
Cloud Engineer - Everton Collins

Work by Everton Collins


Office 365

Basic Identity Services and Identity Types of Azure AD

June 15, 2022 By Everton

Identity Types within Azure AD

There are four identity types within Azure Active Directory. The variations of each type, with their benefits and use cases, are:

  • User 
  • Service Principal
  • Managed Identity
  • Device

User identity – a representation of a person or other entity that is managed by Azure AD. Both employees and guests are represented as users. A guest is external to the company, such as a business partner or vendor collaborating with employees. Azure AD business-to-business (B2B) collaboration is a feature within External Identities that adds guest users to the tenant; it lets organizations securely share applications and services with guest users from other organizations while those users keep signing in with their home identities.

Service Principal – the identity of an application. It enables authentication and authorization of the application to resources that are secured by the Azure AD tenant. An application must first be registered with Azure AD to enable identity and access integration; registration creates the application object in the home tenant. A service principal is then created in each Azure AD tenant where the application is used, and it is this service principal that is authenticated and authorized when the application accesses resources.

Managed Identity – a special type of service principal that is created and managed automatically by Azure AD for an Azure resource. The platform issues and rotates the credential, so admins and developers never handle a secret or certificate for it. Managed identities come in two varieties.

User-assigned – created as a standalone Azure resource, can be shared by multiple resources and has a lifecycle independent of them. For example, one user-assigned identity can be assigned to many virtual machines.

System-assigned – enabled directly on a specific service or resource, tied to that resource's lifecycle and cannot be shared. When the resource is retired and deleted, its system-assigned identity is deleted with it.

The following summarizes the differences between system-assigned and user-assigned managed identities:

  • Creation – system-assigned: created as part of an Azure resource (for example a VM or App Service); user-assigned: created as a standalone Azure resource.
  • Lifecycle – system-assigned: shared with the resource and deleted when the resource is deleted; user-assigned: independent of any resource and must be deleted explicitly.
  • Sharing across resources – system-assigned: cannot be shared, one identity per resource; user-assigned: can be shared by multiple resources.

When you have a choice, prefer system-assigned managed identities: they need no separate resource to create, assign or clean up, so they minimize administrative effort. User-assigned identities are the better fit when many resources need the same permissions, or when the identity must exist and be granted access before the resource that uses it is created.
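As an added example (not code from the original post), the following PowerShell shows what “no credentials to manage” means in practice: a resource with a managed identity asks a local, platform-provided endpoint for a token and receives one without any secret in its code or configuration. It only works when run inside an Azure resource (VM, App Service, Functions) that has a managed identity enabled; the requested resource URL, the placeholder client ID for the user-assigned case and the function names are assumptions for illustration.

```powershell
# Added example, not code from the original post.
# Acquire a token for a managed identity from inside an Azure resource and decode it
# to see which service principal it represents. Works only where a managed identity
# is enabled: VMs/VMSS via the Instance Metadata Service, App Service/Functions via
# the IDENTITY_ENDPOINT that the platform injects into the environment.
function Get-ManagedIdentityToken {
    param(
        # Audience to request a token for; the ARM endpoint is assumed here for illustration
        [string]$Resource = 'https://management.azure.com/',
        # Client ID of a user-assigned identity; omit it to use the system-assigned identity
        [string]$ClientId
    )
    $encoded = [uri]::EscapeDataString($Resource)
    if ($env:IDENTITY_ENDPOINT -and $env:IDENTITY_HEADER) {
        # App Service / Functions: per-instance endpoint guarded by a secret header
        $uri     = "$($env:IDENTITY_ENDPOINT)?api-version=2019-08-01&resource=$encoded"
        $headers = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
    } else {
        # VM / VMSS: link-local IMDS. The mandatory Metadata header defeats SSRF-style
        # forwarded requests, and the call must not be sent through a proxy.
        $uri     = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=$encoded"
        $headers = @{ Metadata = 'true' }
    }
    if ($ClientId) { $uri += "&client_id=$ClientId" }
    # Response carries access_token, expires_on, resource, token_type and client_id
    Invoke-RestMethod -Uri $uri -Method Get -Headers $headers
}

function ConvertFrom-JwtPayload {
    # Decode the middle (claims) segment of a JWT: base64url to base64, then JSON
    param([Parameter(Mandatory)][string]$Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# System-assigned: no client ID, the platform resolves the identity bound to this resource
$token = Get-ManagedIdentityToken
# User-assigned: select the identity by client ID (placeholder GUID, an assumption)
# $token = Get-ManagedIdentityToken -ClientId '00000000-0000-0000-0000-000000000000'

$claims = ConvertFrom-JwtPayload -Token $token.access_token
[pscustomobject]@{
    Audience         = $claims.aud
    TenantId         = $claims.tid
    ObjectId         = $claims.oid        # the service principal that role assignments target
    AppId            = $claims.appid
    IdentityResource = $claims.xms_mirid  # ARM resource ID of the managed identity
    ExpiresUtc       = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
}
```

The decoded claims make the “special type of service principal” point concrete: oid is the service principal object that Azure role assignments are granted to, and xms_mirid names the Azure resource the identity belongs to. Note that the token endpoint is reachable by anything that can execute code on the resource, so the identity's role assignments should be scoped as narrowly as the workload needs.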


Device Identity – a device can be represented in Azure AD in one of three ways:

Azure AD-registered – the device is registered with Azure AD but is not owned or fully managed by the organization; this is the bring-your-own-device (BYOD) and mobile device scenario.

Azure AD-joined – an organization-owned device joined to Azure AD through an organizational account, which is then used to sign in to the device.

Hybrid Azure AD-joined – the device is joined to on-premises Active Directory and also registered with Azure AD, so it has an identity in both directories.

Benefits of Device registration

  • Single sign-on (SSO) – registering and joining devices to Azure AD gives users single sign-on (SSO) to cloud-based resources.
  • Azure AD-joined devices also benefit from SSO to resources and apps that rely on on-premises Active Directory.
  • Device Management – registration enables device management with Intune to control how an organization's devices are used:
    • Mobile device management (MDM) for company-owned devices.
    • Mobile application management (MAM) for personal devices (BYOD).

Device identity is also what Conditional Access evaluates when a policy requires a compliant or hybrid Azure AD-joined device, so registration is the prerequisite for device-based access controls.

Overview of the Hybrid Identity Model

All of these scenarios require an on-premises Active Directory as the source of truth, synchronized to Azure AD with Azure AD Connect.

Azure AD password hash synchronization (PHS) – the simplest way to enable authentication for on-premises directory objects in Azure AD. Azure AD Connect synchronizes a hash of each user's password hash (never the password itself) to Azure AD, and the user is authenticated by Azure AD. Because the cloud holds what it needs to validate the sign-in, authentication keeps working even when the on-premises environment is unreachable.

Azure AD pass-through authentication (PTA) – the user is authenticated directly against your on-premises Active Directory: Azure AD hands the sign-in to a lightweight authentication agent running on-premises, which validates the password against a domain controller, so no password hash has to be stored in the cloud (PHS can optionally be enabled alongside PTA as a fallback). PTA can be used to enforce Active Directory restrictions not present in Azure AD, like logon hours, and password changes or account disables take effect immediately.

Azure AD federated authentication – for organizations that need advanced measures not currently supported natively in Azure AD, like smart cards and certificates. Azure AD redirects the sign-in to a trusted federation service such as AD FS, which authenticates the user against on-premises Active Directory and returns a token to Azure AD. Federation puts the on-premises federation servers in the sign-in path: if they are unavailable or compromised, cloud sign-in is too.
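As an added example (not part of the original post), the following PowerShell asks Azure AD's public discovery endpoints how a domain authenticates, which is the quickest way to confirm which of the three hybrid models a tenant uses. No credentials are needed, which is also why the same lookups are routine attacker reconnaissance. The UPN and domain are placeholders and the function names are assumptions for illustration.

```powershell
# Added example, not code from the original post.
# Query Azure AD's unauthenticated discovery endpoints to see whether a domain is
# Managed (Azure AD validates the password itself: PHS or PTA) or Federated (sign-in
# is redirected to an on-premises federation service such as AD FS).
function Get-AzureADDomainRealm {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Same endpoint the sign-in page calls to decide whether to redirect to a federation server
    $uri   = "https://login.microsoftonline.com/getuserrealm.srf?login=$([uri]::EscapeDataString($UserPrincipalName))&json=1"
    $realm = Invoke-RestMethod -Uri $uri -Method Get
    $type  = $realm.NameSpaceType   # Managed, Federated or Unknown

    # PHS and PTA both report Managed; telling them apart requires looking at Azure AD Connect
    $authBy = switch ($type) {
        'Managed'   { 'Azure AD (password hash sync or pass-through authentication)' }
        'Federated' { "Federation service at $($realm.AuthURL)" }
        default     { 'No Azure AD tenant claims this domain' }
    }

    [pscustomobject]@{
        Domain          = $UserPrincipalName.Split('@')[-1]
        NameSpaceType   = $type
        AuthenticatedBy = $authBy
        FederationBrand = $realm.FederationBrandName
        CloudInstance   = $realm.CloudInstanceName
    }
}

function Get-AzureADTenantId {
    param([Parameter(Mandatory)][string]$Domain)
    # OpenID Connect discovery document; the issuer embeds the tenant GUID
    $cfg = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$Domain/v2.0/.well-known/openid-configuration"
    ($cfg.issuer -split '/')[3]   # https://login.microsoftonline.com/<tenant-guid>/v2.0
}

# Placeholder domain, an assumption for illustration
Get-AzureADDomainRealm -UserPrincipalName 'someone@contoso.com' | Format-List
Get-AzureADTenantId -Domain 'contoso.com'
```

For a Federated domain the AuthURL field names the federation endpoint that every sign-in is redirected to; because it is discoverable by anyone, that endpoint is a natural target for password spraying and should be monitored and protected (extranet lockout, MFA) with the same care as the cloud sign-in page.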


Why are External Identities Necessary?

  • Employees today are more commonly working with people both inside and outside of their organization.  
  • External users (vendors, partners) may need access to resources inside your organization.
  • Azure AD External Identities is a set of capabilities that enables organizations to allow access to external users.

Types of External Identities

External Identities let your customers, partners, and other guest users “bring their own identities” to sign in.

Two different types of Azure AD External Identities:

B2B (business-to-business) – collaboration allows you to share apps and resources with external users.

B2C (business-to-consumer) – is an identity management solution for consumer-facing apps. 

Azure AD B2B (business-to-business) – enables organizations to share apps and resources with guest users from other organizations. Partners and collaborators keep using their own identity management solutions, so there is no additional admin overhead for managing their credentials:

  • Uses an invitation and redemption process: a Guest user object is created in your tenant when the invitation is sent and marked accepted when the guest redeems it.
  • Guests perform self-service password reset (SSPR) through their own organization's usual process, since their identity is managed elsewhere.
  • Admins can also enable self-service sign-up user flows to allow external users to sign up without admin intervention.
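The invitation and redemption process above, as an added example that is not part of the original post: one function sends a B2B invitation with Microsoft Graph PowerShell, the other audits existing guests for invitations that were never redeemed, a common source of stale external accounts. The e-mail address, display name and thresholds are placeholders and the function names are assumptions.

```powershell
# Added example, not code from the original post.
# Invite a B2B guest and audit guests whose invitations were never redeemed.
# Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All'

function Send-GuestInvitation {
    param(
        [Parameter(Mandatory)][string]$Email,
        [string]$DisplayName,
        # Where the guest lands after redeeming; the My Apps portal is the usual default
        [string]$RedirectUrl = 'https://myapps.microsoft.com'
    )
    # The guest keeps authenticating with their home identity; what this creates in
    # our tenant is a user object with userType Guest in state PendingAcceptance
    $params = @{
        InvitedUserEmailAddress = $Email
        InviteRedirectUrl       = $RedirectUrl
        SendInvitationMessage   = $true
    }
    if ($DisplayName) { $params.InvitedUserDisplayName = $DisplayName }
    $invitation = New-MgInvitation @params
    [pscustomobject]@{
        Email  = $Email
        Status = $invitation.Status          # PendingAcceptance until the guest redeems
        UserId = $invitation.InvitedUser.Id  # the Guest user object in our tenant
    }
}

function Get-StaleGuestInvitations {
    # Guests invited more than $OlderThanDays ago who never redeemed: candidates for removal
    param([int]$OlderThanDays = 30)
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id, UserPrincipalName, Mail, CreatedDateTime, ExternalUserState, ExternalUserStateChangeDateTime |
        Where-Object { $_.ExternalUserState -eq 'PendingAcceptance' -and $_.CreatedDateTime -lt $cutoff } |
        Select-Object Mail, UserPrincipalName, CreatedDateTime, ExternalUserState
}

# Placeholder partner address, an assumption for illustration
Send-GuestInvitation -Email 'partner@example.com' -DisplayName 'Partner Contact'
Get-StaleGuestInvitations -OlderThanDays 30 | Format-Table -AutoSize
```

An unredeemed invitation is still a user object with whatever group memberships or sharing links it has accumulated, so reviewing PendingAcceptance guests on a schedule (or using Azure AD access reviews) keeps the guest population from silently growing.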

Azure AD B2C (business-to-consumer) – enables external users to use their preferred social, work, or local identities for single sign-on to an organization's consumer-facing apps. External users are managed in a separate Azure AD B2C directory, apart from the organization's employee and partner directory.

  • A customer identity access management (CIAM) solution.
  • Supports millions of users and billions of authentications per day.
  • Handles threats like denial-of-service, password spray, and brute-force attacks automatically.

  • Deploy your identity infrastructure for Microsoft 365
  • Exam SC-900: Microsoft Security, Compliance, and Identity Fundamentals

Filed Under: Active Directory, Azure Active Directory, Certifications Tagged With: and Identity Fundamentals, Compliance, Exam SC-900: Microsoft Security, Identity Types within Azure AD, SC-900

Microsoft 365 EnterPrise Tenant Sign-up

February 21, 2020 By Everton

What is Microsoft M365?

Microsoft 365 for enterprise consists of Office 365, Windows 10 Enterprise, and Enterprise Mobility + Security.

Although designed for large organizations, Microsoft 365 for enterprise can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities.

Everything you need in one solution Microsoft 365

  • Local and cloud-based apps and productivity services – includes Office 365 ProPlus, the latest Office apps for your PC and Mac (such as Word, Excel, PowerPoint, Outlook, and others), and a full suite of online services for email, file storage and collaboration, meetings, and more.
  • Windows 10 Enterprise – addresses the needs of both large and midsize organizations, providing users with the most productive and secure version of Windows and IT professionals with comprehensive deployment, device, and app management.
  • Device management and advanced security services – includes Microsoft Intune, a cloud-based enterprise mobility management (EMM) service that helps your workforce stay productive while keeping corporate data protected.

Manage your enterprise deployment with modern tools from Microsoft 365 or M365. Empower your users and IT to benefit from the easy deployment and productivity enhancements from Windows 10, while still maintaining your standards for security and manageability.  Microsoft 365 for enterprise documentation and resources

In this post we sign up for a Microsoft 365 trial account and set up some basic settings to protect it.

There are several versions of Microsoft 365; here we deal with the Enterprise and Business versions.

  • Microsoft 365 Education
  • Microsoft 365 Business
  • Microsoft 365 Enterprise

First we sign up for a free trial account by visiting the sign-up link.

Once we have signed up for a Microsoft 365 trial we can set up some basic security policies. The following screens are from the wizard on the default setup page. We have already added our .onmicrosoft.com domain and created an administrator account; the following policies protect the tenant.

Completing the Microsoft M365 Tenant Sign-up process.

Microsoft 365 for enterprise deployment guide

The Microsoft 365 for enterprise deployment guide steps you through the correct and required configuration of Microsoft 365 for enterprise products and features.

To deploy Microsoft 365 for enterprise yourself, you can:

  • Deploy the foundation infrastructure for built-in security and integration for simplified management, which makes it easier to ensure your client software is updated with the latest productivity and security enhancements. The foundation infrastructure is organized as a series of numbered phases that build upon each other towards an environment that supports Microsoft 365 for enterprise workloads and scenarios. If you are a smaller or newer organization, follow the phases in order to methodically build out your infrastructure. However, you can deploy phases or portions of phases in any order as needed, one after the other or in parallel, to integrate with your current infrastructure, fit your IT plans and resources, and meet your business needs; a simplified deployment path is also available for non-enterprises. If you are an enterprise organization, view the phases as layers of IT infrastructure, rather than a defined path, and determine how to best work toward eventual adherence to the requirements of each layer across your organization.
  • Deploy key productivity workloads and scenarios on top of your infrastructure. These unlock creativity and teamwork in your organization.

Here’s the relationship between the foundation infrastructure and the workloads and

 

Listed below are several resources to help you realize the value of Microsoft 365, and to see how this productivity suite can secure, defend and safeguard your enterprise against today's security threats.

  • Will your enterprise realize a 123% ROI?
  • Deploy Microsoft 365 for Enterprise
  • Microsoft 365 for enterprise documentation and resources
  • Microsoft 365 for enterprise Test Lab Guides
  • Microsoft 365 compliance documentation
  • Microsoft Managed Desktop documentation and resources
  • Microsoft 365 Fundamentals
  • PowerShell Licensing SKU’s in Office 365

Filed Under: Microsoft 365, Office 365 Tagged With: Microsoft M365, Microsoft M365 EnterPrise Tenant Sign-up, Windows 10 Enterprise

Azure Command – Gets subscribed SKUs to Microsoft services.

May 23, 2018 By Everton

Get-AzureADSubscribedSku is an Azure AD PowerShell cmdlet (AzureAD module) that gets the SKUs your tenant is subscribed to, i.e. the Office 365 licenses you hold. Open a PowerShell window, connect with Connect-AzureAD, then run the cmdlet below; the output will look similar to the following, with your subscriptions displayed.

Get-AzureADSubscribedSku

Description

The Get-AzureADSubscribedSku cmdlet gets subscribed SKUs to Microsoft services.
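As an added example (not code from the original post), the following PowerShell turns the raw cmdlet output into the two things an admin usually wants from it: remaining seats per SKU, and which SKU carries a given service plan. It is written for the AzureAD module the post uses; that module is deprecated in favour of Microsoft Graph PowerShell, where Get-MgSubscribedSku returns the same fields. The function names and the AAD_PREMIUM_P2 lookup are assumptions for illustration.

```powershell
# Added example, not code from the original post.
# Licence headroom per SKU and a service-plan lookup, built on Get-AzureADSubscribedSku.
Connect-AzureAD

function Get-LicenseHeadroom {
    Get-AzureADSubscribedSku | ForEach-Object {
        $purchased = $_.PrepaidUnits.Enabled
        [pscustomobject]@{
            Sku       = $_.SkuPartNumber
            SkuId     = $_.SkuId
            Status    = $_.CapabilityStatus           # Enabled, Warning (grace period), Suspended, ...
            Purchased = $purchased
            Assigned  = $_.ConsumedUnits
            Available = $purchased - $_.ConsumedUnits # negative means more assigned than purchased
            Suspended = $_.PrepaidUnits.Suspended
            InWarning = $_.PrepaidUnits.Warning
        }
    }
}

function Find-SkuWithServicePlan {
    # Which subscribed SKUs include a service plan, e.g. AAD_PREMIUM_P2 for Identity Protection
    param([Parameter(Mandatory)][string]$ServicePlanName)
    Get-AzureADSubscribedSku |
        Where-Object { $_.ServicePlans.ServicePlanName -contains $ServicePlanName } |
        Select-Object SkuPartNumber, ConsumedUnits,
            @{ n = 'Purchased'; e = { $_.PrepaidUnits.Enabled } },
            @{ n = 'PlanStatus'; e = { ($_.ServicePlans | Where-Object ServicePlanName -eq $ServicePlanName).ProvisioningStatus } }
}

Get-LicenseHeadroom | Sort-Object Available | Format-Table -AutoSize
Find-SkuWithServicePlan -ServicePlanName 'AAD_PREMIUM_P2'
```

SKUs in Warning status are in their grace period and will drop to Suspended, after which assigned users lose the service; the headroom view is the quickest way to catch that before it reaches users.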

Filed Under: Azure Powershell, Microsoft Azure, PowerShell Tagged With: Azure Command - Gets subscribed SKUs to Microsoft services., Powershell Get-AzureADSubscribedSku

Azure Identity Protection – Enterprise Mobility + Security

December 13, 2017 By Everton

Azure Identity Protection

Azure AD Identity Protection is a feature of Azure Active Directory Premium P2, which is included in Microsoft Enterprise Mobility + Security (EMS) E5. We conducted a test to see if a user would be blocked while trying to log in from two separate locations.

We went to https://portal.azure.com/ and logged in normally with the user's credentials from our home office server. I then created a Windows Server 2012 virtual machine and set up and configured Active Directory and Azure AD Connect.

Using the Tor Browser, I went to portal.azure.com to log in with the same user a second time.

Our Results

Your sign-in was blocked

We’ve detected something unusual about this sign-in.

For example, you might be signing in from a new location, device, or app.
Before you can continue, we need to verify your identity.  Please contact your admin.
After viewing more details we get a better picture of the scenario: the user has tried to sign in a second time from an unknown location and has been blocked.

We can see from the message that the sign-in was blocked.

The following information might be useful to your administrator:
  • App name: Azure Portal
  • App id: c44b4083-3bb0-49c1-b47d-974e53cbdf3c
  • IP address: 62.210.129.246
  • Device identifier: not available
  • Device platform: Windows 7
  • Device state: Unregistered
  • Signed in as rick.admin@nottstruckingltd.onmicrosoft.com
  • Correlation ID: 46d66b10-4f50-4e10-a5fb-15a11f06135a
  • Timestamp: 2017-09-18 20:29:55Z
We will now create a sign-in risk policy: log in to portal.azure.com -> Azure AD Identity Protection -> Sign-in risk policy.

Risky sign-ins

Azure Active Directory detects risk event types in real time and offline.

Each risk event that has been detected for a sign-in of a user contributes to a logical concept called risky sign-in.

A risky sign-in is an indicator of a sign-in attempt that might not have been performed by the legitimate owner of a user account.

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection#what-is-a-user-risk-level
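As an added example (not code from the original post), the following Microsoft Graph PowerShell creates the sign-in risk policy described above as a risk-based Conditional Access policy, which is the form Microsoft now recommends over the legacy Identity Protection policy blade, and then lists the risk detections and at-risk users that drive it. The policy name, the break-glass account object ID and the seven-day window are assumptions for illustration; the tenant needs Azure AD Premium P2.

```powershell
# Added example, not code from the original post.
# Risk-based Conditional Access policy plus a view of recent risk detections.
# Requires the Microsoft.Graph module and Azure AD Premium P2 (Identity Protection).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'IdentityRiskEvent.Read.All', 'IdentityRiskyUser.Read.All'

# Emergency-access account excluded so a misfiring policy cannot lock every admin out
# (placeholder object ID, an assumption)
$breakGlassId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Require MFA for medium and high sign-in risk'
    # Report-only first: evaluate against real sign-ins, review the sign-in logs, then set 'enabled'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        signInRiskLevels = @('medium', 'high')
        applications     = @{ includeApplications = @('All') }
        users            = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')   # a blocked user in the post's test would instead be challenged
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Each detection is one risk event; anonymizedIPAddress is what a Tor exit node triggers,
# unfamiliarFeatures and unlikelyTravel cover the new-location case from the post
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgRiskDetection -Filter "detectedDateTime ge $since" -All |
    Sort-Object DetectedDateTime -Descending |
    Select-Object DetectedDateTime, UserPrincipalName, RiskEventType, RiskLevel, RiskState, IpAddress,
        @{ n = 'City'; e = { $_.Location.City } },
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } } |
    Format-Table -AutoSize

# Users whose aggregate risk has not been remediated or dismissed
Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime
```

Sign-in risk decides what happens to one sign-in; user risk is the aggregate and is normally handled by a second policy that requires a password change. Keeping the policy in report-only mode until the sign-in log shows it matching only the intended sessions avoids the help-desk storm a too-broad risk policy can cause.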

Filed Under: Enterprise Mobility + Security Tagged With: Azure Active Directory Premium, Azure Identity Protection - Enterprise Mobility + Security, Your sign-in was blocked

Azure: Fix Unhealthy Identity synchronization

July 31, 2017 By Everton

Yesterday I was in my Office 365 portal, just checking an account; when I logged in I was presented with the message “Unhealthy Identity synchronization” on the Office 365 admin home page. You may see something like this in your Office 365 portal if there is a sync issue or some other problem with Azure AD Connect. I also received an email about an unhealthy sync; see the snapshot of the email.

Subject: Unhealthy Identity synchronization Notification

As you can see from the image, we haven't had a directory sync for the last 54 hours.

Last directory sync Warning: last synced 54 hours ago

We will have to click on the link to see what error is being reported for our Azure AD Connect synchronization, or use the link to troubleshoot the error.

Fixing problems with directory synchronization for Office 365

OK, time now to review the version of Azure AD Connect we are running against our local Active Directory and decide whether an in-place upgrade is needed, since upgrading the Azure AD Connect sync client often resolves synchronization issues. Let's compare the current release with the version running on our member server.

Azure AD Connect version 1.1.561.0

We were already on the current release, 1.1.561.0, so there must be another issue. At this point we'll try a few PowerShell commands to push a sync. We will run:

Start-ADSyncSyncCycle -PolicyType Initial – to push an initial (full) sync to Office 365. Initial runs a full import, full synchronization and export; the routine choice is -PolicyType Delta, which processes only changes and is what the scheduler runs every 30 minutes by default.

When we ran the command we got a message back stating that the sync was busy.

We also ran this command to see the health of the sync:

Get-ADSyncConnectorRunStatus

So we then opened the Synchronization Scheduler to check the connectors, stopped them and ran a full synchronization, after which we restarted the member server.
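As an added example (not code from the original post), the following PowerShell does the checks the steps above did by hand, in the order that avoids the “sync is busy” message: read the scheduler state and any running connector, wait for an in-progress cycle to finish, then start a cycle. It runs in an elevated session on the Azure AD Connect server; the function names and the 30-minute timeout are assumptions.

```powershell
# Added example, not code from the original post.
# Check Azure AD Connect scheduler health, wait for a busy cycle, then push a sync.
Import-Module ADSync

function Get-ADSyncHealthSummary {
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        SyncCycleEnabled   = $s.SyncCycleEnabled        # $false: nothing runs on its own (explains "last synced N hours ago")
        SchedulerSuspended = $s.SchedulerSuspended      # set while the configuration wizard holds the scheduler
        StagingMode        = $s.StagingModeEnabled      # a staging server imports and syncs but never exports
        CycleInProgress    = $s.SyncCycleInProgress
        IntervalMinutes    = $s.CurrentlyEffectiveSyncCycleInterval.TotalMinutes
        NextCycleUtc       = $s.NextSyncCycleStartTimeInUTC
        NextPolicyType     = $s.NextSyncCyclePolicyType
        # Idle engine returns nothing here; otherwise one entry per connector run in flight
        RunningConnectors  = @(Get-ADSyncConnectorRunStatus | ForEach-Object { "$($_.ConnectorName) [$($_.RunProfileName)]" })
    }
}

function Start-ADSyncCycleWhenIdle {
    param(
        # Delta is the routine choice; Initial is a full import/sync/export, needed only after config changes
        [ValidateSet('Delta', 'Initial')][string]$PolicyType = 'Delta',
        [int]$TimeoutMinutes = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    # Starting a cycle while one runs is what produced the "busy" message; poll instead of retrying blindly
    while ((Get-ADSyncScheduler).SyncCycleInProgress -or (Get-ADSyncConnectorRunStatus)) {
        if ((Get-Date) -gt $deadline) {
            throw "Sync still busy after $TimeoutMinutes minutes; inspect the run in Synchronization Service Manager"
        }
        Start-Sleep -Seconds 30
    }
    Start-ADSyncSyncCycle -PolicyType $PolicyType
}

Get-ADSyncHealthSummary
Start-ADSyncCycleWhenIdle -PolicyType Delta
```

If SyncCycleEnabled is $false or SchedulerSuspended is $true, forcing a cycle only hides the problem; re-enable the scheduler with Set-ADSyncScheduler -SyncCycleEnabled $true, and check that no abandoned configuration wizard is still holding it.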


This eventually cleared up our sync issue and from the portal we can see a healthy sync.

AD Connect Healthy Sync

The link above is a great resource for troubleshooting Azure AD Connect sync; you may also want to keep an eye on your syncs using the Azure AD Connect Health dashboard, which comes with Azure Active Directory Premium.

Filed Under: Azure AD Connect, Office 365 Tagged With: Azure: Fix Unhealthy Identity synchronization, Inplace Azure Ad Connect Upgrade, Last directory sync Warning



Copyright © 2025 · Everton Collins · Privacy Policy
