Microsoft Azure Security Technologies Certification and Beyond - David Okeyode - E-Book

Description

Exam preparation for the AZ-500 means you’ll need to master all aspects of the Azure cloud platform and know how to implement them. With the help of this book, you'll gain both the knowledge and the practical skills to significantly reduce the attack surface of your Azure workloads and protect your organization from constantly evolving threats to public cloud environments like Azure.
While exam preparation is one of its focuses, this book isn't just a comprehensive security guide for those looking to take the Azure Security Engineer certification exam, but also a valuable resource for those interested in securing their Azure infrastructure and keeping up with the latest updates. Complete with hands-on tutorials, projects, and self-assessment questions, this easy-to-follow guide builds a solid foundation of Azure security. You’ll not only learn about security technologies in Azure but also be able to configure and manage them. Moreover, you’ll develop a clear understanding of how to identify different attack vectors and mitigate risks.
By the end of this book, you'll be well-versed with implementing multi-layered security to protect identities, networks, hosts, containers, databases, and storage in Azure – and more than ready to tackle the AZ-500.

You can read this e-book in the Legimi apps or in any other app that supports the following formats:

EPUB
MOBI

Page count: 389

Year of publication: 2021




Microsoft Azure Security Technologies Certification and Beyond

Gain practical skills to secure your Azure environment and pass the AZ-500 exam

David Okeyode

BIRMINGHAM—MUMBAI

Microsoft Azure Security Technologies Certification and Beyond

Copyright © 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Wilson Dsouza

Publishing Product Manager: Vijin Boricha

Senior Editor: Athikho Sapuni Rishana

Content Development Editor: Sayali Pingale

Technical Editor: Shruthi Shetty

Copy Editor: Safis Editing

Project Coordinator: Neil Dmello

Proofreader: Safis Editing

Indexer: Tejal Daruwale Soni

Production Designer: Nilesh Mohite

First published: September 2021

Production reference: 1070921

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

978-1-80056-265-3

www.packt.com

I am grateful to many people who have helped and supported me through the process of writing this book. To my wife and best friend, Brenda Tao. To my parents, who taught me everything I know (Jacob and Hope Okeyode). And to the three best sisters and encouragers in the world (Pemi, Elizabeth, and Esther). I love you all.

– David Okeyode

Contributors

About the author

David Okeyode is a cloud security architect at the Prisma cloud speedboat at Palo Alto Networks. Before that, he was an independent consultant helping companies secure their cloud environments through private expert-level training and assessments. He holds 15 professional certifications across the Azure and AWS platforms, including the Azure Security Engineer, Azure DevOps, and AWS Security Specialist certifications. He has also authored two cloud computing courses for the popular cybersecurity training platform Cybrary.

David has over a decade of experience in cybersecurity (consultancy, design, and implementation) and over 6 years of experience as a trainer. He has worked with organizations of different sizes, from start-ups to major enterprises to government organizations.

David has developed multiple vulnerable-by-design automation templates that can be used to practice cloud penetration testing techniques. He regularly speaks about cloud security at major industry events, such as Microsoft Future Decoded and the European Information Security Summit.

David is married to a lovely girl who makes the best banana cake in the world. They love traveling the world together and intend to do missions in Asia very soon!

About the reviewers

Dharam Chhatbar is a seasoned information security professional who has more than 11 years of experience in various verticals of InfoSec, delivering impactful and high-quality risk-reduction work. He has helped secure many banks and retail firms and is currently working at a top Fortune 500 company. He holds a master's degree, is a fervent learner, and has earned several global certifications, such as CISSP, GSLC (GIAC), CCSP, CSSLP, GMOB, and some related to the cloud, such as Azure (AZ500), GCP (PCSE), and AWS (SAA). His key competencies include vulnerability management, application security, cloud security, VA/PT, and managing teams/vendors. He has also reviewed the book CISSP (ISC)² Certification Practice Exams and Tests by Ted Jordan.

I would like to thank my parents, Bina and Jagdish; my wife, Chaital; and my sister, Hina, for their continued support and encouragement with everything that I do and for motivating me to always achieve my ambitions.

Rod Trent is a security CSA for Microsoft and an Azure Sentinel global SME helping customers migrate from existing SIEMs to Azure Sentinel to achieve the promise of better security through improved efficiency without compromise.

Rod is a husband, dad, and recently a first-time grandfather. He spends his spare time (if such a thing does truly exist) simultaneously watching episodes of The Six Million Dollar Man and writing KQL queries.

Table of Contents

Preface

Section 1: Implement Identity and Access Security for Azure

Chapter 1: Introduction to Azure Security

Technical requirements

Shared responsibility model

Setting up a practice environment

Create a free trial Azure subscription

Summary

Questions

Further reading

Chapter 2: Understanding Azure AD

What Azure AD is not (what is Azure AD?)

Azure AD versus on-premises AD

Azure AD – an identity provider for Microsoft cloud services

Azure AD – an identity provider for modern applications

Modern authentication protocols

Hands-on exercise – review your Azure AD tenant

Hands-on exercise – add a custom domain to Azure AD (optional)

Azure AD editions

Hands-on exercise – sign up for an Azure AD Premium P2 trial

Azure AD object management

Azure AD users

Azure AD groups

Azure AD and Azure RBAC roles

Service principals

Hands-on exercise – Azure AD user creation and group management

Hands-on exercise – Azure AD role assignment

Summary

Questions

Further reading

Chapter 3: Azure AD Hybrid Identity

Technical requirements

Implementing Azure AD hybrid identity

Azure AD Connect

Preparing for Azure AD Connect installation

Hands-on exercise – deploying an Azure VM hosting an AD domain controller

Hands-on exercise – preparing for Azure AD Connect deployment

Selecting a hybrid identity authentication method

Federation

Pass-Through Authentication (PTA)

Azure AD Connect deployment options

Hands-on exercise – deploying Azure AD Connect PHS

Implementing password writeback

Summary

Questions

Further reading

Chapter 4: Azure AD Identity Security

Technical requirements

Implementing Azure AD Password Protection

Hands-on exercise – Configuring the custom banned password list feature of Azure AD Password Protection

Securing Azure AD users with multi-factor authentication (MFA)

Hands-on exercise – Enabling MFA by changing user state

Implementing conditional access policies

Conditional access – How policies are evaluated

Conditional access best practices

Hands-on exercise – Implementing conditional access

Protecting identities with Azure AD Identity Protection

Identity protection – risk categories

Identity protection – detection types

Identity protection – risk levels

Identity protection – policies

Exercise – Implementing Azure AD Identity Protection

Summary

Question

Further reading

Chapter 5: Azure AD Identity Governance

Technical requirements

Protecting privileged access using Azure AD Privileged Identity Management (PIM)

What is Azure AD PIM?

How does Azure AD PIM work?

Exercise – Azure AD Privileged Identity Management

Configuring PIM access reviews

Exercise – Create an access review and review PIM auditing features

Summary

Questions

Further reading

Section 2: Implement Azure Platform Protection

Chapter 6: Implementing Perimeter Security

Technical requirements

Securing the Azure virtual network perimeter

Implementing Azure Distributed Denial of Service (DDoS) Protection

Hands-on exercise – provisioning resources for the exercises in Chapters 6 and 7

Hands-on exercise – implementing the Azure DDoS protection Standard

Implementing Azure Firewall

Hands-on exercise – implementing Azure Firewall

Implementing a Web Application Firewall (WAF) in Azure

Application Gateway WAF

Front Door WAF

Hands-on exercise – configuring a WAF on Azure Application Gateway

Summary

Questions

Further reading

Chapter 7: Implementing Network Security

Technical requirements

Implementing virtual network segmentation

Implementing NSGs

Implementing ASGs

Hands-on exercise – Configuring NSGs and ASGs

Implementing platform service network security

Firewall for PaaS services (and firewall exceptions)

Service endpoints

Hands-on exercise – configuring a firewall and service endpoints on a storage account

Securing Azure network hybrid connectivity

Implementing Azure Bastion

Hands-on exercise – configuring Azure Bastion

Hands-on exercise – cleaning up resources

Summary

Question

Further reading

Chapter 8: Implementing Host Security

Technical requirements

Hands-on exercise – provisioning resources for this chapter's exercises

Using hardened baseline VM images

Protecting VMs from viruses and malware

Hands-on exercise – deploying the Microsoft Antimalware extension for Azure

Implementing system update management for VMs

Hands-on exercise – implementing Azure Automation Update Management

Implementing vulnerability assessment for VMs

Encrypting VM disks with Azure Disk Encryption

Hands-on exercise – implementing Azure Disk Encryption

Securing management ports with JIT VM access

Hands-on exercise – enabling JIT VM access

Summary

Questions

Further reading

Chapter 9: Implementing Container Security

Technical requirements

An overview of containerization in Azure

Hands-on exercise – provisioning resources for the chapter exercises

Introducing ACR

ACR pricing tiers

ACR security best practices

Configuring service firewall rules for ACR

Restricting access using a private endpoint

Using Azure AD RBAC for secure authentication and access control

Implementing container image vulnerability and compliance scanning

Hands-on exercise – securing ACR

Introducing AKS

Understanding the AKS architecture

AKS security best practices

Limiting access to the API server using authorized IP address ranges

Implementing a private AKS cluster using a private endpoint

Controlling access to cluster resources using Kubernetes RBAC and Azure AD

Regularly upgrading the cluster control plane

Regularly applying OS updates to worker nodes

Implementing pod-managed identities

Cleaning up the resources

Summary

Questions

Further reading

Section 3: Secure Storage, Applications, and Data

Chapter 10: Implementing Storage Security

Technical requirements

Azure Storage overview

Azure Blob service hierarchy

Azure Files service hierarchy

Implementing encryption at rest

Implementing encryption in transit

Hands-on exercise – provisioning a storage account with encryption in transit enforced

Configuring storage account authorization

Protecting access to the storage account keys

Granting limited access using Shared Access Signatures (SAS)

Implementing storage account key management with Key Vault

Disabling key-based authorization options

Disabling anonymous (unauthenticated) Blob access

Implementing Azure AD authorization for the Blob service

Implementing ADDS or Azure ADDS authentication for Azure Files

Hands-on exercise – configuring storage account access controls

Implementing Azure Defender for Storage

Cleaning up resources

Summary

Question

Further reading

Chapter 11: Implementing Database Security

Technical requirements

Database options in Azure

Azure SQL deployment options

Implementing defense in depth for Azure SQL

Protecting Azure SQL against unauthorized network connections

Implementing IP firewall rules

Implementing server-level firewall rules

Implementing database-level firewall rules

Implementing Azure SQL private endpoints

Hands-on exercise – provisioning resources for chapter exercises

Hands-on exercise – implementing network access control

Protecting Azure SQL against unauthorized user access

Hands-on exercise – implementing Azure AD authentication and authorization

Protecting Azure SQL against vulnerabilities

Enabling Azure SQL database auditing

Implementing Azure Defender for SQL

Protecting Azure SQL against data leakage and theft (database encryption)

Implementing Transparent Data Encryption (TDE) – encryption at rest

Implementing encryption in transit

Implementing Azure SQL Database Always Encrypted

Hands-on exercise – implementing Always Encrypted

Cleaning up resources

Summary

Question

Further reading

Chapter 12: Implementing Secrets, Keys, and Certificate Management with Key Vault

Technical requirements

Introducing Azure Key Vault

Understanding secrets, keys, and certificates

Understanding Key Vault pricing tiers

Managing access to Key Vault

Hands-on exercise – managing access to Key Vault resources

Protecting Key Vault resources

Hands-on exercise – protecting Key Vault resources

Cleaning up resources

Summary

Question

Further reading

Chapter 13: Azure Cloud Governance and Security Operations

Technical requirements

Implementing Azure cloud governance

Understanding management groups

Understanding Azure Policy

Understanding Azure RBAC

Hands-on exercise – implementing management groups and Azure Policy

Understanding logging and monitoring

Azure Service Health

Azure Monitor

Log Analytics

Addressing cloud security challenges with Security Center

Cloud Security Posture Management

Cloud Compliance Posture Management

Threat protection

Managing security operations with Azure Sentinel

Data collection

Detecting threats

Investigating incidents

Responding to incidents

Hands-on exercise – implementing Azure Sentinel

Cleaning up resources

Summary

Questions

Further reading

Assessments

Chapter 1 – Introduction to Azure Security

Chapter 2 – Understanding Azure AD

Chapter 3 – Azure AD Hybrid Identity

Chapter 4 – Azure AD Identity Security

Chapter 5 – Azure AD Identity Governance

Chapter 6 – Implementing Perimeter Security

Chapter 7 – Implementing Network Security

Chapter 8 – Implementing Host Security

Chapter 9 – Implementing Container Security

Chapter 10 – Implementing Storage Security

Chapter 11 – Implementing Database Security

Chapter 12 – Implementing Secrets, Keys, and Certificate Management with Key Vault

Chapter 13 – Azure Cloud Governance and Security Operations

Other Books You May Enjoy

Section 1: Implement Identity and Access Security for Azure

A common attack entry point for Azure environments is identity compromise. This is why mitigating identity security risks and configuring secure access is a key component of a comprehensive Azure security strategy. In this section, you will gain a clear understanding of Azure Active Directory (Azure AD), Microsoft's cloud-based identity and access management service, and how to secure your cloud identities using features such as multi-factor authentication, password protection, conditional access, identity protection, and privileged identity management. We will not only make the concepts and theory clear; we will also walk through many hands-on exercises!

This part of the book comprises the following chapters:

Chapter 1, Introduction to Azure Security

Chapter 2, Understanding Azure AD

Chapter 3, Azure AD Hybrid Identity

Chapter 4, Azure AD Identity Security

Chapter 5, Azure AD Identity Governance

Chapter 1: Introduction to Azure Security

Security is a core component of any well-architected environment, and this is no different for Azure. Every workload that your organization implements in Azure needs to be implemented with security in mind. The risk associated with not doing this could range from an attacker being able to use your Azure resources to mine cryptocurrency at your expense to an attacker being able to gain access to sensitive customer data that could result in massive fines or sanctions against your company. It could also lead to reputation damage that may lead to customers moving to a competitor.

But how does cloud security work? Is it different from traditional security? Do you have to unlearn everything that you know about managing on-premises security and start from the beginning? You'll be glad that the answer to that latter question is "No." The principles of digital security are the same whether your workload sits in a traditional on-premises data center or in a cloud environment such as Microsoft Azure. The way you apply those principles, however, is quite different. Some of those differences are due to the dynamic and elastic nature of cloud environments. The ability to rapidly provision and release resources introduces new challenges that traditional security models struggle to address effectively, but we'll be covering how to solve this in this book – that is, we'll focus on how we apply security principles to secure dynamic Azure environments.

In any discussion on Azure security, it is critical to understand the "shared responsibility model," that is, which security tasks are handled by the cloud provider (Microsoft in this case) and which tasks are handled by the cloud consumers (us). In this chapter, I will introduce this concept and show how cloud security responsibilities vary depending on the type of service that you are using in Azure – Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS). I will also walk you through how to set up an Azure subscription that you can use to follow along with the hands-on sections of this book.

In this chapter, we're going to cover the following topics; however, feel free to skip to the next chapter if the information covered is already familiar to you:

Shared responsibility model

Setting up a practice environment

Technical requirements

To follow along with the instructions in this chapter, you'll need the following:

An outlook.com account that you will use to sign up for your Azure subscription. Make sure that this is an account that you have not previously used to sign up for a free trial Azure subscription. This is because every Microsoft account is entitled to only one free trial signup. You can sign up for a new outlook.com account by going to https://outlook.live.com/owa/ and clicking Create free account.

A PC with a web browser: The PC can run Windows, macOS, or GUI-based Linux, as long as it has a web browser installed and it has internet connectivity.

A credit card: This will be needed during the sign-up process to validate your identity. The credit card will not be charged during the trial. You have to explicitly convert a free trial subscription to a pay-as-you-go subscription for it to be charged.

A valid phone number: This will also be needed to validate your identity.

Shared responsibility model

As organizations transition their workloads from their on-premises data centers to the Azure cloud platform, the responsibility of security also shifts. One of these shifts is that you are no longer solely responsible (as an organization) for all aspects of security as you may be used to in a traditional environment. Security is now a concern that both the cloud provider (Microsoft) and the cloud customers (us) share. This is called the shared responsibility model and all cloud providers, including Microsoft's competitors such as AWS and GCP, follow this model as well.

The diagram in Figure 1.1 clearly highlights this. It is from a whitepaper on the shared security model that was published by Microsoft. You can download the whitepaper from this URL: https://azure.microsoft.com/en-gb/resources/shared-responsibility-for-cloud-computing/. In the diagram, the gray represents the security responsibilities that are transferred to Microsoft when we adopt Azure, while the blue represents security responsibilities that we still have to take care of as Azure customers:

Figure 1.1 – Shared responsibilities for different cloud service models

One of the things that I would like to highlight in the diagram is that regardless of the cloud service model that we are using in Azure – IaaS, PaaS, or SaaS – we are never without security responsibility. Here are some other lessons that I want you to take from this section:

Your security responsibility varies depending on the model of service that you are using in Azure.

If you are using an IaaS service such as a virtual machine, you have more security responsibilities to take care of. For example, you are responsible for patching the operating system of your Azure-hosted virtual machines.

If you are using a PaaS service such as Azure App Service, you have fewer security responsibilities to take care of. For example, you are not responsible for patching the operating system used by the service, but you are still responsible for how you configure the service and also for controlling access to it.

If you are using a SaaS service such as Azure Search, you have even fewer security responsibilities, but you are still responsible for controlling access to your data.

Not fulfilling your security responsibilities leaves you exposed to threats and attacks in those areas.

Have a good look at the diagram again. Wherever you see blue in the diagram, if you do not have a strategy to address those responsibilities, you are leaving yourself exposed to threats! Don't worry too much about this right now – by the end of this book, you'll be equipped with the knowledge and skills that you need to effectively take care of these security responsibilities.

In this section, we established the foundational concept of shared security responsibilities in Azure. This clarified for us what we are responsible for depending on the service model that we are using. In the next section, we will set up a test environment that we can use to practice the implementation of security controls in Azure.

Setting up a practice environment

One of the best ways to learn a new concept is through hands-on practice. This book includes walk-throughs that allow you to gain a practical experience of the concepts being discussed:

Figure 1.2 – Practice environment

To follow along with these walk-throughs, you will need access to an Azure subscription, and I will be walking you through how to sign up for one if you do not have an existing subscription now. If you have an existing subscription that you can use, feel free to skip the next section.

Create a free trial Azure subscription

To set up a free trial subscription, follow these steps:

Open a browser window and browse to https://signup.azure.com/.

In the Sign in window, enter your Outlook.com account and click Next:

Figure 1.3 – Enter your email address

In the Your profile window that opens, the Country/Region, First name, Last name, and Email address fields should already be completed using information from your email profile. Enter the right values if the auto-completed values are not correct.

Enter your phone number (without the country code).

Skip Company VatID. Leave it empty and click Next. Depending on your Country/Region setting, this field may not be displayed, or you may be presented with a different option:

Figure 1.4 – Enter your profile information

In the Identity verification by phone section, ensure your country code and phone number are correct, then click on Text me:

Figure 1.5 – Enter your phone number for identity verification

A verification code will be sent to your phone number. Enter the verification code and click Verify code.

In the Identity verification by card section, fill in Cardholder Name (as it appears on your credit card), Card number, Expires, and CVV:

Figure 1.6 – Enter your credit card information

Enter your address information and click Next.

In the Agreement section, select only I agree to the subscription agreement, offer details, and privacy statement and click on Sign up:

Figure 1.7 – Conclude the sign-up process

Important note

Clicking on subscription agreement, offer details, and privacy statement will take you to the respective documentation, where you can read the details to stay informed of what you are agreeing to when signing up.

The signup process will begin. It should only take a few minutes, after which you will be redirected to the Azure portal.

To verify your subscription, in the Azure portal, click on Microsoft Azure in the top-left corner and click on Subscriptions under Navigate:

Figure 1.8 – Verify your new subscription

In the Subscriptions window, you should see a subscription named Free Trial:

Figure 1.9 – Your new trial subscription

Congratulations! You now have an Azure subscription that you can use to follow along with the rest of the book.

Summary

In this chapter, we saw how cloud security is similar to yet different from traditional security. We also discussed the shared security model concept and highlighted how we have fewer security responsibilities when we adopt a cloud platform such as Microsoft Azure, but we are never without security responsibilities! And finally, I walked you through the process of setting up an Azure subscription, which puts you in a great place to follow along with the hands-on sections in the rest of this book.

Azure security is a deep and complex topic and we're only just getting started. In the next chapter, we'll start discussing one of the most important aspects of implementing security for your Azure environments – securing identity and access using Azure Active Directory.

Questions

As we conclude, here is a list of questions for you to test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:

True or false: When a workload is migrated from on-premises to Azure, you offload all security responsibilities to Microsoft.

a. True

b. False

Which cloud service model requires the greatest security effort on the part of the customer?

a. Infrastructure as a Service (IaaS)

b. Platform as a Service (PaaS)

c. Software as a Service (SaaS)

True or false: The principles of digital security are the same whether your workload sits in a traditional on-premises data center or in a cloud environment such as Microsoft Azure.

a. True

b. False

Which security responsibility is solely that of the cloud provider when we move to Azure?

a. Network controls

b. Client and endpoint protection

c. Physical security

d. Identity and access management

Further reading

To learn more on the topics covered in this chapter, you can refer to the following links:

Azure shared security responsibility documentation: https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility

Chapter 2: Understanding Azure AD

Many cloud-related security breaches start with a compromised user identity. Once an attacker gets a foot in the door using the compromised credential, they can escalate privileges or gather intelligence to move further in the attack chain. This is why securing identity is important in any discussion on cloud security. This chapter will equip you with a thorough understanding of Azure Active Directory (Azure AD) – Microsoft's cloud-based identity and access management service, which functions as the identity provider for Azure and other cloud services. The foundational concepts discussed in this chapter are needed to fully grasp the identity security topics covered in the third and fourth chapters. Here are the topics that we will cover in this chapter with accompanying hands-on exercises:

What Azure AD is not (what is Azure AD?)

Modern authentication protocols

Azure AD editions

Azure AD object management

What Azure AD is not (what is Azure AD?)

From my experience, knowing what Azure AD is not is as important as knowing what Azure AD is. Understanding what Azure AD is not will help you avoid some of the common confusion out there about this service, so let's start out with this statement: Azure AD is NOT on-premises Active Directory in Azure! As a matter of fact, it has a different use case and structure from on-premises Active Directory (AD). I personally would have called it Azure Identity Service or some other name to avoid confusion with on-premises Active Directory, but it seems that Microsoft wanted to keep the Active Directory brand name going.

So, if Azure AD is not on-premises AD in Azure, what is it then? I will give you two descriptions to help you understand what it is. Here is the first one: Azure AD is the identity provider for Microsoft cloud services. You may be thinking to yourself, what does that even mean? Let's check it out.

Azure AD versus on-premises AD

Let's have a quick look at the differences between Azure AD and on-premises AD.

Azure AD is queried using the REST API over HTTP (80) and HTTPS (443) instead of LDAP, which is used to query on-premises AD over TCP ports 389 (LDAP) or 636 (LDAPS).

Azure AD uses modern authentication protocols that use web transport such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for authorization) instead of Kerberos, which is used by on-premises AD.

Azure AD users and groups are created in a flat structure, and there are no Organizational Units (OUs) or Group Policy Objects (GPOs). On-premises AD has a hierarchical structure with OUs and containers.

Azure AD includes native federation services (for example, it has federation with other Azure AD tenants built in). It does not rely on Active Directory Federation Services (ADFS).

Azure AD – an identity provider for Microsoft cloud services

When a customer signs up for any Microsoft cloud service (an Azure subscription, an Office 365 subscription, or a Dynamics365 subscription), as you did in the first chapter, an Azure AD tenant is transparently created in the background. This is where the identities (users, groups, and service principals) that are allowed to access those services are stored and managed (Figure 2.1):

Figure 2.1 – Azure AD as identity provider for Microsoft Cloud Services

In order to access Microsoft cloud services such as Azure, users are redirected to Azure AD to authenticate. Only when authentication is successfully completed in Azure AD can access be granted.

So, does this mean that for every Microsoft cloud service that you sign up for, you always have to have a brand new separate Azure AD tenant? (By the way, Azure AD tenant refers to a single instance of Azure AD):

Figure 2.2 – A single Azure AD tenant linked with multiple Microsoft cloud services

The answer to that question is NO! Organizations do not have to have different Azure AD tenants for multiple Microsoft cloud services. Multiple cloud service instances can be linked with the same Azure AD tenant. For example, it is common for organizations to implement separate Azure subscriptions for development and production workloads. These subscriptions can both be linked with the same Azure AD tenant (Figure 2.2).

Azure AD – an identity provider for modern applications

My second description of Azure AD is related to its use case – the PRIMARY use case of Azure AD is to securely authenticate access to applications that support modern authentication protocols regardless of where they are hosted!

That statement sounds profound but what does it mean? It means that beyond support for Microsoft cloud services, Azure AD can actually provide authentication for any software as a service (SaaS) or hosted application that supports modern authentication protocols (Figure 2.3)! This is powerful as it means that we can centrally manage authentication and access for all our cloud and supported on-premises applications with Azure AD. This includes thousands of SaaS applications, including popular ones such as Salesforce, Box, AWS, and Dropbox. It also includes custom applications that may be hosted on-premises or in the cloud:

Figure 2.3 – Centralized identity management using Azure AD

But what do modern authentication protocols mean? Why do we need them? What was wrong with the authentication protocols that we had?

Modern authentication protocols

To understand why we need modern authentication protocols, let's go back in time to see how things were. Years ago, a typical organization needed only on-premises domain controllers (running Active Directory) to provide authentication for their business applications. This was a time when the users, the servers running the business applications, and the domain controllers lived happily within the same network perimeter. Authentication occurred using either Kerberos or NTLM, which are both protocols designed to authenticate scenarios where both the application and the identity provider lived on the same network. You could tell this from the number of network ports that needed to be opened for Kerberos to work (Figure 2.4).

Times have changed since then! The majority of business applications that organizations use are now cloud-hosted (living in someone else's data centers). It is not practical to expose all the ports that Kerberos alone needs to work to the internet! This was why we needed modern authentication protocols! The most common modern authentication/authorization protocols are OpenID Connect 1.0, SAML 2.0, and OAuth 2.0 (authorization framework):

Figure 2.4 – Legacy authentication protocols

All modern authentication protocols have one thing in common (regardless of the differences in their specific implementations) – they operate using web transport. This means that they can pass authentication and authorization tokens over HTTP and HTTPS, making it easy to deliver authentication and authorization across different environments.
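As an added illustration (not code from the book), the following Python shows what a relying party does with an ID token that OpenID Connect delivers over HTTPS: it pins the issuer, tenant ID and audience before trusting the claims. The tenant ID, client ID and HS256 secret are constructed placeholders; a real application verifies the RS256 signature against the keys published in the tenant's OpenID discovery document instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders: not a real tenant, application or signing key.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
EXAMPLE_SECRET = b"example-only-hs256-secret"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims):
    """Mint an HS256 JWT so the validator has input to run on (example only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(EXAMPLE_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(token, now=None):
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have header, payload and signature")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never accept alg=none or a surprise alg
        raise ValueError("unexpected algorithm")
    expected = hmac.new(EXAMPLE_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(body_b64))
    # Pin issuer and tid to our tenant so a token from another Azure AD tenant is rejected.
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("tid") != TENANT_ID:
        raise ValueError("token was not issued by our tenant")
    if claims.get("aud") != CLIENT_ID:        # issued for some other application
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token is expired or has no exp claim")
    return claims
```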

Hands-on exercise – review your Azure AD tenant

Now that you have some understanding of what Azure AD is, let's go to the Azure portal to review the Azure AD tenant that was created for us when we signed up for our Azure subscription in Chapter 1, Introduction to Azure Security. You will need to do this from your Windows or macOS machine with an internet connection:

Open a web browser and browse to the Azure portal URL: https://portal.azure.com.

Sign in to the portal using the account that you used to sign up in the previous chapter.

Click the portal menu icon in the top-left corner and select Azure Active Directory:

Figure 2.5 – Select Azure AD

In the Default Directory | Overview blade, review the information contained in the Tenant information section:

Your role shows the role that the signed-in account has in Azure AD. The Global administrator role gives full control to perform all operations on the tenant. We will be covering Azure AD roles in a later discussion.

License shows the current edition of our Azure AD license. Our current license edition is Azure AD Free (license options and differences will be covered later in this chapter).

Tenant ID shows the unique tenant ID of our Azure AD tenant.

Primary domain shows the default domain name that was created for our Azure AD tenant when we signed up for our Azure subscription. This initial domain name is made up of information from the email address that we used to sign up, with a suffix of onmicrosoft.com. This domain name is used as the User Principal Name (UPN) suffix of our users. For example, if I create a user called david in my Azure AD tenant, the UPN for my user will be david@<initial domain>.onmicrosoft.com. Obviously, this is not ideal for an organization. We can add a custom domain name to replace the default one as the primary, and we will be doing this in an optional exercise shortly:

Figure 2.6 – Azure AD tenant information

Still in the Default Directory | Overview blade, click on Users (in the section labeled Manage):

Figure 2.7 – Azure AD Users option

You will see a list of users in your Azure AD tenant:

Figure 2.8 – Azure AD Users blade

At the moment, we have a single user, but we will be adding more users in later exercises in this book. Leave the browser open for the next exercise.

Hands-on exercise – add a custom domain to Azure AD (optional)

In this exercise, we will be adding a custom domain name to Azure AD. This domain name will be used to replace the onmicrosoft.com default name. This exercise requires you to have a public DNS name that you have purchased from a DNS provider. You must also have the permissions to manage that DNS zone as you will need to create new records as part of this process. In my case, I have purchased azureblueteam.io from GoDaddy (https://godaddy.com) and I will be using this for the instructions:

Still in the Users | All Users blade, click on Custom domain names (in the section labeled Manage), then click on Add custom domain:

Figure 2.9 – Click to add a custom domain

In the Custom domain name box, enter the public DNS name that you want to add to Azure AD, then click Add domain:

Figure 2.10 – Add a custom domain

In the window that opens, make a note of the information displayed as you will need to add the record to your DNS zone for verification. You can choose to use either a TXT record or an MX record. I will be using the TXT record for my verification:

Figure 2.11 – Domain name verification record

Head over to your DNS zone and add the required record using the information from Step 3. My DNS provider is GoDaddy and my DNS zone is hosted with them. Make sure to allow some time for the DNS record to replicate:

Figure 2.12 – Add a verification record

Back in the Azure portal, click on Verify.

After the record is verified successfully, click on the Make primary option to configure the newly verified domain name as the primary domain name of your Azure AD tenant. Click on Yes to confirm:

Figure 2.13 – Configure the primary domain name

If you head back to the Default Directory | Custom domain names blade, you should see that your new custom domain is verified and that it is configured as the primary domain name:

Figure 2.14 – Verified primary custom domain name
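Because the Verify step fails until the record has replicated, a quick way to check from the command line before clicking Verify is useful. This is an added example, not part of the book: it parses the output of `dig +short TXT <domain>` and checks for the exact MS=ms... value the portal displayed in Step 3 (the digits below are constructed, as is the sample dig output).

```python
import subprocess
import sys

# Constructed sample of what `dig +short TXT azureblueteam.io` could print once
# the verification record has replicated; the MS=... value is a placeholder.
SAMPLE_DIG_OUTPUT = '"v=spf1 -all"\n"MS=ms12345678"\n'


def parse_txt_records(dig_output):
    """Turn dig's quoted TXT output into a list of plain record strings.

    A TXT record longer than 255 bytes is printed as several quoted chunks on
    one line ("abc" "def"); resolvers treat them as one record, so join them.
    """
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line:
            continue
        records.append("".join(c.strip('"') for c in line.split('" "')))
    return records


def has_verification_record(records, expected):
    """True only if the exact value the portal asked for is published."""
    return expected in records


def lookup_txt(domain):
    """Live query; needs dig on the PATH and network access."""
    result = subprocess.run(["dig", "+short", "TXT", domain],
                            capture_output=True, text=True, check=True)
    return parse_txt_records(result.stdout)


if __name__ == "__main__":
    # usage: python check_txt.py azureblueteam.io MS=ms12345678
    domain, expected = sys.argv[1], sys.argv[2]
    found = has_verification_record(lookup_txt(domain), expected)
    print("record visible, click Verify" if found else "record not visible yet, wait for replication")
```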

Now that you have a clearer understanding of what Azure AD is, its use cases, and how to work with it, let's shift our focus to talk about Azure AD editions. The significance of this will become clearer as we get deeper into Azure AD features in later chapters.

Azure AD editions

The features of Azure AD that you can use depend on the edition of Azure AD that you have, which is determined by your licensing. For example, if you want to implement advanced identity security capabilities of Azure AD such as Identity Protection and Privileged Identity Management, you need to have the Azure AD edition that enables these capabilities. We will cover both Identity Protection and Privileged Identity Management in Chapter 4, Azure AD Identity Security.

Before July 2019, we had five editions of Azure AD (Free, Basic, Office 365 Apps, Premium P1, and Premium P2) but after July 2019, we only have four editions (Free, Office 365 Apps, Premium P1, and Premium P2). The reason for bringing this up is to give you a clearer context in case you come across an older blog or document that still references the Basic edition of Azure AD. Just be aware that the "Basic" edition has now gone away!

Alex Simons (https://twitter.com/Alex_A_Simons), the Corporate Vice President of Product Management at the Microsoft Identity division, took to Twitter to announce the end of the Azure AD Basic edition: https://twitter.com/Alex_A_Simons/status/1159556024207962112. I recommend following Alex if you are interested in getting the latest updates on Azure AD.

Here is a short description of the Azure AD editions that we have:

Azure AD Free: This is the edition of Azure AD that is included with new Azure subscriptions. It includes enough features to get us introduced to the capabilities of Azure AD, but it lacks advanced management and security features. It also does not have any Service-Level Agreement (SLA) guarantee!

Azure AD Office 365 Apps: This is the edition of Azure AD that is included with new Office 365 subscriptions. It has a few more capabilities than the free edition (capabilities such as Self-Service Password Reset, which allows users to reset their own passwords without the need to contact an administrator) and has an SLA.

Azure AD Premium P1: This edition can be purchased as a standalone offering or as part of the Enterprise Mobility Suite (EMS) or Microsoft 365 bundles. It has important security capabilities such as conditional access, Self-Service Password Reset, and so on. If you are interested in implementing identity and access in the best possible secure way, at a minimum, you need to be on the Premium P1 edition.

Azure AD Premium P2: This edition includes every feature of all other Azure Active Directory editions, enhanced with advanced security capabilities such as Identity Protection and Identity Governance (Privileged Identity Management, access reviews). We'll cover what these are in later chapters.

For a full comparison of the features of the various Azure AD editions, please refer to this link: https://azure.microsoft.com/en-gb/pricing/details/active-directory/.

Hands-on exercise – sign up for an Azure AD Premium P2 trial

For us to implement the full feature set of Azure AD and gain the experience that we need to not only pass the AZ-500 exam but also to be successful on the job, we need to have the Azure AD Premium P2 license. In this exercise, we will be signing up for the Azure AD Premium P2 trial for our tenant:

In the Azure AD blade in the Azure portal, click on Licenses:

Figure 2.15 – Azure AD Licenses

In the Licenses | Overview blade, click on All products, then click on + Try / Buy:

Figure 2.16 – Try the Azure AD Premium P2 license

In the Activate blade, click to expand Free trial (under AZURE AD PREMIUM P2), then click on Activate:

Figure 2.17 – Activate Azure AD Premium P2 trial license

It could take a few minutes for the license to be activated even after you get a Successful message. You may also need to refresh the browser for the activated trial to be visible. Once this is completed, you should have 100 Azure AD Premium P2 licenses, which we will be assigning to new users in future exercises:

Figure 2.18 – Azure AD Premium P2 licenses

In the left-hand menu, click on Overview. The Tenant information section should now display your license as Azure AD Premium P2:

Figure 2.19 – Validating tenant license information

Leave the portal open for the upcoming exercises.

Now that you understand the different editions of Azure AD, let's look at how to manage the different objects that Azure AD supports in the next section.

Azure AD object management

There are different types of objects stored in Azure AD, with each object fulfilling a specific role regarding identity and access. The main objects that we will be covering are the following:

Users

Groups

Roles

Service principals

At the end of this section, we will be completing some hands-on exercises to create and manage the different object types that we have discussed.

Azure AD users

We mentioned in previous sections of this chapter that the primary use case for Azure AD is to manage secure authenticated access to an organization's Microsoft cloud services and applications that support modern authentication protocols regardless of where they are hosted. For users to be able to access these services that are protected by Azure AD, they need a user account. There are two main types of user accounts in Azure AD – internal and external.