Unitfly_logo_color

Extend and Protect Your Identity with Azure

In the past, companies relied on the network security controls to create a perimeter around the corporate data and resources which were, on the larger part, located on-premises. Employees were accessing these resources mostly when they were located physically on company’s premises. Or while using tightly controlled remote access capabilities like VPN. With the defense zone created around the resources, IT could protect them from the outside and at the same time enable employees to do their work while being able to control, monitor and audit every access. Here’s how you can protect your identities with Azure.

Traditional network perimeter controls are not sufficient anymore

Today, the way employees work and how companies are collaborating with the partners has changed. Company’s data is now located not just on-premises but also in cloud, using many of the available Software-as-a-Service (SaaS) providers (for example Office 365). Employees are using number of devices (desktops, laptops, tablets, and smartphones) and device types (corporate-owned devices, Bring Your Own Devices – BYOD, personal devices used at home). In these scenarios, traditional network perimeter controls are not sufficient anymore.

Identity as a new perimeter

Identity can follow employees no matter which device they are using. Identity tells us where they are located when accessing company’s data and at what time of the day. IT still wants to have control, but at the same time enable employees to be productive in a way that best suites them. For example, if an employee wants to edit the tomorrow’s presentation slides from home on their personal tablet, she/he should be able to do so. IT on the other side wants to make sure that device employee is using is compliant with the company’s policy. Based on the accessed data classification, we can even define conditions that will allow (or not allow) the access. For example, data classified as Confidential can be accessed only from company-owned devices, but data classified as Public can be accessed from any device, implying that employee’s identity was linked to that device.

Companies are already providing identities for their employees and have made significant investment in the on-premises identity and access management (IAM) systems but now they need to extend these identities to the cloud.

Microsoft as a one of the leading cloud providers and with the large base of enterprise Active Directory installations across the world provides solutions for the challenges mentioned above, challenges that many companies have today.

In this post we’ll talk about:

  • Azure Active Directory
  • Azure Multi-factor Authentication
  • Azure AD Identity Protection
  • Azure AD Privileged Identity Management
  • Conditional access

Azure Active Directory

Azure Active Directory (Azure AD) is multi-tenant directory, identity, and access management system, developed for the cloud. All Microsoft’s cloud offerings (Office 365 or Dynamics CRM Online) are using Azure AD but there are also many 3rd party SaaS solutions (like Salesforce, Dropbox, Workday or Concur) that also rely on Azure AD. With Azure AD, IT professionals can easily give employees and business partners access to any of such applications.

Developers can concentrate on how to solve business challenges and build applications that will empower the users, without spending too much time on integration with Azure AD. That is because Microsoft provides Azure AD authentication libraries for many application platforms. Once application is integrated with Azure AD, it can be accessed by company’s employees, business partners or if that is desired, to anyone who has Azure AD account.

Azure AD has many capabilities:

  • integration with on-premises Active Directory
  • multi-factor authentication
  • device registration
  • self-service password management
  • self-service group management
  • privileged account management
  • role based access control
  • application usage monitoring
  • auditing, security monitoring and alerting

For companies that have existing Active Directory installation, Azure AD allows easy integration using free tool Azure AD Connect. Once on-premises identities are synchronized to Azure AD, employees can access any of the Microsoft’s, 3rd party SaaS or you company’s custom applications that live in cloud. Also, Azure AD capabilities are available to such (synchronized) identities, e.g., they have full self-service password management through the cloud, or they can use multi-factor authentication even when accessing some of the on-premises resources.

Azure Multi-factor Authentication

Azure Multi-factor Authentication is Microsoft’s two-step verification solution offered as a cloud service. Two-step verification means that user must go through more than one verification method when signing-in.

It works by requiring any two or more of the following methods:

  • Something you know (for example a password)
  • Something you have (device like a smartphone or a hardware token)
  • Something you are (e.g., biometrics)

When employee is enabled for multi-factor authentication signing-in to any application protected by Azure AD (e.g., Office 365) is not possible any more with just a password. If company has internal applications protected by Active Directory Federation Services (AD FS), Azure Multi-factor Authentication can also be used as a two-step verification for that local AD FS instance. Azure Multi-factor Authentication can protect IIS web applications, VPN access, Remote Desktop access and other remote access applications that use RADIUS or LDAP authentication.

