Azure AD Design Considerations

Time: 14 hours 28 minutes
Difficulty: Intermediate
CEU/CPE: 15
Video Transcription
Hello, Cybarians. Welcome to Lesson 1.9 of module 1 of this course titled AZ-301 Microsoft Azure Architects Design. Here are the objectives that I'll be covering in this lesson. We'll start by talking about Azure AD security. I will be highlighting some of the security best practices of Azure AD. We will then proceed to talk about Azure AD monitoring and reporting, where we'll be looking at the different options to monitor Azure AD and to gain insight from it. Finally, we'll talk about other design considerations like scalability, availability, and performance of Azure AD. Let's get into this.

Why do we talk about Azure AD security? One of the first places that I want to start is around the hardening of default configurations. We want to start by making sure that we view the default configuration of Azure AD, and we align it to our organization's policies. A good example of that should be the level of access that guest users from other Azure AD tenants have within your organization. For example, by default, a guest user can invite other guests into your tenant. Those are some of the access rights that you want to review and make sure that they are properly aligned with your organizational policies.

Next, we want to tightly control who has access to Azure AD. I'll be doing that with Azure AD role-based access control roles. There are certain built-in roles that we're all familiar with, things like global admin or just user account. Those are built-in roles that we can assign to our users. It's recommended not to have more than five global admins within an Azure AD tenant, otherwise, it can get a bit messy. We can also create custom-built roles now and assign those to our users.

The next best practice is to enable MFA for everyone. This is the principle of multi-factor authentication. According to Microsoft, about 95 percent of identity security vulnerabilities will go away with MFA enabled. It's also very important to note that simply enabling MFA just poses a different set of challenges to the bad people that are trying to exploit your organization. One of the things I want to highlight when it comes to MFA is that if you enable MFA for everyone, it doesn't necessarily mean that they'll be challenged for multi-factor authentication. There are still other factors that come in on whether the user will be challenged for MFA or not. Things like conditional access also come into play.

Next, we want to enable Azure AD conditional access. This is a feature of Azure AD that's only available for the Azure AD Premium P1 and Premium P2 editions. Particularly, you may want to enable conditional access for the Azure management layer. For example, we can access the Azure portal or maybe the API, so we can enable conditional access for that, and what that means is that we are taking into consideration, beyond user authentication, other factors like the network that they are accessing from, or things like the health of the endpoint that they are accessing with. Those are the things that we can take into consideration to determine whether a user gets access to an application or not.

The next best practice is to implement Azure AD Identity Protection. Identity Protection is all about whether the account has been compromised or if a sign-in attempt is suspicious. In other words, is it being used by someone else other than the designated user? Azure AD Identity Protection is a feature that's only available for the Premium P2 license edition of Azure AD, but it's one that you want to implement.

Next, I want to implement Privileged Identity Management, and this helps to mitigate the risk of excessive or unnecessary access rights for users. This helps us to be able to see which users are assigned privileged roles to manage Azure resources, and it enables us to be able to do things like just-in-time administrative access to Microsoft online services, or even to Azure resources within subscriptions, and even resource groups. It is a feature that's only available in Azure AD Premium P2, but it's one that we want to enable if we have that license edition.

Let's talk about Azure AD monitoring. When you're talking about Azure AD monitoring, Azure AD is a managed service, and that comes into play in terms of how we monitor it. For example, it's important for us to gain visibility into the monitoring that Microsoft are doing. What's the status of the Azure AD service? Because in some cases we jump in and we start troubleshooting sudden issues, only to find out that there's an existing issue that Microsoft are already dealing with in the back-end, and maybe that's what's causing the issue that you are seeing. The Azure Status Dashboard is one of those places that we can go to review the health of a service in Azure at a particular point in time. We can also view history from there. The other option is something called Azure Service Health. Think about it as your own personalized Azure status dashboard for your organization. You can configure that within the Azure portal, you can tie in alerting with that, and with your action groups also.

When we talk about Azure AD reports, Azure AD has a number of reports that help us to gain insight and understanding into activities that are occurring within the service. There are two main reports. The first one is the Azure AD activity report, and this is talking about things like audit logs, administrative events on the tenant, who created the service principal, for example. It also includes reports like sign-in reports. In other words, sign-in activity, who performed the task that's been reported by the audit log reports. The next report that's available in Azure AD is something called Azure AD Security Reports, and this is where we see some of the information that's been pulled in from Azure AD Identity Protection, so things like risky users or risky sign-ins. That information we can access in the report on the Azure AD security reports.

Let's talk about other design considerations of Azure AD. Let's start first by talking about scalability. There are certain limits of the Azure AD service. For example, a user can belong to a maximum of 500 Azure AD directories, and that can be as a member or as a guest user. That's the maximum. Also, a single user can create a maximum of 20 directories. I think I showed you in the demo where I created a directory; a single user can create up to 20 Azure AD directories.

When we talk about Azure AD availability, it's not mainly our responsibility as a Cloud customer, it's mainly Microsoft's responsibility as the Cloud provider of this managed service. But one of the useful things that it's good for us to know is that when we're talking about write operations to Azure AD, you create a new service principal, you modify the properties of an existing user. A write to the Azure AD service is durably committed to at least two data centers prior to it being acknowledged. What that means is any write operation in the background will be replicated to another data center, and only after that replication has completed successfully will an acknowledgment be sent back to the client that made the request. This happens transparently in the background. Also, there are multiple secondary replicas.

When we talk about Azure AD performance, the information that we talked about earlier on the availability regarding secondary replicas does come into play. For example, directory read requests for things like authentication requests are serviced from data centers that are close to customers, and that helps with the performance because we have all these secondary replicas that are spread across different data centers. Whenever a request comes in, using something similar to Traffic Manager, it's going to [inaudible] the request closest to the user that's making that request.