2.2.1. Governance - Azure AD - Entities.md

Azure AD Entities

Overview

• Azure AD entities are objects registered in Azure AD.
• They're uniquely identifiable.

Security principal

• Also known as security identity or security object.
• Defines the access policy and permissions for the user/application in the Azure AD tenant.
• Enables
  • Authentication of the user/application during sign-in.
  • Authorization during resource access (Azure RBAC).
• There are two types of security principals:
  • Users: See user principals.
  • Applications: See service principals.

Users

Types of users

• Cloud or Synced (from local AD through AD Connect)
• Member or Guest
  • Members are created within AD directory
  • Guests are invited by administrator or one of other users of Azure AD.

Common settings

• Usual attributes (e.g. department, phone number, contact, email)
• Setup password policy, expiration policy, flag users needing to reset their password

Usage Location

• Location is required if you want to assign license to a user within AD.
• Set usage location
  • In portal: Active Directory → Users → Select User → Profile → Settings
• You can then assign license
  • In Portal: Active Directory → Users → Select User → Licenses
• User Principal name: Combination of an user name + domain.

Create new user

• AD → User → new User
• User name
  • Required, e.g. [email protected]
• Properties: Optional information e.g. first name, last name, job title.

External access

• You can add a user as an External User
• Good for B2B scenarios
  • AD is not required on other business side.

Self-service password reset

• Scenarios
  • Allows users to change their passwords
  • If you cannot log in somehow
  • Helps with account lockout
• Authentication methods
  • Types:
    • Text message/Phone call
    • Secondary email
    • Security questions
  • Administrator requires one or more methods.
• Manage in portal
  • Steps: Active Directory → Password Reset
  • Configurations
    • Enable
      • You can enable for all users or selected users.
      • 💡 Good to first enable for a pilot group to see how it works.
    • Registration
      • Require users to register when signing in
        • Prompts user to fill information for authentication methods.
      • After how long user will be prompted to confirm authentication method information
    • Notifications
      • Notify users on password resets
      • Notifies all other admins when an admin resets his password

User access to applications

• In Azure AD you can configure certain access that users can to on application objects.
• Application registrations
  • Users can register applications (yes/no)
    • Yes; non-administrators can register applications to be used within the directory.
    • No; only administrators can do it.
• Enterprise applications
  • Users can consent to apps accessing company data on their behalf (yes/no)
    • Yes; users can consent to allow third party and multi-tenant applications to consent on their own behalf.
  • Users can add gallery apps to their Access Panel (yes/no)
    • No; as an administrator you have to manually integrate the applications through Access Panel

Groups

• Used to group objects to secure them together.
• Good for performing bulk user updates.
• Helps to:
  • Assign licenses to groups instead of to individually.
  • Delegate permissions to together.
  • Assign enterprise app access to groups.
• Can be assigned vs dynamic:
  • Assigned
    • You assign users to groups manually.
    • Static membership.
  • Dynamic
    • You select various attributes to make users member of a group
    • Dynamic query e.g. deparment Equals marketing.
• Owners and members
  • Owners: Can add/remove users from the group.
  • Members: cannot manage the group, normal permissions
• Expiration of groups
  • Groups can automatically expire.

Managing groups

• You manage in "Azure Directory → Groups"
  • You can assign licenses to a group where each member will get a license.
• Self-service group management
  • Owners manage groups instead of administrator that manage the group for the owners.
  • Users can request to join in group with providing some business justification.
  • Audits & alerts
    • Everything is logged
    • You can e.g. trigger alert on frequent activities in a group
• Company Branding
  • In portal: Active Directory → Users and groups → Company branding
  • Allows you to customize the pages with e.g. banner, sign-in page text, user name hint

Security vs Microsoft 365 Groups

• Security groups
  • Also known as Azure AD security groups.
  • Security principals 1 used for assigning permissions.
  • Analogous to Security Groups in on-prem Windows Active Directory
• Microsoft 365 Groups
  • Also known as Unified Groups 2 .
  • Groups users to assign permissions to related resources 2 .

Devices

• Enables more management
• Device settings show overview in Portal
  • Intune + MDM offer much more control
• You can add work or school account to integrate

Registration types

Register Device

• Basic registration
• Bring your own device (BYOD) scenario
• For mobile devices and Windows 10
  • Enable/disable and additional management (MDM) for mobile devices like intune.
• Enterprise State Roaming
  • Users synchronizes their user settings and application settings data to the cloud.
  • Supported in Windows 10
  • Enchanced security, management and monitoring.
  • Separation of corporate and consumer data in cloud.

Join Device

• Corporate owned assets that you want to manage
• E.g. Windows 7 or Windows 10
• You get some benefits e.g. single sign on.

