Author : MD TAREQ HASSAN | Updated : 2020/10/15
Azure AD
- Azure is protected by Azure Active Directory (authentication and authorization)
- Azure AD sits in the heart of Microsoft cloud
- See: Active Directory and Azure AD
- Azure AD provides:
  - User management
  - Application integration
  - Single sign-on
  - Integration with other directory services
- Azure AD is different from (on-premises) Active Directory Domain Services
Azure AD related services
- Azure AD Domain Services
  - a separate service
  - a PaaS offering from Azure
  - different from Azure AD
- Azure AD Connect
  - Azure AD Connect is a tool for connecting on-premises identity infrastructure to Azure AD
  - designed to meet and accomplish your hybrid identity goals
  - used to replicate objects from (on-premises) Active Directory Domain Services to Azure AD
  - See: What is Azure AD Connect?
Role based access control
- RBAC for short
- Roles allow you to group together sets of permissions
- We can make users or groups members of roles
- Members of a role inherit all the permissions assigned to that role
- When using roles:
  - Choose or create a role
  - Assign the role to members
  - Configure a scope for the assignment (management group, subscription, resource group or single resource)
- Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources
- Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to
- Details: https://docs.microsoft.com/en-us/azure/role-based-access-control/
Roles
- Built-in roles
- Custom roles
Built-in roles
- Owner: Lets you manage everything including access to resources
- Contributor: Lets you manage everything except granting access to resources
- Reader: Lets you view everything but not make changes
- More => https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Understanding RBAC
- A role is assigned to an Azure AD object (user, group or service principal) at a scope; the assignment applies to that scope and everything below it
- Azure RBAC roles and Azure AD roles are not the same: Azure RBAC controls Azure resources, Azure AD roles control the directory itself
Allowing access to Resource Group
- Create an Azure AD user:
  - Go to Azure Active Directory: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
  - Users > Create new user
  - Log in (switch account) using the initial password of the new user
  - Azure AD will ask for a password reset; reset the password
- Go to Resource Group: https://portal.azure.com/#blade/HubsExtension/BrowseResourceGroups
  - Select a Resource Group > Access control (IAM)
  - Add > Add role assignment > set the following:
    - Role
    - Assign access to
    - Select
  - Save
- An Azure AD user or group can be assigned a role on a Resource Group
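The same procedure (choose or create a role, assign it to a principal, scope it to a resource group) as an added Az PowerShell example; this is not code from the original notes. It assumes the Az.Accounts and Az.Resources modules are installed, `Connect-AzAccount` has been run by someone with Owner or User Access Administrator on the subscription, the resource group `rg-demo` already exists, and the user principal name, display name and role name are placeholders.

```powershell
# Added example (not from the original notes): least-privilege RBAC at resource group scope.
# Assumptions: Az.Accounts and Az.Resources installed, Connect-AzAccount done, 'rg-demo' exists;
# the UPN, display name and custom role name below are placeholders.
$ResourceGroup  = 'rg-demo'
$Upn            = 'ops.reader@contoso.example'   # placeholder UPN
$SubscriptionId = (Get-AzContext).Subscription.Id
$Scope          = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

# 1. Create the Azure AD user. The initial password is entered interactively rather than
#    written into the script, and the user must change it at first sign-in (same as the portal flow).
$InitialPassword = Read-Host -Prompt 'Initial password for the new user' -AsSecureString
$User = New-AzADUser -DisplayName 'Ops Reader' `
                     -UserPrincipalName $Upn `
                     -MailNickname 'ops.reader' `
                     -Password $InitialPassword `
                     -ForceChangePasswordNextLogin

# 2a. Choose a built-in role. Reader is the least-privileged of the three listed above:
#     it can view everything in the group and change nothing.
New-AzRoleAssignment -ObjectId $User.Id `
                     -RoleDefinitionName 'Reader' `
                     -ResourceGroupName $ResourceGroup

# 2b. Or create a custom role when no built-in role is narrow enough. This one can start, stop and
#     restart VMs but not create or delete them, and AssignableScopes restricts it to this one group,
#     so it cannot later be handed out at subscription scope by mistake.
$Role = Get-AzRoleDefinition -Name 'Reader'   # use an existing definition as a template object
$Role.Id          = $null
$Role.IsCustom    = $true
$Role.Name        = 'VM Operator (demo)'
$Role.Description = 'Start, stop and restart VMs in rg-demo; no create or delete.'
$Role.Actions.Clear()
$Role.Actions.Add('Microsoft.Compute/virtualMachines/read')
$Role.Actions.Add('Microsoft.Compute/virtualMachines/start/action')
$Role.Actions.Add('Microsoft.Compute/virtualMachines/restart/action')
$Role.Actions.Add('Microsoft.Compute/virtualMachines/deallocate/action')
$Role.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/read')
$Role.NotActions.Clear()
$Role.AssignableScopes.Clear()
$Role.AssignableScopes.Add($Scope)
$CustomRole = New-AzRoleDefinition -Role $Role

# 3. Assign the custom role at the same scope. One assignment = role + principal + scope.
New-AzRoleAssignment -ObjectId $User.Id -RoleDefinitionId $CustomRole.Id -Scope $Scope

# 4. Verify what the user actually holds in the group. Assignments made at a wider scope
#    (subscription, management group) are inherited and appear here as well.
Get-AzRoleAssignment -ObjectId $User.Id -ResourceGroupName $ResourceGroup |
    Select-Object RoleDefinitionName, Scope
```

Step 4 is the check worth keeping in a review script: it shows inherited assignments alongside direct ones, which is where "why does this reader account have Contributor?" questions are usually answered.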
Locking Resources
Why lock?
- to prevent accidental deletion (CanNotDelete lock) or accidental modification (ReadOnly lock)
- other purposes
Locking a resource group
- Go to Resource Group: https://portal.azure.com/#blade/HubsExtension/BrowseResourceGroups
- Select a Resource Group > Locks
- Set Lock name and type > OK
Locking a resource: same as above
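The resource group lock and the single-resource lock above, as an added Az PowerShell example (not code from the original notes). It assumes Az.Resources is installed, `Connect-AzAccount` has been run, and the resource group `rg-demo` and storage account `stdemo001` (both placeholders) already exist.

```powershell
# Added example (not from the original notes): resource locks with Az PowerShell.
# Assumptions: Az.Resources installed, Connect-AzAccount done; 'rg-demo' and 'stdemo001' are placeholders
# for an existing resource group and storage account.
$ResourceGroup = 'rg-demo'

# Lock the whole resource group against deletion. CanNotDelete still allows reads and changes;
# ReadOnly would also block writes (and some POST operations such as listing storage keys).
New-AzResourceLock -LockName 'no-delete-rg' `
                   -LockLevel CanNotDelete `
                   -LockNotes 'Prevent accidental deletion of the demo resource group' `
                   -ResourceGroupName $ResourceGroup `
                   -Force

# Lock a single resource the same way, naming the resource and its type instead of only the group.
New-AzResourceLock -LockName 'no-delete-storage' `
                   -LockLevel CanNotDelete `
                   -ResourceName 'stdemo001' `
                   -ResourceType 'Microsoft.Storage/storageAccounts' `
                   -ResourceGroupName $ResourceGroup `
                   -Force

# Verify: list locks in scope. A group lock is inherited by every resource in the group, so the
# resource-level lock is redundant while the group lock exists; it still matters once someone removes
# the group lock.
Get-AzResourceLock -ResourceGroupName $ResourceGroup |
    Select-Object Name, ResourceName, ResourceType, @{ n = 'Level'; e = { $_.Properties.level } }

# Removing a lock needs Microsoft.Authorization/locks/* permission. Among the built-in roles listed
# above, Owner has it and Contributor does not, so a lock also stops deletion by an over-privileged
# pipeline running as Contributor. Removal, when intended:
# Remove-AzResourceLock -LockName 'no-delete-storage' -ResourceName 'stdemo001' `
#     -ResourceType 'Microsoft.Storage/storageAccounts' -ResourceGroupName $ResourceGroup -Force
```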
Azure security options
- Azure Firewall
- Azure DDoS Protection
- Azure Web Application Firewall
- Network security groups
- Forced tunneling
- Marketplace devices (third-party network virtual appliances)
Azure information protection
- AIP is used to classify documents and emails
- AIP applies labels to documents
- Labeled documents can be protected
- AIP labels
  - Can be applied automatically
  - Can be applied manually
  - Can be recommended to users
Two sides to AIP
- Classification: metadata is added to documents in clear text, along with visual markings like headers, footers and watermarks
- Protection: Azure Rights Management encrypts documents using rights management templates
Advanced threat protection
- Monitors and analyzes user activity
- Identifies suspicious activity and events
- Works with your on-premises Active Directory forest
- Identifies
  - Reconnaissance attacks
  - Compromised credentials
  - Lateral movement
  - Domain dominance
Azure Advisor Security Assistance
- Azure Advisor integrates with Azure Security Center
- Advisor security assistance helps prevent, detect and respond to threats
- You should be using this tool every day
- Configuration is managed through Security Center
- Links:
  - Azure Advisor: https://portal.azure.com/#blade/Microsoft_Azure_Expert/AdvisorMenuBlade/overview
  - Azure Advisor Security: https://portal.azure.com/#blade/Microsoft_Azure_Expert/AdvisorMenuBlade/Security
Azure Security Center
- Protect PaaS: no deployment needed, it just works
- Non-Azure services: deploy the monitoring agent
- Compliance: reports your compliance posture
- Assessment: continuous assessment of existing and new resources
- Threat protection: detect and prevent threats to IaaS and PaaS
- Links: