Manage Users and Access with Azure Active Directory

Video Activity
Time
3 hours 51 minutes
Difficulty
Beginner
CEU/CPE
4
Video Transcription
00:00

>> Now, let's see how we can manage users in Azure. Authentication and authorization are the fundamental concepts when discussing identity and access management. Let's take a look at what the differences between those are. Authentication is the process of establishing the identity of a person or application looking to gain access to a resource or data. In essence, it confirms that they are who they claim they are. Authentication is not new to the digital world either. The use of passports, driving licenses, or other identification methods are all examples of authentication in the offline world. Authentication is the basis for creating a security principal that can be used to access a resource. Authorization, on the other hand, is the process of establishing the level of access the principal has. It determines what data and resources they're allowed to access. For example, an employee can access their own payroll information while the accountant can access the payroll for the whole company. Authentication and authorization are often abbreviated as authN and authZ.

We've already had a brief discussion of Azure Active Directory, but let's take a deeper look into it. Azure Active Directory, or AAD, is a cloud-based identity service that you can use to synchronize your on-premises identities or to use with other enterprise services from Microsoft like Office 365 and Dynamics 365. This means that you can use the same identity across applications. AAD provides services like authentication, single sign-on, business-to-business and business-to-consumer identity management, application and device management.

The more identities a user has to manage, the greater the risk of credential-related security incidents. Different applications have different password policies, and with the growth of complexity, remembering those becomes hard. On the other hand, if a user leaves an organization, removing them from every application is a tedious task. With single sign-on, users need to remember only one password, which simplifies the security model. By using Azure Active Directory for SSO, you also have the ability to create an intelligent security graph that you can use to do a threat analysis and offer real-time identity protection for all your users.

Another technology that improves the protection of users' identities is multi-factor authentication, or MFA. MFA is also known as two-factor authentication, or TFA, because it requires two or more elements for full authentication. Those elements fall into the following categories: something you know, like a password or the answer to a security question; something you possess, like an authenticator app on your phone or a hardware security token; and something you are, like your fingerprint, iris, or your face. MFA increases the security of users' accounts because the probability a hacker has access to multiple of these factors is low. Azure AD has built-in capabilities for multi-factor authentication and can integrate with external MFA providers. The functionality is free of charge for users who are designated global administrators in Azure AD because those are highly sensitive accounts. Other user accounts can have MFA enabled after purchasing a license.

Azure Active Directory also allows you to create service identities. Service identities are kept in Azure and eliminate the need to store those in configuration files, thus reducing the exposure of the credentials. AAD has two ways to handle service identities. The first one is the use of a service principal. To understand what a service principal is, let's look at the difference between identity and principal. An identity is something that can be authenticated. This can be a user who has a username and password, but it can also be an application or service that can authenticate with certificates and keys. A principal is an identity that has certain claims and roles assigned to it. A service principal is a service identity that can be assigned roles. The creation of a service principal requires configuration steps that make this a tedious process. You need to create the principal, configure the server or the application to use it, then you have to maintain the principal throughout the application lifecycle. The use of managed service identities is much easier because all the work of creation, configuration, and maintenance is done by Azure. The infrastructure is responsible for establishing the identity and authenticating with the service. Within your application, you can use this identity as any other Azure AD user identity. Note that not all Azure services support managed service identity as of now, but the list is constantly growing.

We've mentioned the roles in the previous slide, but what are they really useful for? Roles are a set of granular permissions to resources and data that can be assigned to users. Azure has built-in roles like reader, contributor, or global administrator, but you can create custom ones if none of the built-in ones satisfies your need. Identities are mapped to roles either directly or through a group membership. Roles can be granted at the individual resource level, but they can also flow down the Azure hierarchy. A role assigned at a higher level in the Azure hierarchy is also considered in effect at the lower levels. Azure doesn't only give you the tools to manage the role-based access for your users, but also a tool to monitor and audit the role members. Azure Privileged Identity Management completes the set of tools you need to achieve a high level of regulatory compliance for your workloads in Azure. Azure Privileged Identity Management is a paid offering to customers who purchase Azure AD Premium P2 or Enterprise Mobility and Security E5 or Microsoft 365 M5.

In our next video, we'll see how you can leverage encryption in Azure to protect your data.