Hybrid Join

• You can enable automatic registration for your AD joined computers
• Join device in both local AD and Azure AD
• Grant device user access to apps that need traditional local AD (=on-prem AD) authentication.
• You get service principal for the device
• Actual management is done through Group Policy or System Center Configuration Manager.
  • They're tied in to Azure AD but not part of core AD.
• Relies on AD Connect for synchronization
  • If they're already joined to local AD, they're also registered in Azure AD automatically.
• Configuration
  • Ensure access to external Azure AD URLs.
  • Configure SCP (service connection point) internally.
  • Configure ADFS if required

Manage in Portal

• Active Directory → Devices
• Configurations
  • Users may join devices to Azure AD
  • Additional administrators on Azure AD joined devices
    • Default is none, you can select users
  • Users may register their devices with Azure AD
  • Require Multi-Factor Auth to join devices
  • Maximum number ofdevices per device
  • Users may sync settings and enterprise app data
    • All, selected, None
  • For more you need PowerShell.

Azure AD Device Settings/Policies

• Control permissions
  • Who's allowed to access join devices?
• Control sync
  • Enabled/disabled
• Device management through Intune or other MDM
• Conditional access
  • Whether or not device has access to resources within your organization

Applications

• Azure AD IDaaS (Identity Directory as a Service)
• Application types
  • Third party or internal
  • Pre-integrated or proxies
• Automated user provisioning through SCIM 2.0
  • Use provisioning enables synchronization of user account.
  • SCIM
    • System for cross domain identity management.
    • Defined by IETF
    • Control users, groups and their relations
  • Available on select SaaS apps
• In portal, you can assign access to applications
  • AD → Applications → Select application → Users and groups

Application registration

• Also known as app registration
• Identity configuration of an application that allows integration with Azure AD.
• Creates a unique application object in Azure tenant.
• 💡 You usually use app registrations for apps that you develop yourself.
• Used to create service principals.
  • Using portal
    • If created using portal, service principal is created as well.
    • Service principal can only be created by creating app registration in portal.
  • APIs
    • If created using Microsoft Graph APIs, service principal object is created in separate step.
    • Service principals can be created using e.g. Azure PowerShell, Azure CLI, Microsoft Graph...
• Using CLI: az ad app create --display-name "displayName"

Application object

• Object created by an application registration.
• Its object is globally unique with ID known as app ID or client ID.
• Resides in same tenant application was registered (also known as home tenant).
• It's used to create one or more service principals.
• It can be seen as a template to create service principal.
  • Or in object-oriented terms; abstract base class for service principal.
  • All service principals created inherits some properties from application.
• It defines three configurations:
  1. How the service can issue tokens in order to access the application.
  2. Resources that the application might need to access.
  3. Actions that the application can take.
• See application entity in Microsoft Graph for its scheme

Service principal

• An uniquely identifiable object.
• Security principal enabling access to Azure AD secured resources.
• Defines the access policy and permissions for the user/application in the Azure AD tenant.
• There are three types of service principal:
  1. Application
     • Created from application object inheriting some of its properties.
     • Created in each tenant where application object is used.
     • Describes what application can access and can be accessed by in tenant.
  2. Managed identity
     • Used to present a managed identity.
     • Managed identities eliminate the need for developers to manage credentials.
     • Created when managed identity is enabled in a resource.
     • They can be can be granted access and permissions.
     • ❗️ They cannot be updated or modified directly
  3. Legacy
     • Created before app registrations were introduced or using legacy ways.
• On portal they can be managed in "Azure AD → Enterprise Applications" blade
• See service principal entity in Microsoft Graph for its scheme
• Using CLI
  • Create SP: az ad sp create --id "<existing-application-id>"
  • Assign roles: az role assignment create --assignee "<service-principal-object-id>/<application-id>" --role role_name

Enterprise application

• Service principals are also known as enterprise applications
• In Azure portal, service principals are listed and can be managed in "Azure AD → Enterprise Applications" blade.
• Enterprise Applications is category of Service Principal where
  • Service Principal and Application registration are in same tenant.
  • Service Principal has tag WindowsAzureActiveDirectoryIntegratedApp 1
    • ❗️ Otherwise it won't be listed in "Azure AD → Enterprise Applications" 1
    • 💡 You can add tag using az ad sp update --id "service_principal_object_id" --add tags WindowsAzureActiveDirectoryIntegratedApp.

Application object vs service principal

• Application object is base template to derive to create service principal objects.
• Application object has
  • One-to-one relation with software application.
  • One-to-many relation with service principals.
• Deleting an application object delete its associated service principal objects.
  • ❗️ Restoring it will not restore service principal objects back.
• Tenancy
  • Application object is global representation of an application for use across all tenants.
  • Service principal is the local representation for use in a specific tenant.
    • It must be created in each tenant where the application is used.
    • A single-tenant application has only one service principal (in its home tenant).

Application registration configurations

• During registration:
  • Tenancy
    • single-tenant (accessible in one tenant),
    • or multi-tenant (accessible in other tenants).
  • Redirect URI
    • Can be customized.
    • It's where the access token is sent to.
• After registration:
  • Add secrets or certificates and scopes to make app accessible
  • Customize the branding (e.g. a logo) in the sign-in dialog