A few weeks ago, I had a virtual session about Azure Identity security at Security Summit 2020.
Now I want to walk through my live demo and also explain why identity security is so important in Azure.
Before we start with the demo, I'll explain why identity security is so important in Azure. From my point of view, the identities to secure are the following:
- User logins to Azure AD
- Service principals in Azure AD
- Azure AD devices
There are different options available to secure each of these identities; in my online session I focused on the user login scenarios and gave a short overview of the Azure AD device options.
Okay, let's start. The user login security possibilities depend on the Azure AD license that is in place. My recommendation for each of my customers is always: "at minimum Azure AD Premium P1", and Azure AD Premium P2 if you want the full set of security features for your users. I know Azure AD Premium P2 isn't the cheapest license, but security is always expensive, and in this case it's a good investment.
Azure AD Premium is also included in different Microsoft license bundles, so it makes absolute sense to define which features you are planning for your hybrid environment and, depending on that result, choose the right license bundle.
Here is a short overview of the license bundles in which Azure AD Premium P1/P2 is included:
Great, once we have the right license in place we can start with the security settings. At the Security Summit I demonstrated the risk considerations for users and devices. Here is a short overview (I'm sorry, it's in German):
The main part of my short presentation is to demonstrate the four options:
- Microsoft Intune
- Azure AD Identity Protection
- Azure MFA
- Azure Conditional Access
The core component of that solution is Azure Conditional Access. If you have the right license in place (min. Azure AD P1), it's possible to use that functionality, and trust me, it's important to use it.
What can you do with Azure Conditional Access?
The official Microsoft answer: Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity-driven control plane.
For me, Conditional Access is the main component between users/devices and the application in the cloud or on-premises. In my demo, I show the possibilities of Conditional Access in combination with
- Azure AD Identity Protection
- Azure MFA
- Microsoft Intune
I've created a really simple Conditional Access policy to demonstrate the following scenarios:
Scenario 1: The user opens the Azure Portal (https://portal.azure.com) from on-premises.
In that scenario the Conditional Access policy lets the user through without additional authentication.
Scenario 2: The user opens the Azure Portal (https://portal.azure.com) from a Tor browser.
This case is a little different from scenario 1: the portal is opened from a Tor browser, and in that case Azure AD Identity Protection will enforce multi-factor authentication to validate the user. There are other options available, but for my demo it's enough. You can see the following information in Azure AD Identity Protection:
Scenario 3: The user opens the Azure Portal (https://portal.azure.com) from outside the company.
In that case the Conditional Access policy will enforce Azure MFA authentication.
Scenario 4: The user opens the Azure Portal (https://portal.azure.com) from outside the company, but from a managed and compliant device.
In that case the Conditional Access policy lets the user through to the portal without any Azure MFA authentication.
Scenario 5: The user opens the Azure Portal (https://portal.azure.com) from outside the company, but with FIDO2 authentication.
In that case everything is fine: the user can log in without Azure MFA because it's a highly secure authentication. From my point of view, this is the best scenario.
Okay, and now I will show you my demo Azure Conditional Access policy for that solution:
Step 1: Define the user/group assignment:
Not the best choice, but perfect for my online demo. Normally I would select directory roles or a group.
Step 2: Define the cloud application to secure:
In my case I only want to secure the Azure Management Portal.
Step 3: Define the conditions:
The HQ location is a named location which I defined beforehand. Named locations are perfect for defining HQ or branch offices; the only thing you have to know is the public IP range of that location.
Step 4: Define the grant option:
Here I can define what happens when the conditions match. If your device is marked as compliant, scenario 4 applies; if not, scenario 3 applies.
Okay, but what about scenario 2? In that case I have the right license in place (Azure AD P2) and the possibility to configure the user risk policy
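The same four steps, expressed as a Microsoft Graph conditionalAccessPolicy object and created with the Microsoft.Graph PowerShell SDK. This is an added example, not the author's own script; the group ID, HQ named-location ID and emergency-access account ID are placeholders you must replace with values from your tenant, and the policy is created in report-only state so the sign-in logs show what it would do before anyone is locked out.

```powershell
# Added example (not from the original post): Steps 1-4 of the demo policy via Microsoft Graph.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholders: object ID of the pilot group (Step 1), ID of the "HQ" named location (Step 3)
# and an emergency-access account that stays outside every Conditional Access policy.
$pilotGroupId   = "00000000-0000-0000-0000-000000000001"   # placeholder
$hqLocationId   = "00000000-0000-0000-0000-000000000002"   # placeholder
$breakGlassUser = "00000000-0000-0000-0000-000000000003"   # placeholder

$policy = @{
    displayName = "Demo - Azure Portal: MFA or compliant device outside HQ"
    # Report-only first; switch to "enabled" once the sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)     # Step 1: a group rather than a single user
            excludeUsers  = @($breakGlassUser)   # never lock out the emergency account
        }
        applications = @{
            # Step 2: Microsoft Azure Management (app ID as documented by Microsoft)
            includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013")
        }
        locations = @{
            includeLocations = @("All")          # Step 3: every location ...
            excludeLocations = @($hqLocationId)  # ... except the HQ named location (scenario 1)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # Step 4: "require one of the selected controls":
        # MFA satisfies scenario 3, a compliant device satisfies scenario 4,
        # and a FIDO2 sign-in already carries the MFA claim (scenario 5).
        operator        = "OR"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created policy $($created.id) in state $($created.state)"
```

Review the report-only results in the Azure AD sign-in logs (the "Report-only" tab of each sign-in) for a few days before setting the state to "enabled".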