Azure Active Directory (AAD)

In my last post I talked about Azure Information Protection (AIP), a way of getting a good sense of security in the cloud. Today I want to talk about a very important feature of Azure: Azure Active Directory (AAD). AAD is a good place to start with security: controlling which users are allowed or prevented from logging in is your first line of defense.

In preview

AAD is not something radically new. Microsoft created a new management portal for AAD in the new Azure Portal so that it matches the look and feel of the new portal. At the moment most users will still have to use the old portal for AAD, but once the new management portal is out of preview we are good to go!

What has changed?

So who cares? It's a new management portal for AAD. To be honest nothing has really changed functionally; Microsoft just changed the look and feel to match the new portal.

3 versions

There are 3 versions of AAD: Free, Basic and Premium. See the link below to decide which version of AAD you need.

Overview AAD subscriptions

Features of AAD

Let's discuss some cool features of AAD.

MFA

Let's start with a cool feature: Multi-Factor Authentication (MFA). With MFA you get 3 extra ways to verify a log-in:

  1. Text messages: MFA sends a text message with a code that you have to fill in when you log on.
  2. Phone calls: you get a phone call that gives you a number you have to fill in when you log in.
  3. My personal favorite is the Microsoft Authenticator app, which makes life a lot easier. MFA sends a notification to the app and all you have to do is press verify. No more waiting for a phone call or text. Awesome feature!

Logging in is not the only part that MFA helps you with: MFA also uses machine learning to determine whether a log-in attempt is legitimate. Should a user attempt to log in from a location he or she wasn't at recently, the administrator gets a notification. You can even use MFA with other SaaS applications like Salesforce and Dropbox.
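To make the "location the user wasn't at recently" signal concrete, here is an added Python illustration of that kind of check. It is not Azure AD's code (Microsoft's own heuristics are not described on this page); it is a small stand-alone model, the sign-in log is constructed, and the 30-day lookback window and the country-level comparison are assumptions chosen for the example.

```python
"""Flag sign-ins from a country a user has not signed in from recently.

Added illustration of the 'new location' signal; not Azure AD code.
The log lines are constructed and the lookback window is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: (user, UTC timestamp, country, city).
# The last entry is the one an administrator would want to be told about.
SIGNIN_LOG = [
    ("alice", "2017-03-01T08:02:00", "NL", "Amsterdam"),
    ("alice", "2017-03-02T08:10:00", "NL", "Amsterdam"),
    ("alice", "2017-03-03T17:45:00", "NL", "Utrecht"),
    ("bob",   "2017-03-03T09:00:00", "US", "Seattle"),
    ("alice", "2017-03-04T03:12:00", "RU", "Moscow"),
]

LOOKBACK_DAYS = 30  # assumed window; pick what fits your own users' travel patterns


def parse(record):
    """Turn one log tuple into (user, datetime, country, city)."""
    user, ts, country, city = record
    return user, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), country, city


def detect_new_locations(log, lookback_days=LOOKBACK_DAYS):
    """Return one alert per sign-in whose country was not seen for that user
    within the lookback window.

    The log is processed in time order so every attempt is judged only against
    history that preceded it. Comparison is at country level so a trip between
    two cities in the same country does not raise an alert.
    """
    history = defaultdict(list)  # user -> [(timestamp, country)]
    alerts = []
    for user, when, country, city in sorted((parse(r) for r in log),
                                            key=lambda rec: rec[1]):
        window_start = when - timedelta(days=lookback_days)
        recent = {c for t, c in history[user] if t >= window_start}
        # A user's very first sign-in has no baseline, so it is not alerted on.
        if recent and country not in recent:
            alerts.append({
                "user": user,
                "time": when.isoformat(),
                "country": country,
                "city": city,
                "recent_countries": sorted(recent),
            })
        history[user].append((when, country))
    return alerts


if __name__ == "__main__":
    for alert in detect_new_locations(SIGNIN_LOG):
        print(f"ALERT {alert['user']} signed in from {alert['city']}, "
              f"{alert['country']} at {alert['time']}; "
              f"recently seen in {alert['recent_countries']}")
```

Run on the constructed log this reports exactly one alert, Alice's sign-in from Moscow, while her move from Amsterdam to Utrecht and Bob's first-ever sign-in stay quiet. In a real deployment the same idea would be fed by the tenant's sign-in logs, and the alert would go to the administrator rather than to stdout.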

Conditional Access 

You can prevent users from accessing an application by setting conditions the user has to meet. Once the user meets all the criteria, he or she is granted access. Conditions can be the following:

  • Group membership: the user gets access based on membership of a group.
  • Location: require MFA if the user is not on a trusted (whitelisted) network or location.
  • Device platform: the device platform determines whether the policy applies.
  • Device enabled: check whether a device is enabled or disabled. If you disable a lost or stolen device in the directory, it no longer fulfils the policy requirements.
  • Sign-in and user risk: you can use Azure AD Identity Protection to build risk-based Conditional Access policies.
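The following is an added Python model of how the five conditions above combine into an access decision. It is an illustration, not Azure AD's evaluation engine or its policy format: the policy values, the named locations, the risk levels and the sample sign-ins are all constructed, and the "strictest outcome wins" rule for multiple policies is an assumption made to keep the example self-contained.

```python
"""Toy Conditional Access evaluator covering the conditions listed above.

Added example, not Azure AD's own implementation. Policy values, locations
and sample sign-ins are constructed; the combination rule is an assumption.
"""
from dataclasses import dataclass, field


@dataclass
class SignIn:
    """Facts known about one sign-in attempt at decision time."""
    user: str
    groups: set          # directory groups the user belongs to
    app: str             # application being accessed
    location: str        # named location, e.g. "HQ office" or "unknown"
    platform: str        # "windows", "ios", "android", ...
    device_enabled: bool  # False once an admin disables a lost/stolen device
    sign_in_risk: str    # "none", "low", "medium" or "high"


@dataclass
class Policy:
    """Scope (who/what/which platform) plus the checks to apply inside it."""
    name: str
    apps: set
    include_groups: set
    trusted_locations: set
    platforms: set
    block_risk_levels: set = field(default_factory=lambda: {"high"})
    mfa_risk_levels: set = field(default_factory=lambda: {"medium"})


SEVERITY = {"allow": 0, "require_mfa": 1, "block": 2}


def applies(policy, s):
    """Group membership, application and device platform scope the policy."""
    return (s.app in policy.apps
            and bool(s.groups & policy.include_groups)
            and s.platform in policy.platforms)


def evaluate(policy, s):
    """Outcome of one policy for one sign-in, or None if out of scope."""
    if not applies(policy, s):
        return None
    if not s.device_enabled:           # disabled device never satisfies the policy
        return "block"
    if s.sign_in_risk in policy.block_risk_levels:
        return "block"
    if s.sign_in_risk in policy.mfa_risk_levels:
        return "require_mfa"
    if s.location not in policy.trusted_locations:
        return "require_mfa"           # off the trusted network: ask for MFA
    return "allow"


def decide(policies, s):
    """Combine all in-scope policies; the strictest outcome wins (assumption).
    A sign-in that no policy covers is allowed, as nothing constrains it."""
    outcomes = [o for o in (evaluate(p, s) for p in policies) if o is not None]
    return max(outcomes, key=SEVERITY.get) if outcomes else "allow"


# Constructed policy: sales staff reaching the CRM from Windows or iOS.
SALES_POLICY = Policy(name="Sales CRM", apps={"crm"}, include_groups={"sales"},
                      trusted_locations={"HQ office"}, platforms={"windows", "ios"})

# Constructed sign-ins exercising each condition.
SAMPLES = {
    "office_ok":    SignIn("alice", {"sales"}, "crm", "HQ office", "windows", True, "none"),
    "remote":       SignIn("alice", {"sales"}, "crm", "unknown", "ios", True, "none"),
    "medium_risk":  SignIn("alice", {"sales"}, "crm", "HQ office", "windows", True, "medium"),
    "lost_phone":   SignIn("alice", {"sales"}, "crm", "HQ office", "ios", False, "none"),
    "high_risk":    SignIn("alice", {"sales"}, "crm", "HQ office", "windows", True, "high"),
    "not_in_scope": SignIn("bob", {"finance"}, "crm", "unknown", "windows", True, "none"),
}


def run_samples(policies=(SALES_POLICY,)):
    """Decision for every constructed sign-in, keyed by sample name."""
    return {name: decide(policies, s) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:13s} -> {outcome}")
```

Two things the list alone does not make obvious come out of running it: a disabled device is blocked even from the trusted office location, and Bob's sign-in is allowed only because no policy is scoped to his group, which is why a catch-all baseline policy is worth having alongside the targeted ones.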


B2C

Use your own credentials to log in to an app with Business to Consumer (B2C). You can log in with your Google, LinkedIn, Facebook and many other accounts. It's a good way to prevent users from having to create yet another account to log in to another app. It's a lot like OAuth, which is supported by a lot of well-known internet companies.
Windows 10

Another cool feature: when you join Windows 10 to Azure AD, you automatically get all the corporate policies and access to all the apps you need. You can also use your Azure AD account to sign in to Windows 10.

Conclusion

I've talked about only a few features of AAD; there are a lot more, such as:

  • Identity protection
  • Self service
  • Partner access
  • DC as a service
  • User lifecycle
  • Monitoring

A lot of cool things to do with AAD, making life a lot easier. AAD will be your first wall of defense in preventing people from entering your application. I'd like to dive into some more detail on Conditional Access in my next blog. Stay tuned.


Reference

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azureadjoin-deployment-aadjoindirect
