Azure AD Infrastructure


1. What is Azure Active Directory?

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service, which helps employees sign in and access resources in:

- External resources, such as Microsoft Office 365, the Azure Portal and thousands of other SaaS applications.
- Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

2. What are Azure AD licenses?

Microsoft Online business services, such as Office 365 or Microsoft Azure, require Azure AD for sign-in and to help with identity protection. If you subscribe to any Microsoft Online business service, you automatically get Azure AD with access to all the free features. To enhance your Azure AD implementation, you can also add paid capabilities by upgrading to Azure Active Directory Premium P1 or Premium P2 licenses. Azure AD paid licenses are built on top of your existing free directory, providing self-service, enhanced monitoring, security reporting and secure access for your mobile users.



3. What are the features of each Azure AD license?

- Azure Active Directory Free: Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Office 365 and many popular SaaS apps.
- Azure Active Directory Premium P1: In addition to the Free features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite) and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
- Azure Active Directory Premium P2: In addition to the Free and P1 features, P2 also offers Azure Active Directory Identity Protection, to help provide risk-based Conditional Access to your apps and critical company data, and Privileged Identity Management, to help discover, restrict and monitor administrators and their access to resources and to provide just-in-time access when needed.
- "Pay as you go" feature licenses: You can also get additional feature licenses, such as Azure Active Directory Business-to-Customer (B2C). B2C can help you provide identity and access management solutions for your customer-facing apps.



4. What are the Azure AD pricing details?

Azure Active Directory comes in four editions: Free, Office 365 apps edition, Premium P1, and Premium P2. The Free edition is included with an Azure subscription. The Premium editions are available through a Microsoft Enterprise Agreement, the Open Volume License Program, and the Cloud Solution Providers program. Azure and Office 365 subscribers can also buy Azure Active Directory Premium P1 and P2 online.

- Premium P1: Designed to empower organizations with more demanding identity and access management needs, Azure Active Directory Premium P1 adds feature-rich, enterprise-level identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud capabilities. This edition includes everything you need for information workers and identity administrators in hybrid environments across application access, self-service identity and access management (IAM), and security in the cloud. Price details: Enterprise Agreement: contact your Enterprise Agreement representative; Online: $6 per user / per month.
- Premium P2: Azure Active Directory Premium P2 includes every feature of all other Azure Active Directory editions, enhanced with advanced identity protection and privileged identity management capabilities. Price details: Enterprise Agreement: contact your Enterprise Agreement representative; Online: $9 per user / per month.



5. What are the features of the Azure AD editions?

The editions compared are Free, Office 365 apps, Premium P1 and Premium P2. (The per-edition check marks of the original comparison table are not reproduced; features are grouped under the table's own section headings, and the cells that carry text are shown.)

Core Identity and Access Management
- Directory Objects: Free: 500,000 object limit; Office 365, Premium P1 and Premium P2: no object limit
- Single Sign-On (SSO): Free and Office 365: up to 10 apps; Premium P1 and Premium P2: unlimited
- User Provisioning
- Federated Authentication (AD FS or 3rd party)
- User and Group Management (add/update/delete)
- Device Registration
- Cloud Authentication (Pass-Through Authentication, Password Hash Sync, Seamless SSO)
- Azure AD Connect Sync (on-premises)
- Self-Service Password Change for cloud users
- Azure AD Join: desktop SSO and administrator BitLocker recovery
- Password Protection (global banned password list)
- Multi-factor Authentication for administrators
- Basic security and usage reports
- Business-to-Business Collaboration: Azure AD features for guest users

Identity & Access Management for Office 365
- Company branding
- MFA (phone and SMS)
- Group access management
- Self-Service Password Reset for cloud users
- Service Level Agreement (SLA)
- Device write-back (two-way synchronization of device objects between on-premises directories and Azure AD)

Premium Features
- Password Protection (custom banned password list)
- Password Protection for Windows Server Active Directory (global and custom banned password lists)
- Self-service password reset/change/unlock with on-premises write-back
- Microsoft Cloud App Discovery
- Azure AD Join: MDM auto-enrolment and local admin policy customization
- Azure AD Join: self-service BitLocker recovery, Enterprise State Roaming
- Advanced security and usage reports

Hybrid Identities
- Application Proxy
- Microsoft Identity Manager user CAL
- Connect Health

Advanced Group Access Management
- Dynamic Groups
- Group creation permission delegation
- Group naming policy
- Group expiration
- Usage guidelines
- Default classification

Conditional Access
- Conditional Access based on group, location and device status
- SharePoint limited access
- Terms of Use (set up terms of use for specific access)
- Microsoft Cloud App Security integration
- 3rd party MFA partner integration
- 3rd party identity governance partner integration

Identity Protection
- Vulnerabilities and risky accounts detection
- Risk events investigation
- Risk-based Conditional Access policies

Identity Governance
- Privileged Identity Management (PIM)
- Access Reviews
- Entitlement Management

Price
- Free: free
- Office 365 apps: included with Office 365
- Premium P1: $6 per user / per month
- Premium P2: $9 per user / per month

6. Which feature areas does Azure AD provide?

- Application Management
- Authentication
- Business-to-Business (B2B)
- Business-to-Customer (B2C)
- Conditional Access
- Azure Active Directory for Developers
- Device Management
- Domain Services
- Enterprise Users
- Hybrid Identity
- Identity Governance
- Identity Protection
- Managed identities for Azure resources
- Privileged Identity Management (PIM)
- Reports and monitoring



7. What is Application Management in Azure AD?

Azure Active Directory (Azure AD) simplifies the way you manage your applications by providing a single identity system for your cloud and on-premises apps. You can add your software as a service (SaaS) applications, on-premises applications, and line of business (LOB) apps to Azure AD. Users then sign in once to securely and seamlessly access these applications, along with Office 365 and other business applications from Microsoft. You can reduce administrative costs by automating user provisioning. You can also use multi-factor authentication and Conditional Access policies to provide secure application access.

8. Why manage applications with a cloud solution?

Organizations often have hundreds of applications that users depend on to get their work done. Users access these applications from many devices and locations. New applications are added, developed, and sunset every day. With so many applications and access points, it's more critical than ever to use a cloud-based solution to manage user access to all applications.

9. What types of applications can I integrate with Azure AD?

There are four main types of applications that you can add to your Enterprise applications and manage with Azure AD:

- Azure AD Gallery applications: Azure AD has a gallery that contains thousands of applications that have been pre-integrated for single sign-on with Azure AD. Some of the applications your organization uses are probably in the gallery. Learn about planning your app integration, or get detailed integration steps for individual apps in the SaaS application tutorials.
- On-premises applications with Application Proxy: With Azure AD Application Proxy, you can integrate your on-premises web apps with Azure AD to support single sign-on. End users can then access your on-premises web apps in the same way they access Office 365 and other SaaS apps. Learn why to use Application Proxy and how it works.
- Custom-developed applications: When building your own line-of-business applications, you can integrate them with Azure AD to support single sign-on. By registering your application with Azure AD, you have control over the authentication policy for the application. For more information, see the guidance for developers.
- Non-Gallery applications: Bring your own applications! Support single sign-on for other apps by adding them to Azure AD. You can integrate any web link you want, or any application that renders a username and password field, supports the SAML or OpenID Connect protocols, or supports SCIM. For more information, see Configure single sign-on for non-gallery apps.



10. What is Authentication in Azure AD?

Authentication is the act of challenging a party for legitimate credentials, providing the basis for creation of a security principal to be used for identity and access control. In simpler terms, it's the process of proving you are who you say you are. Authentication is sometimes shortened to AuthN.

Authorization is the act of granting an authenticated security principal permission to do something. It specifies what data you're allowed to access and what you can do with it. Authorization is sometimes shortened to AuthZ.

11. What is Business-to-Business (B2B) in Azure AD?

Azure Active Directory (Azure AD) business-to-business (B2B) collaboration lets you securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources. Developers can use the Azure AD business-to-business APIs to customize the invitation process or write applications like self-service sign-up portals.

12. What is Business-to-Customer (B2C) in Azure AD?

Azure Active Directory B2C (Azure AD B2C) is an identity management service that enables custom control of how your customers sign up, sign in, and manage their profiles when using your iOS, Android, .NET, single-page (SPA), and other applications. Azure AD B2C is a customer identity access management (CIAM) solution capable of supporting millions of users and billions of authentications per day. It takes care of the scaling and safety of the authentication platform, monitoring and automatically handling threats like denial-of-service, password spray, or brute force attacks. Azure AD B2C is a white-label authentication solution. You can customize the entire user experience with your brand so that it blends seamlessly with your web and mobile applications. Customize every page displayed by Azure AD B2C when your users sign up, sign in, and modify their profile information. Customize the HTML, CSS, and JavaScript in your user journeys so that the Azure AD B2C experience looks and feels like a native part of your application.

13. What protocols are used by Azure AD B2C?

Azure AD B2C uses standards-based authentication protocols including OpenID Connect, OAuth 2.0, and SAML. It integrates with most modern applications and commercial off-the-shelf software. By serving as the central authentication authority for your web applications, mobile apps, and APIs, Azure AD B2C enables you to build a single sign-on (SSO) solution for them all. Centralize the collection of user profile and preference information, and capture detailed analytics about sign-in behaviour and sign-up conversion.



14. What is Conditional Access in Azure AD?

The modern security perimeter now extends beyond an organization's network to include user and device identity. Organizations can utilize these identity signals as part of their access control decisions.

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and to enforce organizational policies. Conditional Access is at the heart of the new identity-driven control plane. Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. Example: a payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it.

Administrators are faced with two primary goals:

- Empower users to be productive wherever and whenever
- Protect the organization's assets

By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure and stay out of your users' way when not needed. Conditional Access policies are enforced after the first-factor authentication has been completed. Conditional Access is not intended as an organization's first line of defence for scenarios like denial-of-service (DoS) attacks, but can use signals from these events to determine access.
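The if-then evaluation described above, as an added example that is not part of the original page and not Azure AD's implementation: a small Python model of Conditional Access policies, each with conditions (group, app, location) and grant controls, evaluated only once the first factor has succeeded, with a blocking outcome taking precedence over any grant control. The policy names, the group and app labels, the `SignIn` and `Policy` types and the decision strings are constructed for this example; real Conditional Access policies are configured in the Azure portal or through the Microsoft Graph API, not written in code like this.

```python
from dataclasses import dataclass

# Constructed example types; Azure AD's real policy objects are richer.
@dataclass(frozen=True)
class SignIn:
    """Signals Azure AD has about one sign-in attempt."""
    user: str
    groups: frozenset
    app: str
    location: str          # constructed labels: "corp-network" or "untrusted"
    device_compliant: bool
    first_factor_ok: bool  # the password (first factor) was already verified

@dataclass(frozen=True)
class Policy:
    """One if-then rule: if every non-empty condition matches, the controls apply.
    An empty condition set means 'any value'."""
    name: str
    groups: frozenset = frozenset()
    apps: frozenset = frozenset()
    locations: frozenset = frozenset()
    controls: frozenset = frozenset()   # "mfa", "compliant_device", "block"

    def applies_to(self, s: SignIn) -> bool:
        return ((not self.groups or bool(self.groups & s.groups))
                and (not self.apps or s.app in self.apps)
                and (not self.locations or s.location in self.locations))

def evaluate(policies, s: SignIn):
    """Return (decision, names of the policies that applied).

    Mirrors the page: policies are consulted only after the first factor
    succeeded, and a blocking outcome wins over grant controls."""
    if not s.first_factor_ok:
        return "denied", ()            # no policy is evaluated at all
    applied = [p for p in policies if p.applies_to(s)]
    names = tuple(sorted(p.name for p in applied))
    required = frozenset().union(*(p.controls for p in applied))
    if "block" in required:
        return "blocked", names
    if "compliant_device" in required and not s.device_compliant:
        return "blocked", names        # required control cannot be satisfied
    if "mfa" in required:
        return "require_mfa", names    # user must complete MFA to proceed
    return "granted", names

# Constructed policy set for the example
POLICIES = (
    Policy("Payroll app requires MFA",
           groups=frozenset({"payroll-managers"}),
           apps=frozenset({"payroll"}),
           controls=frozenset({"mfa"})),
    Policy("Untrusted locations require a compliant device",
           locations=frozenset({"untrusted"}),
           controls=frozenset({"compliant_device"})),
    Policy("Block offboarded accounts",
           groups=frozenset({"offboarded"}),
           controls=frozenset({"block"})),
)

def demo():
    """Five constructed sign-ins evaluated against POLICIES."""
    payroll_mgr = frozenset({"payroll-managers", "staff"})
    cases = {
        "manager_in_office": SignIn("alice", payroll_mgr, "payroll", "corp-network", True, True),
        "manager_bad_password": SignIn("alice", payroll_mgr, "payroll", "corp-network", True, False),
        "manager_unmanaged_device_remote": SignIn("alice", payroll_mgr, "payroll", "untrusted", False, True),
        "staff_mail": SignIn("bob", frozenset({"staff"}), "mail", "corp-network", True, True),
        "offboarded": SignIn("carol", frozenset({"offboarded"}), "mail", "corp-network", True, True),
    }
    return {name: evaluate(POLICIES, signin) for name, signin in cases.items()}

if __name__ == "__main__":
    for name, (decision, applied) in demo().items():
        print(f"{name}: {decision} {list(applied)}")
```

The "manager_bad_password" case is the point the page makes about ordering: with the first factor failed, no policy is consulted, so a policy cannot be used as a substitute for credential checks or as a DoS shield.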



15. What is Azure Active Directory for Developers? Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) developer platform. It allows developers to build applications that sign in all Microsoft identities and get tokens to call Microsoft APIs such as Microsoft Graph or APIs that developers have built. It’s a full-featured platform that consists of an OAuth 2.0 and OpenID Connect standard-compliant authentication service, open-source libraries, application registration and configuration, robust conceptual and reference documentation, quickstart samples, code samples, tutorials, and how-to guides.



16. What is Device Management in Azure AD?

With the proliferation of devices of all shapes and sizes and the Bring Your Own Device (BYOD) concept, IT professionals are faced with two somewhat opposing goals:

- Allow end users to be productive wherever and whenever
- Protect the organization's assets

To protect these assets, IT staff need to first manage the device identities. IT staff can build on the device identity with tools like Microsoft Intune to ensure standards for security and compliance are met. Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from anywhere through these devices.

- Your users get access to the organization's assets they need.
- Your IT staff get the controls they need to secure your organization.

Device identity management is the foundation for device-based Conditional Access. With device-based Conditional Access policies, you can ensure that access to resources in your environment is only possible with managed devices.



17. What is Domain Services in Azure AD?

Azure Active Directory (AAD) Domain Services allows organizations to "lift-and-shift" apps that use on-premises AD for authentication to the cloud, extending the capabilities of AAD to provide many of the features of on-premises Windows Server Active Directory (AD), but without the effort of installing domain controllers (DCs) or setting up ExpressRoute or a VPN to connect on-premises DCs to Azure. Domain Services extends AAD to support Kerberos, NTLM, Group Policy, domain join, LDAP bind and read, Secure LDAP, custom domain names, DNS management, and custom Organizational Units (OUs). In addition to these features, it provides high availability, account lockout protection, and management using familiar tools. In the first part of this two-part series, I'll show you how to set up Domain Services in Azure and configure DNS. In the second part, I'll discuss password hash synchronization requirements and how to perform a domain join operation.



18. What is Enterprise User?



19. What is Hybrid Identity?



20. What is Identity Governance?

Azure Active Directory (Azure AD) Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right users have the right access to the right resources, and it allows you to protect, monitor, and audit access to critical assets, while ensuring employee productivity. Identity Governance gives organizations the ability to do the following tasks across employees, business partners and vendors, and services and applications:

- Govern the identity lifecycle
- Govern the access lifecycle
- Secure administration

Specifically, it is intended to help organizations address these four key questions:

- Which users should have access to which resources?
- What are those users doing with that access?
- Are there effective organizational controls for managing access?
- Can auditors verify that the controls are working?

21. What is Identity Protection?

Azure Active Directory Identity Protection enables organizations to configure automated responses to detected suspicious actions related to user identities. Microsoft has secured cloud-based identities for more than a decade. With Azure Active Directory Identity Protection, you can use the same protection systems Microsoft uses to secure identities in your own environment.

The vast majority of security breaches take place when attackers gain access to an environment by stealing a user's identity. Over the years, attackers have become increasingly effective in leveraging third-party breaches and using sophisticated phishing attacks. As soon as an attacker gains access to even low-privileged user accounts, it is relatively easy for them to gain access to important company resources through lateral movement.

22. What are managed identities for Azure resources?

A common challenge when building cloud applications is how to manage the credentials in your code for authenticating to cloud services. Keeping the credentials secure is an important task. Ideally, the credentials never appear on developer workstations and aren't checked into source control. Azure Key Vault provides a way to securely store credentials, secrets, and other keys, but your code has to authenticate to Key Vault to retrieve them. The managed identities for Azure resources feature in Azure Active Directory (Azure AD) solves this problem. The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code. The managed identities for Azure resources feature is free with Azure AD for Azure subscriptions. There's no additional cost.

23. What terminology is used for managed identities?

The following terms are used throughout the managed identities for Azure resources documentation set:

- Client ID: a unique identifier generated by Azure AD that is tied to an application and service principal during its initial provisioning.
- Principal ID: the object ID of the service principal object for your managed identity that is used to grant role-based access to an Azure resource.
- Azure Instance Metadata Service (IMDS): a REST endpoint accessible to all IaaS VMs created via the Azure Resource Manager. The endpoint is available at a well-known non-routable IP address (169.254.169.254) that can be accessed only from within the VM.



24. How do managed identities for Azure resources work?

There are two types of managed identities:

- A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that's trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The lifecycle of a system-assigned identity is directly tied to the Azure service instance that it's enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.
- A user-assigned managed identity is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Azure AD tenant that's trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances. The lifecycle of a user-assigned identity is managed separately from the lifecycle of the Azure service instances to which it's assigned.

Internally, managed identities are service principals of a special type, which are locked so that they can only be used with Azure resources. When the managed identity is deleted, the corresponding service principal is automatically removed. Your code can use a managed identity to request access tokens for services that support Azure AD authentication. Azure takes care of rolling the credentials that are used by the service instance.
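As an added example for the IMDS term in question 23 and the token request in question 24 (not Microsoft's own code): how code running on an Azure VM obtains a token for its managed identity from IMDS, with a cache so the token is reused until shortly before it expires. The endpoint at 169.254.169.254, the `api-version`, the `resource` and `client_id` query parameters and the `Metadata: true` header follow the documented IMDS token contract; `TokenCache`, `FakeImds`, the constructed token values and the 300-second refresh skew are this example's own assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

# Documented IMDS token endpoint; reachable only from inside an Azure VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

def build_token_request(resource, client_id=None):
    """URL and headers for one IMDS token call.

    `client_id` selects a user-assigned identity; leave it out to use the
    VM's system-assigned identity."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS refuses requests without this header, which also stops requests
    # that reach it through an HTTP redirect issued to some other client.
    return url, {"Metadata": "true"}

def imds_fetch(url, headers):
    """Real transport: GET the URL and return the body (works on a VM only)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

class TokenCache:
    """Keeps one token per resource and refreshes it `skew` seconds before expiry.

    Constructed helper for this example: the cache, the skew and the resource
    check are design choices here, not part of the IMDS contract."""

    def __init__(self, fetch=imds_fetch, client_id=None, skew=300):
        self._fetch = fetch
        self._client_id = client_id
        self._skew = skew
        self._tokens = {}

    def get(self, resource, now=None):
        now = time.time() if now is None else now
        cached = self._tokens.get(resource)
        if cached and cached["expires_on"] - self._skew > now:
            return cached["access_token"]
        url, headers = build_token_request(resource, self._client_id)
        body = json.loads(self._fetch(url, headers))
        # Refuse a token minted for a different audience than we asked for.
        if body.get("resource", "").rstrip("/") != resource.rstrip("/"):
            raise ValueError("IMDS returned a token for an unexpected resource")
        body["expires_on"] = int(body["expires_on"])  # IMDS sends the epoch as a string
        self._tokens[resource] = body
        return body["access_token"]

class FakeImds:
    """Constructed stand-in for IMDS so the example runs outside Azure."""

    def __init__(self):
        self.calls = 0

    def __call__(self, url, headers):
        if headers.get("Metadata") != "true":
            raise PermissionError("IMDS requires the Metadata: true header")
        query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        self.calls += 1
        return json.dumps({
            "access_token": f"constructed-token-{self.calls}",
            "expires_on": str(1_700_000_000 + 3600),   # constructed expiry
            "resource": query["resource"][0],
            "token_type": "Bearer",
        })

def demo():
    """Three lookups: a fetch, a cache hit, and a refresh near expiry."""
    fake = FakeImds()
    cache = TokenCache(fetch=fake)
    t0 = 1_700_000_000
    first = cache.get("https://vault.azure.net", now=t0)
    second = cache.get("https://vault.azure.net", now=t0 + 60)    # served from cache
    third = cache.get("https://vault.azure.net", now=t0 + 3400)   # within 300 s of expiry
    return first, second, third, fake.calls

if __name__ == "__main__":
    print(demo())
```

Nothing in this code is a secret: the VM's identity is established by Azure provisioning credentials onto the instance, and the application only ever holds short-lived access tokens. Treat those tokens like any bearer credential (do not log them, do not write them to disk), and request them per resource rather than sharing one token across services.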



25. What is Privileged Identity Management (PIM)?

Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization. This includes access to resources in Azure AD, Azure resources, and other Microsoft Online Services like Office 365 or Microsoft Intune.

26. What is PIM used for?

Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious actor getting that access, or of an authorized user inadvertently impacting a sensitive resource. However, users still need to carry out privileged operations in Azure AD, Azure, Office 365, or SaaS apps. Organizations can give users just-in-time (JIT) privileged access to Azure resources and Azure AD. There is a need for oversight of what those users are doing with their administrator privileges. PIM helps to mitigate the risk of excessive, unnecessary, or misused access rights.

27. What can be done with PIM?

PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Here are some of the key features of PIM:

- Provide just-in-time privileged access to Azure AD and Azure resources
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit

28. What does PIM support?

PIM supports the following scenarios.

As a Privileged Role Administrator, you can:

- Enable approval for specific roles
- Specify approver users and/or groups to approve requests
- View request and approval history for all privileged roles

As an approver, you can:

- View pending approvals (requests)
- Approve or reject requests for role elevation (single and/or bulk)
- Provide justification for your approval/rejection

As an eligible role user, you can:

- Request activation of a role that requires approval
- View the status of your request to activate
- Complete your task in Azure AD if activation was approved

29. What are reports and monitoring in Azure AD?

Azure Active Directory (Azure AD) reports provide a comprehensive view of activity in your environment. The provided data enables you to:

- Determine how your apps and services are utilized by your users
- Detect potential risks affecting the health of your environment
- Troubleshoot issues preventing your users from getting their work done

The reporting architecture relies on two main pillars:

- Security reports
  - Users flagged for risk
  - Risky sign-ins
- Activity reports
  - Audit logs
  - Sign-ins
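Sign-in logs are the raw material behind the risky sign-in reports listed above. As an added example that is not part of the original page, the following Python scans a handful of constructed sign-in records (field names modelled on Azure AD sign-in log entries, documentation-range IP addresses, and a made-up contoso.example domain) for a password-spray pattern: one source address failing against many distinct accounts within a short window, and then succeeding for one of them, which is the account to triage first. The thresholds, the window length and the record contents are assumptions for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records. Field names follow the shape of Azure AD
# sign-in log entries; errorCode 0 is success and 50126 is the invalid
# username/password failure. Addresses come from documentation ranges.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2024-05-01T08:00:05Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.9","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T08:00:40Z","userPrincipalName":"bob@contoso.example","ipAddress":"203.0.113.9","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T08:01:10Z","userPrincipalName":"carol@contoso.example","ipAddress":"203.0.113.9","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T08:01:55Z","userPrincipalName":"dave@contoso.example","ipAddress":"203.0.113.9","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T08:02:30Z","userPrincipalName":"dave@contoso.example","ipAddress":"203.0.113.9","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T08:03:00Z","userPrincipalName":"erin@contoso.example","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T08:03:20Z","userPrincipalName":"erin@contoso.example","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T08:05:00Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.9","status":{"errorCode":50126}}
"""

def parse_signins(text):
    """Parse JSON-lines sign-in records and sort them by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # fromisoformat() on older Pythons does not accept a trailing "Z"
        rec["_time"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["_time"])

def detect_password_spray(records, min_users=3, window=timedelta(minutes=10)):
    """Flag source IPs whose failures hit at least `min_users` distinct
    accounts within `window`, and list accounts that then succeeded from it."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ipAddress"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        failures = [r for r in recs if r["status"]["errorCode"] != 0]
        best_users, spray_start = 0, None
        for i, first in enumerate(failures):          # sliding window over failures
            users = {r["userPrincipalName"] for r in failures[i:]
                     if r["_time"] - first["_time"] <= window}
            if len(users) > best_users:
                best_users, spray_start = len(users), first["_time"]
        if best_users < min_users:
            continue                                  # single-user typos are not a spray
        succeeded = sorted({r["userPrincipalName"] for r in recs
                            if r["status"]["errorCode"] == 0 and r["_time"] >= spray_start})
        findings.append({
            "ip": ip,
            "spray_started": spray_start.isoformat(),
            "distinct_users_targeted": best_users,
            "failed_attempts": len(failures),
            "accounts_succeeded_after_spray": succeeded,   # triage these first
        })
    return findings

def demo():
    return detect_password_spray(parse_signins(SAMPLE_SIGNINS))

if __name__ == "__main__":
    for finding in demo():
        print(json.dumps(finding, indent=2))
```

The same loop runs unchanged over an export of the real sign-in report once the records are in JSON-lines form; on real data, raise `min_users` and shorten `window` until the finding count is something an analyst can actually review, and feed the flagged accounts into a password reset plus an MFA requirement rather than only into a ticket.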



30. What is a tenant in Azure AD?

A tenant is the organization that owns and manages a specific instance of Microsoft cloud services. The term is most often used in an inexact manner to refer to the set of Azure AD and Office 365 services for an organization. It is a dedicated and trusted instance of Azure AD that's automatically created when your organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft Intune, or Office 365. An Azure tenant represents a single organization.

31. What is the identity secure score in Azure AD?

The identity secure score is a number between 1 and 223 that functions as an indicator of how aligned you are with Microsoft's best practice recommendations for security. Each improvement action in the identity secure score is tailored to your specific configuration. The score helps you to:

- Objectively measure your identity security posture
- Plan identity security improvements
- Review the success of your improvements

32. How do I get the Azure identity secure score?

The identity secure score is available in all editions of Azure AD. To access your score, go to the Azure AD Overview dashboard.

33. How does the identity secure score (ISS) work?

Every 48 hours, Azure looks at your security configuration and compares your settings with the recommended best practices. Based on the outcome of this evaluation, a new score is calculated for your directory. It's possible that your security configuration isn't fully aligned with the best practice guidance and the improvement actions are only partially met. In these scenarios, you will only be awarded a portion of the maximum score available for the control. Each recommendation is measured based on your Azure AD configuration. If you are using third-party products to enable a best practice recommendation, you can indicate this configuration in the settings of an improvement action. You also have the option to set recommendations to be ignored if they don't apply to your environment. An ignored recommendation does not contribute to the calculation of your score.

34. How does it help us?

The secure score helps you to:

- Objectively measure your identity security posture
- Plan identity security improvements
- Review the success of your improvements

35. Who can use the identity secure score?

- Global Admin
- Security Admin
- Security Readers

36. How are controls scored?

Controls can be scored in two ways. Some are scored in a binary fashion: you get 100% of the score if you have the feature or setting configured based on the recommendation. Other scores are calculated as a percentage of the total configuration. For example, if the improvement recommendation states you'll get 30 points if you protect all your users with MFA and you only have 5 of 100 total users protected, you would be given a partial score of around 2 points (5 protected / 100 total * 30 max pts = 2 pts partial score).



37. What does "Not Scored" mean?

Actions labelled as [Not Scored] are ones you can perform in your organization but won't be scored because they aren't hooked up in the tool (yet!). So, you can still improve your security, but you won't get credit for those actions right now.

38. How often is my score updated?

The score is calculated once per day (around 1:00 AM PST). If you make a change to a measured action, the score will automatically update the next day. It takes up to 48 hours for a change to be reflected in your score.

39. My score has changed. How do I figure out why?

Head over to the Microsoft 365 security center, where you'll find your complete Microsoft secure score. You can easily see all the changes to your secure score by reviewing the in-depth changes on the history tab.

40. Does the secure score measure my risk of getting breached?