Book Image

Mastering Identity and Access Management with Microsoft Azure - Second Edition

By : Jochen Nickel
Book Image

Mastering Identity and Access Management with Microsoft Azure - Second Edition

By: Jochen Nickel

Overview of this book

Microsoft Azure and its Identity and access management are at the heart of Microsoft's software as service products, including Office 365, Dynamics CRM, and Enterprise Mobility Management. It is crucial to master Microsoft Azure in order to be able to work with the Microsoft Cloud effectively. You’ll begin by identifying the benefits of Microsoft Azure in the field of identity and access management. Working through the functionality of identity and access management as a service, you will get a full overview of the Microsoft strategy. Understanding identity synchronization will help you to provide a well-managed identity. Project scenarios and examples will enable you to understand, troubleshoot, and develop on essential authentication protocols and publishing scenarios. Finally, you will acquire a thorough understanding of Microsoft Information protection technologies.

Related Content you might be interested in

Current Title:

Small book image
Mastering Identity and Access Management with Microsoft Azure - Second Edition
Jochen Nickel
Feb, 2019 | 698 pages
Small book image
Microsoft 365 Identity and Services Exam Guide MS-100
Aaron Guilmette
Jun, 2023 | 462 pages
Small book image
Azure Active Directory for Secure Application Development
Sjoukje Zaal
May, 2022 | 268 pages
Small book image
Microsoft Identity and Access Administrator Exam Guide
Dwayne Natwick
Mar, 2022 | 452 pages
Table of Contents (23 chapters)
Title Page
Title Page
Copyright and Credits
Copyright and Credits
About Packt
About Packt
Contributors
Contributors
Preface
Preface
Free Chapter
1
Building and Managing Azure Active Directory
Building and Managing Azure Active Directory
Implementation scenario overview
Implementing a solid Azure Active Directory
Creating and managing users and groups
Assign roles to administrative units
Protect your administrative accounts
Provide user and group-based application access
Password reset self-service capabilities
Using standard security monitoring
Integrating Azure AD Join for Windows 10 clients
Configuring a custom domain
Configure Azure AD Domain Services
Summary
2
Understanding Identity Synchronization
Understanding Identity Synchronization
Technology overview
Synchronization scenarios
Synchronization terms and processes
Summary
3
Exploring Advanced Synchronization Concepts
Exploring Advanced Synchronization Concepts
Preparing your lab environment
Understanding declarative provisioning and expressions
Synchronization rules explained
Special considerations in advanced synchronization concepts
Summary
4
Monitoring Your Identity Bridge
Monitoring Your Identity Bridge
How Azure AD Connect Health works
Azure AD monitoring and logs
Azure Security Center for monitoring and analytics
Summary
5
Configuring and Managing Identity Protection
Configuring and Managing Identity Protection
Microsoft Identity Protection solutions
Azure ATP and how to use it
Azure AD Identity Protection
Using Azure AD PIM to protect administrative privileges
Summary
6
Managing Authentication Protocols
Managing Authentication Protocols
Microsoft identity platform
Common token standards in a federated world
Security Assertion Markup Language (SAML) 2.0
WS-Federation
OAuth 2.0
OpenID Connect (OIDC)
Pass-through authentication and seamless SSO
Multi-factor authentication
Summary
7
Deploying Solutions on Azure AD and ADFS
Deploying Solutions on Azure AD and ADFS
Basic environment installation and configuration
Azure AD authentication deployments
ADFS Authentication deployments
Integrating Azure MFA (YD1ADS01)
Summary
8
Using the Azure AD App Proxy and the Web Application Proxy
Using the Azure AD App Proxy and the Web Application Proxy
Configuring additional applications for Azure AD and ADFS
Publishing with Windows server and Azure AD Web Application Proxy
Using conditional access
Summary
9
Deploying Additional Applications on Azure AD
Deploying Additional Applications on Azure AD
Preparing your lab environment
What defines single- and multi-tenant applications
Deploying a single-tenant application including roles and claims
Moving the single-tenant app to a multi-tenant scenario
Deploying another multi-tenant app with OpenID Connect
Summary
10
Exploring Azure AD Identity Services
Exploring Azure AD Identity Services
Preparing your lab environment
Understanding Azure AD B2B
Exploring Azure AD B2C
Extending Active Directory solutions with Azure AD Domain Services
AD FS as an on-premise identity service for the cloud
Summary
11
Creating Identity Life Cycle Management in Azure
Creating Identity Life Cycle Management in Azure
Lab environment readiness
Handling the guest user life cycle
Azure services for automation
Summary
12
Creating a Security Culture
Creating a Security Culture
Why do we need a security culture?
Pillars of a good security culture
General overview of data classification
Azure Information Protection (AIP) overview
Summary
13
Identifying and Detecting Sensitive Data
Identifying and Detecting Sensitive Data
Extending your lab environment
Understanding and using AIP capabilities for data in motion
Understanding and using AIP capabilities for data at rest
Summary
14
Understanding Encryption Key Management Strategies
Understanding Encryption Key Management Strategies
Azure Information Protection key basics
How Azure RMS works under the hood
Summary
15
Configuring Azure Information Protection Solutions
Configuring Azure Information Protection Solutions
Preparing to configure and manage AIP
Azure RMS management with PowerShell
Configuring AIP
Summary
16
Azure Information Protection Development
Azure Information Protection Development
Technical requirements
Microsoft Information Protection solutions
Understanding the Microsoft Information Protection SDK
Preparing your Azure AD environment for tests
Using MIP binaries to explore functionality
Using PowerShell with Azure Information Protection
Overview of the RMS 2.1 and 4.2 SDKs
Summary
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think
Index
Index

