Azure Active Directory in Security Operations

This architecture shows how Security Operations Center (SOC) teams can incorporate Azure Active Directory (Azure AD) identity and access capabilities into an overall integrated and layered zero-trust security strategy.

Network security dominated SOC operations when all services and devices were contained on managed networks in organizations. However, Gartner predicts that through 2022, the market size of cloud services will grow at a rate nearly three times that of overall IT services. As more companies embrace cloud computing, there's a shift toward treating user identity as the primary security boundary.

Securing identities in the cloud is a high priority.

The zero-trust security model treats all hosts as if they're internet-facing, and considers the entire network to be potentially compromised and hostile. This approach focuses on building strong authentication, authorization, and encryption, while also providing compartmentalized access and better operational agility.

Gartner promotes an adaptive security architecture that replaces an incident response-based strategy with a prevent-detect-respond-predict model. Adaptive security combines access control, behavioral monitoring, usage management, and discovery with continuous monitoring and analysis.

The Microsoft Cybersecurity Reference Architecture (MCRA) describes Microsoft's cybersecurity capabilities and how they integrate with existing security architectures, including cloud and hybrid environments, that use Azure AD for Identity-as-a-Service (IDaaS).

This article advances the zero-trust, adaptive security approach to IDaaS, emphasizing components available on the Azure AD platform.

Use cases

  • Design new security solutions
  • Enhance or integrate with existing implementations
  • Educate SOC teams

Architecture

Azure AD-related security capabilities

  1. Credential management controls authentication.
  2. Provisioning and entitlement management define the access package, assign users to resources, and push data for attestation.
  3. The authorization engine evaluates the access policy to determine access. The engine also evaluates risk detections, including user/entity behavioral analytics (UEBA) data, and checks device compliance for endpoint management.
  4. If authorized, the user or device gains access per conditional access policies and controls.
  5. If authorization fails, users can do real-time remediation to unblock themselves.
  6. All session data is logged for analysis and reporting.
  7. The SOC team's security information and event management system (SIEM) receives all log, risk detection, and UEBA data from cloud and on-premises identities.

Components

The following security processes and components contribute to this Azure AD IDaaS architecture.

Credential management

Credential management includes services, policies, and practices that issue, track, and update access to resources or services. Azure AD credential management includes the following capabilities:

  • Self-service password reset (SSPR) lets users self-serve and reset their own lost, forgotten, or compromised passwords. SSPR not only reduces helpdesk calls, but provides greater user flexibility and security.

  • Password writeback syncs passwords changed in the cloud with on-premises directories in real time.

  • Banned passwords analyzes telemetry data exposing commonly used weak or compromised passwords, and bans their use globally throughout Azure AD. You can customize this functionality for your environment, and include a list of custom passwords to ban within your own organization.

  • Smart lockout compares legitimate authentication attempts with brute-force attempts to gain unauthorized access. Under the default smart lockout policy, an account locks out for one minute after 10 failed sign-in attempts. As sign-in attempts continue to fail, the account lockout time increases. You can use policies to adjust the settings for the appropriate mix of security and usability for your organization.

  • Multi-factor authentication (MFA) requires multiple forms of authentication when users attempt to access protected resources. Most users are familiar with using something they know, like a password, when accessing resources. MFA asks users to also demonstrate something that they have, like access to a trusted device, or something that they are, like a biometric identifier. MFA can use different kinds of authentication methods like phone calls, text messages, or notification through the authenticator app.

  • Passwordless authentication replaces the password in the authentication workflow with a smartphone or hardware token, biometric identifier, or PIN. Microsoft passwordless authentication can work with Azure resources like Windows Hello for Business, and the Microsoft Authenticator app on mobile devices. You can also enable passwordless authentication with FIDO2-compatible security keys, which use WebAuthn and the FIDO Alliance's Client to Authenticator Protocol (CTAP).
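The smart lockout bullet above describes a threshold and an escalating lockout window. The following Python model, added here as an illustration and not Azure AD's own code, shows how such a progressive lockout behaves against a credential-guessing burst. It takes the 10-attempt threshold and the one-minute initial lockout from the text; the doubling of the lockout on each successive lockout, the one-hour cap, and the rejection of a correct password during a lockout are assumptions made for the example.

```python
"""Progressive lockout tracker, written for this article as an illustration of
the smart lockout behaviour described above. It is not Azure AD's code.
From the text: the account locks for 60 seconds after 10 failed attempts and
the lockout grows as failures continue. Assumptions made here: the duration
doubles on each successive lockout, is capped at one hour, and a correct
password presented during a lockout is rejected without ending the lockout."""

from dataclasses import dataclass

LOCKOUT_THRESHOLD = 10         # failed attempts before the first lockout (from the text)
INITIAL_LOCKOUT_SECONDS = 60   # first lockout lasts one minute (from the text)
MAX_LOCKOUT_SECONDS = 3600     # cap on escalation (assumption)


@dataclass
class AccountState:
    failed_attempts: int = 0    # failures since the last success or lockout
    lockouts: int = 0           # lockouts since the last success; drives escalation
    locked_until: float = 0.0   # timestamp in seconds; 0 means not locked


class SmartLockout:
    """Tracks failed sign-ins per account and escalates the lockout duration."""

    def __init__(self):
        self._accounts = {}

    def _state(self, upn):
        return self._accounts.setdefault(upn, AccountState())

    def lockout_remaining(self, upn, now):
        """Seconds left on the current lockout, or 0.0 if the account is open."""
        return max(0.0, self._state(upn).locked_until - now)

    def record_attempt(self, upn, password_ok, now):
        """Process one sign-in attempt at time `now` (seconds).

        Returns "locked", "failed" or "success". `password_ok` is the result of
        credential verification; a real service would only verify the password
        after confirming the account is open, so that guesses made during a
        lockout reveal nothing."""
        st = self._state(upn)
        if now < st.locked_until:
            return "locked"
        if password_ok:
            st.failed_attempts = 0
            st.lockouts = 0
            return "success"
        st.failed_attempts += 1
        if st.failed_attempts < LOCKOUT_THRESHOLD:
            return "failed"
        # Threshold reached: lock the account, doubling the duration each time.
        duration = min(INITIAL_LOCKOUT_SECONDS * (2 ** st.lockouts), MAX_LOCKOUT_SECONDS)
        st.lockouts += 1
        st.failed_attempts = 0
        st.locked_until = now + duration
        return "locked"


def simulate(attempts, upn="alice@contoso.example"):
    """Replay a list of (time, password_ok) attempts and return the outcomes."""
    lockout = SmartLockout()
    return [lockout.record_attempt(upn, ok, t) for t, ok in attempts]


if __name__ == "__main__":
    # Constructed scenario: 10 guesses, a correct password during the lockout,
    # then 10 more guesses after it expires; the second lockout is twice as long.
    burst = [(float(t), False) for t in range(10)]
    later = [(70.0 + t, False) for t in range(10)]
    timeline = burst + [(30.0, True)] + later
    for (when, _), outcome in zip(timeline, simulate(timeline)):
        print(f"t={when:6.1f}s  {outcome}")
```

Rejecting a correct password during the lockout window is what keeps the window from leaking the answer to an attacker who is cycling through candidates; the trade-off is that a legitimate user who hits the window must wait or use self-service remediation.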

App provisioning and entitlement

Conditional access policies and controls

A conditional access policy is an if-then statement of assignments and access controls. You define the response ("do this") to the reason for triggering your policy ("if this"), enabling the authorization engine to make decisions that enforce organizational policies. With Azure AD conditional access, you can control how authorized users access your apps. The Azure AD What If tool can help you understand why a conditional access policy was or wasn't applied, or if a policy would apply to a user in a specific circumstance.

Conditional access controls work in conjunction with conditional access policies to help enforce organizational policy. Azure AD conditional access controls let you implement security based on factors detected at the time of the access request, rather than a one-size-fits-all approach. By coupling conditional access controls with access conditions, you reduce the need to create additional security controls. As a typical example, you can allow users on a domain-joined device to access resources using SSO, but require MFA for users off-network or using their own devices.
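To make the if-then model concrete, the following Python evaluator is added here as an illustration; it is not Azure AD's authorization engine, and the signal names, policy fields, and sample policy set are assumptions chosen to mirror the scenario above (SSO for domain-joined devices on the corporate network, MFA off-network or on personal devices). It also goes one step further than the text by showing how grant controls from several matching policies combine, with a block from any policy taking precedence.

```python
"""Toy conditional-access evaluator, added to this article to make the if-then
model above concrete. It is not Azure AD's authorization engine; the signal
names, the policy fields and the sample policies are assumptions made for this
example, chosen to mirror the scenario in the text (SSO for domain-joined
devices on the corporate network, MFA off-network or on personal devices)."""

from dataclasses import dataclass
from typing import Optional

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignInContext:
    """Signals known at the time of the access request."""
    user: str
    groups: frozenset
    app: str
    hybrid_joined: bool       # device is domain joined and registered with Azure AD
    compliant: bool           # endpoint management reports the device as compliant
    trusted_location: bool    # request originates from a trusted corporate network
    sign_in_risk: str         # "none", "low", "medium" or "high"


@dataclass(frozen=True)
class Policy:
    """One if-then rule: assignments and conditions ("if this") plus a grant control ("do this").
    A None condition means "do not test this signal"; all set conditions must hold (AND)."""
    name: str
    groups: frozenset = frozenset()         # empty means all users
    apps: frozenset = frozenset()           # empty means all apps
    hybrid_joined: Optional[bool] = None
    trusted_location: Optional[bool] = None
    min_sign_in_risk: Optional[str] = None  # applies at this risk level or above
    grant: str = "allow"                    # "allow", "mfa", "compliant_device" or "block"


def policy_applies(policy, ctx):
    """True when every assignment and condition of the policy matches the request."""
    if policy.groups and not (policy.groups & ctx.groups):
        return False
    if policy.apps and ctx.app not in policy.apps:
        return False
    if policy.hybrid_joined is not None and ctx.hybrid_joined != policy.hybrid_joined:
        return False
    if policy.trusted_location is not None and ctx.trusted_location != policy.trusted_location:
        return False
    if (policy.min_sign_in_risk is not None
            and RISK_ORDER[ctx.sign_in_risk] < RISK_ORDER[policy.min_sign_in_risk]):
        return False
    return True


def evaluate(policies, ctx):
    """Combine the grant controls of all matching policies.

    Returns (decision, matched policy names). A block from any policy wins; a
    compliant-device requirement that the device cannot meet is also a block;
    otherwise an MFA requirement from any policy turns into an MFA challenge."""
    matched = [p for p in policies if policy_applies(p, ctx)]
    names = [p.name for p in matched]
    grants = {p.grant for p in matched}
    if "block" in grants or ("compliant_device" in grants and not ctx.compliant):
        return "block", names
    if "mfa" in grants:
        return "require_mfa", names
    return "allow", names


# Sample policy set (constructed): separate policies give OR semantics across conditions.
POLICIES = (
    Policy("Require MFA off the corporate network", trusted_location=False, grant="mfa"),
    Policy("Require MFA on devices that are not domain joined", hybrid_joined=False, grant="mfa"),
    Policy("Require MFA at medium sign-in risk or above", min_sign_in_risk="medium", grant="mfa"),
    Policy("Block high-risk sign-ins", min_sign_in_risk="high", grant="block"),
    Policy("Finance ledger requires a compliant device",
           apps=frozenset({"finance-ledger"}), grant="compliant_device"),
)


def demo_cases():
    """Evaluate the sample policies against a few constructed requests."""
    base = dict(user="alice@contoso.example", groups=frozenset({"staff"}), app="intranet-portal",
                hybrid_joined=True, compliant=True, trusted_location=True, sign_in_risk="none")
    cases = {
        "domain-joined device on network": SignInContext(**base),
        "domain-joined device off network": SignInContext(**{**base, "trusted_location": False}),
        "personal device on network": SignInContext(**{**base, "hybrid_joined": False, "compliant": False}),
        "high-risk sign-in on network": SignInContext(**{**base, "sign_in_risk": "high"}),
        "finance ledger from personal device": SignInContext(
            **{**base, "app": "finance-ledger", "hybrid_joined": False, "compliant": False}),
    }
    return {label: evaluate(POLICIES, ctx)[0] for label, ctx in cases.items()}


if __name__ == "__main__":
    for label, decision in demo_cases().items():
        print(f"{label:40s} -> {decision}")
```

The list of matched policy names that evaluate() returns is the same information the What If tool surfaces: when a user reports an unexpected MFA prompt or block, the first question is which policies applied and which grant control produced the result.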

Azure AD can use the following conditional access controls with conditional access policies:

Risk detection

Azure Identity Protection includes several policies that can help your organization manage responses to suspicious user actions. User risk is the probability that a user identity is compromised. Sign-in risk is the probability that a sign-in request isn't coming from the user. Azure AD uses behavioral analytics to calculate a sign-in risk score from the probability that the request originates from the actual user.

  • Azure AD risk detections use adaptive machine learning algorithms and heuristics to detect suspicious actions related to user accounts. Each detected suspicious action is stored in a record called a risk detection. Azure AD calculates user and sign-in risk probability using this data, enhanced with Microsoft's internal and external threat intelligence sources and signals.

  • You can use the Identity Protection risk detection APIs in Microsoft Graph to expose information about risky users and sign-ins.

  • Real-time remediation allows users to unblock themselves by using SSPR and MFA to self-remediate some risk detections.

Logging

Azure AD audit reports provide traceability for Azure activities with audit logs, sign-in logs, and risky sign-in and risky user reports. You can filter and search the log data based on several parameters, including service, category, activity, and status.

You can route Azure AD log data to endpoints like:

You can also use the Microsoft Graph reporting API to retrieve and consume Azure AD log data within your own scripts.
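Both the risk detection section above and the logging section describe data (sign-in status, sign-in risk level, risk state, conditional access outcome) that a SOC script would consume before forwarding to the SIEM. The following Python example is added here as an illustration and is not Microsoft's code; it does not call the Graph reporting API but works offline on a constructed export whose field names follow the Microsoft Graph signIn resource (userPrincipalName, ipAddress, status.errorCode, riskLevelDuringSignIn, riskState, conditionalAccessStatus). The triage severities and the repeat-failure threshold are assumptions made for the example.

```python
"""Offline triage of Azure AD sign-in log records, added to this article as an
illustration of consuming sign-in and risk data in your own scripts. This is
not Microsoft's code and it does not call the Graph API. The records below are
constructed; their field names follow the Microsoft Graph signIn resource
(userPrincipalName, ipAddress, status.errorCode, riskLevelDuringSignIn,
riskState, conditionalAccessStatus) and the triage severities are assumptions."""

import json
from collections import Counter

# Constructed export, one signIn record per line (JSON Lines). Error code
# 50126 is Azure AD's "invalid username or password"; 53003 is "blocked by
# Conditional Access". IP addresses are from documentation ranges.
SAMPLE_LOG = """\
{"createdDateTime":"2021-03-01T08:00:12Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","appDisplayName":"Office 365","status":{"errorCode":0},"riskLevelDuringSignIn":"none","riskState":"none","conditionalAccessStatus":"success"}
{"createdDateTime":"2021-03-01T08:05:40Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","appDisplayName":"Office 365","status":{"errorCode":50126,"failureReason":"Invalid username or password."},"riskLevelDuringSignIn":"none","riskState":"none","conditionalAccessStatus":"notApplied"}
{"createdDateTime":"2021-03-01T08:10:01Z","userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.7","appDisplayName":"Azure Portal","status":{"errorCode":50126,"failureReason":"Invalid username or password."},"riskLevelDuringSignIn":"none","riskState":"none","conditionalAccessStatus":"notApplied"}
{"createdDateTime":"2021-03-01T08:10:03Z","userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.7","appDisplayName":"Azure Portal","status":{"errorCode":50126,"failureReason":"Invalid username or password."},"riskLevelDuringSignIn":"none","riskState":"none","conditionalAccessStatus":"notApplied"}
{"createdDateTime":"2021-03-01T08:10:05Z","userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.7","appDisplayName":"Azure Portal","status":{"errorCode":50126,"failureReason":"Invalid username or password."},"riskLevelDuringSignIn":"none","riskState":"none","conditionalAccessStatus":"notApplied"}
{"createdDateTime":"2021-03-01T08:12:30Z","userPrincipalName":"carol@contoso.example","ipAddress":"198.51.100.99","appDisplayName":"Office 365","status":{"errorCode":0},"riskLevelDuringSignIn":"high","riskState":"atRisk","conditionalAccessStatus":"success"}
{"createdDateTime":"2021-03-01T08:15:00Z","userPrincipalName":"dave@contoso.example","ipAddress":"203.0.113.44","appDisplayName":"Office 365","status":{"errorCode":53003,"failureReason":"Access has been blocked by Conditional Access policies."},"riskLevelDuringSignIn":"low","riskState":"none","conditionalAccessStatus":"failure"}
"""

RISKY_LEVELS = {"medium", "high"}


def parse_records(text):
    """Parse a JSON Lines export into a list of signIn dictionaries."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_failure(record):
    """A non-zero status.errorCode means the sign-in did not complete."""
    return record.get("status", {}).get("errorCode", 0) != 0


def is_risky(record):
    """Sign-in risk at medium or above, or a user already flagged at risk."""
    return (record.get("riskLevelDuringSignIn") in RISKY_LEVELS
            or record.get("riskState") == "atRisk")


def severity(record):
    """Triage severity (assumption for this example): a risky sign-in that
    succeeded ranks highest because a session now exists; a risky failure is
    next; a Conditional Access block is informational because the control
    worked; any other failure is low; a clean success is none."""
    if is_risky(record):
        return "medium" if is_failure(record) else "high"
    if record.get("conditionalAccessStatus") == "failure":
        return "info"
    if is_failure(record):
        return "low"
    return "none"


def triage(text, repeat_threshold=3):
    """Summarize an export for the SOC: who is failing, who is risky, what CA blocked."""
    records = parse_records(text)
    failed_by_user = Counter(r["userPrincipalName"] for r in records if is_failure(r))
    return {
        "total": len(records),
        "failed_by_user": dict(failed_by_user),
        "repeated_failures": {u: n for u, n in failed_by_user.items() if n >= repeat_threshold},
        "risky_successes": [r["userPrincipalName"] for r in records if severity(r) == "high"],
        "blocked_by_conditional_access": [r["userPrincipalName"] for r in records
                                         if r.get("conditionalAccessStatus") == "failure"],
    }


def to_siem_event(record):
    """Flatten one record into the key/value shape a SIEM ingests."""
    return {
        "time": record.get("createdDateTime"),
        "user": record.get("userPrincipalName"),
        "src_ip": record.get("ipAddress"),
        "app": record.get("appDisplayName"),
        "error_code": record.get("status", {}).get("errorCode", 0),
        "risk_level": record.get("riskLevelDuringSignIn"),
        "ca_status": record.get("conditionalAccessStatus"),
        "severity": severity(record),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
    for rec in parse_records(SAMPLE_LOG):
        if severity(rec) != "none":
            print(json.dumps(to_siem_event(rec)))
```

The ordering in severity() reflects a point the text makes about risk detections: a successful sign-in with a high risk level is the case that still needs a human, because the authorization engine has already granted a session, whereas a Conditional Access block is evidence that a control did its job and is logged for trend analysis rather than for immediate response.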

On-premises and hybrid considerations

Authentication methods are key to securing your organization's identities in a hybrid scenario. Microsoft provides specific guidance on choosing a hybrid authentication method with Azure AD.

Azure Advanced Threat Protection (AATP) can use your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions. AATP focuses on UEBA to identify insider threats and flag risk. Even if an identity becomes compromised, AATP can help identify the compromise based on unusual user behavior.

AATP integrates with Microsoft Cloud App Security (MCAS) to extend protection to cloud apps. You can use MCAS to create session policies that protect your files on download. For example, you may automatically set view-only permissions on any file downloaded by specific types of users.

You can use AATP with Azure identity protection to help protect user identities that are synchronized to Azure with Azure AD Connect.

Azure Application Proxy lets users access on-premises web applications from remote clients. With Application Proxy, you can monitor all sign-in activities for your applications in one place. You can provide secure remote access to on-premises apps, and use Azure features like conditional access for these applications.

If some of your apps already use an existing delivery controller or network controller to provide off-network access, you can integrate them with Azure AD. Several partners, including Akamai, Citrix, F5 Networks, and Zscaler, offer solutions and guidance for integration with Azure AD.

Pricing

Azure Active Directory pricing ranges from free, for features like SSO and MFA, to Premium P2, for features like PIM and Entitlement Management. For pricing details, see Azure Active Directory pricing.

Next steps