Azure Active Directory in Security Operations
This architecture shows how Security Operations Center (SOC) teams can incorporate Azure Active Directory (Azure AD) identity and access capabilities into an overall integrated and layered zero-trust security strategy.
Network security dominated SOC operations when all services and devices were contained on managed networks in organizations. However, Gartner predicts that through 2022, the market size of cloud services will grow at a rate nearly three times that of overall IT services. As more companies embrace cloud computing, there's a shift toward treating user identity as the primary security boundary.
Securing identities in the cloud is a high priority.
Verizon's 2020 data breach investigations report stated that 37% involved use of stolen credentials, and 22% of data breaches involved phishing.
A 2019 IBM study of data breach incidents reported that the average global cost of a data breach was $3.9M, with the US average cost closer to $8.2M.
The Microsoft 2019 security intelligence report reported that phishing attacks increased by a margin of 250% between January and December of 2018.
The zero trust security model treats all hosts as if they're internet-facing, and considers the entire network to be potentially compromised and hostile. This approach focuses on building strong authentication, authorization, and encryption, while also providing compartmentalized access and better operational agility.
Gartner promotes an adaptive security architecture that replaces an incident response-based strategy with a prevent-detect-respond-predict model. Adaptive security combines access control, behavioral monitoring, usage management, and discovery with continuous monitoring and analysis.
The Microsoft Cybersecurity Reference Architecture (MCRA) describes Microsoft's cybersecurity capabilities and how they integrate with existing security architectures, including cloud and hybrid environments, that use Azure AD for Identity-as-a-Service (IDaaS).
This article advances the zero-trust, adaptive security approach to IDaaS, emphasizing components available on the Azure AD platform.
- Design new security solutions
- Enhance or integrate with existing implementations
- Educate SOC teams
- Credential management controls authentication.
- Provisioning and entitlement management define the access package, assign users to resources, and push data for attestation.
- The authorization engine evaluates the access policy to determine access. The engine also evaluates risk detections, including user/entity behavioral analytics (UEBA) data, and checks device compliance for endpoint management.
- If authorized, the user or device gains access per conditional access policies and controls.
- If authorization fails, users can do real-time remediation to unblock themselves.
- All session data is logged for analysis and reporting.
- The SOC team's security information and event management system (SIEM) receives all log, risk detection, and UEBA data from cloud and on-premises identities.
The following security processes and components contribute to this Azure AD IDaaS architecture.
Credential management includes services, policies, and practices that issue, track, and update access to resources or services. Azure AD credential management includes the following capabilities:
Self-service password reset (SSPR) lets users self-serve and reset their own lost, forgotten, or compromised passwords. SSPR not only reduces helpdesk calls, but provides greater user flexibility and security.
Password writeback syncs passwords changed in the cloud with on-premises directories in real time.
Banned passwords analyzes telemetry data exposing commonly used weak or compromised passwords, and bans their use globally throughout Azure AD. You can customize this functionality for your environment, and include a list of custom passwords to ban within your own organization.
Smart lockout compares legitimate authentication attempts with brute-force attempts to gain unauthorized access. Under the default smart lockout policy, an account locks out for one minute after 10 failed sign-in attempts. As sign-in attempts continue to fail, the account lockout time increases. You can use policies to adjust the settings for the appropriate mix of security and usability for your organization.
Multi-factor authentication (MFA) requires multiple forms of authentication when users attempt to access protected resources. Most users are familiar with using something they know, like a password, when accessing resources. MFA asks users to also demonstrate something that they have, like access to a trusted device, or something that they are, like a biometric identifier. MFA can use different kinds of authentication methods like phone calls, text messages, or notification through the authenticator app.
Passwordless authentication replaces the password in the authentication workflow with a smartphone or hardware token, biometric identifier, or PIN. Microsoft passwordless authentication can work with Azure resources like Windows hello for business, and the Microsoft authenticator app on mobile devices. You can also enable passwordless authentication with FIDO2 compatible security keys, which use WebAuthn and the FIDO alliance’s Client-to-Authenticator (CTAP) protocol.
App provisioning and entitlement
Entitlement management is an Azure AD identity governance feature that enables organizations to manage identity and access lifecycle at scale. Entitlement management automates access request workflows, access assignments, reviews, and expirations.
Azure AD provisioning lets you automatically create user identities and roles in applications that users need to access. You can configure Azure AD provisioning for third-party software-as-a-service (SaaS) apps like SuccessFactors, Workday, and many more.
Seamless single sign-on (SSO) automatically authenticates users to cloud-based applications once they sign into their corporate devices. You can use Azure AD seamless SSO with either password hash synchronization or pass-through authentication.
Attestation with Azure AD access reviews help meet monitoring and auditing requirements. Access reviews let you do things like quickly identify the number of admin users, make sure new employees can access needed resources, or review users' activity to determine whether they still need access.
Conditional access policies and controls
A conditional access policy is an if-then statement of assignments and access controls. You define the response ("do this") to the reason for triggering your policy ("if this"), enabling the authorization engine to make decisions that enforce organizational policies. With Azure AD conditional access, you can control how authorized users access your apps. The Azure AD What If tool can help you understand why a conditional access policy was or wasn't applied, or if a policy would apply to a user in a specific circumstance.
