Azure AD is a cloud-based identity service. It has built in support for synchronizing with your existing on-premises Active Directory or can be used stand-alone. This means that all your applications, whether on-premises, in the cloud (including Office 365), or even mobile can share the same credentials. Administrators and developers can control access to internal and external data and applications using centralized rules and policies configured in Azure AD.
Azure AD provides services such as:
• Authentication.
This includes verifying identity to access applications and resources, and
providing functionality such as self-service password reset, multi-factor
authentication (MFA), a custom banned password list, and smart lockout
services.
• Single-Sign-On (SSO). SSO enables users to remember
only one ID and one password to access multiple applications. A single identity
is tied to a user, simplifying the security model. As users change roles or
leave an organization, access modifications are tied to that identity, greatly
reducing the effort needed to change or disable accounts.
• Application management. You can manage your cloud
and on-premises apps using Azure AD Application Proxy, SSO, the My apps portal
(also referred to as Access panel), and SaaS apps. • Business to business (B2B)
identity services. Manage your guest users and external partners while
maintaining control over your own corporate data
• Business-to-Customer (B2C) identity services.
Customize and control how users sign up, sign in, and manage their profiles
when using your apps with services. • Device Management. Manage how your cloud
or on-premises devices access your corporate data. Let's explore a few of these
in more detail.
Single sign-on-
The more identities a user has to manage, the greater the
risk of a credential-related security incident. More identities mean more
passwords to remember and change. Password policies can vary between
applications and, as complexity requirements increase, it becomes increasingly
difficult for users to remember them.
Now, consider the logistics of managing all those
identities. Additional strain is placed on help desks as they deal with account
lockouts and password reset requests. If a user leaves an organization,
tracking down all those identities and ensuring they are disabled can be
challenging. If an identity is overlooked, this could allow access when it
should have been eliminated.
With single sign-on (SSO), users need to remember only one ID and one password. Access across applications is granted to a single identity tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to the single identity, greatly reducing the effort needed to change or disable accounts. Using single sign-on for accounts will make it easier for users to manage their identities and will increase the security capabilities in your environment.
SSO with Azure Active Directory-
By leveraging Azure AD for SSO you'll also have the ability
to combine multiple data sources into an intelligent security graph. This
security graph enables the ability to provide threat analysis and real-time
identity protection to all accounts in Azure AD, including accounts that are
synchronized from your on-premises AD. By using a centralized identity
provider, you'll have centralized the security controls, reporting, alerting,
and administration of your identity infrastructure. As Contoso Shipping
integrates its existing Active Directory instance with Azure AD, you will make
controlling access consistent across the organization. Doing so will also
greatly simplify the ability to sign into email and Office 365 documents
without having to reauthenticate.
Multi-factor authentication –
Multi-factor authentication (MFA) provides additional security
for your identities by requiring two or more elements for full authentication.
These elements fall into three categories:
• Something you know
•
Something you possess
•
Something you are
Something
you know would be a password or the answer to a security question.
Something you possess
could be a mobile app that receives a notification or a token-generating
device. Something you are
is typically some sort of biometric property, such as a fingerprint or
face scan used on many mobile devices.
Using MFA increases security of your identity by limiting
the impact of credential exposure. An attacker who has a user's password would
also need to have possession of their phone or their security token generator
in order to fully authenticate. Authentication with only a single factor
verified is insufficient, and the attacker would be unable to use only those
credentials to authenticate. The benefits this brings to security are huge, and
we can't emphasize enough the importance of enabling MFA wherever possible.
Providing identities to services-
It's usually valuable for services to have identities.
Often, and against best practices, credential information is embedded in
configuration files. With no security around these configuration files, anyone
with access to the systems or repositories can access these credentials and
risk exposure. Azure AD addresses this problem through two methods: service
principals and managed identities for Azure services.
Role-based access control-
Roles are sets of permissions, like "Read-only" or
"Contributor", that users can be granted to access an Azure service
instance. Identities are mapped to roles directly or through group membership.
Separating security principals, access permissions, and resources provides
simple access management and fine-grained control. Administrators are able to
ensure the minimum necessary permissions are granted. Roles can be granted at
the individual service instance level, but they also flow down the Azure
Resource Manager hierarchy. Here's a diagram that shows this relationship.
Roles assigned at a higher scope, like an entire subscription, are inherited by
child scopes, like service instances.
Privileged Identity Management-
In addition to managing Azure resource access with
role-based access control (RBAC), a comprehensive approach to infrastructure
protection should consider including the ongoing auditing of role members as
their organization changes and evolves. Azure AD Privileged Identity Management
(PIM) is an additional, paid-for offering that provides oversight of role
assignments, self-service, and just-in-time role activation and Azure AD and
Azure resource access reviews.
