Azure User - End Active Session - azure

I as an Azure Admin created an Azure User in AD - User1.
User1 is logged into Azure Portal.
As an admin, I want to end User1's active Portal session after a specific time.
How do I do that?
I have tried:
Azure AD Conditional Access - needs Azure AD Premium P1, and it seems costly as it is priced per user. I have a large number of users for whom I need to set a session timeout and kill active sessions regularly, which I feel will cost a lot for simple work. Also, 1 hour is the minimum time that can be set here; it cannot be set lower than that.
Conditional Access cost details - https://azure.microsoft.com/en-in/pricing/details/active-directory/
Let me know if you know any other method or if my calculation for Azure Premium P1 is not correct.

Your calculation for Azure Active Directory Premium P1 is correct. Earlier it was done using PowerShell as per this link, but this is not recommended and is going to be deprecated.

Related

How do you export or retain logs for up to 5 years from Azure?

I have a requirement whereby I need to retain logs from Azure for more than 30 – 90 days automatically (the log retention is set by MSFT).
The logs that I need to retain are the approval logs from Azure AD ID Governance.
I have thought about using a PowerShell script that logs its output to a storage account or OneDrive using Runbooks, but that seems to open up a lot of complexity.
Have you come across any better solutions or ideas that might be better than my current thoughts?
You need to archive the logs to a storage account using Azure Monitor. There is a pricing calculator that shows how much it will cost per year of storage. Unless archiving to a storage account was enabled, it's not possible to retain sign-in logs for more than the default (7 days for Azure AD free or 30 days for Azure AD premium).
You can use audit log retention policies to set how long you want to maintain the logs.

Azure Monitor for Active Directory monitoring

I want to monitor their on-premise AD infrastructure with Azure Monitor and want to monitor and generate reports on these metrics:
a. Details of disabled users currently in AD
b. Users with password not required
c. Users with password never expiry
d. Users with “Kerberos pre-authentication disabled”
e. Users not logged on for last 90 days
f. Stale computers/Computers inactive for last 90 days
g. Objects trusted to authenticate for delegation
h. Uptime of AD infra (average uptime of all domain controllers)
Does the Active Directory health check solution on Log Analytics meet all these expectations?
I don't think the AD Health check solution (which is more of an AD assessment) can help with all of your above tasks.
From what I know, this solution consists of "several health check assessments which run on regular intervals in domain controllers to identify issues and risks and provide recommendations to improve the existing infrastructure up to Microsoft best practices.", as described in this community article.
Possible solution:
If you know where to get all this information from Event Viewer or other log file on the system, you can use the Azure Monitoring Agent or the Log Analytics agent (MMA) to monitor specific events or specific log records/lines from various custom logs on the server.
AMA Agent = https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=PowerShellWindows
Data collection for specific events = https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent
If you prefer the classic MMA agent (which will be replaced by the AMA agent above in about 2 years), you can look here:
MMA Agent = https://learn.microsoft.com/en-us/azure/azure-monitor/agents/log-analytics-agent
Custom Log collection = https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-custom-logs

Is it possible to restore RBAC/Users on an Azure subscription after transferring it to another tenant?

As part of a tenant migration, one of our users migrated an Azure subscription from one tenant to another. All RBAC dropped off (as expected), but they did not take note of the user & roles prior to transfer.
Is it possible to obtain a cached role/config view of an Azure subscription or once it is transferred, is it completely wiped?

Azure AD sync users to on premise AD

Is it possible to sync users from cloud Azure Active Directory to on premise AD? On premise is a bit wrong here because it is actually a virtual network in Azure with a Windows Server virtual machine AD. I started with Azure AD and therefore all users are there, but I would like to sync them to this virtual machine AD in a virtual network in Azure. I tried Azure AD Connect but this works to sync from on premise to Azure AD. How can I do it the other way around?
Is it possible to sync users from cloud Azure Active Directory to on premise AD?
For now, it is not possible.
Here is the feedback about it; maybe you can vote it up. That feedback will be monitored and reviewed by the Microsoft engineering teams.
As a workaround, we can use PowerShell to export Azure AD users' information to a local file, then use that file to create users in on premise AD.
Here is a similar case to yours; please refer to it.
Hope this helps.
I have written a custom algorithm to do the process and it works well for me so far.
I would state the approach that I have followed. This process will get executed after user logs in through Single Sign On.
Step-by-step process to be followed once the user is validated with AD.
Fetch the user's manager chain, with the Indian region filter, through the Graph API:
https://graph.microsoft.com/v1.0/users/${usermail}?$expand=manager($levels=max)
Convert User Chain Nested Objects to Array of Users
Loop user array in reverse
For every traversal, check if the user present (match with Object ID)
If User Present in Database,
a. Compare user data with the OIDC id
b. On Variance, call update() to keep data in sync with AD information
User not Present in DB,
a. Call insert() to insert the user data to the database
Note:
I am calling this process every time a user logs in and it is able to insert any new users or update the data in the database if it doesn't match with AAD. This would be an efficient approach if the management chain is around 10. I couldn't find a way to do this thing anywhere else so came up with this process.
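The flatten-and-upsert loop described above, as an added example (not the answer author's code); the Graph payload is constructed inline to mirror the shape of the $expand=manager($levels=max) response, and the "database" is an in-memory dict keyed by object id:

```python
"""Flatten a Graph API manager chain and upsert it into a local store."""
from typing import Dict, List

# Constructed sample: the signed-in user with a two-level manager chain, in
# the nested shape Graph returns (each "manager" is a nested user object).
GRAPH_RESPONSE = {
    "id": "u-001", "mail": "dev@example.com", "displayName": "Dev One",
    "manager": {
        "id": "u-002", "mail": "lead@example.com", "displayName": "Lead Two",
        "manager": {
            "id": "u-003", "mail": "head@example.com", "displayName": "Head Three",
        },
    },
}

# Fields kept in the local row; everything else from Graph is dropped.
SYNCED_FIELDS = ("id", "mail", "displayName")


def flatten_chain(user: dict) -> List[dict]:
    """Convert nested manager objects into a flat list, signed-in user first.

    A 'seen' set guards against a malformed chain that loops back on itself,
    which would otherwise make the walk infinite.
    """
    chain: List[dict] = []
    seen = set()
    node = user
    while node is not None and node.get("id") not in seen:
        seen.add(node["id"])
        chain.append({f: node.get(f) for f in SYNCED_FIELDS})
        node = node.get("manager")
    return chain


def sync_chain(user: dict, db: Dict[str, dict]) -> dict:
    """Walk the chain top-down (reversed) and insert or update rows by object id."""
    inserted = updated = unchanged = 0
    for row in reversed(flatten_chain(user)):
        current = db.get(row["id"])
        if current is None:
            db[row["id"]] = dict(row)      # user not in DB: insert()
            inserted += 1
        elif current != row:
            db[row["id"]] = dict(row)      # variance against AAD data: update()
            updated += 1
        else:
            unchanged += 1
    return {"inserted": inserted, "updated": updated, "unchanged": unchanged}
```

Because the walk is reversed, the top of the chain is written first, so a foreign key from a user to its manager can be satisfied on insert.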

Increasing the data retention for activity logs (Audit and Sign-ins) in Azure Active Directory

In the Azure Portal under Azure Active Directory I am looking for a way to persist the Audit and Sign-in activity data for 1-year or longer. Azure AD Premium 1-2 seems to only allow for a maximum of 30 days. I am in search of a method, preferably inside of the Azure ecosystem, to store this data longer. In my attempts to Google a solution, I found the ability to export the Azure Activity Log data to general purpose storage, but I do not see that option from within Azure Active Directory.
Is the only option to create a script to move this data to a more permanent location, or is there a way to extend the data retention for these logs within Azure?
I'm new to all things Azure, so if I am missing any obvious things, please inform me.
For now, AAD doesn't support increasing the data retention for Audit logs within Azure Active Directory.
Depending on your license, Azure Active Directory Actions stores activity reports for the following durations:
Report             Azure AD Free   Azure AD Premium P1   Azure AD Premium P2
Directory Audit    7 days          30 days               30 days
Sign-in Activity   7 days          30 days               30 days
If you need data for a duration longer than 30 days, you can pull the data programmatically using the reporting API and store it on your side. Alternatively, you can integrate the audit logs into your SIEM systems.
Hope this helps!