I wanted to see if someone could help me with my capstone project. I selected access control and authentication. I need to help a company having issues with employees being able to open vital documents on the company network. I'm using Microsoft Azure to try and fix the problem. I'm trying to outline what I need to do to create a better access control system using a virtual machine in a Windows environment (1 x domain controller, 1 x client, 4 users) to deliver a solution. I want to look at implementing DAC, RBAC, MAC, or a combination to help protect the essential information. Can anyone please break down a step-by-step process of what I should do? I need the virtual network and to set up a topology. I was thinking about the hub-and-spoke topology, but it can change if something is better to use. I last worked with Azure and access control in 2018, and I feel that I'm jumping around and missing some areas.
• I would suggest you first create a set of virtual networks based on your different office locations or the assigned location of your employees. The address spaces used for these virtual networks should be different and must not overlap, to avoid policies and access rules being applied to the other networks. Once done, configure the virtual machines for the concerned employees accordingly, and the connectivity solution for them as well, i.e., through RDP or a Bastion host.
• Then, ensure that the user IDs are created according to the employees' requirements for access to the Azure resources deployed, i.e., the resources may be an Azure file share, blob storage, any web app created, or any certificate or secret in the key vault. Then provide access to the concerned user to that Azure resource through RBAC (Access control (IAM)) by assigning them roles according to the level of access required for that resource.
• Also, ensure that you have assigned an Azure role assignment to every user alike if they are using resources on Azure. In this case, you can create a custom role with the required permissions, actions, and data actions necessary for that Azure role. While doing this, you will also be enrolling your users for Office 365 services to have appropriate access to online office software and a mailbox. During this, you will need to opt for an Azure Information Protection license so that the documents, mails, etc. are protected even after they leave the organization's domain, i.e., client systems. You would also need Azure AD Premium P2 and Enterprise Mobility + Security (EMS) E5 licenses.
Thus, in this way, you can set up your organization's infrastructure in Azure with secure and proper access. Please find below links for more information regarding the specific feature configuration:
https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-first
The above link describes the use and configuration of access packages in Azure and how you can use them to create a workflow for approval and requests for assigning the required resources for a particular project in Azure. Similarly, regarding the implementation of Azure Information Protection, kindly refer to the documentation links below for configuration and more details:
https://learn.microsoft.com/en-in/previous-versions/azure/information-protection/infoprotect-quick-start-tutorial
https://learn.microsoft.com/en-us/azure/information-protection/faqs
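The first bullet of the answer above says the address spaces of the per-location virtual networks must not overlap, which matters because Azure will not peer two VNets whose address spaces overlap, and a hub-and-spoke layout depends on peering every spoke to the hub. The following is an added example, not code from the original post, that checks a planned address layout before anything is deployed. The VNet names, prefixes and subnet names are constructed sample data, and one spoke is deliberately given an overlapping prefix so the check has something to report.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan: a hub VNet (Bastion + domain controller) and one
# spoke per office location.  "spoke-apac" deliberately overlaps "spoke-emea"
# so that the overlap check below has a finding to report.
VNETS = {
    "hub": {
        "address_space": ["10.0.0.0/16"],
        "subnets": {"AzureBastionSubnet": "10.0.0.0/26", "dc-subnet": "10.0.1.0/24"},
    },
    "spoke-emea": {
        "address_space": ["10.1.0.0/16"],
        "subnets": {"clients": "10.1.0.0/24"},
    },
    "spoke-apac": {
        "address_space": ["10.1.128.0/17"],   # overlaps spoke-emea: peering would be refused
        "subnets": {"clients": "10.1.128.0/24"},
    },
}


def address_space_overlaps(vnets):
    """Return (vnet_a, vnet_b, prefix_a, prefix_b) for every pair of address-space
    prefixes that overlap across two different VNets.  An empty list is the
    precondition for peering the spokes to the hub."""
    overlaps = []
    for (name_a, a), (name_b, b) in combinations(vnets.items(), 2):
        for pa in a["address_space"]:
            for pb in b["address_space"]:
                if ipaddress.ip_network(pa).overlaps(ipaddress.ip_network(pb)):
                    overlaps.append((name_a, name_b, pa, pb))
    return overlaps


def subnet_errors(vnet):
    """Check one VNet: every subnet must sit inside one of its address-space
    prefixes, and subnets inside the VNet must not overlap each other."""
    errors = []
    spaces = [ipaddress.ip_network(p) for p in vnet["address_space"]]
    nets = {name: ipaddress.ip_network(s) for name, s in vnet["subnets"].items()}
    for name, net in nets.items():
        if not any(net.subnet_of(space) for space in spaces):
            errors.append(f"{name} ({net}) is outside the address space")
    for (n1, s1), (n2, s2) in combinations(nets.items(), 2):
        if s1.overlaps(s2):
            errors.append(f"{n1} overlaps {n2}")
    return errors


def hub_spoke_peerings(vnets, hub="hub"):
    """Peering pairs for hub-and-spoke: each spoke peers with the hub only.
    Spokes never peer with each other; spoke-to-spoke traffic transits the hub."""
    return [(hub, name) for name in vnets if name != hub]


def plan_is_deployable(vnets, hub="hub"):
    """True only when no VNet address spaces overlap and every VNet's subnets are valid."""
    if address_space_overlaps(vnets):
        return False
    return all(not subnet_errors(v) for v in vnets.values())


if __name__ == "__main__":
    for finding in address_space_overlaps(VNETS):
        print("address-space overlap:", finding)
    for name, vnet in VNETS.items():
        for err in subnet_errors(vnet):
            print(f"{name}: {err}")
    print("peerings:", hub_spoke_peerings(VNETS))
    print("deployable:", plan_is_deployable(VNETS))
```

Run it against the real plan before creating the VNets; fixing a spoke prefix on paper is far cheaper than re-addressing a VNet that already hosts the domain controller.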
We have an application on our own server that should work with SharePoint Online. To access SP Online we need to have an app token/secret; that's fine.
I wonder if there's a possibility to restrict access via this token to some location for additional security. Let's say we have some machine with a static IP that should connect to SP Online, and machines with different IPs should not be able to connect even if they have the right token/secret.
You can make use of Azure AD Conditional Access Policies.
The specific scenario you describe here will qualify for a condition based on Network Location. See here:
You just need to make use of location condition by defining Named Locations:
NOTE: This feature does require an Azure AD Premium License. You can compare different editions here
Has anyone successfully restricted Visual Studio Team Services access by IP address? The following blog post says it is possible by connecting the VS Team Services with Azure AD.
https://blogs.technet.microsoft.com/ad/2015/06/25/azure-ad-conditional-access-preview-update-more-apps-and-blocking-access-for-users-not-at-work/
After signing up will see the Visual Studio Team Services application on the application tab of the Azure AD portal. You can then go to the application's configure tab and set access rules, just like you would for other applications. (Like the Twitter example above.)
I have connected Team Services with Azure AD, but when I go in the Azure AD portal, click on applications under my domain and then click on "Visual Studio Online" all I get is a "Dashboard" with usage graphs. There is no "Configure" tab as the blog post says there should be. I have backed my Team Services account with TFS. Any ideas?
Thanks.
Think I found the issue. In the below link it says:
These capabilities will be available to customers that have purchased an Azure Active Directory Premium license.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-azuread-connected-apps/
Since I'm not subscribed to Azure AD Premium, that is most likely why I don't get the configuration tab and the option to restrict access by IP address. Somewhat annoying that you would have to pay for Azure AD Premium access to get such a standard feature when already paying for VS Team Services.
You can do this in Azure AD; see the post "Azure AD conditional access preview update: more apps and blocking access for users not at work":
Blocking external access

In other cases only users on the corporate network may be allowed to access a SaaS application. This rule can help prevent data leakage and in some cases can help you meet regulatory requirements.

When an app is on-premises you would have easily been able to enforce this policy at your network boundary. With the app in the cloud this becomes more challenging.

We've helped address this by adding the block access when not at work rule. This rule can be applied to any of your Azure AD applications that support conditional access.

The page below shows the option on the same Twitter configure tab as above.

When you choose this option only users coming from an IP address that falls within an IP range you have identified will be allowed access to the application.
I have a business requirement where the Azure subscription owner will provision user groups like Infrastructure Admin, Billing Admin and Enterprise Users. Infra Admin people should log in to this portal and only be able to see options related to infra provisioning. Billing Admin people should have access to Azure usage enterprise-wide, and they should be able to generate bills for the respective teams (which are part of the organization). Enterprise Users are those who want to procure Azure storage, VMs etc., and they want an estimated cost for the required infra.
I am looking for a solution/approach for this requirement. If the Azure portal already provides this feature, then please provide me with reference material. If I should build a new custom web application which internally uses Azure APIs, then let me know about that option as well.
If there are any products which already doing this even am open for that.
Deeply appreciating your help. Thanks a lot :)
Vishal.
Let me answer by breaking your question in 2 parts:
Managing Users - This is something you can do today in Azure. Some time ago, Azure announced Role-based access control (RBAC) and that fits the bill nicely for you as far as managing users and granting them permissions to do things. So in your scenario, the owner will create users and groups in Azure Active Directory and then put these users and groups in appropriate roles. When a user or a group member tries to manage the resources (either by logging into the portal or using other tools like Azure PowerShell Cmdlets), they will only be able to do things the role they are in allows.
Managing Billing - Though the Azure Portal exposes the billing functionality (and there's a billing/usage REST API), it does not have the capability you're looking for. What you would need to do is look for ITFM (IT Financial Management) systems that have support for Azure. Off the top of my head, two tools come to mind: Cloudyn and Cloud Cruiser. You can learn more about it here: https://azure.microsoft.com/en-in/documentation/articles/billing-usage-rate-card-overview/. You could always consume the Billing/Usage REST API to create a solution of your own. If you're writing your own solution, you may want to check out the Billing Samples on GitHub.
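The "Managing Users" half of the answer above, and the earlier capstone answer's point about custom roles with actions and data actions, both turn on how Azure RBAC decides whether an operation is permitted: a role's Actions are wildcard patterns over resource-provider operations, NotActions subtract from that role's own Actions (they are not a deny), and an assignment at a scope applies to every child scope under it. The following is an added example, not code from the post or from Microsoft, that models those rules locally for the three groups the question names. The role definitions, the subscription and resource-group names, and the group memberships are constructed for the example; the operation names are written as wildcard patterns so that they do not depend on any specific provider operation being listed on the page.

```python
import re

# Constructed custom role definitions in the shape used by Azure RBAC
# (Actions / NotActions / DataActions / AssignableScopes).  Operation names are
# wildcard patterns; the scopes use a placeholder subscription ID.
SUB = "/subscriptions/00000000-0000-0000-0000-00000000abcd"
ROLES = {
    "Infra Admin": {
        "Actions": ["Microsoft.Compute/*", "Microsoft.Network/*",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "NotActions": ["Microsoft.Compute/virtualMachines/delete"],  # carve-out, not a deny
        "DataActions": [],
        "AssignableScopes": [SUB],
    },
    "Billing Admin": {
        "Actions": ["Microsoft.Billing/*/read", "Microsoft.Consumption/*/read",
                    "Microsoft.CostManagement/*/read"],
        "NotActions": [], "DataActions": [], "AssignableScopes": [SUB],
    },
    "Enterprise User": {   # may look at existing resources and price them, but not create any
        "Actions": ["*/read"],
        "NotActions": [], "DataActions": [], "AssignableScopes": [SUB],
    },
}

# Constructed assignments: principal is a group, scope is where the role applies.
ASSIGNMENTS = [
    {"principal": "infra-admins", "role": "Infra Admin", "scope": SUB + "/resourceGroups/rg-infra"},
    {"principal": "billing-admins", "role": "Billing Admin", "scope": SUB},
    {"principal": "enterprise-users", "role": "Enterprise User", "scope": SUB},
]

# Constructed directory group memberships.
GROUPS = {
    "alice": {"infra-admins"},
    "bob": {"billing-admins"},
    "carol": {"enterprise-users"},
}


def op_matches(pattern, operation):
    """Azure RBAC wildcard match: '*' matches any run of characters, comparison
    is case-insensitive, and the pattern must cover the whole operation name."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_permits(role, operation, data_action=False):
    """A role permits an operation when some Actions (or DataActions) pattern
    matches it and no NotActions (or NotDataActions) pattern matches it."""
    allow = role["DataActions"] if data_action else role["Actions"]
    deny = role.get("NotDataActions", []) if data_action else role["NotActions"]
    return (any(op_matches(p, operation) for p in allow)
            and not any(op_matches(p, operation) for p in deny))


def scope_covers(assignment_scope, target_scope):
    """An assignment applies to its own scope and everything beneath it."""
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def authorize(user, operation, scope, data_action=False):
    """True if any assignment to one of the user's groups, at a scope that covers
    the target, belongs to a role that permits the operation.  Because NotActions
    only carve out of their own role, a second role can still grant the operation."""
    for asg in ASSIGNMENTS:
        if asg["principal"] not in GROUPS.get(user, set()):
            continue
        if not scope_covers(asg["scope"], scope):
            continue
        if role_permits(ROLES[asg["role"]], operation, data_action):
            return True
    return False


if __name__ == "__main__":
    vm = SUB + "/resourceGroups/rg-infra/providers/Microsoft.Compute/virtualMachines/dc01"
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/start/action", vm),
        ("alice", "Microsoft.Compute/virtualMachines/delete", vm),
        ("bob", "Microsoft.Consumption/usageDetails/read", SUB),
        ("carol", "Microsoft.Compute/virtualMachines/write", vm),
    ]
    for user, op, scope in checks:
        print(user, op, "->", "allowed" if authorize(user, op, scope) else "denied")
```

The model shows why "Infra Admin sees only infra options" is achievable with a role assignment (the portal hides what the role does not grant), while the delete carve-out via NotActions stops working the moment the same group also receives a broader role; a real deny requires an Azure deny assignment, which custom roles cannot express.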
I know it is possible to add co-administrators to my subscription but I can't find any way to add a user space. I mean something that would allow users to see only their own storage and services created within the subscription.
I'm not worried about usage quotas but just would like to separate my users into distinct areas, so they don't interfere with each other.
Is there any way to do/achieve that?
Cheers,
Jacek
Currently in a subscription it is not possible to do so in Windows Azure. One possible solution would be to create separate subscription for each user and make them co-administrator on that subscription so that they will only see that subscription. This will obviously add more management headaches for you.
Again, not a fool-proof solution but when we were developing Azure Management Studio at Cerebrata (Disclosure - I was Founder of Cerebrata though now I'm not associated with it), we came up with something called Profiles. Basically what you do is put some resources (like storage accounts, cloud services etc.) and grant permissions on these resources in a profile and save that profile. You can then distribute this profile file to your user. When they run Azure Management Studio, they can load this profile file and will only see the things you included in that profile file. Again it is very specific to the tool only, is not as comprehensive as it does not include everything that Windows Azure offers and as and when you change storage credentials etc., you would need to regenerate that profile file.
No that is not possible.
The co-admins have complete control over the services in the account (non-billing) as a whole, and all the services (Storage, Virtual Machines, Websites etc.) are equally accessible to every administrator and co-administrator.
I want to outsource the development of a WordPress website that will be hosted in Azure. Is there a way to create a Cloud Service that I can give someone access to, but at the same time not giving them my Azure subscription credentials?
From an Azure subscription perspective, you can only grant co-admin privilege; a co-admin gets full access to a subscription. This leaves you with a few options (I'm sure you can think of others):
Set up a separate subscription solely for the outsourced WordPress work. At completion of project, you can choose to remove the co-admin rights of the subscription
Grant admin access to the WordPress site, along with specific Azure resource keys (e.g. storage account namespace+key; service bus, MySQL credentials, etc.) for your developer to do the work. You can always change access keys once the project is completed
Have your developer set up WordPress in their own subscription, and then transfer the contents to your subscription when the project is complete.
EDIT - I slightly misunderstood the question, and was thinking the outsourced dev needed certain subscription-level resources. As Mike pointed out, source control is a good solution for Web Sites. You'd still need to set up resources such as Storage accounts if you don't want to set them up as co-admin.
If you are using Cloud Services then you could set up continuous integration between TFS and your cloud service. This would allow you to give the other person their own accounts to your TFS source code. Thus they check in and trigger the build, and it deploys. They don't have access.
If you don't have to have a Cloud Service then you also have the same option with Windows Azure Web Sites (it's under development, so this should be fine to run even under the free tier, and bump up if you want to load test, etc.). With that you can give FTP access only, or also set up TFS or Git source control integration.