Skip to content

Latest commit

 

History

History
315 lines (261 loc) · 12.9 KB

2.2.1. Governance - Azure AD - Entities.md

File metadata and controls

315 lines (261 loc) · 12.9 KB

Azure AD Entities

Overview

  • Azure AD entities are objects registered in Azure AD.
  • They're uniquely identifiable.

Security principal

  • Also known as security identity or security object.
  • Defines the access policy and permissions for the user/application in the Azure AD tenant.
  • Enables
    • Authentication of the user/application during sign-in.
    • Authorization during resource access (Azure RBAC).
  • There are two types of security principals:

Users

Types of users

  • Cloud or Synced (from local AD through AD Connect)
  • Member or Guest
    • Members are created within AD directory
    • Guests are invited by administrator or one of other users of Azure AD.

Common settings

  • Usual attributes (e.g. department, phone number, contact, email)
  • Setup password policy, expiration policy, flag users needing to reset their password

Usage Location

  • Location is required if you want to assign license to a user within AD.
  • Set usage location
    • In portal: Active Directory → Users → Select User → Profile → Settings
  • You can then assign license
    • In Portal: Active Directory → Users → Select User → Licenses
  • User Principal name: Combination of an user name + domain.

Create new user

  • AD → User → new User
  • User name
  • Properties: Optional information e.g. first name, last name, job title.

External access

  • You can add a user as an External User
  • Good for B2B scenarios
    • AD is not required on other business side.

Self-service password reset

  • Scenarios
    • Allows users to change their passwords
    • If you cannot log in somehow
    • Helps with account lockout
  • Authentication methods
    • Types:
      • Text message/Phone call
      • Secondary email
      • Security questions
    • Administrator requires one or more methods.
  • Manage in portal
    • Steps: Active Directory → Password Reset
    • Configurations
      • Enable
        • You can enable for all users or selected users.
        • 💡 Good to first enable for a pilot group to see how it works.
      • Registration
        • Require users to register when signing in
          • Prompts user to fill information for authentication methods.
        • After how long user will be prompted to confirm authentication method information
      • Notifications
        • Notify users on password resets
        • Notifies all other admins when an admin resets his password

User access to applications

  • In Azure AD you can configure certain access that users can to on application objects.
  • Application registrations
    • Users can register applications (yes/no)
      • Yes; non-administrators can register applications to be used within the directory.
      • No; only administrators can do it.
  • Enterprise applications
    • Users can consent to apps accessing company data on their behalf (yes/no)
      • Yes; users can consent to allow third party and multi-tenant applications to consent on their own behalf.
    • Users can add gallery apps to their Access Panel (yes/no)
      • No; as an administrator you have to manually integrate the applications through Access Panel

Groups

  • Used to group objects to secure them together.
  • Good for performing bulk user updates.
  • Helps to:
    • Assign licenses to groups instead of to individually.
    • Delegate permissions to together.
    • Assign enterprise app access to groups.
  • Can be assigned vs dynamic:
    • Assigned
      • You assign users to groups manually.
      • Static membership.
    • Dynamic
      • You select various attributes to make users member of a group
      • Dynamic query e.g. deparment Equals marketing.
  • Owners and members
    • Owners: Can add/remove users from the group.
    • Members: cannot manage the group, normal permissions
  • Expiration of groups
    • Groups can automatically expire.

Managing groups

  • You manage in "Azure Directory → Groups"
    • You can assign licenses to a group where each member will get a license.
  • Self-service group management
    • Owners manage groups instead of administrator that manage the group for the owners.
    • Users can request to join in group with providing some business justification.
    • Audits & alerts
      • Everything is logged
      • You can e.g. trigger alert on frequent activities in a group
  • Company Branding
    • In portal: Active Directory → Users and groups → Company branding
    • Allows you to customize the pages with e.g. banner, sign-in page text, user name hint

Security vs Microsoft 365 Groups

  • Security groups
    • Also known as Azure AD security groups.
    • Security principals 1 used for assigning permissions.
    • Analogous to Security Groups in on-prem Windows Active Directory
  • Microsoft 365 Groups
    • Also known as Unified Groups 2 .
    • Groups users to assign permissions to related resources 2 .

Devices

  • Enables more management
  • Device settings show overview in Portal
    • Intune + MDM offer much more control
  • You can add work or school account to integrate

Registration types

Register Device

  • Basic registration
  • Bring your own device (BYOD) scenario
  • For mobile devices and Windows 10
    • Enable/disable and additional management (MDM) for mobile devices like intune.
  • Enterprise State Roaming
    • Users synchronizes their user settings and application settings data to the cloud.
    • Supported in Windows 10
    • Enchanced security, management and monitoring.
    • Separation of corporate and consumer data in cloud.

Join Device

  • Corporate owned assets that you want to manage
  • E.g. Windows 7 or Windows 10
  • You get some benefits e.g. single sign on.

