What is Azure Active Directory?

 Azure AD is a cloud-based identity service. It has built in support for synchronizing with your existing on-premises Active Directory or can be used stand-alone. This means that all your applications, whether on-premises, in the cloud (including Office 365), or even mobile can share the same credentials. Administrators and developers can control access to internal and external data and applications using centralized rules and policies configured in Azure AD.

Azure AD provides services such as:

 • Authentication. This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.

• Single-Sign-On (SSO). SSO enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts.

• Application management. You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS apps. • Business to business (B2B) identity services. Manage your guest users and external partners while maintaining control over your own corporate data

• Business-to-Customer (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps with services. • Device Management. Manage how your cloud or on-premises devices access your corporate data. Let's explore a few of these in more detail.

 

Single sign-on-

The more identities a user has to manage, the greater the risk of a credential-related security incident. More identities mean more passwords to remember and change. Password policies can vary between applications and, as complexity requirements increase, it becomes increasingly difficult for users to remember them.

 

Now, consider the logistics of managing all those identities. Additional strain is placed on help desks as they deal with account lockouts and password reset requests. If a user leaves an organization, tracking down all those identities and ensuring they are disabled can be challenging. If an identity is overlooked, this could allow access when it should have been eliminated.

With single sign-on (SSO), users need to remember only one ID and one password. Access across applications is granted to a single identity tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to the single identity, greatly reducing the effort needed to change or disable accounts. Using single sign-on for accounts will make it easier for users to manage their identities and will increase the security capabilities in your environment.

SSO with Azure Active Directory-

By leveraging Azure AD for SSO you'll also have the ability to combine multiple data sources into an intelligent security graph. This security graph enables the ability to provide threat analysis and real-time identity protection to all accounts in Azure AD, including accounts that are synchronized from your on-premises AD. By using a centralized identity provider, you'll have centralized the security controls, reporting, alerting, and administration of your identity infrastructure. As Contoso Shipping integrates its existing Active Directory instance with Azure AD, you will make controlling access consistent across the organization. Doing so will also greatly simplify the ability to sign into email and Office 365 documents without having to reauthenticate.

 

Multi-factor authentication –

Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:

 • Something you know •

 Something you possess •

Something you are

Something you know would be a password or the answer to a security question.

 Something you possess could be a mobile app that receives a notification or a token-generating device. Something you are is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.

Using MFA increases security of your identity by limiting the impact of credential exposure. An attacker who has a user's password would also need to have possession of their phone or their security token generator in order to fully authenticate. Authentication with only a single factor verified is insufficient, and the attacker would be unable to use only those credentials to authenticate. The benefits this brings to security are huge, and we can't emphasize enough the importance of enabling MFA wherever possible.

 

Providing identities to services-

It's usually valuable for services to have identities. Often, and against best practices, credential information is embedded in configuration files. With no security around these configuration files, anyone with access to the systems or repositories can access these credentials and risk exposure. Azure AD addresses this problem through two methods: service principals and managed identities for Azure services.

Role-based access control-

Roles are sets of permissions, like "Read-only" or "Contributor", that users can be granted to access an Azure service instance. Identities are mapped to roles directly or through group membership. Separating security principals, access permissions, and resources provides simple access management and fine-grained control. Administrators are able to ensure the minimum necessary permissions are granted. Roles can be granted at the individual service instance level, but they also flow down the Azure Resource Manager hierarchy. Here's a diagram that shows this relationship. Roles assigned at a higher scope, like an entire subscription, are inherited by child scopes, like service instances.

Privileged Identity Management-

In addition to managing Azure resource access with role-based access control (RBAC), a comprehensive approach to infrastructure protection should consider including the ongoing auditing of role members as their organization changes and evolves. Azure AD Privileged Identity Management (PIM) is an additional, paid-for offering that provides oversight of role assignments, self-service, and just-in-time role activation and Azure AD and Azure resource access reviews.

 

 

Creation of OU in Active Directory

ACTIVE DIRECTORY OU (ORGANIZATIONAL UNIT)

An Organizational Unit (OU) is a container in the Active Directory domain that can contain different objects from the same AD domain: other containers, groups, users, and computer accounts. An Active Directory OU is a simple administrative unit within a domain on which an administrator can link Group Policy objects and assign permissions to other users/groups.

Azure AD DS managed domains include the following two built-in OUs:

• AADDC Computers - contains computer objects for all computers that are joined to the managed domain.
• AADDC Users - includes users and groups synchronized in from the Azure AD tenant.

Procedure Name: Creation of Organization Unit (OU) in AD

• Log in to AD server 
• RUN - DSA.msc

•  In tree select appropriate OU.
•  Then right click on OU and select New-> organization Unit

      

• Give appropriate name

• Click OK
• Your OU is created 

How to create an Active Directory OU using PowerShell?

The New-ADOrganizationalUnit cmdlet creates an Active Directory organizational unit (OU). You can set commonly used OU property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be set by using the* OtherAttributes* parameter.

You must set the Name parameter to create a new OU. If you do not specify the Path parameter, the cmdlet creates an OU under the default NC head for the domain.

PowerShell

PS C:\> New-ADOrganizationalUnit -Name "UserAccounts" -Path "DC=FABRIKAM,DC=COM"

Azure-Backup, Restore VM, Add Notification Alert

Azure Backup :- 

Azure Backup is a service provided by Azure. In this we can use to  backup data to  Azure cloud. Why azure backup service require and what is the Key & Benefits. Please refer below simple point from https://docs.microsoft.com/en-us/azure/backup/backup-overview

·        First, we need to create recovery vault in azure portal. Go to search option and type recovery Service vault. Below screen will appear. 

·        Click on create option

·        Click on review + Create

·        Click on Go to Resources -Properties – Backup Configuration- Click on Update.

·        By default, we can see GRS is selected. GRS is more effective than LRS because it Saves the data synchronously three times at the primary physical location (LRS) and asynchronously three times in a secondary physical region.

 

·        In Real production work you should choose GRS but now I am using LRS coz its cheaper but not survivor. And I am doing LAB practical so using LRS.

 

·        Click in LRS option and save configuration. 

·        Move on to Security setting –

·        Under security setting Disabled Soft delete because I am doing LAB.  

·        Then click on Backup Policy.

·        After click on Backup policy, you can see some types which backup you want so here, we need AZ VM backup. So, click on Azure Virtual Machine option and it will navigate to next page

·        Under Backup policy, we can see multiple option there and we need to select as per project requirement. For example, Weekly backup Point, Monthly Backup point, Yearly Backup Point, so whatever we have received requirement, accordingly we can perform task. Here, LAB practice going on so we can choose option as per our self-requirement.    

·        Now click on Backup

·        Select Backup Policy Name where we selected at initial stage. Then click on Add Option. 

·        Remember One thing “Your VM and Recovery service vault Should be in Same region’’. Select VM (You can see in Under VM name option in drop down menu and click on Ok Option. After that click on Enable Backup option so it will start your process and take some time. 

·        Then click on go to resources and click on Backup items. 

·        Click on Azure VM

·        After clicked on AZ VM, it is telling me that precheck has passed. Also get warning sign that initial backup pending.

·        Click on View details and it will redirect to next page. Click on Backup now so it will trigger to backup.  

·        After completed deployment process go to backup job. We can see backup Status in completed and other tab “In progress” click on view details and Snapshot backup also completed and transfer to vault under process

Again, go to recovery service vault from search option. Backup items and click on Azure VM backup. We can see below window

·        If we need to restore VM then follow below process. Click on restore VM option. Then click on select Option. Once restore point screen appear then select restore point. It would take time to refreshing list. Then click on OK option and it will navigate to next window where you need to select actual option.

·        So, it will take some time to restore VM. Before that we should fill-up all details which is require like RG, VNET, Storage option.

 

Backup Alerts: -

 We need to setup backup alerts of our recovery SV. Please click on RSV, Backup alerts. Click on configuration notifications.

Once configuration notification window appears then we need to select Recipients (Email) to whom we want to receive alert from email. Enter email id in options.

In notify window we can select per alert option and in Severity option we can see multiple option, so accordingly as per our requirement I am selecting only Critical alerts and click on Save button. 

Azure Backup - Frequently asked questions: -

Question: - Is there any limit on the number of vaults that can be created in each Azure subscription?

Answer: - Yes. You can create up to 500 Recovery Services vaults, per supported region of Azure Backup, per subscription. If you need additional vaults, create an additional subscription.

 

     Question: - Can I move my vault between subscriptions?

     Answer: - Yes. To move a Recovery Services vault. Refer -  https://docs.microsoft.com/en-us/azure/backup/backup-azure-move-recovery-services-vault

 

Question: - Can I move backup data to another vault?

Answer: - No. Backup data stored in a vault can't be moved to a different vault

Question: - Can I change the storage redundancy setting after a backup?

 

Answer: - The storage replication type by default is set to geo-redundant storage (GRS). Once you configure the backup, the option to modify is disabled and can't be changed.

Question: - What operating systems are supported for backup?

Answer: -

OS	SKU	Details
Workstation
Windows 10 64 bit	Enterprise, Pro, Home	Machines should be running the latest services packs and updates.
Windows 8.1 64 bit	Enterprise, Pro	Machines should be running the latest services packs and updates.
Windows 8 64 bit	Enterprise, Pro	Machines should be running the latest services packs and updates.
Windows 7 64 bit	Ultimate, Enterprise, Professional, Home Premium, Home Basic, Starter	Machines should be running the latest services packs and updates.
Server
Windows Server 2022 64 bit	Standard, Datacenter, Essentials, IoT	With the latest service packs/updates.
Windows Server 2019 64 bit	Standard, Datacenter, Essentials, IoT	With the latest service packs/updates.
Windows Server 2016 64 bit	Standard, Datacenter, Essentials	With the latest service packs/updates.
Windows Server 2012 R2 64 bit	Standard, Datacenter, Foundation	With the latest service packs/updates.
Windows Server 2012 64 bit	Datacenter, Foundation, Standard	With the latest service packs/updates.

Availability Set & Availability Zone

 Availability Set: -

Many definitions of availability set have been read but as far as I know in a few words Availability set is a service that protects your infrastructure from MS azure datacenters outage.

 

In Availability set we can see two services Fault domain and Update domain

 

Fault Domain: - If there is ever a power outage or any problem in the network, the fault domain helps keep the applications in your virtual machine running smoothly. The group of virtual machines that share a common power source and network switch. The virtual machines configured within your availability set are separated across up to three fault domains.

 

Update Domain: - It will help to make sure any 1 VMs will reboot at a time if there are any patches applied by MS as per their regular patches scheduled.

How to Create Availability Set: -

·       Click on all services

·       Then select the Availability set or search the Availability set

·        Provided the Name, resource Group Location etc.

·        Select the Fault domain/ Update Domain

    ·        Click on Create 

Availability Zone: - 

 This concept from Microsoft Azure I am recommended to prefer this concept only.

Azure Availability Zones are physically separate locations within each Azure region that tolerate local failures. Failures can range from software and hardware failures to events such as earthquakes, floods and fires. Failure tolerance is achieved through redundancy and logical isolation of Azure services. To ensure resiliency, at least three separate Availability Zones are present in all Availability Zone-enabled zones.

  There are three Availability Zones per supported Azure region