What am I missing here? I'm thinking of moving my data center to Azure. I've created a corporate virtual network that has my ADs, my certificates, basically the family jewels of the company that I'm trying to build in the cloud. I've plugged up every obvious security hole that I can think of except one: the login to the Azure Portal is just a simple user id/password. If someone picked off my Microsoft Live user id, all they need is a password cracker. And a disgruntled or dismissed employee could easily cause havoc. Is there some way to lock down the portal? Does anyone in the security business think these Azure web sites are secure?
You can use Azure AD to properly secure the portal authentication. Azure AD is designed to securely authenticate applications in the cloud and it is supported by the majority of Microsoft solutions like Azure Portal. It will provide features like MFA, access control, self-service password reset, etc.
Although Microsoft Accounts also support some of these features, you can't force your users to specific policies, that's why Azure AD is important for enterprise level security.
Once you create a directory for your company through Azure Portal and synchronize your AD objects with Azure AD using the AAD Connect tool you will be able to login to Azure Portal using your corporate credentials and force users to use Multi-factor authentication or even apply other policies.
Azure Active Directory features and capabilities
Azure Active Directory Hybrid Identity Design Considerations
Integrating your on-premises identities with Azure Active Directory
Related
I have an on-premises Windows server 2022, which is running AD DS, NPS and DHCP. I also have Azure AD subscription, where my users are located. I would like to keep my users database (AD) in the cloud, since currently, I do not have any backup solutions and it is easier for me to manage. I want to have ieee 801.x on premises, as well as VPN service. Is it possible to force the NPS to authenticate against the Azure AD, where all my users are located? If yes, how can this be done?
I know that Azure AD Connect provides hybrid integration, but from what I read, it is only one way, i.e from on-premises AD to cloud synchronization, but not the other way around.
Yes, you are correct that the synchronization is only one-way and the workarounds currently are to use use PowerShell export/import or use a third-party tool. In the NPS article you linked, the on-premises users ultimately authenticate against Azure MFA. The NPS extension acts as an adapter between RADIUS and cloud-based Azure AD Multi-Factor Authentication to provide MFA for the federated or synced users. Your cloud users would just use regular Azure MFA without needing that adapter.
The most common workaround for the user writeback scenario is to create a PowerShell script that scans Azure AD regularly, finds the users in Azure, and then creates an on-premises user with the attributes in Azure AD.
The regular user writeback feature is on the roadmap and actively being worked on though. I've asked for an update from the PG and will edit this post once it is available.
For cloud VPN options, see: Azure AD Authentication - Open VPN.
From their docs - https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-how-it-works
As a pre-requisite for Pass-through Authentication to work, users need to be provisioned into Azure AD from on-premises Active Directory using Azure AD Connect. Pass-through Authentication does not apply to cloud-only users.
Doesn't this defeat the whole point of pass-through. If users need to be provisioned in AAD (using AD connect), what's the point of pass through? Or is it just that USERNAMES are provisioned and no passwords..?
Very confusing. Please only respond if you have actually implemented this.
We use this at my work. It's better described here: What is Azure Active Directory Pass-through Authentication?
Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory.
To use cloud-based services, the account must exist in Azure AD. To use on-premises services, the account must exist on-premises. So everyone's account is actually duplicated between on-premises and Azure AD.
The only purpose of using pass-through authentication is being able to use both cloud and on-premises applications with the same password. Therefore, the password is not stored in Azure AD and Azure AD defers to the on-premises environment to perform the authentication.
This is a licensing related question for Azure Active Directory.
We would like to use Azure AD as a SAML identity provider for our own applications, using the available method in the Azure AD Premium subscription, i.e. by creating a new custom application in the 'enterprise applications' list. Now do I need to assign a Premium license to every user that is going to login to this application via SAML? Or does it suffice to assign this license to the users that are administering the application?
The former case seems more plausible to me, however it would be way too expensive for us, and during testing the custom applications seems to work also for users which do not have the license.
https://azure.microsoft.com/en-us/pricing/details/active-directory/
I am not a licesing expert, that said, Azure AD licenses are per user. Read the doc above. If the app is pre-integrated in the gallery, Azure AD users with the free tier can connect to 10 apps at no cost. If the app is on-premises, that requires Azure Application Proxy which would require Azure AD Basic.
If it's a custom application not in the gallery AD Premium is required. Keep in mind AD premium has a ton more functionality. Conditional Access is a Game Changer. Very powerful. Multifactor Authentication, self service password reset, MIM, SCCM CALs, are all included.
Being able to simplify identity for users and link All applications they use to their AD account is important. Ems gives you the ability to monitor identity with Advanced Threat Analytics etc. It's actually a very useful suite of services and not drastically different in price than stand alone AD premium.
There is an interesting point on license page too
Blockquote
With Azure AD Free and Azure AD Basic, end users who have been assigned access to SaaS apps can get SSO access to up to 10 apps. Admins can configure SSO and change user access to different SaaS apps, but SSO access is only allowed for 10 apps per user at a time. All Office 365 apps are counted as one app.
I do not have much experience with AD in general. I have a web app in Azure and I want to authenticate users in the app using Azure AD and I read a bit about Azure AD B2B option but I simply still do not understand it.
What I do now in steps:
Create a new Azure Directory
In that directory I go to Azure Active Directory (service)
Register my application
Go to Users/all Users/ New guest user and add the users of the application
Job done
What is the difference between me doing this and the Active Directory B2B?
Azure AD business-to-business (B2B) collaboration capabilities enable any organization using Azure AD to work safely and securely with users from any other organization, small or large. Those organizations can be with Azure AD or without, or even with an IT organization or without. +
Organizations using Azure AD can provide access to documents, resources, and applications to their partners, while maintaining complete control over their own corporate data. Developers can use the Azure AD business-to-business APIs to write applications that bring two organizations together in more securely. Also, it's pretty easy for end users to navigate.
Enable users from other organization to access the application is one kind of Azure AD B2B. And the Azure AD B2B is enabled by invite the other users to your organization tenant.
More details bout Azure AD B2B, please refer the link below:
What is Azure AD B2B collaboration
Is it possible to enable multi-factor authentication for getting access to the Azure portal, https://portal.azure.com?
I know there is an MFA server resource in Azure itself, but my understanding is that this is for Azure hosted applications/resources. I initially want to enable MFA for getting access to the portal itself, before setting it up for the different resources themselves in Azure.
Yes, you can.
For example here they say
Add protection for Azure administrator accounts
Multi-Factor Authentication adds a layer of security to your Azure administrator account at no additional cost. When turned on, you need to confirm your identity to spin up a virtual machine, manage storage, or use other Azure services.
Here is one of step-by-step guides.
UPD Feb 2019
Azure is constantly evolving, so many answers and related articles quickly become outdated.
As it is now, MFA is not a free option. I would start reading this Microsoft page for details, in particular:
Multi-Factor Authentication comes as part of the following offerings:
Azure Active Directory Premium licenses
Azure MFA Service (Cloud)
Azure MFA Server
Multi-Factor Authentication for Office 365
Azure Active Directory Global Administrators
EDIT:
The feature I originally mentioned has been replaced by Security Defaults, which includes requiring that all users register for MFA (but non-admin users don't necessarily have to use it), and requires admin users to use MFA.
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
Old response:
There is currently a feature in preview offering a baseline policy to apply MFA to the Azure Portal (and PowerShell and CLI).
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-baseline-protection#require-mfa-for-service-management-preview
This is applicable even at the free level of AAD.