Conditional access controls work in conjunction with conditional access policies to help enforce organizational policy. Azure AD conditional access controls let you implement security based on factors detected at the time of the access request, rather than a one-size fits all approach. By coupling conditional access controls with access conditions, you reduce the need to create additional security controls. As a typical example, you can allow users on a domain-joined device to access resources using SSO, but require MFA for users off-network or using their own devices.
Azure AD can use the following conditional access controls with conditional access policies:
Role-based access control (RBAC) lets you configure and assign appropriate roles to users who need to do administrative or specialized tasks with Azure resources. You can use RBAC to create or maintain separate dedicated admin-only accounts, scope access to roles you set up, time limit access, or grant access through approval workflows.
Privileged identity management (PIM) helps reduce the attack vector for your organization by letting you add additional monitoring and protection to administrative accounts. With Azure AD PIM, you can manage and control access to resources within Azure, Azure AD, and other Microsoft 365 services with just-in-time (JIT) access and just-enough-administration (JEA). PIM provides a history of administrative activities and a change log, and alerts you when users are added or removed from roles you define.
You can use PIM to require approval or justification for activating administrative roles. Users can maintain normal privileges most of the time, and request and receive access to roles they need to complete administrative or specialized tasks. When they complete their work and sign out, or the time limit on their access expires, they can reauthenticate with their standard user permissions.
Microsoft cloud app security (MCAS) is a cloud app security broker (CAS-B) that analyzes traffic logs to discover and monitor the applications and services in use in your organization. With MCAS, you can:
- Create policies to manage interaction with apps and services
- Identify applications as sanctioned or unsanctioned
- Control and limit access to data
- Apply information protection to guard against information loss
The access control page in the SharePoint admin center provides several ways to control access to SharePoint and OneDrive content. You can choose to block access, allow limited, web-only access from unmanaged devices, or control access based on network location.
You can scope application permissions to specific Exchange Online mailboxes by using ApplicationAccessPolicy from the Microsoft Graph API.
Endpoint management controls how authorized users can access your cloud apps from a broad range of devices, including mobile and personal devices. You can use conditional access policies to restrict access only to devices that meet certain security and compliance standards. These managed devices require a device identity.
Azure Identity Protection includes several policies that can help your organization manage responses to suspicious user actions. User risk is the probability that a user identity is compromised. Sign-in risk is the probability that a sign-in request isn't coming from the user. Azure AD calculates sign-in risk scores based on the probability of the sign-in request originating from the actual user, based on behavioral analytics.
Azure AD risk detections use adaptive machine learning algorithms and heuristics to detect suspicious actions related to user accounts. Each detected suspicious action is stored in a record called a risk detection. Azure AD calculates user and sign-in risk probability using this data, enhanced with Microsoft's internal and external threat intelligence sources and signals.
You can use the Identity Protection risk detection APIs in Microsoft Graph to expose information about risky users and sign-ins.
Real-time remediation allows users to unblock themselves by using SSPR and MFA to self-remediate some risk detections.
Azure AD audit reports provide traceability for Azure activities with audit logs, sign-in logs, and risky sign-in and risky user reports. You can filter and search the log data based on several parameters, including service, category, activity, and status.
You can route Azure AD log data to endpoints like:
- Azure Storage accounts
- Azure Monitor logs
- Azure event hubs
- SIEM solutions like Azure Sentinel, ArcSight, Splunk, SumoLogic, other external SIEM tools, or your own solution.
You can also use the Microsoft Graph reporting API to retrieve and consume Azure AD log data within your own scripts.
On-premises and hybrid considerations
Authentication methods are key to securing your organization's identities in a hybrid scenario. Microsoft provides specific guidance on choosing a hybrid authentication method with Azure AD.
Azure Advanced Threat Protection (AATP) can use your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions. AATP focuses on UEBA to identify insider threats and flag risk. Even if an identity becomes compromised, AATP can help identify the compromise based on unusual user behavior.
AATP is integrated with MCAS to extend protection to cloud apps. You can use MCAS to create session policies that protect your files on download. For example, you may automatically set view-only permissions on any file downloaded by specific types of users.
Azure Application Proxy lets users access on-premises web applications from remote clients. With Application Proxy, you can monitor all sign-in activities for your applications in one place. You can provide secure remote access to on-premises apps, and use Azure features like conditional access for these applications.
If some of your apps already use an existing delivery controller or network controller to provide off-network access, you can integrate them with Azure AD. Several partners including Akamai, Citrix, F5 Networks, and Zscaler offer solutions and guidance for integration with Azure AD
Azure Active Directory pricing ranges from free, for features like SSO and MFA, to Premium P2, for features like PIM and Entitlement Management. For pricing details, see Azure Active Directory pricing.
- Zero Trust security
- Zero Trust Deployment Guide for Microsoft Azure Active Directory
- Overview of the security pillar
- Azure Security Compass
- Azure Active Directory demo tenant (requires a Microsoft Partner Network account), or Enterprise Mobility + Security free trial
- Azure Active Directory deployment plans