Identity protection and governance capabilities of Azure AD

https://docs.microsoft.com/en-us/learn/modules/describe-identity-protection-governance-capabilities/

  • ID governance is about balancing ID security with user productivity
  • Should be justified and auditable
  • Azure AD offers
    • Privileged Identity Management (PIM)
    • Identity Protection
    • Terms of use statements

Identity governance in Azure AD

https://docs.microsoft.com/en-us/learn/modules/describe-identity-protection-governance-capabilities/2-describe-identity-governance

  • Azure AD ID governance can perform the following tasks

    • Govern ID lifecycle
    • Govern access lifecycle
    • Secure privileged access for administration
  • Can be performed in cloud and on-premises for all users

  • Four key questions

    • Which users should have access to which resources?
    • What are those users doing with that access?
    • Are there effective organizational controls for managing access?
    • Can auditors verify that the controls are working?

Identity lifecycle

A basic lifecycle would be

Joins: An employee ID is created and permissions are assigned for the role

Moves: An employee moves across organizational boundaries and their permissions are adjusted

Leaves: An employee leaves the business and their ID is stripped of all permissions

  • The lifecycle is often controlled by an HR system such as Workday (SaaS) or SAP HCM (on-premises)
  • Azure AD can integrate with cloud HR systems, meaning that when HR makes changes in Workday the employee's ID can be created and changed
    • Requires Azure AD Premium
  • Azure AD can integrate with on-premises HR systems using Microsoft Identity Manager (MIM), which can import records

Access lifecycle

  • Process of managing what the user has access to
  • Dynamic groups can automate access rights
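The joiner/mover/leaver flow and the dynamic-group idea above, as an added example that is not code from the Microsoft Learn module: a small reconciliation routine that turns a constructed HR feed into directory actions, with a hypothetical role-to-group mapping.

```python
# Added example, not code from the Microsoft Learn module: a joiner/mover/leaver
# reconciliation. Role-to-group mapping and all records are constructed.
from dataclasses import dataclass, field

ROLE_GROUPS = {  # hypothetical mapping of HR role to the groups that grant access
    "engineer": {"grp-engineering", "grp-all-staff"},
    "finance": {"grp-finance", "grp-all-staff"},
}

@dataclass
class DirectoryUser:
    employee_id: str
    enabled: bool = True
    groups: set = field(default_factory=set)

def reconcile(hr_feed, directory):
    """Apply HR records (employee_id, role, status) to the directory in place; return actions."""
    actions = []
    for rec in hr_feed:
        eid, user = rec["employee_id"], directory.get(rec["employee_id"])
        if rec["status"] == "terminated":
            # Leaver: disable and strip every group; a re-sent record is a no-op
            if user is not None and (user.enabled or user.groups):
                user.enabled, user.groups = False, set()
                actions.append((eid, "leave"))
            continue
        wanted = ROLE_GROUPS[rec["role"]]
        if user is None:
            # Joiner: create the ID with exactly the groups the role needs
            directory[eid] = DirectoryUser(eid, True, set(wanted))
            actions.append((eid, "join"))
        elif user.groups != wanted:
            # Mover: replace, not add to, memberships so old-role access is dropped
            user.groups = set(wanted)
            actions.append((eid, "move"))
    return actions

SAMPLE_FEED = [  # constructed: one join, one move, one leave, one unchanged user
    {"employee_id": "e100", "role": "engineer", "status": "active"},
    {"employee_id": "e200", "role": "finance", "status": "active"},
    {"employee_id": "e300", "role": "engineer", "status": "terminated"},
    {"employee_id": "e400", "role": "finance", "status": "active"},
]

def sample_run():
    """Run the sample feed against a constructed directory; returns (actions, directory)."""
    directory = {eid: DirectoryUser(eid, True, set(g)) for eid, g in [
        ("e200", ROLE_GROUPS["engineer"]), ("e300", ROLE_GROUPS["engineer"]),
        ("e400", ROLE_GROUPS["finance"])]}
    return reconcile(SAMPLE_FEED, directory), directory
```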

Privileged access lifecycle

  • Used for administrator permissions
  • Azure AD PIM provides extra controls to secure access rights
  • Helps minimize the number of people who have privileged access
  • Requires Azure AD P2

What entitlement management and access reviews are

https://docs.microsoft.com/en-us/learn/modules/describe-identity-protection-governance-capabilities/3-describe-what-entitlement-management-access-reviews

  • ID governance feature
  • Enables organizations to manage ID and access at scale
  • Automates access requests workflows, access assignments, reviews and expiration
  • Requires Azure AD P2 license

Azure AD access reviews

  • Manage group memberships, access to apps and role assignment
  • Regular reviews ensure access is controlled
  • Excessive access rights are a security risk
  • Created through Azure AD access reviews or PIM
  • Used for users and guests
  • Self-review or peer reviewed
  • Requires Azure AD P2 license

Azure AD terms of use

  • MOTD presented prior to accessing a system
  • Disclose legal info or disclaimers

Capabilities of Privileged Identity Management

https://docs.microsoft.com/en-us/learn/modules/describe-identity-protection-governance-capabilities/4-describe-privileged-identity-management

  • PIM is part of Azure AD and enables you to
    • Manage
    • Control
    • Monitor … access
  • Covers all MS services such as Azure, Azure AD, Office 365 and Intune
  • Mitigates the risk of excessive, unnecessary access permissions
  • Requires justification why users want access
  • Enforces MFA
  • Requires Azure AD P2 license

Just-in-time (JIT): provides privileged access only when required

Time-bound: based on start and end dates

Approval-based: approval required to activate

Visible: notifications are sent when roles are enabled

Auditable: full history can be accessed


Azure AD Identity Protection

https://docs.microsoft.com/en-us/learn/modules/describe-identity-protection-governance-capabilities/5-describe-azure

Enables three key tasks

  • Automate the detection and remediation of ID-based risk
  • Investigate risks using data in the portal
  • Export risk detection data to third parties for analysis

Signals

  • MS analyses 6.5 trillion signals per day to identify risk
  • Signals are fed to Azure AD Identity Protection
  • Signals can be used by tools such as Conditional Access
  • Signals can be sent to security information and event management (SIEM) systems such as Azure Sentinel for analysis
  • ID protection uses three risk tiers
    • Low
    • Medium
    • High
  • Can also calculate user risk and sign-in risk

Sign-in risk is the probability that a given authentication request is not authorized by the user

  • Anonymous IP address; Tor browser or anonymizing VPN
  • Atypical travel; sign-ins from locations too far apart to travel between in the time elapsed
  • Malware-linked IP
  • Unfamiliar sign-in properties; past sign-in properties are cached and a sign-in whose properties differ is flagged for review
  • Password spray
  • Azure AD threat intelligence
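The atypical-travel and unfamiliar-sign-in-properties signals above, as an added example that is not part of the Microsoft Learn module: constructed sign-in events for one user are scored and mapped onto Low/Medium/High tiers. The speed threshold, the tier rule, the locations and the events are assumptions for illustration, not Identity Protection's own logic.

```python
# Added example, not part of the Microsoft Learn module: scoring constructed sign-ins
# for atypical travel, unfamiliar properties and an anonymous-IP flag, then mapping
# them onto Low/Medium/High. Threshold, tier rule, locations and events are assumed.
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

MAX_PLAUSIBLE_KMH = 1000  # faster than this between two sign-ins counts as atypical travel

def distance_km(a, b):
    """Great-circle distance between two (lat, lon) pairs (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def assess(events):
    """Walk one user's sign-ins (time, loc, device, browser, anon_ip) in time order;
    return [(time, tier, reasons)]. Low-risk sign-ins seed the familiar-properties cache."""
    results, familiar, prev = [], {"device": set(), "browser": set()}, None
    for ev in sorted(events, key=lambda e: e["time"]):
        reasons = ["anonymous IP"] if ev["anon_ip"] else []
        if prev is not None:
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            km = distance_km(prev["loc"], ev["loc"])
            if km > 0 and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                reasons.append("atypical travel")
        for prop in ("device", "browser"):
            if familiar[prop] and ev[prop] not in familiar[prop]:
                reasons.append(f"unfamiliar {prop}")
        tier = "High" if len(reasons) >= 2 else "Medium" if reasons else "Low"
        results.append((ev["time"], tier, reasons))
        if tier == "Low":  # only trusted sign-ins extend the familiar-properties cache
            for prop in ("device", "browser"):
                familiar[prop].add(ev[prop])
        prev = ev
    return results

LONDON, SYDNEY = (51.51, -0.13), (-33.87, 151.21)
SAMPLE_EVENTS = [  # constructed sign-ins for one user
    {"time": datetime(2024, 7, 21, 9, 0, tzinfo=timezone.utc), "loc": LONDON,
     "device": "laptop-1", "browser": "Edge", "anon_ip": False},
    {"time": datetime(2024, 7, 21, 10, 0, tzinfo=timezone.utc), "loc": SYDNEY,
     "device": "laptop-1", "browser": "Edge", "anon_ip": False},
    {"time": datetime(2024, 7, 22, 9, 0, tzinfo=timezone.utc), "loc": LONDON,
     "device": "laptop-1", "browser": "Firefox", "anon_ip": True},
    {"time": datetime(2024, 7, 22, 12, 0, tzinfo=timezone.utc), "loc": LONDON,
     "device": "laptop-1", "browser": "Edge", "anon_ip": False},
]

def sample_assessment():
    return assess(SAMPLE_EVENTS)
```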

User risk is the probability that a user account is compromised

  • Leaked credentials; hackers share credential lists, and MS checks leaked credential lists against accounts
  • Azure AD threat intelligence

Last modified July 21, 2024: update (e2ae86c)