With the cloud-first strategy of Microsoft, the Azure platform and their number of services grow constantly, and we have seen a lot of costumers lost in a paradise of wonderful services and functionality. This brings us to the point of how to figure out the relevant services for IAM for you and how to give them the space for explanation. Obviously, there are more services available that stripe this field with a small subset of functionality, but due to the limited page count of this book and our need for rapid development, we will focus on the most important ones, and will reference any other interesting content. The primary service for IAM is the Azure Active Directory service, which has also been the core directory service for Office 365 since 2011. Every other SaaS offering of Microsoft is also based on this core service, including Microsoft Intune, Dynamics, and Visual Studio Online. So, if you are already an Office 365 customer you will have your own instance of Azure Active Directory in place. For sustained access management and the protection of your information assets, the Azure Rights Management services are in place. There is also an option for Office 365 customers to use the included Azure Rights Management services. You can find further information about this by visiting the following link: http://bit.ly/1KrXUxz.
Let's get started with the feature sets that can provide a solution, as shown in the following screenshot:
Including Azure Active Directory and Rights Management helps you to provide a secure solution with a central access portal for all of your applications with just one identity and login for your employees, partners, and customers that you want to share your information with. With a few clicks you can also add MFA to your sensitive applications and administrative accounts. Furthermore, you can directly add a Self-Service Password Reset functionality that your users can use to reset their password for themselves. As the administrator, you will receive predefined security and usage reports to control your complete application ecosystem. To protect your sensible content, you will receive digital rights management capabilities with the Azure Rights Management services to give you granular access rights on every device your information is used.
Doesn't it sound great? Let's take a deeper look into the functionality and usage of the different Microsoft Azure IAM services.
Azure Active Directory is a fully managed multi-tenant service that provides IAM capabilities as a service. This service is not just an instance of the Windows Server Domain Controller you already know from your actual Active Directory infrastructure. Azure AD is not a replacement for the Windows Server Active Directory either. If you already use a local Active Directory infrastructure, you can extend it to the cloud by integrating Azure AD to authenticate your users in the same way as on-premise and cloud services.
Staying in the business view, we want to discuss some of the main features of Azure Active Directory. Firstly, we want to start with the Access panel that gives the user a central place to access all his applications from any device and any location with SSO.
Note
The combination of the Azure Active Directory Access panel and the Windows Server 2012 R2/2016 Web Application Proxy / ADFS capabilities provide an efficient way to securely publish web applications and services to your employees, partners, and customers. It will be a good replacement for your retired Forefront TMG/UAG infrastructure.
Over this portal, your users can do the following:
User and group management
Access their business relevant applications (On-premise, partner, and SaaS) with single-sign-on or single logon
Delegation of access control to the data, process, or project owner
Self-service profile editing for correcting or adding information
Self-service password change and reset
Manage registered devices
With the Self-Service Password Reset functionality, a user gets a straight forward way to reset his password and to prove his identity, for example through a phone call, email, or by answering security questions.
Note
The different portals can be customized with your own Corporate Identity branding. To try the different portals, just use the following links: https://myapps.microsoft.com and https://passwordreset.microsoftonline.com.
To complete our short introduction to the main features of the Azure Active Directory, we will take a look at the reporting capabilities. With this feature you get predefined reports with the following information provided. With viewing and acting on these reports, you are able to control your whole application ecosystem published over the Azure AD access panel.
Anomaly reports
Integrated application reports
Error reports
User-specific reports
Activity logs
From our discussions with customers we recognize that, a lot of the time, the differences between the different Azure Active Directory editions are unclear. For that reason, we will include and explain the feature tables provided by Microsoft. We will start with the common features and then go through the premium features of Azure Active Directory.
First of all, we want to discuss the Access panel portal so we can clear up some open questions. With the Azure AD Free and Basic editions, you can provide a maximum of 10 applications to every user. However, this doesn't mean that you are limited to 10 applications in total. Next, the portal link: right now it cannot be changed to your own company-owned domain, such as https://myapps.inovit.ch. The only way you can do so is by providing an alias in your DNS configuration; the accessed link is https://myapps.microsoft.com. Company branding will lead us on to the next discussion point, where we are often asked how much corporate identity branding is possible. The following link provides you with all the necessary information for branding your solution:http://bit.ly/1Jjf2nw. Rounding up this short Q&A on the different feature sets is Application Proxy usage, one of the important differentiators between the Azure AD Free and Basic editions. The short answer is that with Azure AD Free, you cannot publish on-premises applications and services over the Azure AD Access Panel portal.
