Identity and Access (Azure AD)
If you are studying for the Microsoft Azure Fundamentals exam, this guide will help you with a quick revision before the exam. It can also be used as study notes for your preparation.
- Old-school corporate security
  - Network perimeters, firewalls, and physical access controls
  - Does not work well with bring your own device (BYOD), mobile apps, and cloud applications.
- Identity = new primary security boundary
  - Proper authentication and assignment of privileges is critical to maintaining control of your data.
  - Allows you to maintain a security perimeter outside of your physical control.
  - With single sign-on and appropriate role-based access configuration, you can always be sure who has the ability to see and manipulate data and infrastructure.
Authentication and authorization
- Azure provides services to manage both through Azure Active Directory.
Authentication
- Verification of a person or service looking to access a resource.
- Establishes whether they are who they say they are.
- Challenges a party for legitimate credentials, and provides the basis for creating a security principal for identity and access control use.
- Sometimes shortened to AuthN.
Authorization
- Establishes what level of access an authenticated person or service has.
- Specifies what data they're allowed to access and what they can do with it.
- Sometimes shortened to AuthZ.
Azure Active Directory
- Also called Azure AD.
- Cloud-based identity service.
- Can synchronize with an existing on-premises Active Directory or be used stand-alone.
- Allows you to share identities across cloud (e.g. Microsoft 365), mobile and on-premises applications.
- No SLA for the free tier; 99.9% for standard and premium.
- Some services:
  - Authentication
    - Self-service password reset
    - Multi-factor authentication (MFA)
    - Custom banned password list and smart lockout services.
  - Single sign-on (SSO)
  - Application management: manage cloud and on-premises apps using Azure AD Application Proxy, SSO, the My Apps portal (also referred to as Access panel), and SaaS apps.
  - Business-to-business (B2B) identity services: manage guest users and external partners.
  - Business-to-customer (B2C) identity services: customize and control how users sign up, sign in, and manage their profiles when using apps and services.
  - Device management: manage how your cloud or on-premises devices access your corporate data.
Single sign-on
- More identities for a single user means:
  - more passwords, which are harder for users to remember
  - more risk of a credential-related security incident
  - harder management: more account lockouts and password reset requests
  - if a user leaves an organization, all of their identities must be tracked down
- Single sign-on (SSO) = single identity
  - = one password to access all applications
  - less effort to manage, e.g. if someone leaves the organization
  - Allows you to use third-party (e.g. on-prem) identities in Azure.
SSO with Azure Active Directory
- Ability to combine data sources into an intelligent security graph.
  - The graph enables
    - threat analysis
    - real-time identity protection
  - Applied to all accounts in Azure AD (can be synchronized from on-prem).
- A centralized identity provider is good:
  - centralized security controls, reporting, alerting, and administration of the identity infrastructure.
  - E.g. allows signing into email and Office 365 documents without having to reauthenticate.
Multi-factor authentication
- Also called MFA.
- Requires two or more elements for full authentication.
- Element categories:
  - Something you know
    - E.g. a password or the answer to a security question
  - Something you possess
    - E.g. a mobile app that receives a notification or a token-generating device
  - Something you are
    - E.g. a fingerprint or face scan, often used on mobile devices.
- Enable it wherever possible for more security.
Azure AD MFA
- Also integrates with other third-party MFA providers.
- Always use it at least for the Global Administrator role in Azure AD.
- You can activate it conditionally using Azure AD Identity Protection
  - E.g. any time a user is signing in from an unknown computer.
Providing identities to services
- It is valuable for services to have identities.
- Often, and against best practices, credential information is embedded in configuration files.
  - With no security around these configuration files, anyone with access to the systems or repositories can access these credentials and risk exposure.
Service identities in Azure AD
Service principals
- Identity: a thing that can be authenticated.
  - e.g. users with user name + password
  - e.g. applications or other servers with secret keys or certificates.
- Principal: an identity acting with certain roles or claims.
  - You can have the same identity but a different role in which you are executing.
    - E.g. running sudo on a Bash prompt, or on Windows using "Run as administrator".
  - Groups are often also considered principals because they can have rights assigned.
- Service principal = an identity that is used by a service or application and that can be assigned roles.
Managed identities
- Azure infrastructure automatically takes care of authenticating the service and managing the account.
- Can be instantly created for any Azure service that supports it.
- Allows the authenticated service secure access to other Azure resources, just like any AD account.
Roles in Azure
- All co-exist.
- Three categories: classic roles, Azure roles, Azure AD roles
Classic roles
- Before role-based access control was introduced there were 3 roles:
  - Account Administrator: one per Azure account
  - Service Administrator: one per Azure subscription
  - Co-Administrator: 200 per subscription
Role-based access control
- Also called Azure roles.
- Provides fine-grained access management for Azure resources.
- Role
  - A set of permissions
  - E.g. "Read-only" or "Contributor"
  - Identities are mapped to roles directly or through group membership.
- Role assignments
  - When you are assigned to a role, RBAC allows you to perform specific actions, such as read, write, or delete.
  - E.g.
    - Allow one user to manage VMs in a subscription
    - Allow an application to access all resources in a resource group.
  - Can be granted at the service instance level, but they also flow down the Azure Resource Manager hierarchy.
    - Roles assigned at a higher scope, like an entire subscription, are inherited by child scopes, like service instances.
  - Segregate duties within your team and grant users only the amount of access that they need to perform their jobs.
- Four fundamental Azure roles: Owner, Contributor, Reader, User Access Administrator
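The following is an added example (not from the original notes or from Microsoft) that models how role assignments flow down the Resource Manager hierarchy: a principal's effective roles at a resource are those assigned at that scope or any parent scope, and each role grants an action only if one of its Actions matches and none of its NotActions subtracts it. The role definitions, principals and scope IDs are constructed and simplified for illustration; the real built-in roles carry more entries.

```python
from fnmatch import fnmatchcase

# Simplified built-in role definitions (constructed for illustration; the real
# definitions carry more Actions/NotActions). Actions are case-insensitive globs.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*"],
                                  "not_actions": []},
}

# Constructed role assignments: (principal, role, scope). Scopes are ARM resource IDs.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ASSIGNMENTS = [
    ("alice", "Reader", SUB),                                # whole subscription
    ("bob", "Contributor", SUB + "/resourceGroups/rg-app"),  # one resource group
    ("carol", "User Access Administrator", SUB),             # manages access only
]

def _match(action: str, patterns) -> bool:
    """Case-insensitive glob match, as Azure evaluates Actions/NotActions."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and every child scope below it."""
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def role_allows(role: str, action: str) -> bool:
    """Allowed if some Action pattern matches and no NotAction pattern subtracts it."""
    d = ROLES[role]
    return _match(action, d["actions"]) and not _match(action, d["not_actions"])

def effective_roles(principal: str, scope: str, assignments=ASSIGNMENTS) -> list:
    """Roles the principal holds at `scope`, directly or inherited from a parent scope."""
    return sorted({r for p, r, s in assignments
                   if p == principal and scope_covers(s, scope)})

def is_allowed(principal: str, action: str, scope: str, assignments=ASSIGNMENTS) -> bool:
    """True if any effective role grants the action (deny assignments are not modelled)."""
    return any(role_allows(r, action)
               for r in effective_roles(principal, scope, assignments))
```

Calling `is_allowed("bob", "Microsoft.Authorization/roleAssignments/write", vm_id)` returns False even though Contributor's Actions contain `*`, because the NotActions carve authorization writes out; that is what separates Contributor from Owner.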
Azure AD Roles
- At tenant level
- Global Administrator: the person who signs up for the Azure AD tenant; can do anything.
- Also User Administrator, Billing Administrator
Privileged Identity Management
- Also known as Azure AD Privileged Identity Management (PIM)
- Includes ongoing auditing of role members
  - needed as the organization changes and evolves.
- Provides:
  - Oversight of role assignments
  - Self-service
  - Just-in-time role activation
  - Azure AD and Azure resource access reviews.