Tip: Microsoft is offering free Azure Multi-factor Authentication for Azure AD administrators (accounts that are members of Global administrator role in Azure AD) and for Office 365 as part of the Office 365 subscription.

Azure AD Identity Protection

Today, majority of successful cyber-attacks rely on compromised credentials. Attackers are becoming more and more effective in launching intelligent phishing attacks and using external breaches to obtain employee’s credentials. Once credentials are compromised, attacker can gain access to any resource available to the employee and then use lateral movement to escalate their privileges.

With Azure AD Identity Protection you can:

  • Detect vulnerabilities that could affect company’s identities
  • Investigate incidents and take appropriate action to resolve
  • Enable automated response actions to any detected suspicious event with the use of company’s identities

Azure AD Identity Protection uses machine learning and behavioral analysis under the hood, allowing it to be very effective in detecting suspicious events. For each such event, corresponding risk event is created. Some risk events are detected in real-time. But for others, Azure AD Identity Protection engine detects them offline and then alerts the administrator.

You start by creating risk-based policies and through the policy configure how to respond to suspicious event based on the level of risk.

Detected risk events are:

  • Users with leaked credentials
  • Sign-ins from anonymous IP addresses
  • Impossible travel to atypical locations
  • Sign-ins from infected devices
  • Sign-ins from IP addresses with suspicious activity
  • Sign-ins from unfamiliar locations

There are two types of policies: User risk policy and Sign-in risk policy.

User risk policy evaluates all active risks events for specific user, creates risk level and then applies mitigation steps, depending how access controls and conditions on the policy are set. For example, level of created risk is a condition and can be Low, Medium, or High. Access controls could then, based on the risk level value, either block the user from signing-in or allow it, but require multi-factor authentication or a password change.

Sign-in policy evaluates user’s sign-ins in a real-time and offline and similarly to user risk policy, applies mitigation steps, again depending on risk level and its value, and configured access controls which are same for both policy types.

We can also review users flagged for risk, detected Risk events and Vulnerabilities.

Azure AD Identity Protection is a part of the Azure AD Premium P2 edition, it can be obtained by purchasing Azure AD Premium P2 or as part of Enterprise Mobility + Security E5 edition.

Azure AD Privileged Identity Management

Azure AD Privileged Identity Management allows companies to have better control over how privileged accounts are utilized. In any environment, use of privileged accounts should be minimized – number of such accounts should be minimal and most of such accounts should be activated only when there is a business need and deactivated immediately after that (Just-In-Time access).

With Privileged Identity Management, employees who need a temporary access to a privileged role are assigned to a role of Eligible administrator. They need to sign-in to Azure Portal and complete an activation for their account. Once activation is completed, they will have necessary privileges. They can then use their privileged role until activation for that role expires. How long privileged role can be used before expiration is configurable.

Before user can activate their privileged role, it could require approval of one or more administrators. Administrators need to approve the activation unless approved user will not be able to use their privileged role.

Currently, with Azure AD Privileged Identity Management, we can use any of the available Azure AD directory roles (like Global Administrator or Password Administrators) but we can also allow temporary privileged access to Azure resources (like resource groups, virtual machines, App Service Web Apps, Azure SQL databases, etc.).

Same as Identity Protection, Azure AD Privileged Identity Management is a part of the Azure AD Premium P2 edition, it can be obtained by purchasing Azure AD Premium P2 or as part of Enterprise Mobility + Security E5 edition.

Azure AD Conditional Access

As we’ve mentioned before, employees today want to be productive on any device, any location and at any time of the day. IT has to allow this and at the same time appropriately protect company’s data and resources. We need to ensure that only the right people under the right conditions have access, and if that’s not the case we need to block the access or require additional requirements (like multi-step verification).

With Azure AD Conditional Access, we have ability to enforce controlled access to cloud applications based on the multiple conditions by configuring policies. Using policies simplifies the configuration and we have the ability to configure multiple policies, for specific groups of users, specific set of applications or for specific set of conditions are access controls.

Azure AD Conditional Access policy is comprised of assignments and access controls. Within the assignment we define users and groups in scope of the policy, cloud applications protected by the policy and conditions.

