Azure Identity Services

Azure Identity Services is a key component of the Azure cloud. The services that make up Azure Identity Services control authentication to, and authorization to use, various resources. Azure Active Directory is a component of Azure Identity Services; in fact, it is the flagship identity service in Azure and gives users the ability to sign in to various resources. It can also be connected to on-premises Active Directory Domain Services to synchronize identities between on-premises and cloud, which enables hybrid solutions. So in this article, we'll look at Azure Active Directory, how to use it, Conditional Access, Multi-Factor Authentication, and Single Sign-On in the enterprise.

Authentication And Authorization

Authentication is also known as AuthN. AuthN is the process of proving that you are who you say you are. When you log in to your email, work computer, social network, or any other type of service, that is authentication. Authorization is different. It is known as AuthZ, and it is the act of granting an authenticated user permission to do something or to access specific resources. You can also refer to these as Identity and Access.

Azure Active Directory

Azure Active Directory is also referred to as Azure AD for short. It is the Azure identity and access management service. Azure AD lets users sign in and access both internal and external resources. These can include applications on the corporate network, custom cloud apps, Office 365 services, and third-party Software as a Service (SaaS) applications.

  • Azure Active Directory is cloud-based identity and access management
  • External Resources
    • Microsoft Office 365
    • Azure Portal
    • SaaS Applications
  • Internal Resources
    • Applications within internal networking
    • Access to on-premise workstations
  • Can implement Single Sign-On (SSO)
  • Four Editions
    • Free – MFA, SSO, Basic Usage Reports, User Management
    • Office 365 Apps – Company Branding, SLA, Two-Way Sync Between On-Prem and Cloud
    • Premium 1 – Hybrid Architecture, Advanced Group Access, Conditional Access
    • Premium 2 – Identity Protection, Identity Governance

Single Sign-On (SSO)

Single Sign-On is fantastic because it lets users sign in once, and that signed-in session grants access to multiple different applications. They no longer have to sign in to every application they use; the one-time sign-in credential is used for multiple apps. Single Sign-On-based authentication systems are often referred to as modern authentication.

Multi Factor Authentication

Azure AD MFA works by requiring two or more of these authentication methods:

  • Something you know (pin or password)
  • Something you have (trusted device)
  • Something you are (biometric)

The Authenticator app is a popular mobile application that provides part of the solution in a Multi-Factor Authentication deployment.

Conditional Access

Conditional Access is used in Azure Active Directory to bring signals together, make decisions, and enforce organizational policies. Conditional Access looks at signals, verifies every access attempt, and grants or denies access to apps and data based on the combination of signals and decisions. Examples of signals, decisions, and policies include:

  • User or group membership
    • Policies can be targeted to specific users and groups.
  • IP Location information
    • Use of trusted IP address ranges.
    • Block or allow traffic from the IP ranges of entire countries/regions.
  • Device
    • Users with devices of specific platforms like Android or iOS.
  • Application
    • Attempts to access specific applications.
  • Calculated risk detection
    • Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior.
  • Microsoft Cloud App Security (MCAS)
    • Allows user application access and sessions to be monitored and controlled in real time.

Example Decisions

  • Block access
    • Most restrictive decision
  • Grant access
    • Least restrictive decision, can still require one or more of the following options:
      • Require multi-factor authentication
      • Require approved client app
      • Require Hybrid Azure AD joined device
      • Require device to be marked as compliant

Example applied policies

  • Blocking risky sign-in behaviors
  • Requiring multi-factor authentication for users with administrative roles
  • Blocking sign-ins for users attempting to use legacy authentication protocols
  • Requiring trusted locations for Azure AD Multi-Factor Authentication registration
  • Blocking or granting access from specific locations
  • Requiring organization-managed devices for specific applications
  • Requiring multi-factor authentication for Azure management tasks
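As an added example (not code from the original article, and not Microsoft's implementation), the following Python models the evaluation flow described above: each policy matches on the signals listed earlier and yields either a block or a grant control, and the engine combines them the way the text describes, with block as the most restrictive outcome. The policy names, IP range, role names and protocol list are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample tenant settings (not real values).
TRUSTED_RANGES = [ip_network("203.0.113.0/24")]   # named location: corporate egress
ADMIN_ROLES = {"Global Administrator", "Security Administrator"}
LEGACY_PROTOCOLS = {"SMTP AUTH", "IMAP", "POP3"}  # cannot carry an MFA challenge

@dataclass
class SignIn:
    """Signals seen for one access attempt."""
    user: str
    roles: set
    client_ip: str
    app: str
    protocol: str        # "Modern" or a legacy protocol name
    sign_in_risk: str    # "none", "low", "medium" or "high"

@dataclass
class Decision:
    blocked: bool = False
    required_controls: set = field(default_factory=set)
    matched: list = field(default_factory=list)  # policy names, for the audit trail

def in_trusted_location(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_RANGES)

# (policy name, condition over the signals, outcome): outcome is "block"
# or "grant:<control>", mirroring the decisions listed in the text.
POLICIES = [
    ("Block legacy authentication", lambda s: s.protocol in LEGACY_PROTOCOLS, "block"),
    ("Block risky sign-ins", lambda s: s.sign_in_risk == "high", "block"),
    ("MFA for administrative roles", lambda s: bool(s.roles & ADMIN_ROLES), "grant:mfa"),
    ("MFA for Azure management", lambda s: s.app == "Azure Management", "grant:mfa"),
    ("Managed device for Finance app", lambda s: s.app == "Finance", "grant:compliant_device"),
    ("MFA outside trusted locations", lambda s: not in_trusted_location(s.client_ip), "grant:mfa"),
]

def evaluate(s: SignIn) -> Decision:
    """Every matching policy applies: one block wins; otherwise the user must
    satisfy the union of the grant controls."""
    d = Decision()
    for name, condition, outcome in POLICIES:
        if condition(s):
            d.matched.append(name)
            if outcome == "block":
                d.blocked = True
            else:
                d.required_controls.add(outcome.split(":", 1)[1])
    return d
```

Whether a required control is actually satisfied (the MFA challenge passed, the device reported compliant) is a separate step that the real service performs after this decision.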