Access management capabilities of Azure AD
https://docs.microsoft.com/en-us/learn/modules/explore-access-management-capabilities/
- The main function of Azure AD is to manage access
- The security perimeter has shifted from the organizational boundary to users, devices and identities
Conditional access and its benefits
- Feature of Azure AD
- Layer of security prior to allowing authenticated users to access data or resources
- Managed through policy using different signals:
  - User/groups
  - Location
  - Device
  - Application
  - Real-time sign-in risk
  - User risk
- For example, a policy could state that if a user is a member of a certain group, then they require MFA
- If multiple signals are assigned to a policy, then all of those signals must be satisfied to trigger the policy
Conditional access signals
User/groups can be used to cover all users or just those in specified groups
Locations are based on IP address ranges, such as country-specific Internet IP ranges
Device can mean specific platforms or the state of the device as reported by Intune
Application can mean that a specified application has specific conditions that must be met
Real-time sign-in risk uses Azure AD Identity Protection together with conditional access to identify risky sign-in behaviour, which is the probability that a given sign-in was not authorized by the identity owner. The triggered policy could then require a password reset, enforce MFA, or block access entirely until an administrator intervenes
User risk uses Azure AD Identity Protection to evaluate the probability that a given identity is compromised, with a value of high, medium or low
Access controls
When a policy is triggered, its action is one of:
- Block access
- Grant access
- Require one or more conditions to be met:
  - MFA
  - Device marked as compliant
  - Hybrid Azure AD joined device
  - Approved app
  - App protection policy
  - Password change
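As an added example that is not part of these notes or of Microsoft's own documentation: a small Python model of the evaluation the two sections above describe, where every signal assigned to a policy must match before its grant controls apply. The policy document is constructed in the shape of the Microsoft Graph conditionalAccessPolicy resource (the group id is a placeholder); the `SignIn` class, `policy_applies` and `evaluate` are assumed names used only for illustration.

```python
from dataclasses import dataclass
# Constructed sample policy in the shape of the Graph conditionalAccessPolicy resource: Finance group members, any app, medium/high sign-in risk -> require MFA (group id is a placeholder).
POLICY = {
    "displayName": "Require MFA for Finance on risky sign-in",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["GROUP-ID-FINANCE-PLACEHOLDER"]},
        "applications": {"includeApplications": ["All"]},
        "signInRiskLevels": ["medium", "high"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

@dataclass
class SignIn:  # the signals Azure AD has about one sign-in attempt (assumed helper type)
    groups: set
    app: str
    location: str = "unknown"
    sign_in_risk: str = "none"  # none / low / medium / high
    user_risk: str = "none"

SIGNALS = {  # condition block in the policy -> (its include-list key, the sign-in's value(s) for that signal)
    "users": ("includeGroups", lambda s: s.groups),
    "applications": ("includeApplications", lambda s: {s.app}),
    "locations": ("includeLocations", lambda s: {s.location}),
}

def _includes(condition, key, values):
    allowed = set(condition.get(key, []))
    return "All" in allowed or bool(allowed & values)  # "All" matches any value

def policy_applies(policy, s):
    """Every signal assigned to the policy must be satisfied (AND); otherwise the policy is silent."""
    c = policy["conditions"]
    for name, (key, pick) in SIGNALS.items():
        if name in c and not _includes(c[name], key, pick(s)):
            return False
    for key, val in (("signInRiskLevels", s.sign_in_risk), ("userRiskLevels", s.user_risk)):
        if key in c and val not in c[key]:
            return False
    return policy["state"] == "enabled"

def evaluate(policy, s):
    """Decision: 'grant' when the policy does not trigger, 'block', or 'require:<controls>'."""
    if not policy_applies(policy, s):
        return "grant"
    grant = policy["grantControls"]
    if grant["builtInControls"] == ["block"]:
        return "block"
    return "require:" + (" and " if grant["operator"] == "AND" else " or ").join(grant["builtInControls"])
```

A sign-in that satisfies only some of the assigned signals (for example a Finance member at low risk) is left alone by this policy, which is the "all signals must be satisfied" rule from the notes.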
Azure AD role-based access control
- Azure AD supports built-in and custom roles
- This is also known commonly as RBAC (Role Based Access Control)
- It’s best practice and more secure to use least privilege access rights
Built-in roles
- Some common built-in roles are:
  - Global Administrator
    - Access to all admin features in Azure AD
    - The default built-in role assigned to the person who signs up for the tenant
  - User Administrator
    - Can create and manage all aspects of users and groups
    - Can also manage support tickets and monitor service health
  - Billing Administrator
    - Can make purchases
    - Manage subscriptions
    - Manage support tickets
    - Monitor service health
- There are other built-in roles available
Custom roles
- Gives you the flexibility to control exactly what access is granted, rather than the broader access the built-in roles offer
- The first step is to create the custom role definition, which consists of a collection of permissions taken from a preset list
- Then you assign the user to the role by creating a role assignment
  - Grants the user the permissions listed in the role definition
- The role is assigned at a scope, which is one of:
  - Organization-wide
  - Resource-level
- Requires Azure AD P1 or P2