Assign roles to administrative units

To delegate tasks, we use the creation of administrative units (AUs) and assign roles for specific tasks. In this configuration, we generate an HR [AU] , and we assign the manager of the HR department with the role to manage user accounts in this scope.

Creating an administrative unit

First of all, we need to connect to our Azure AD with the PowerShell cmdlet Connect-AzureAD for the [email protected] user.

Use the following cmdlets to create the HR [AU]:

New-AzureADAdministrativeUnit -Description "Human Resources Users" -DisplayName "HR"

View the expected output:

Newly created administrative unit

Next, we will add the related users.

Adding users to an administrative unit

Next, we add the users of the HR department to the HR [AU]. Use the following cmdlets to do this:

$HRAU = Get-AzureADAdministrativeUnit -Filter "displayname eq 'HR'"
$initialDomain = (Get-AzureADDomain)[0].Name
$HRUser1 = Get-AzureADUser -Filter "UserPrincipalName eq 'don.hall@$InitialDomain'"
$HRUser2 = Get-AzureADUser -Filter "UserPrincipalName eq 'ellen.adams@$InitialDomain'"
Add-AzureADAdministrativeUnitMember -ObjectId $HRAU.ObjectId -RefObjectId $HRUser1.ObjectId
Add-AzureADAdministrativeUnitMember -ObjectId $HRAU.ObjectId -RefObjectId $HRUser2.ObjectId
Get-AzureADAdministrativeUnitMember -ObjectId $HRAU.ObjectId | Get-AzureADUser

The output of the preceding command is as follows:

Newly added users overview

Next, we will use the scoping options.

Scoping administrative roles

In the next step, we assign the user account administrator role. Verify available roles with the following cmdlet:

Get-AzureADDirectoryRoleTemplate

Now, we enable the user account administrator role with the following cmdlet:

Enable-AzureADDirectoryRole -RoleTemplateId fe930be7-5e62-47db-91af-98c3a49a38b1

Set variables and assign the user to the role:

$admins = Get-AzureADDirectoryRole
foreach($i in $admins) {
    if($i.DisplayName -eq "User Account Administrator") {
        $uaAdmin = $i
       }
    }

$HRUA = Get-AzureADUser -Filter "UserPrincipalName eq 'Don.Hall@$InitialDomain'"
$uaRoleMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ ObjectId = $HRUA.ObjectId }
Add-AzureADScopedRoleMembership -RoleObjectId $uaAdmin.ObjectId -ObjectId $HRAU.ObjectId -RoleMemberInfo $uaRoleMemberInfo

The output of the preceding command is as follows:

User Account Administrator assignment

Next, we will test our configuration.

Test your configuration

Open a new PowerShell and connect with the Connect-MsolService command to the Azure AD, and log in with [email protected] credentials.

Modify a user account assigned to the HR administrative unit:

Set-MsolUser -UserPrincipalName [email protected] -Department HR

Verify your modification:

Get-MsolUser -UserPrincipalName [email protected] | select Department

Next, we will protect an administrative account with the Privileged Identity Management (PIM) features of Azure AD Premium P2. We recommend using Azure MFA to protect your administrative accounts, if you don't want to invest in Azure AD Premium P2.

Previous Section
End of Section 5
Next Section