|
Features |
AAD Free |
AAD Basic |
AAD Premium |
|
Directory as a Service (objects) |
500k
|
unlimited
|
unlimited
|
|
User/Group management (UI or PowerShell) |
X
|
X
|
X
|
|
Access Panel portal for SSO (per user) |
10 apps
|
10 apps
|
unlimited
|
|
User-based application access management/provisioning |
X
|
X
|
X
|
|
Self-service password change (cloud users) |
X
|
X
|
X
|
|
Directory synchronization tool |
X
|
X
|
X
|
|
Standard security reports |
X
|
X
|
X
|
|
High availability SLA (99.9%) |
X
|
X
| |
|
Group-based application access management and provisioning |
X
|
X
| |
|
Company branding |
X
|
X
| |
|
Self-service password reset for cloud users |
X
|
X
| |
|
Application Proxy |
X
|
X
| |
|
Self-service group management for cloud users |
X
|
X
|
The Azure Active Directory Premium edition provides you with the entire IAM capabilities, including the usage licenses of the on-premises used Microsoft Identity Manager. From a technical perspective, you need to use the Azure AD Connect utility to connect your on-premises Active Directory with the cloud and the Microsoft Identity Manager to manage your on-premises identities and prepare them for your cloud integration. To acquire Azure AD Premium, you can also use the Enterprise Mobility Suite (EMS) license bundle, which contains Azure AD Premium, Azure Rights Management, Microsoft Intune, and Advanced Threat Analytics (ATA) licensing. You can find more information about EMS by visiting http://bit.ly/1cJLPcM and http://bit.ly/29rupF4.
|
Features
|
Azure AD
Premium
|
|
Self-service password reset with on-premises write-back
|
X
|
|
Microsoft Identity Manager server licenses
|
X
|
|
Advanced anomaly security reports
|
X
|
|
Advanced usage reporting
|
X
|
|
Multi-Factor Authentication (cloud users)
|
X
|
|
Multi-Factor Authentication (On-premises users)
|
X
|
Azure AD Premium reference:
One of the newest features based on Azure Active Directory is the new Business to Business (B2B) capability. The new product solves the problem of collaboration between business partners. It allows users to share business applications between partners without going through inter-company federation relationships and internally-managed partner identities. With Azure AD B2B, you can create cross-company relationships by inviting and authorizing users from partner companies to access your resources. With this process, each company federates once with Azure AD and each user is then represented by a single Azure AD account. This option also provides a higher security level, because if a user leaves the partner organization, access is automatically disallowed. Inside Azure AD, the user will be handled as though a guest, and they will not be able to traverse other users in the directory. Real permissions will be provided over the correct associated group membership.
Azure Active Directory Business to Consumer (B2C) is another brand new feature based on Azure Active Directory. This functionality supports signing in to your application using social networks like Facebook, Google, or LinkedIn and creating developed accounts with usernames and passwords specifically for your company-owned application. Self-service password management and profile management are also provided with this scenario. Additionally, MFA introduces a higher grade of security to the solution. Principally, this feature allows small, medium and large companies to hold their customers in a separated Azure Active Directory with all the capabilities, and more, in a similar way to the corporate-managed Azure Active Directory. With different verification options, you are also able to provide the necessary identity assurance required for more sensible transactions. Azure B2C takes care about all the IAM tasks for own development application.
Azure AD Privileged Identity Management provides you with the functionality to manage, control, and monitor your privileged identities. With this option, you can build up an Role-based Access Control (RBAC) solution over your Azure AD and other Microsoft online services, such as Office 365 or Microsoft Intune. The following activities can be carried out with this functionality:
You can discover the actual configured Azure AD Administrators
You can provide just in time administrative access
You can get reports about administrator access history and assignment changes
You can receive alerts about access to a privileged role
The following built-in roles can be managed with the current version:
Global Administrator
Billing Administrator
Service Administrator
User Administrator
Password Administrator
Protecting sensible information or application access with additional authentication is an important task not just in the on-premises world. In particular, it needs to be extended to every sensible cloud service used. There are a lot of variations for providing this level of security and additional authentication, such as certificates, smart cards, or biometric options. For example, smart cards depend on special hardware used to read the smart card and cannot be used in every scenario without limiting the access to a special device or hardware or. The following table gives you an overview of different attacks and how they can be mitigated with a well designed and implemented security solution.
|
Attacker |
Security solution |
|
Password brute force |
Strong password policies |
|
Shoulder surfing
Key or screen logging
|
One-time password solution |
|
Phishing or pharming |
Server authentication (HTTPS) |
|
Man-in-the-Middle
Whaling (Social engineering)
|
Two-factor authentication
Certificate or one-time password solution
|
|
Certificate authority corruption
Cross Channel Attacks (CSRF)
|
Transaction signature and verification
Non repudiation
|
|
Man-in-the-Browser
Key loggers
|
Secure PIN entry
Secure messaging
Browser (read only)
Push button (token)
Three-factor authentication
|
The Azure MFA functionality has been included in the Azure Active Directory Premium capabilities to address exactly the attacks described in the previous table. With a one-time password solution, you can build a very capable security solution to access information or applications from devices that cannot use smart cards as the additional authentication method. Otherwise, for small or medium business organizations a smart card deployment, including the appropriate management solution, will be too cost-intensive and the Azure MFA solution can be a good alternative for reaching the expected higher security level.
