
Identity Access Management(IAM) in Azure

March 29, 2021 by Bibhas Bhattacharya
Category: Cloud

Introduction

The two most basic IAM processes required to secure access to digital assets are the following:

  • Identify who is trying to access resources (authentication).
  • Verify that the identified user is actually authorized to reach the resource they are attempting to access (authorization).

On a fundamental level, IAM encompasses the following components:

  • how individuals are identified in a system (understand the difference between identity management and authentication);
  • how roles are identified in a system and how they are assigned to individuals;
  • adding, removing, and updating individuals and their roles in a system;
  • assigning levels of access to individuals or groups of individuals; and
  • protecting the sensitive data within the system and securing the system itself.

What is Azure Active Directory?

Azure Active Directory (Azure AD) is a cloud-based suite of identity management capabilities that lets you securely manage access to Azure services and resources for your users. It provides application management, authentication, device management, and hybrid identity.

Azure AD Concepts

  • Identity: an object that can be authenticated.
  • Account: an identity that has data associated with it.
  • Azure AD account: an identity created through Azure AD or another Microsoft cloud service.
  • Azure AD tenant/directory: a dedicated and trusted instance of Azure AD. A tenant is automatically created when your organization signs up for a Microsoft cloud service subscription.
      • Additional instances of Azure AD can be created.
      • Azure AD is the underlying product providing the identity service.
      • The term "tenant" means a single instance of Azure AD representing a single organization.
      • The terms "tenant" and "directory" are often used interchangeably.
  • Azure subscription: used to pay for Azure cloud services.

Azure Active Directory Editions

Feature                                Free             Microsoft 365 Apps  Premium P1        Premium P2
Directory Objects                      500,000 objects  No object limit     No object limit   No object limit
Single Sign-On                         Unlimited        Unlimited           Unlimited         Unlimited
Core Identity and Access               X                X                   X                 X
B2B Collaboration                      X                X                   X                 X
Identity & Access for O365             -                X                   X                 X
Premium Features                       -                -                   X                 X
Hybrid Identities                      -                -                   X                 X
Advanced Group Access                  -                -                   X                 X
Conditional Access                     -                -                   X                 X
Privileged Identity Management (PIM)   -                -                   -                 X
Identity Protection                    -                -                   -                 X
Identity Governance                    -                -                   -                 X

Self-Service Password Reset

  1. Determine who can use self-service password reset.
  2. Choose the number of authentication methods required and the methods available (email, phone, security questions).
  3. Optionally require users to register for SSPR (the same registration process as MFA).

User Accounts

All users must have an account. The account is used for authentication and authorization. Identity sources are Cloud, Directory-synchronized, and Guest.

Managing User Accounts

One must be a Global Administrator or User Administrator to manage users. The user profile (picture, job, contact info) is optional. Deleted users can be restored for 30 days. Sign-in and audit log information is available.

Bulk User Accounts

Create a comma-separated values (CSV) file listing all the users and their properties, then loop through the file, processing each user. Consider error handling, duplicate users, initial password settings, empty properties, and whether the account should be enabled on creation.
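As an added example (not part of the original post), here is a Python dry-run planner for the CSV loop described above: it validates each row, rejects duplicates and rows with empty required properties, leaves accounts disabled unless the file explicitly enables them, generates a one-time initial password, and builds the Microsoft Graph POST /users body for each user without sending anything. The CSV content, the contoso.example domain and the set of UPNs assumed to already exist in the tenant are constructed for illustration.

```python
import csv
import io
import secrets
import string
OPTIONAL = ("department", "jobTitle", "mobilePhone")  # omitted from the payload when empty

def initial_password(length=16):
    """Random one-time password; forceChangePasswordNextSignIn retires it at first login."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    while True:  # retry until lower, upper and digit classes are all present
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if pw.lower() != pw and pw != pw.upper() and any(c.isdigit() for c in pw):
            return pw

def plan_bulk_users(csv_text, existing_upns):
    """Return (payloads, errors): Graph POST /users bodies and rejected-row messages."""
    payloads, errors, seen = [], [], set()
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        row = {k: (v or "").strip() for k, v in row.items() if k}
        upn = row.get("userPrincipalName", "").lower()
        if not upn or not row.get("displayName"):  # required property empty: reject row
            errors.append(f"line {lineno}: missing userPrincipalName or displayName")
            continue
        if upn in seen or upn in existing_upns:  # duplicate within the file or the tenant
            errors.append(f"line {lineno}: duplicate user {upn}")
            continue
        seen.add(upn)
        user = {
            "accountEnabled": row.get("accountEnabled", "").lower() == "true",  # default off
            "displayName": row["displayName"],
            "userPrincipalName": upn,
            "mailNickname": upn.split("@")[0],
            "passwordProfile": {"forceChangePasswordNextSignIn": True,
                                "password": initial_password()},
        }
        for field in OPTIONAL:
            if row.get(field):
                user[field] = row[field]
        payloads.append(user)
    return payloads, errors

# Constructed sample input; contoso.example is a placeholder domain.
SAMPLE_CSV = "\n".join([
    "userPrincipalName,displayName,department,jobTitle,accountEnabled",
    "alice@contoso.example,Alice Adams,Finance,Analyst,true",
    "bob@contoso.example,Bob Brown,,Engineer,false",
    "ALICE@contoso.example,Alice Again,Finance,Analyst,true",
    "carol@contoso.example,,Sales,Manager,true",
    "dave@contoso.example,Dave Diaz,IT,Admin,true",
])
```

Running `plan_bulk_users(SAMPLE_CSV, {"dave@contoso.example"})` yields two ready payloads (alice enabled, bob disabled with no department property) and three rejected rows; the payloads are what an administrator would review before posting each one to Graph with a token that has User.ReadWrite.All.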

Group Accounts

Group Types

  • Security groups
  • Microsoft 365 groups

Assignment Types

  • Assigned
  • Dynamic User
  • Dynamic Device (Security groups only)

Create or update a dynamic group in Azure Active Directory

In Azure Active Directory (Azure AD), you can also use rules to determine group membership based on user or device properties.

Who can access the data?

Roles:

  • Security Administrator
  • Security Reader
  • Report Reader
  • Global Reader
  • Global Administrator