Conditions are based on a sign-in risk (likelihood that the sign-in is coming from someone other than that employee), device platform (Android, iOS, Windows phone, Windows or macOS), user’s location and client app employee is using (browser, native mobile apps, or desktop clients).

With Access controls we can either block or grant the access and require multi-factor authentication, require device to be marked as compliant, require domain joined (Hybrid Azure AD) device or require approved client app. For example, we could configure policy so that it applies only to employees who are members of Remote Sales group and when they access Office 365 and Salesforce from untrusted network location and from Android or iOS device. If these conditions are fulfilled, then we require multi-factor authentication or we require device to be marked as compliant (managed by Intune) before employee is allowed access.

Summary

As we can see, Azure provides many ways to extend identities to the cloud, enables employees to securely access both cloud and on-premises applications and provides IT with the level of control they need, and with capability to appropriately monitor and audit access to company’s data.

Free Azure MFA for Global Administrators [Step-By-Step Guide]

Using any kind of administrative account without multi-factor authentication (MFA) today presents high level of risk. If you have accounts that belong to Global administrator role in Azure Active Directory you can easily enable Azure MFA for free. Let take it step by step.

With today’s sophisticated attacks on your credentials (like phishing attacks) using just password it not secure enough, especially if we know that many people use simple passwords, or they are re-using same password for different services, even for administrative accounts.

If you have accounts that belong to Global administrator role in Azure Active Directory you can enable Azure multi-factor authentication for free (but only if account is Work or School account (i.e. Azure AD account like john.smith@mycompany.onmicrosoft.com). At the moment it cannot be enabled for Microsoft Accounts (MSA, accounts with @hotmail or @outlook domain).

To get a list of all Global administrators in the Azure AD tenant you can use following PowerShell commandlets:

Connect-AzureAD
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser

These commandlets are part of Azure AD V2 PowerShell. Azure AD role with display name “Company Administrator” is basically Global administrator. Output of Get-AzureADDirectoryRoleMember will give us a list of all Global administrator users:

To enable Azure MFA for an administrative account open the Azure Portal (https://portal.azure.com), open the Azure AD tile, click Users and Groups, All Users and then Multi-Factor Authentication:

Microsoft Azure administrative account display

New tab will open in the browser, here we can see all users from our Azure AD tenant. Select a Global administrator account you want MFA enabled and click Enable:

Microsoft Azure multi-factor authentication

Confirm by clicking Enable Multi-Factor Auth and Close.

We are back on the user’s list, we can see that for our Global administrator account Multi-factor auth status is now Enabled:

First time you (administrative user) log into Azure Portal you will be asked to complete additional security verification, to proceed click on Set it up now:

Microsoft Azure sign in display

You can choose between different additional security verification methods:

  • Call or text to mobile phone
  • Call to the office phone
  • Using mobile application (Microsoft Authenticator) to receive notification for verification or generate a verification code

In this post we’ll show how to configure additional security verification methods using mobile app.

Under How should we contact you? choose Mobile app and click Set up:

Azure MFA will generate QR code that you need to scan with Microsoft Authenticator app installed on the mobile phone. Scanning the QR code will configure the app, click Next after that.

We’ll return back to Additional security verification page which will say that mobile app has been configured:

Select Receive notification for verification or Use verification code and click Next. Azure MFA can either send a notification message to the mobile phone or Microsoft Authenticator app will generate a one-time code that must be entered on Additional security verification page. In our example we have chosen notification message:

Once previous step is completed Azure MFA will ask you for mobile phone number in case you lose access to mobile app:

In the last step Azure MFA will generate app password. App password is not used in this scenario, Global administrator is accessing Azure Portal or Azure PowerShell so it’s not relevant for us:

Next time our Global administrator user logs to Azure Portal she will be asked to complete multi-factor authentication using the method configured in the previous steps:

If we now open list of our users we’ll see Multi-factor auth status for administrative user now says Enforced:

And that’s it, you’re all set up!

Related resource: Extend and Protect Your Identities with Azure

BESPLATNI WEBINAR

Zašto digitalno poslovanje više nije dovoljno?

Otkrijte kako postići maksimalnu produktivnost zaposlenika i povećanje profitabilnosti kompanije.