In discussions with our customers, we recognized that many don't realize that Azure MFA is already included in different Office 365 plans. They would be able to protect their Office 365 with multi-factor out-of-the-box but they don't know it! This brings us to Microsoft and the following table, which compares the functionality between Office 365 and Azure MFA.
|
Feature |
O365 |
Azure |
|
Administrators can enable/enforce MFA to end-users |
X
|
X
|
|
Use mobile app (online and OTP) as second authentication factor |
X
|
X
|
|
Use phone call as second authentication factor |
X
|
X
|
|
Use SMS as second authentication factor |
X
|
X
|
|
App passwords for non-browser clients (for example, Outlook, Lync) |
X
|
X
|
|
Default Microsoft greetings during authentication phone calls |
X
|
X
|
|
Remember Me |
X
|
X
|
|
IP Whitelist |
X
| |
|
Custom greetings during authentication phone calls |
X
| |
|
Fraud alert |
X
| |
|
Event confirmation |
X
| |
|
Security reports |
X
| |
|
Block/unblock users |
X
| |
|
One-time bypass |
X
| |
|
Customizable caller ID for authentication phone calls |
X
| |
|
MFA Server - MFA for on-premises applications |
X
| |
|
MFA SDK - MFA for custom apps |
X
|
With the Office 365 capabilities of MFA, the administrators are able to use basic functionality to protect their sensible information. In particular, if integrating on-premises users and services, the Azure MFA solution is needed.
More and more organizations are in the position of providing a continuous and integrated information protection solution to protect sensible assets and information. On the one hand is the department, which carries out its business activities, generates the data, and then processes. Furthermore, it uses the data inside and outside the functional areas, passes it, and runs a lively exchange of information.
On the other hand, revision is required by legal requirements that prescribe measures to ensure that information is dealt with and dangers such as industrial espionage and data loss are avoided. So, this is a big concern when safeguarding sensitive information.
While staff appreciate the many methods of communication and data exchange, this development starts stressing the IT security officers and makes managers worried. The fear is that critical corporate data stays in an uncontrolled manner and leaves the company or moves to competitors. The routes are varied, but data is often lost in inadvertent delivery via email. In addition, sensitive data can leave the company on a USB stick and smartphone, or IT media can be lost or stolen. In addition, new risks are added, such as employees posting information on social media platforms. IT must ensure the protection of data in all phases, and traditional IT security solutions are not always sufficient. The following figure illustrates this situation and leads us to the Azure Rights Management services.
Like its other additional features, the base functional is included in different Office 365 plans. The main difference between the two is that only the Azure RMS edition can be integrated in an on-premises file server environment in order to be able to use the File Classification Infrastructure feature of the Windows Server file server role.
The Azure RMS capability allows you to protect your sensitive information based on classification information with a granular access control system. The following table, provided by Microsoft, shows the differences between the Office 365 and Azure RMS functionality. Azure RMS is included with E3, E4, A3, and A4 plans.
|
Feature |
RMS O365 |
RMS Azure |
|
Users can create and consume protected content by using Windows clients and Office applications |
X
|
X
|
|
Users can create and consume protected content by using mobile devices |
X
|
X
|
|
Integrates with Exchange Online, SharePoint Online, and OneDrive for Business |
X
|
X
|
|
Integrates with Exchange Server 2013/Exchange Server 2010 and SharePoint Server 2013/SharePoint Server 2010 on-premises via the RMS connector |
X
|
X
|
|
Administrators can create departmental templates |
X
|
X
|
|
Organizations can create and manage their own RMS tenant key in a hardware security module (the Bring Your Own Key solution) |
X
|
X
|
|
Supports non-Office file formats: Text and image files are natively protected; other files are generically protected |
X
|
X
|
|
RMS SDK for all platforms: Windows, Windows Phone, iOS, Mac OSX, and Android |
X
|
X
|
|
Integrates with Windows file servers for automatic protection with FCI via the RMS connector |
X
| |
|
Users can track usage of their documents |
X
| |
|
Users can revoke access to their documents |
X
|
In particular, the tracking feature helps users to find where their documents are distributed and allows them to revoke access to a single protected document.
Now that we have discussed the relevant Microsoft Azure IAM capabilities, you can see that Microsoft provides more than just single features or subsets of functionality. Furthermore, it brings a whole solution to the market, which provides functionality for every facet of IAM. Microsoft Azure also combines clear service management with IAM, making it a rich solution for your organization. You can work with that toolset in a native cloud-first scenario, hybrid, and a complex hybrid scenario and can extend your solution to every possible use case or environment. The following figure illustrates all the different topics that are covered with Microsoft Azure security solutions:
