Azure Active Directory: Versatile and Secure

This month I’ll be writing about Microsoft Azure Active Directory (AAD) and how it can benefit customers in many ways beyond being the directory for Office 365. Once AAD is configured, it can be used as the authentication source not only for Microsoft SaaS applications such as O365, Azure, Intune, and Dynamics, but also for any other SaaS application that supports SAML or OAuth. Thousands of these applications are listed in the AAD gallery, and SSO for them can be configured very easily. Others are configured with a few simple lines of code. In addition, AAD can be configured via proxy to provide authentication for on-premises applications. Windows 10 supports authentication via AAD, and Planet has worked with many customers to migrate them to cloud-based management with Intune and AAD, bypassing the traditional on-premises AD and SCCM.

Once authentication is configured for the appropriate use, AAD offers many security features, such as MFA and Self-Service Password Management, that should be configured. The features available vary depending on the licensing level; details can be found here. Let’s discuss some of the more popular features and the benefits they provide.

Multi-Factor Authentication (MFA): Most security experts agree that by enabling MFA, the attack surface for the “bad guys” is reduced by 99%. There is still A LOT more to do to protect that other 1%, but this is still a big deal, and it is why Microsoft enables MFA by default on the default admin accounts in AAD. At the very least, MFA should be enabled on ALL admin accounts, but it is highly recommended that MFA be enabled for all users. To make MFA more seamless for users, conditional access can be utilized so that MFA is not prompted in environments you have designated as trusted.
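As an added example (not code from the original post or from Planet), the conditional access pattern just described, "MFA everywhere except trusted environments", expressed with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, that the account running it holds a role allowed to write conditional access policies, and that the location name, CIDR range and break-glass account ID are placeholders to be replaced.

```powershell
# Added example, not part of the original post. Creates a Conditional Access
# policy that requires MFA for all users and all apps, except for sign-ins from
# a trusted office network. Names, the IP range and the break-glass ID are made up.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. A named location for the office network, marked as trusted. The CIDR is a placeholder.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "HQ office (example)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. Object ID of an emergency-access ("break glass") account, excluded so that a
#    misconfigured policy cannot lock every admin out. Placeholder value.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# 3. The policy itself, created in report-only mode so its effect can be checked
#    in the sign-in logs before it is enforced.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA for all users except trusted locations (example)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Review the created policy; switch state to "enabled" only after the report-only
# results in the sign-in logs look as expected.
$policy | Select-Object Id, DisplayName, State
```

The policy is deliberately created in report-only mode: the sign-in logs then show which sign-ins would have been challenged, which is the check to run before flipping the state to enabled, and the excluded break-glass account is the usual safeguard against locking administrators out with a policy mistake.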

Self-Service Password Management: Allows users to manage their own passwords. If P1 or P2 licensing is owned, password writeback can be enabled to also change the user's on-premises AD password at the same time.

User and Group Management: Enables users to create and manage their own security groups or Microsoft 365 groups.

Security Reporting: Helps you protect your environment from users flagged as risky and from suspicious sign-ins. Depending on the licensing, these reports can be very detailed.

Privileged Identity Management: This is one of my favorite features and while it requires P2 licensing, I highly recommend it for admin accounts (individual licenses can be purchased for admins). This feature provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. For example, if one of your admins needs to make a change to SharePoint, their account can be given specific permission to only change SharePoint between certain hours. Further detail on this feature can be found here.
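As an added example (not code from the original post or from Planet), the SharePoint scenario above done through PIM with the Microsoft Graph PowerShell SDK: the admin is made eligible for the SharePoint Administrator role for a limited period, and must still activate it each time it is needed. It assumes the SDK is installed, that the admin holds a P2 license, and that the user principal name and justification are placeholders; the cmdlet names are those of the Graph SDK as I know them.

```powershell
# Added example, not part of the original post. Grants a time-limited PIM
# eligibility (not a standing assignment) for the SharePoint Administrator role.
# The user principal name and justification are made up.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

# Resolve the admin's object ID and the role definition ID instead of hardcoding them.
$admin = Get-MgUser -UserId "spo-admin@example.com"
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'SharePoint Administrator'"

# Eligibility that expires after 90 days. Each activation is still subject to the
# role's PIM settings (maximum activation duration, MFA, justification, approval).
$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "SharePoint changes for project X (example)"
    principalId      = $admin.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P90D" }
    }
}
$request | Select-Object Id, Status, Action

# Audit check: who is currently eligible for this role?
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId, Status
```

The "between certain hours" limit mentioned above is not set on this request; it comes from the role's PIM activation settings (maximum activation duration and activation requirements), which apply to every activation the eligible admin performs. The final query is the periodic check worth running to confirm that no one has been left eligible for roles they no longer need.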