Hybrid Join

  • You can enable automatic registration for your AD joined computers
  • Join device in both local AD and Azure AD
  • Grant device user access to apps that need traditional local AD (=on-prem AD) authentication.
  • You get service principal for the device
  • Actual management is done through Group Policy or System Center Configuration Manager.
    • They're tied in to Azure AD but not part of core AD.
  • Relies on AD Connect for synchronization
    • If they're already joined to local AD, they're also registered in Azure AD automatically.
  • Configuration
    • Ensure access to external Azure AD URLs.
    • Configure SCP (service connection point) internally.
    • Configure ADFS if required

Manage in Portal

  • Active Directory → Devices
  • Configurations
    • Users may join devices to Azure AD
    • Additional administrators on Azure AD joined devices
      • Default is none, you can select users
    • Users may register their devices with Azure AD
    • Require Multi-Factor Auth to join devices
    • Maximum number ofdevices per device
    • Users may sync settings and enterprise app data
      • All, selected, None
    • For more you need PowerShell.

Azure AD Device Settings/Policies

  • Control permissions
    • Who's allowed to access join devices?
  • Control sync
    • Enabled/disabled
  • Device management through Intune or other MDM
  • Conditional access
    • Whether or not device has access to resources within your organization

Applications

  • Azure AD IDaaS (Identity Directory as a Service)
  • Application types
    • Third party or internal
    • Pre-integrated or proxies
  • Automated user provisioning through SCIM 2.0
    • Use provisioning enables synchronization of user account.
    • SCIM
      • System for cross domain identity management.
      • Defined by IETF
      • Control users, groups and their relations
    • Available on select SaaS apps
  • In portal, you can assign access to applications
    • AD → Applications → Select application → Users and groups

Application registration

  • Also known as app registration
  • Identity configuration of an application that allows integration with Azure AD.
  • Creates a unique application object in Azure tenant.
  • 💡 You usually use app registrations for apps that you develop yourself.
  • Used to create service principals.
    • Using portal
      • If created using portal, service principal is created as well.
      • Service principal can only be created by creating app registration in portal.
    • APIs
      • If created using Microsoft Graph APIs, service principal object is created in separate step.
      • Service principals can be created using e.g. Azure PowerShell, Azure CLI, Microsoft Graph...
  • Using CLI: az ad app create --display-name "displayName"

Application object

  • Object created by an application registration.
  • Its object is globally unique with ID known as app ID or client ID.
  • Resides in same tenant application was registered (also known as home tenant).
  • It's used to create one or more service principals.
  • It can be seen as a template to create service principal.
    • Or in object-oriented terms; abstract base class for service principal.
    • All service principals created inherits some properties from application.
  • It defines three configurations:
    1. How the service can issue tokens in order to access the application.
    2. Resources that the application might need to access.
    3. Actions that the application can take.
  • See application entity in Microsoft Graph for its scheme

Service principal

  • An uniquely identifiable object.
  • Security principal enabling access to Azure AD secured resources.
  • Defines the access policy and permissions for the user/application in the Azure AD tenant.
  • There are three types of service principal:
    1. Application
    2. Managed identity
      • Used to present a managed identity.
      • Managed identities eliminate the need for developers to manage credentials.
      • Created when managed identity is enabled in a resource.
      • They can be can be granted access and permissions.
      • ❗️ They cannot be updated or modified directly
    3. Legacy
      • Created before app registrations were introduced or using legacy ways.
  • On portal they can be managed in "Azure AD → Enterprise Applications" blade
  • See service principal entity in Microsoft Graph for its scheme
  • Using CLI
    • Create SP: az ad sp create --id "<existing-application-id>"
    • Assign roles: az role assignment create --assignee "<service-principal-object-id>/<application-id>" --role role_name
Enterprise application
  • Service principals are also known as enterprise applications
  • In Azure portal, service principals are listed and can be managed in "Azure AD → Enterprise Applications" blade.
  • Enterprise Applications is category of Service Principal where
    • Service Principal and Application registration are in same tenant.
    • Service Principal has tag WindowsAzureActiveDirectoryIntegratedApp 1
      • ❗️ Otherwise it won't be listed in "Azure AD → Enterprise Applications" 1
      • 💡 You can add tag using az ad sp update --id "service_principal_object_id" --add tags WindowsAzureActiveDirectoryIntegratedApp.

Application object vs service principal

  • Application object is base template to derive to create service principal objects.
  • Application object has
    • One-to-one relation with software application.
    • One-to-many relation with service principals.
  • Deleting an application object delete its associated service principal objects.
    • ❗️ Restoring it will not restore service principal objects back.
  • Tenancy
    • Application object is global representation of an application for use across all tenants.
    • Service principal is the local representation for use in a specific tenant.
      • It must be created in each tenant where the application is used.
      • A single-tenant application has only one service principal (in its home tenant).
Application registration configurations
  • During registration:
    • Tenancy
      • single-tenant (accessible in one tenant),
      • or multi-tenant (accessible in other tenants).
    • Redirect URI
      • Can be customized.
      • It's where the access token is sent to.
  • After registration:
    • Add secrets or certificates and scopes to make app accessible
    • Customize the branding (e.g. a logo) in the sign-in dialog