Understanding Azure Active Directory and its features

Azure Active Directory and supporting tools

I have written multiple articles related to Azure Active Directory and now feel that it is important to know the benefits of Azure Active Directory and its supporting tools / add-ons from Microsoft. Below are some of the articles written in the past –

  1. Active Directory – Hybrid Deployment Architecture
  2. Azure Active Directory AD Connect
  3. Azure Active Directory Domain Services

Azure Active Directory has come a long way and has introduced various features since it first went live. Some of them are –

1. Azure Active Directory (AAD) and its editions
2. Azure Active Directory – Cloud App Discovery
3. Azure Active Directory – Identity Protection
4. Azure Active Directory – Collaboration using B2B / B2C
5. Azure Active Directory – Domain Services
6. Azure Active Directory – Application Proxy
7. Azure Active Directory – Graph API
8. Azure Active Directory – RBAC

1. Azure Active Directory and its editions

Azure Active Directory is a multi-tenant, cloud-based identity management service that provides authentication, authorization, secure identity integration with business partners and customers, identity protection, multi-factor authentication, support for legacy and modern protocols, and more.

Azure Active Directory editions and comparisons

While Azure AD has Free, Basic and Premium editions, the table below compares only the Basic and Premium editions for easy reading. The Free edition supports up to 500,000 objects, user management, Windows 10 AD Join, Single Sign-On and basic reports. The features listed below are not supported by the Free edition.

| Feature | Basic | Premium |
| --- | --- | --- |
| Directory Objects | No Limit | No Limit |
| Single Sign-On | 10 Apps per user | No Limit |
| Self-Service Password Reset | Yes | Yes |
| Application Proxy | Yes | Yes |
| Company Branding | Yes | Yes |
| Self-Service Password Reset & write-back to On-Premise AD | No | Yes |
| Multi Factor Authentication | No | Yes |
| Microsoft Identity Manager Server + CAL | No | Yes |
| Cloud App Discovery | No | Yes |
| Identity Protection | No | Yes |

Supported Protocols

SAML, WS-Federation, OAuth 2.0, OpenID Connect

2. Azure Active Directory – Cloud App Discovery

Azure AD Cloud App Discovery is a handy tool for discovering the cloud applications that leverage Azure Active Directory. With Azure Cloud App Discovery you can –

  1. Find the cloud applications and generate reports such as the number of users, the number of requests to an application and the total volume of traffic
  2. Identify and map the users that use an application

Cloud App Discovery requires an agent to be deployed on the end-user machine. Currently, Windows client operating systems such as Windows 7, 8, 8.1 and 10, and server operating systems such as Windows Server 2008, 2012, 2012 R2 and Windows Server 2016, are supported.

Cloud App Discovery captures URLs, headers and metadata for outbound HTTP/HTTPS traffic originating from the browser or any other application on the end-user machine. This also means that any traffic that is not HTTP or HTTPS will not be captured by Cloud App Discovery.

[Figure: Cloud App Discovery. Image source: Microsoft official documentation on Cloud App Discovery]

3. Azure Active Directory – Identity Protection

Azure Active Directory Identity Protection is a premium service that monitors identity-related events and creates risk profiles and policies to manage user identities. Identity Protection uses 6 types of risk events –

1. Leaked credentials – credentials that have been publicly posted on the dark web. Microsoft reviews the credentials on these websites, checks them against Azure credentials, and reports them as “leaked credentials” if a match is found. “High” security event.

2. Impossible travel to atypical locations – uses a machine learning algorithm that identifies the common locations a user logs in from, such as office, home, or a VPN IP address (possibly in another location). If Azure Active Directory finds that one of two near-simultaneous logins comes from a geographically distant or unknown location that is atypical for the user, it marks the login with this risk event. “Medium” security event, and prone to false positives.

3. Sign-ins from infected devices – identifies logins from malware-infected machines that communicate with a bot server. The Azure AD login IP address is matched against the IP addresses that communicate with the bot server, and if a match is found the login is marked in this risk event category. “Low” security event. The match is made on the source IP address seen by the bot server, not on the infected machine itself, which means that if multiple devices sit behind the same public IP address, genuine logins from uninfected machines may also be marked with this risk event.

4. Sign-ins from anonymous IP addresses – identifies users who use “anonymous” or “proxy” IP addresses to hide their original IP address when logging in. “Medium” risk event, since use of such an address is not in itself a direct indication of risk.

5. Sign-ins from IP addresses with suspicious activity – identifies IP addresses from which a high number of failed login attempts are made against multiple user accounts, indicating suspicious activity. It uses a machine learning algorithm that ignores the IP addresses a user frequently logs in from. “Medium” risk event.

6. Sign-ins from unfamiliar locations – a mechanism that considers past sign-in locations (IP, latitude/longitude and ASN) to determine new / unfamiliar locations. This mechanism has a learning period of 14 days. The system also ignores sign-ins from familiar devices and from locations that are geographically close to a familiar location. “Medium” risk event.

Azure Active Directory Identity Protection covers risk identification (using the methods listed above), investigation of the risk, and resolution of the events by enforcing a password reset or requiring multi-factor (Azure MFA) authentication.
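A simplified version of the impossible-travel check from item 2, added here as an illustration: it is a plain speed heuristic, not Microsoft's machine learning algorithm and not code from the original article. The sign-in records, the familiar-IP list and the 900 km/h threshold are constructed assumptions.

```python
import math
from datetime import datetime

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruising speed

# Constructed sign-in records: (user, timestamp, source IP, latitude, longitude)
SIGNINS = [
    ("alice", "2017-03-01T08:00:00", "198.51.100.10", 51.5074, -0.1278),  # London office
    ("alice", "2017-03-01T09:30:00", "203.0.113.77", 40.7128, -74.0060),  # New York
    ("bob", "2017-03-01T08:00:00", "198.51.100.10", 51.5074, -0.1278),    # London office
    ("bob", "2017-03-01T08:20:00", "192.0.2.44", 1.3521, 103.8198),       # VPN exit, Singapore
    ("carol", "2017-03-01T08:00:00", "198.51.100.10", 51.5074, -0.1278),  # London office
    ("carol", "2017-03-01T18:00:00", "203.0.113.90", 48.8566, 2.3522),    # Paris, 10 h later
]
# Constructed per-user list of familiar addresses (office, home, VPN)
KNOWN_IPS = {"bob": {"198.51.100.10", "192.0.2.44"}}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(signins, known_ips, max_kmh=MAX_KMH):
    """Return (user, previous IP, current IP, implied km/h) per suspect sign-in pair."""
    findings, last = [], {}
    for user, ts, ip, lat, lon in sorted(signins, key=lambda r: (r[0], r[1])):
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_ip, p_lat, p_lon = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Treat simultaneous sign-ins as one second apart to avoid dividing by zero
            speed = km / max(hours, 1 / 3600)
            # A familiar address (e.g. the corporate VPN exit) suppresses the alert
            familiar = ip in known_ips.get(user, set())
            if km > 0 and speed > max_kmh and not familiar:
                findings.append((user, p_ip, ip, round(speed)))
        last[user] = (when, ip, lat, lon)
    return findings
```

Run without the familiar-IP list, the same data also flags bob's VPN sign-in, which is the kind of false positive item 2 warns about.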

4. Identity collaboration using Azure Identity System

It is essential to have a unified way of managing identities within an application, and to be able to give access both to the partners you work with and to the thousands of consumers who subscribe to the application service, while writing minimal or no code. Azure Active Directory helps greatly here. It provides a way to securely give users of partner organizations and individual users access to an application, which can be managed partially from the Azure Active Directory hosting the application. Services that the Azure Active Directory Identity System provides –

  1. Multi-Tenant SaaS Application
  2. Azure AD – Business-to-Business collaboration (B2B)
  3. Azure AD – Business-to-Consumer collaboration (B2C)

4.1 Azure Active Directory Collaboration – B2B

Traditionally, one would have created an Active Directory trust (one-way or two-way) to give a partner organization access to a corporate application, or created the partner organization's accounts in the corporate Active Directory. Such approaches create huge administrative overhead in managing trusts / identities, and are often not approved by corporate information security teams.

Today on Azure, you can leverage Azure AD B2B functionality to provide access to applications from another Azure AD source without having to build any trust. Azure AD B2B is –

  1. Simple – The administrator of the Azure AD hosting the application invites users in the partner organization by uploading a CSV file. If the partner organization uses Azure AD, application access is immediate; otherwise the invitation takes the partner user through an Azure AD ID creation process. Once the ID is created and application access is granted, the application shows up in the user's list of applications.
  2. Secure – The administrator of the application's Azure AD controls access and can revoke users from the application when the partnership terminates. When a partner user leaves the partner organization, their access is automatically revoked, since the user is part of the partner's corporate Azure AD.

What happens to the Azure AD account that gets created if the partner organization doesn’t have an Azure AD subscription is still unknown to the author of this blog. Please add comments if you have an answer and I will update the blog.

Limitations –

  1. MFA is not supported or enforced on partner / external users.
  2. Invites are possible only via CSV
  3. Invitations to consumer email addresses such as hotmail.com, gmail.com are not supported
  4. Only Cloud applications are supported
  5. Auto-clean up of Azure AD not supported when partner organization user leaves
  6. Invitation to distribution list not supported
  7. CSV invite has a limitation of up to 2000 records

4.2 Azure Active Directory Collaboration – B2C

Azure AD B2C removes the need to write code to give multiple foreign identities access to a corporate application. Foreign identities include Facebook, Gmail, Amazon, LinkedIn, etc. Azure AD B2C supports the OAuth 2.0 and OpenID Connect protocols.

Use case – Think of the career site of a large, globally spread banking organization, where hundreds of people apply for its many jobs. Leveraging Azure AD B2C, job-seekers can log in with their public domain credentials and, once the login is validated, access the portal and apply for a job.

Unlike Azure AD B2B, Azure AD B2C supports applications that are hosted on-premise and in the cloud.

Supports Multi-factor Authentication.

Limitations –

  1. Doesn’t support B2C access to Office 365 and Microsoft Dynamics
  2. Azure AD B2C supports OpenID Connect and OAuth 2.0.

5. Azure Active Directory – Domain Services

See my detailed blog on Azure Active Directory – Domain Services here

Azure AD Domain Services is a service integrated with Azure Active Directory that provides features such as domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy.

5.1 Points to remember –

  1. The Azure AD managed Domain Services domain is a stand-alone domain and is not an extension of the on-premise Active Directory domain.
  2. Elevated privileges such as Domain Administrator or Enterprise Administrator are not available
  3. Azure AD Domain Controller replication and host OS access are managed by Microsoft
  4. Once Azure AD Connect replicates user and group data to Azure AD, they are automatically made available in Azure AD Domain Services
  5. The Azure managed AD domain is largely read-only, except for OUs that can be created by the tenant. Therefore, synchronization of user accounts, passwords and groups is uni-directional, i.e. from Azure AD to Azure AD Domain Services
  6. Multi-domain or multi-forest on-premise environments can be replicated to Azure AD Domain Services using Azure AD Connect. The target environment on Azure AD Domain Services is always a flat OU structure

5.2 What is not synchronized to Azure AD Domain Services managed domain –

  1. Excluded Attributes: While using Azure AD Connect, the tenant may choose not to sync certain attributes to Azure AD, and hence not to Azure AD Domain Services
  2. Group Policies: On-premise group policies are not synchronized to the Azure AD Domain Services managed domain
  3. SYSVOL share: The contents of SYSVOL are not replicated from on-premise Active Directory to the Azure AD infrastructure
  4. Computer Objects: Synchronizing existing computer objects from on-premise AD to Azure AD Domain Services is not supported. However, computers that are explicitly joined to Azure AD Domain Services are seen in the Azure AD managed domain
  5. SidHistory: The SidHistory attribute for users and groups is not synchronized to Azure AD Domain Services
  6. Organizational Unit (OU) Structure: Synchronizing existing OUs from on-premise AD to Azure AD is not supported. However, Azure AD provides the option to create custom OUs, which in turn are not replicated back to on-premise Active Directory

6. Azure Active Directory – Application Proxy

Azure AD Application Proxy provides secure access to applications hosted on-premise. Traditionally, providing access to on-premise applications requires creating VPN / DMZ infrastructure and managing such complex infrastructure.

Applications that work with Application Proxy

  1. Web Applications that use Integrated Windows Authentication
  2. Web Applications that use form-based authentication
  3. Web APIs
  4. Applications hosted behind Remote Desktop Gateway

Application Proxy installs an “Application Proxy Connector”, a lightweight Windows service, inside the on-premise network. The connector is automatically scalable by deploying more connectors to serve high traffic. The connector is also “stateless

Application Proxy can be enabled in the Azure AD section of the Azure Portal. The information it requires is the “Internal URL” of the application in the internal network and the authentication type: 1. Azure AD authentication 2. Pass-through authentication.

Azure AD Application proxy supports –

  1. Multi-factor authentication
  2. Conditional access, i.e. providing application access to a set of users using Azure AD groups.
  3. ADFS-based claims-aware applications

7. Azure Active Directory – Graph API

Azure Active Directory Graph API provides programmatic access to Azure AD through REST API endpoints. Applications can use the Graph API to perform Create, Read, Update and Delete operations on directory data and objects. The Graph API can be used to create a new user, update user properties, change a password or even look up group memberships.

8. Azure Active Directory – RBAC (Role based access control)

Azure provides fine-grained access control policies that can be applied to users on Azure resources such as subscriptions, resource groups and resources that are deployed in the resource groups.

Built-in RBAC roles are –

Owner: has full access to all resources including the right to delegate access to others

Contributor: can create and manage all types of Azure resources except access

Viewer: can view existing Azure resources

Other Azure default roles are –

| Role name | Description |
| --- | --- |
| API Management Service Contributor | Can manage API Management services |
| Application Insights Component Contributor | Can manage Application Insights components |
| Automation Operator | Able to start, stop, suspend, and resume jobs |
| BizTalk Contributor | Can manage BizTalk services |
| ClearDB MySQL DB Contributor | Can manage ClearDB MySQL databases |
| Contributor | Can manage everything except access. |
| Data Factory Contributor | Can create and manage data factories, and child resources within them. |
| DevTest Labs User | Can view everything and connect, start, restart, and shutdown virtual machines |
| DNS Zone Contributor | Can manage DNS zones and records |
| DocumentDB Account Contributor | Can manage DocumentDB accounts |
| Intelligent Systems Account Contributor | Can manage Intelligent Systems accounts |
| Network Contributor | Can manage all network resources |
| New Relic APM Account Contributor | Can manage New Relic Application Performance Management accounts and applications |
| Owner | Can manage everything, including access |
| Reader | Can view everything, but can’t make changes |
| Redis Cache Contributor | Can manage Redis caches |
| Scheduler Job Collections Contributor | Can manage scheduler job collections |
| Search Service Contributor | Can manage search services |
| Security Manager | Can manage security components, security policies, and virtual machines |
| SQL DB Contributor | Can manage SQL databases, but not their security-related policies |
| SQL Security Manager | Can manage the security-related policies of SQL servers and databases |
| SQL Server Contributor | Can manage SQL servers and databases, but not their security-related policies |
| Classic Storage Account Contributor | Can manage classic storage accounts |
| Storage Account Contributor | Can manage storage accounts |
| User Access Administrator | Can manage user access to Azure resources |
| Classic Virtual Machine Contributor | Can manage classic virtual machines, but not the virtual network or storage account to which they are connected |
| Virtual Machine Contributor | Can manage virtual machines, but not the virtual network or storage account to which they are connected |
| Classic Network Contributor | Can manage classic virtual networks and reserved IPs |
| Web Plan Contributor | Can manage web plans |
| Website Contributor | Can manage websites, but not the web plans to which they are connected |

Azure RBAC – Custom Roles

Azure supports the creation of custom roles if the default and built-in roles don’t meet the requirement. These custom RBAC roles can be created using Azure PowerShell, Azure CLI or the REST APIs. Once created, these roles can be assigned to users, groups, resource groups and applications.

Custom roles are Azure AD tenant based and are available to all subscriptions.
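How the difference between Owner and Contributor ("everything except access") falls out of a role definition's Actions and NotActions lists, and how a custom role can be reviewed before it is assigned; this is an added example, not code from the original article. The role definitions are trimmed to two fields and modelled on the built-in roles as an assumption, the "VM Operator" custom role is constructed, and the two review rules are illustrative.

```python
from fnmatch import fnmatchcase

# Role definitions trimmed to the fields this check needs (assumed shapes).
# "VM Operator" is a constructed custom role.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "VM Operator": {
        "Actions": [
            "Microsoft.Compute/*/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/restart/action",
        ],
        "NotActions": [],
    },
}

# Operation that lets a principal hand out access to others
ACCESS_OP = "Microsoft.Authorization/roleAssignments/write"


def _matches(patterns, operation):
    # Operation strings are compared case-insensitively; "*" is a wildcard
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def is_allowed(role, operation):
    """Effective permission of one role: matched by Actions and not by NotActions."""
    return _matches(role["Actions"], operation) and not _matches(role["NotActions"], operation)


def review(role):
    """Least-privilege findings for a role definition (illustrative rules)."""
    findings = []
    if "*" in role["Actions"]:
        findings.append("grants every operation via a bare '*' action")
    if is_allowed(role, ACCESS_OP):
        findings.append("can create role assignments (manage access)")
    return findings
```

NotActions only subtracts from the same role's Actions; it is not a deny rule, so a second role assignment can still grant the excluded operation.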

 
