Azure Active Directory Tutorial
Last updated on 29th Sep 2020, Blog, Tutorials
All employees in an organization need access to some Azure services to perform their tasks. They can access services like SQL Database, Machine Learning, or Azure Container Services once the administrator assigns them a separate user ID and password for each service. Employees, as well as administrators, often find it hard to manage multiple user logins at the same time. The hassle grows for administrators working in an organization with more than 1000 employees.
This is where Azure Active Directory (AD) comes into the picture. With Azure AD, administrators can handle multiple user logins without any issue: they need to assign only a single username and password per user to grant access to all the services that user needs.
What is Azure Active Directory?
Azure Active Directory is Microsoft’s multi-tenant, cloud-based directory and identity management service. For an organization, Azure AD helps employees sign up to multiple services and access them anywhere over the cloud with a single set of login credentials.
Windows AD vs. Azure AD
Windows Active Directory (AD) was the previous version of Azure AD. Active Directory (AD) is an OS directory service that facilitates working with interconnected, complex, and different network resources in a unified manner. The biggest drawback of Windows AD was that it had many layers that performed various bits of work. These layers are described below:
ADDS – Windows Active Directory Domain Services
ADDS allows the admin to manage information relating to user logins and other details.
ADLS – Azure Data Lake Storage Services
This layer allows you to store data of any type or size.
ADFS – Active Directory Federation Services
This layer allows you to have a single option for signing up to get access to all systems and applications.
ADCS – Active Directory and Certification Services
This layer enables administrators to customize services to manage and issue public certificates.
ADRMS – Active Directory Rights Management Services
ADRMS is a security tool for data protection.
Administrators need to take care of a large number of layers in the case of Windows AD. Here’s where Azure AD changed the whole game. It integrates all these five layers into two, and these are:
1. WAAD – Windows Azure Active Directory
This layer handles everything related to identity management.
2. WAACS – Windows Azure Access Control Service
This layer enables the federation, or division, of all these services across an organization. Here division means assigning each of these services to the users who need them.
Hence, Azure AD simplifies a lot of problems by using only two layers. For example, Office 365 uses Azure AD to manage user identities. To make use of any of the Office 365 services like Excel, PowerPoint, or Microsoft Word, the administrator would only need to provide a single username and password.
There are three types of audiences in Azure Active Directory:
- IT administrators
- Application developers
- Online customers
IT administrators take care of all the sign-in procedures. They also solve issues related to authentication.
Application developers use these services to build applications. Development becomes quick since there are many resources available.
Online customers make use of services like Office 365 and CRM services, and have all their demands catered to immediately.
Difference Between Windows and Azure AD
Azure AD and Windows AD are both created by Microsoft, and they are both IAM systems, but that’s pretty much where the comparisons stop. They are fundamentally different systems that exist in an interconnected enterprise environment.
Azure Active Directory
- REST APIs: Azure AD uses Representational State Transfer (REST) APIs to support communication to other web-based services
- Authentication: Azure AD uses cloud-based authentication protocols like OAuth2, SAML, and WS-Security for user authentication
- Network Organization: Each Azure AD instance is called a “tenant,” which is a flat structure of users and groups
- Entitlement Management: Admins organize users into groups, and then give groups access to apps and resources
- Devices: Azure AD provides mobile device management with Microsoft Intune
- Desktops: Windows desktops can join Azure AD with Microsoft Intune
- Servers: Azure AD uses Azure AD Domain Services to manage servers that live in the Azure cloud virtual machine environment
Windows Active Directory
- LDAP: Windows AD uses Lightweight Directory Access Protocol (LDAP) to pass data between clients and servers and DCs.
- Authentication: Windows AD uses Kerberos and NTLM to validate user credentials
- Network Organization: Windows AD is organized into Organizational Units, Domains, and Forests
- Entitlement Management: Admins or data owners assign users to groups, and those groups have access to resources on the network
- Devices: Windows AD does not manage mobile devices
- Desktops: Desktops joined to Windows AD are governed by Group Policy (GPOs)
- Servers: Servers in Windows AD are managed and governed by GPOs or other on-premise server management systems
The answer to the question, “so which one do I use?” is probably both. If you are running an established enterprise network, you most likely already have Windows AD, and you are adding Azure AD to manage your cloud infrastructure.
If you are starting a brand new organization from scratch, Azure AD could meet all of your needs, especially if you plan on using an entirely cloud-based infrastructure.
The other question you might ask is “which one is harder to configure than the other?” And I would say that neither one is more or less configurable than the other, and neither one is more or less secure than the other. Both systems require a qualified expert to manage and protect your network for companies larger than 100 users or so. Smaller shops will find Azure AD easier to manage overall.
Azure AD Connect for Hybrid Deployments
Azure AD Connect is Microsoft’s solution to enable hybrid Windows AD and Azure AD deployments. Azure AD Connect syncs data between the on-premise DCs and the cloud.
Azure AD Connect will let you sync user accounts from your on-premise system to your Azure tenant. It also provides password hash synchronization, pass-through authentication, federation, and health monitoring.
Those features allow your users to have the same user id and password on-premise and in the cloud and to ease the management of your hybrid environment. In short, you need Azure AD Connect if you have a hybrid environment.
As a sysadmin or security pro, it’s important that your security solutions give you a unified view of each user regardless of whether they’re accessing cloud or on-prem resources. The Varonis Data Security Platform, for example, makes it easy to pinpoint a user and see their activity in Azure AD and Windows AD. Even though there are two user repositories behind the scenes, Varonis treats them as a single user with a comprehensive user behavior profile that includes on-prem and cloud activity.
Azure Active Directory Considerations
OK, so if you have made it this far, you might be considering implementing Azure AD for your organization. Now you have real decisions to make.
1. Licensing: Azure AD licensing follows the same monthly subscription licensing as the Office 365 licenses. There are four license levels – Free, Office 365 Apps, Premium P1, and Premium P2.
Office 365 Apps comes as part of your Office 365 subscription, and the Premium packages are a separate item. You get the Free license as part of a subscription to Azure, Dynamics 365, Intune, and Power Platform.
The Premium tier adds features like advanced password protection, self-service password management for your users, advanced group access management, and conditional access.
The features lists for Azure AD and Microsoft 365 are separate, and you need to look at both of them to understand everything available to you so you can build your implementation strategy.
Ed. Note: Office 365 recently got renamed to Microsoft 365. At the time of this writing, Microsoft’s documentation contains both names, but they are the same thing.
2. Choose your scenario: Hybrid Azure AD or Azure AD? If you already have Windows AD, Hybrid might be your best option. If you are trying to build a cloud-only infrastructure, Azure AD is the better choice.
For your Hybrid environment, you can go with Managed or Federated configurations. If you are going to create users in Windows AD, you need to have Azure AD Connect to sync with Azure AD.
Are you going to use the device management in Azure AD? If so, you need Windows 10 on all those devices.
3. SSO: Are you going to enable Single Sign-On (SSO) with Azure AD? You will need to configure your cloud apps and services to use the Azure SSO, and set up a hybrid cloud for printing.
4. User Provisioning: How are you going to add your existing users to Azure? You can set up self-enrollment where users run the process themselves, Windows Autopilot, or have an admin enroll your users.
Those four steps will set you on the right path. You will have to do some more homework to figure out all the answers, which will lead you to more questions that need different answers.
How Does Azure Active Directory Work?
Azure AD is a new system that Microsoft designed from the ground up to support cloud infrastructure. Azure AD uses REST APIs to pass data from one system to other cloud applications and systems that support REST (which is most cloud applications).
Unlike Windows AD, Azure AD is a flat structure in a single tenant. Think of the tenant as a circle that surrounds all your stuff. You can control the stuff inside the tenant, but once it leaves that circle you lose some agency over what happens to your stuff.
At Varonis, our approach to data security aligns with zero-trust principles, so as we continue we will weave in zero-trust when appropriate.
Users and Groups
Users and groups are the basic building blocks for Azure AD. You can further organize users into groups that will all behave similarly. For example, you may put your Product Management team in one Azure AD group and grant permissions at the group level, so when users leave the organization, you only need to deactivate one account, and the rest of the group stays the same.
Users in Azure AD can come from both inside and outside of Azure AD. Let me restate that. Your Azure AD can contain identities for users inside of your organization and users from outside your organization that have a Microsoft account. See below:
What this means is that you can bring people outside of your organization inside your tenant and grant them specific permissions just like they are part of your organization. When done correctly, this provides an additional level of security to the organization’s data.
Adding Users and Groups to Azure AD
There are several methods to populate your users and groups in Azure AD.
- Use Azure AD Connect to sync users from Windows AD to Azure AD. Most enterprises that already have Windows AD use this method.
- You can create users manually in the Azure AD Management Portal.
- You can script the process to add new users with PowerShell.
- Or you could program the process with the Azure AD Graph API.
No matter which option you start with or use later on, there are a few key points to make about adding users in Azure AD.
1. Establish your authentication method and password policies, and enforce multi-factor authentication.
2. Only add users that you need to Azure AD. Leave service accounts or stale accounts in Windows AD, or delete them.
3. Keep privileged access in Azure AD to a minimum and follow Microsoft’s guidance to keep privileged access secure.
4. Organize users into groups, and only give groups access to the applications and resources they need to do their job.
5. Connect users to their devices (mobile phones, laptops, etc.), so you can establish limits on how confidential data is downloaded or saved from approved and monitored devices.
Adding a custom domain to Azure AD will reduce the frustration that your users experience as they migrate to the new system. The default Azure AD domain looks like this:
That’s a lot to type. If you configured Azure AD to use a domain that you own, your users would thank you. It would look something like @notarealdomain.com instead. That’s much easier to deal with.
Common Attacks Against Azure AD
I’d like to say that the transition to Azure AD was smooth and without issue, but alas. Any significant transformation to a cloud-enabled infrastructure is bound to attract malicious attackers that want to infiltrate the new frontier. And so they did.
The Varonis IR team investigates many brute force attacks against Azure AD. Attackers love to use vast collections of usernames and passwords from data breach dumps to try to break into Azure AD accounts—a method known as credential stuffing.
Azure AD is available from the internet, so it’s a relatively easy target. A good password policy and multi-factor authentication, as well as behavioral monitoring of login activity and geo-hopping, can thwart most brute force attacks. Most. You still need to monitor your data to detect malicious activity inside your tenant in the event an attacker succeeds with a single login attempt.
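The two signals named above, many accounts failing from one IP address and a single user signing in from two countries within a short window, can be checked over sign-in records like this. This is an added example, not code from the original article or from Varonis; the records are constructed to resemble a subset of the Azure AD SignInLogs fields, and the IPs, names and times are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(ts, upn, ip, country, error_code):
    """Constructed sign-in record in the shape of an Azure AD SignInLogs entry."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": error_code}}

# Sample data (constructed). errorCode 0 is a successful sign-in; 50126 is the Azure AD
# code for an invalid username or password, the fingerprint of credential stuffing.
SIGNINS = [rec(f"2020-09-29T08:0{i}:00Z", f"user{i}@notarealdomain.com",
               "198.51.100.7", "NL", 50126) for i in range(5)] + [
    rec("2020-09-29T08:00:00Z", "alice@notarealdomain.com", "203.0.113.10", "US", 0),
    rec("2020-09-29T08:30:00Z", "alice@notarealdomain.com", "192.0.2.55", "BR", 0),
    rec("2020-09-29T09:00:00Z", "bob@notarealdomain.com", "203.0.113.11", "US", 50126),
    rec("2020-09-29T09:01:00Z", "bob@notarealdomain.com", "203.0.113.11", "US", 0),
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect_credential_stuffing(records, window=timedelta(minutes=10), min_users=5):
    """Map each IP that failed against >= min_users distinct accounts in one window to that count."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] != 0:
            failures[r["ipAddress"]].append((parse_ts(r["createdDateTime"]), r["userPrincipalName"]))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {upn for ts, upn in events[i:] if ts - start <= window}
            if len(users) >= min_users:
                hits[ip] = len(users)
                break
    return hits

def detect_geo_hopping(records, window=timedelta(hours=1)):
    """List users with successful sign-ins from two countries within the window."""
    successes = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == 0:
            successes[r["userPrincipalName"]].append(
                (parse_ts(r["createdDateTime"]), r["location"]["countryOrRegion"]))
    hits = set()
    for upn, events in successes.items():
        events.sort()
        for (t1, c1), (t2, c2) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 <= window:
                hits.add(upn)
    return sorted(hits)
```

Bob's single failure followed by a success from the same address is a typo, not a spray, so it is correctly left alone; the thresholds are starting points to tune against your own tenant's baseline.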
Phishing is the other top attack we see against Azure AD users. Phishing can lead to credential theft or malware infection, which can provide attackers with a foothold to access your tenant. One of the better enhancements Azure AD provides is warnings when you open an email from an outsider or untrusted source.
You can enable this setting, and other email protections in the Azure AD Management Console. The Varonis IR team demonstrates how to use phishing to infiltrate and steal data in this Live Cyber Security Lab.
Azure Skeleton Key Attack
This attack has to do with Azure AD Connect, which we described above as the way to synchronize your Azure and on-prem AD. Azure AD Connect can be configured via a method called Pass-Through Authentication. When this method is used, a server called the “Azure Agent” is installed on-prem.
Should an attacker compromise an organization’s Azure agent server they can create a backdoor that allows them to log in as any synchronized user. Varonis created a proof-of-concept that manipulates the Azure authentication function to 1.) give us a ‘skeleton key’ password that will work for all users, and 2.) dump all real clear-text usernames and passwords into a file.
You can read the details and see the Azure Skeleton Key attack POC in action here.
What Else Can I Configure in Azure AD?
Microsoft provides enhancements and tools to Azure AD and Microsoft 365 to further secure and protect your organization’s data in the cloud. Here are a few more options that you can enable to keep your organization more secure.
- Integrate applications with Azure AD to enable Single Sign-On (SSO)
- Automate application provisioning to new users based on group membership
- Restrict users’ ability to consent to applications – a consent request can itself be a phishing attack, and once the user clicks, the attacker has a foothold in your tenant
- Block legacy protocols that have security issues, like SMTP, POP3, or MAPI
- Enable Microsoft Cloud Access Security (MCAS) to provide monitoring inside your tenant, and augment that monitoring with detection for attacks like the Azure Skeleton Key attack described above
- Now that you have Varonis, classify all of your sensitive data and tag it with Microsoft Azure Information Protection (AIP)
The world of cloud computing is expanding with every passing day; many companies across the globe are shifting to the cloud by leveraging the services that cloud platforms offer. Microsoft Azure is the second-largest cloud service provider, and gaining expertise in it will surely take you ahead in the field of cloud computing. After learning about Azure Active Directory, you can learn more about the basics of Azure by opting for Simplilearn’s Microsoft Azure Fundamentals Training. The course can help you create Azure web apps, create and configure VMs in Microsoft Azure, and much more.