's talk about some additional features we can add. On top of it,
first feature I want to discuss is identity protection. This feature allows you to configure automated responses to suspicious actions as they relate to your user identities. What Mark Soft does is use machine learning to detect irregularities and user sign in and activities to make determinations if a user account has been compromised or not.
This data is built on the billions of Loggins performed against their cloud today, including consumer identities.
As this is a premium feature for Azure Active directory. It does require additional licenses to beep arches. This feature can be found in the azure, a de premium P to license or the enterprise mobility and security, or E M S E five license
with identity protection. We have a couple of different policies that we configure.
The first is M F A registration. This policy is meant to help with the rollout of multi factor authentication, or M f. A. You would use this in conjunction with a conditional access policy to require him if a registration for any modern authentication, Appy and used
FAA provides a second layer of security for user's Sinan beyond a user name and password,
the policy itself has very few options to configure. First, you assigned what users this policy will apply to, and then you select the control option to require MM registration. It's pretty much that simple.
Our next policy is the user risk policy. The user risk policy is meant to identify whether or not a user account has been compromised again. You can use this in conjunction with a conditional access policy. Automatically respond to different user risk levels
as your 80 analyzes each signing of a user account and uses this data to detect if any future actions are suspicious.
The user risk policy has few options to configure as well. Again, you select the users to apply the policy to things like the conditions to apply. Our conditions here include if the user Rhys level is low, medium or high.
Next is the control option where you allow or block access to the resource.
There is an additional option here where you could allow access but forced the user to change their password so you could have a policy that when the user risk is high, access is blocked to a nap or if it's just a medium risk, you could still allow access but require them to change their password first.
The last policy is the sign in risk policy.
This is similar to the user risk policy and that each signing of the user is analyzed to detect suspicious activity that comes with user sign ins. This could be anything like coming from an anonymous I P address or signing in from an unfamiliar location. The options for this policy are simple and similar to our other policies.
We signed the users to apply this to and then select the condition or sign in risk level again
low, medium or high,
and we can also allow our block access. Here we have a different option of requiring M F A.
This means you could still allow access to the resource but require the user to complete an M F A challenge first, which will hopefully reduce the risky sign in to the real user logging in
next. Let's talk about self service. Password reset, and this one is exactly like it sounds. It allows users to reset their own password without an administrator or maybe even the help desk intervening.
We have three options to include for self service. Password reset.
The first is password change. This is where you already know your password, but you want to change it to something new.
The next is password reset. This is where you can't sign in, and you want to reset your password using one arm or approved authentication methods.
Finally, we have account Unlock, which is where you can't sign in because your account is locked out and you want to unlock it. Improve who you are by using one arm or approved authentication methods
again. Like some of our other features, this is a premium option and requires an azure 80 premium P one license to activate
Looking at self service password reset inside of our azure active directory resource. In our azure portal, we have a couple of different options we can configure. Here. First is properties where you can enable the service for everyone or just selected groups inside of your environment.
Next, we have registration, which is requiring the users to register their self service password reset options when they sign in. You can also force them to reconfirm their authentication method information every certain number of days.
Finally, we have those approved authentication methods we mentioned earlier. You can require one or two of these, and these include a mobile app notification like to the Microsoft Authentication app, a mobile APP code email, mobile phone, which is just a text message or security questions.
What is conditional Access
conditional access policies allow controlling access to resource is based on user conditions. You can implement automated decision making for access and cloud applications based on different conditions presented from the user. Some of these conditions might include the group. A user is a member of the cloud application being accessed
what kind of device they're using, or even the location or I p address where the user is currently trying to log in from.
This is also where you can combine conditional access policies with the identity protection policies we learned about earlier in this episode, such as the user or Sinan policies.
The common structure of a conditional access policy is when this action happens, then do this other action.
Conditional access is applied on Lee after the first authentication is completed. Typically user name and password.
I think you'll find the most common scenario is using network location of the user.
You can do things like not requiring m f A O when the user is on the corporate network. But as soon as they leave your internal perimeter, you can require an M F A challenge before they're allowed to access Claude. Resource is
you can also completely block access attempts from location, say foreign countries, where you know your users will never attempt a log in. From
and again, this feature does require additional licensing and can be found in the azure 80 premium P one license.
Creating a conditional access policy has lots of options to it. So let's jump out to the editor portal and take a look
and our every portal I've already gone to the conditional access service
here, we can take a look at creating a policy by clicking on new policy.
Let's take a look at all the options we have when creating conditional access policies.
First, we have an assignment option.
We can select which users or groups we want to include, and we can even exclude certain groups like guest and external users.
Next, we can apply our policy to cloud ABS or actions
here. If we select on select APS, we can go through and see the apse that are available that we can apply this conditional access policy, too.
Such a CZ office 3 65 service is like exchange online, SharePoint or Skype for business.
Next, we can look at our conditions
here. We have sign and risk, which we've looked at previously, such as low, medium, high or no risk sign ins.
We can also base our policy based on the device platform.
We could apply this to specific mobile devices like Android or IOS
next week and configure locations for our policy.
Our locations can include any location or trusted locations that we have to find.
We can also look at client APS such as if it's a browser or a mobile or desktop client.
And finally, our last condition is defy state.
We can look at device states determined by into management,
and we can also exclude our hybrid azure Adie joined or exclude devices marked as compliant.
After we have to find our condition, we can define our access controls.
We can grant or block access and in addition to granting access if we feel it's a risky sign in or if it's outside our trusted network, we could do something like require M F A or require that advice to be mark compliant by in tune.
Finally, we can take a look at the device session
where we can limit the experience within the cloud app based on the conditions we define previously.
Now, during the creation of the policy I mentioned trusted in named locations,
we can define those here under managed name locations, and when we create a new location,
we can give it a name and define the location based on I p address ranges or countries or regions
that does it right now for conditional access. Let's jump back to the slides and look at our next features.
Next, let's talk about access reviews, access for views, allow, managing group membership and roll assignments.
And really, this gives power to users as they can self service their own groups and determine who should and should not be allowed in. Groups that they manage as access reviews are a premium feature. It does require the azure 80 premium P two licensed activate.
Let's take a look at some screen shots on how to configure this.
First, you'll need to give the review and name and a start date and what frequency, perhaps daily, monthly or quarterly or yearly,
and you can define the duration and days of when the access review needs to be completed. You can also said, inundate if you don't need to review access to the group anymore.
Next you define what is being reviewed. Here is gonna be the members of a group, and you can set a scope. For example. You may not care about internal people being in a group, but you want to review the guest users in a group to make sure there's no one external that needs to be there anymore.
Finally, you define the group and who the reviewers should be for the excess review.
Finally, for our last topic, let's talk about multiple directories when we've been talking about azure Active directory. So far we've just been talking about a single tenant or directory with a set of users. And resource is. But now let's talk about the concept of having multiple azure active directories inside of Azure. You can have multiple tenants to host. Different resource is and users.
Each azure 80 tenant or directory is completely independent of each other,
unlike what you might find in your on premises. Active directory. There is no parent child relationship between the tenants. This allows for having independence between the tenets. For example, you can have a resource is in different tenants, and applying in action to resource in one tenet would not affect a resource in another tenant.
You can also split out administration. You could have a production tenant and a deaf tenant
and have the ability to split out administrative permissions between the two. Finally, you can also configure separate azure 80 tenants to receive synchronize data from Azure 80 connect. You could take users and resource is from a single on premises. Forest and sink them to separate tenants.
Or you can synchronize data for multiple on premises forest and to multiple azure 80 tenants.
Creating another directory is just like creating the resource inside the azure portal you would select, create a resource search for azure active directory and click on create. When you go to create a directory, you're going to give the organization of name here. I've named another one a Z 300 tech test,
and you'll give it the initial domain name. As mentioned previously, every tenant will have a dot on Microsoft dot com Initial domain name. Finally select your country region for it to be located in Once that's created
inside the Azure active directory, you can select Switch Directory
and over here on the right, you see, we now have multiple directories are default Directory is the 1st 1 created, but we now have a second directory called Test, where we could deploy Test Resource is and separate administration for our environment
that does it for talking about some additional features we can use to manage azure active directory. So let's follow it up with a quick post assessment question.
What licenses are available toe add premium features Toe Azure Active directory.
We have three answers here.
Azure active directory, P one p two and then the enterprise Mobility and security license. I would definitely remember thes three different licenses and what features you get with each one for the azure exam,
then does it for talking about azure active directory and identities. In our next episode, we're gonna talk about how we can monitor Azure and take a look at our cost and billing with an introduction to Azure Monitor. See you in the next episode.
Up Next