Since cloud services were first launched almost 20 years ago, cloud providers have been in a constant race to improve security: to keep customer data safe and to manage who has access to it. Identity and Access Management (IAM) products have existed since the early 1990s as an additional security layer over a business's network of teams and departments. IAM gives you control over who is authorized to perform which actions on which resources within your enterprise.
As an organization administrator, you need full visibility into the structure of your environment so that compromised credentials do not turn into a data breach.
Microsoft Azure Identity and Access Management
As the dominant enterprise operating system vendor, Microsoft needed not only a reliable platform but also a way to manage and audit access to each individual resource. That need gave birth to Microsoft Active Directory (AD), the on-premises directory service. Its cloud counterpart, Azure Active Directory (Azure AD, since renamed Microsoft Entra ID), is a separate cloud-hosted identity service rather than AD simply moved into the cloud, although the two can be connected for hybrid organizations. Microsoft's Azure Identity and Access Management (IAM) authenticates identities and authorizes access to sensitive data, applications and other critical resources, both in the data center and in the cloud, by assigning roles and permissions within the environment such as Owner, Contributor or Reader.
Microsoft Azure IAM Security Features
Azure IAM lets you issue each user their own credentials and assign roles to the users, groups and applications in your tenant. The features that provide this level of security include:
Azure AD Application Proxy publishes on-premises web applications such as Internet Information Services (IIS) sites, SharePoint and Outlook Web App to users outside your network. A lightweight connector inside the private network makes only outbound connections to the Azure-hosted reverse proxy, so no inbound firewall ports need to be opened, and Azure AD authenticates the remote user before the request is forwarded to the application. Together with the wide range of Software-as-a-Service (SaaS) applications Azure AD already supports, this gives employees one sign-in for remote access to company apps from their own devices.
Azure role-based access control (Azure RBAC) is the authorization system built on Azure Resource Manager that manages access to resources in Azure. It does not validate credentials: Azure AD authenticates the user, group or service principal, and RBAC then decides what that principal may do. RBAC lets you control every responsibility a user has by assigning a role at a scope (management group, subscription, resource group or individual resource); an assignment is inherited by everything beneath that scope. You can, for example, allow one user to manage only the virtual networks in one resource group while another user manages all resources in the subscription. This is done with Azure's predefined (built-in) roles, including:
- Owner: Full access to all resources, including the right to assign roles to other principals.
- Contributor: Can create and manage all types of Azure resources but cannot assign roles to others.
- Reader: Can only view existing Azure resources.
- User Access Administrator: Can manage user access to Azure resources (assign roles) but cannot manage the resources themselves.
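To make the role and scope rules concrete, here is an added example (not Microsoft's code) that models how Azure RBAC evaluates a request: an assignment applies at its scope and everything beneath it, each role grants its Actions minus its NotActions, all applicable assignments are unioned, and a deny assignment overrides any allow. The subscription, resource groups, principals and abbreviated role definitions are constructed for illustration.

```python
"""Model of how Azure RBAC computes a principal's effective permissions.

Added example, not Microsoft's code. It reproduces the documented evaluation
rules: a role assignment applies at its scope and every scope beneath it
(management group > subscription > resource group > resource); each role
grants its Actions minus its NotActions; the results of all applicable
assignments are unioned; and a deny assignment overrides any allow.
The role definitions are abbreviated, and the principals, scopes and
assignments are constructed for illustration.
"""
from fnmatch import fnmatchcase

# Abbreviated built-in role definitions (the real Contributor NotActions list
# is longer; only the entries relevant here are kept).
ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*"],
        "NotActions": [],
    },
    "Network Contributor": {"Actions": ["Microsoft.Network/*"], "NotActions": []},
}


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """True if resource_scope equals assignment_scope or lies beneath it."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def operation_matches(patterns, operation: str) -> bool:
    """Azure operation wildcards: '*' spans '/' and matching is case-insensitive."""
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def is_allowed(principal, operation, resource_scope, assignments, deny_assignments=()):
    """Decide whether principal may perform operation on resource_scope."""
    # Deny assignments are evaluated first and win over every role assignment.
    for deny in deny_assignments:
        if (principal in deny["principals"]
                and scope_covers(deny["scope"], resource_scope)
                and operation_matches(deny["Actions"], operation)
                and not operation_matches(deny.get("NotActions", []), operation)):
            return False
    # Allow if any applicable role grants the operation (per-role Actions minus NotActions).
    for ra in assignments:
        if ra["principal"] != principal or not scope_covers(ra["scope"], resource_scope):
            continue
        role = ROLE_DEFINITIONS[ra["role"]]
        if (operation_matches(role["Actions"], operation)
                and not operation_matches(role["NotActions"], operation)):
            return True
    return False


# Constructed tenant: one subscription, two resource groups, one VNet.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_NET = SUB + "/resourceGroups/rg-network"
RG_APP = SUB + "/resourceGroups/rg-app"
VNET = RG_NET + "/providers/Microsoft.Network/virtualNetworks/vnet-prod"

ASSIGNMENTS = [
    {"principal": "alice", "role": "Owner", "scope": SUB},
    {"principal": "bob", "role": "Network Contributor", "scope": RG_NET},
    {"principal": "carol", "role": "Contributor", "scope": SUB},
    {"principal": "dave", "role": "Reader", "scope": SUB},
]

# A deny assignment keeps even the Owner from deleting the production VNet.
DENIES = [
    {"principals": ["alice"], "scope": VNET,
     "Actions": ["Microsoft.Network/virtualNetworks/delete"]},
]

if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Authorization/roleAssignments/write", SUB),
        ("bob", "Microsoft.Network/virtualNetworks/write", VNET),
        ("bob", "Microsoft.Network/virtualNetworks/write", RG_APP),
        ("carol", "Microsoft.Authorization/roleAssignments/write", RG_APP),
        ("dave", "Microsoft.Compute/virtualMachines/read", RG_APP),
        ("alice", "Microsoft.Network/virtualNetworks/delete", VNET),
    ]
    for who, op, scope in checks:
        print(f"{who:6} {op:50} {scope.split('/')[-1]:12} -> "
              f"{is_allowed(who, op, scope, ASSIGNMENTS, DENIES)}")
```

Two points worth noticing in the output: Carol, a Contributor on the whole subscription, can create anything but is stopped by the Contributor NotActions from writing a role assignment, which is exactly the difference between Contributor and Owner; and Bob's Network Contributor assignment on rg-network gives him nothing in rg-app because scope inheritance only flows downward.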
Security Monitoring, Alerts and ML-based Reports
Identifying unusual access patterns helps you protect your company, and this is what security monitoring, alerts and machine-learning-based reports are for. Azure AD exposes usage and security reports that give visibility into the security and integrity of your organization; they fall into the following categories:
- Anomaly reports: contain sign-in events that were found to be anomalous. The goal is to make you aware of such activity so you can determine whether an event is suspicious.
- Integrated application reports: provide insight into how cloud applications are being used in your environment. Thousands of cloud applications can be integrated with Azure AD.
- Error reports: list errors that occurred while provisioning external applications or accounts.
- User-specific reports: track the sign-in and sign-out activity of an individual user.
- Activity logs: show the last 24 hours, 7 days or 30 days of activity in your organization, including group membership changes, password resets and registration activity.
Multi-factor authentication (MFA) requires more than one method of verification rather than relying solely on a password. It protects access to data and applications by adding a second factor to the sign-in, such as a phone call, a text message, an authenticator app notification, or a one-time verification code generated by an authenticator app or hardware token. With a second factor in place, a stolen or phished password alone is no longer enough to sign in.
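The verification codes an authenticator app shows are not random: they are time-based one-time passwords (TOTP, RFC 6238), an HMAC over the current 30-second time step truncated to six or eight digits. The following added example (not Microsoft's implementation) generates such codes, checks them against the test vectors published in RFC 6238, and verifies a submitted code with tolerance for clock drift and a guard against replaying an already-used code. The shared secret is the RFC test secret, not a real one.

```python
"""RFC 6238 TOTP: the verification codes an authenticator app generates.

Added example, not Microsoft's implementation. It shows what a one-time
verification code actually is (an HMAC over the current 30-second time step,
truncated to six or eight digits), checked against the test vectors published
in RFC 6238, and a verifier that tolerates clock drift and refuses replay of
an already-used code. The shared secret below is the RFC test secret, not a
real one.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226/6238 test secret


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter set to the current time step number."""
    return hotp(secret, for_time // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, now: int, *, step: int = 30, digits: int = 6,
                window: int = 1, last_used_step=None):
    """Return the time step the code matched, or None.

    window: number of adjacent steps accepted either side of 'now' to absorb
    clock drift. last_used_step: the step of the last accepted code for this
    user; any code at or before it is rejected so a captured code cannot be
    replayed within the window. The caller persists the returned step.
    """
    current = now // step
    for candidate in range(current - window, current + window + 1):
        if last_used_step is not None and candidate <= last_used_step:
            continue
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    for t, expected in [(59, "94287082"), (1111111109, "07081804"),
                        (1234567890, "89005924"), (2000000000, "69279037")]:
        print(f"T={t:<12} computed={totp(RFC_TEST_SECRET, t, digits=8)} rfc={expected}")
    print("current 6-digit code:", totp(RFC_TEST_SECRET, int(time.time())))
```

The verifier returns the matching step rather than a bare boolean so the caller can store it: rejecting any step at or before the last accepted one is what stops an attacker who phished a code from reusing it during the drift window.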
Identity Protection is a service that gives an overall view of the potential vulnerabilities and risk detections affecting your organization's identities. It builds on the Azure AD anomalous activity reports and adds real-time risk detection, surfaced through a risk detection report.
Azure AD Identity Protection
Azure admins can review previous detections and take immediate action on them as needed. Three reports are available when investigating Identity Protection:
- Risky users: find users at risk, view detection details and the user's risky sign-in history, confirm or dismiss the user as compromised, and block the user from signing in.
- Risky sign-ins: a detailed report of sign-ins classified as at risk, compromised, safe, remediated or dismissed, with device, application and location information for the past 30 days.
- Risk detections: the last 90 days of risk detections, including the detection type, other risks triggered at the same time, sign-in attempt locations and links to further details in Microsoft Cloud App Security.
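The anomaly reports above and Identity Protection's risky sign-ins and risky users reports both rest on detections like the two implemented in this added example (not Microsoft's detection logic): a sign-in from a location the user has never signed in from before, and "impossible travel", two sign-ins whose distance could not have been covered in the time between them. The sample sign-in records, coordinates and the 1000 km/h plausibility threshold are constructed assumptions.

```python
"""Sign-in risk scoring over constructed sign-in records.

Added example, not Microsoft's detection logic. It reproduces two anomaly
classes behind the Azure AD anomaly reports and Identity Protection's risky
sign-ins: a sign-in from a location the user has never signed in from
before (scored medium), and "impossible travel", two sign-ins whose
distance could not have been covered in the time between them (scored
high). It then rolls the results up into a risky-users view. The users,
timestamps and coordinates are constructed sample data, and the speed
threshold is an assumption.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # assumption: roughly airliner cruising speed
MIN_TRAVEL_KM = 100.0              # ignore small geolocation jitter within a city
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

# Constructed sign-in log: (user, UTC time, city, latitude, longitude)
SIGN_INS = [
    ("alice", "2024-05-01T08:00:00Z", "London", 51.51, -0.13),
    ("alice", "2024-05-01T08:45:00Z", "London", 51.51, -0.13),
    ("alice", "2024-05-01T09:30:00Z", "Singapore", 1.35, 103.82),
    ("bob", "2024-05-01T10:00:00Z", "Berlin", 52.52, 13.41),
    ("bob", "2024-05-02T10:05:00Z", "Berlin", 52.52, 13.41),
    ("bob", "2024-05-03T02:00:00Z", "Lagos", 6.52, 3.38),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_sign_ins(records):
    """Return one dict per sign-in with its risk level and the reasons."""
    scored = []
    familiar = {}     # user -> set of cities seen in earlier sign-ins
    last_seen = {}    # user -> (time, lat, lon) of the previous sign-in
    for user, ts, city, lat, lon in sorted(records, key=lambda r: (r[0], parse_ts(r[1]))):
        t = parse_ts(ts)
        reasons = []
        known = familiar.setdefault(user, set())
        # First sign-in of a user is the baseline; later unseen cities are flagged.
        if known and city not in known:
            reasons.append("unfamiliar_location")
        if user in last_seen:
            t0, lat0, lon0 = last_seen[user]
            dist = haversine_km(lat0, lon0, lat, lon)
            hours = max((t - t0).total_seconds() / 3600.0, 1 / 3600.0)  # guard dt == 0
            if dist > MIN_TRAVEL_KM and dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
                reasons.append("impossible_travel")
        risk = ("high" if "impossible_travel" in reasons
                else "medium" if reasons else "low")
        scored.append({"user": user, "time": ts, "city": city,
                       "risk": risk, "reasons": reasons})
        known.add(city)
        last_seen[user] = (t, lat, lon)
    return scored


def risky_users(scored):
    """Highest risk level per user, omitting users whose sign-ins were all low."""
    worst = {}
    for s in scored:
        if RISK_ORDER[s["risk"]] > RISK_ORDER[worst.get(s["user"], "low")]:
            worst[s["user"]] = s["risk"]
    return worst


if __name__ == "__main__":
    results = score_sign_ins(SIGN_INS)
    for r in results:
        print(f"{r['time']} {r['user']:6} {r['city']:10} {r['risk']:6} {r['reasons']}")
    print("risky users:", risky_users(results))
```

Alice's London-to-Singapore hop in 45 minutes is flagged as impossible travel and scores high; Bob's first sign-in from Lagos is only unfamiliar (16 hours after Berlin is a plausible flight) and scores medium. A real system would feed the high-risk sign-in into a policy that requires MFA or blocks it, and the risky-users summary is what an admin would confirm or dismiss.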
Privileged Identity Management
Users may need to carry out privileged operations in Microsoft 365 or Azure, in other Microsoft online services, or in other SaaS applications. Traditionally this meant giving those users permanent privileged access in Azure AD. Standing privileges of this kind are a threat to cloud-hosted resources, because an organization cannot adequately monitor who holds them or what is done with them, and a compromised account keeps the privileges for as long as the attacker holds it.
Azure AD Privileged Identity Management (PIM) helps mitigate the risk of compromised access or breaches by letting you:
- See which users are Azure AD administrators.
- Enable on-demand, just-in-time (JIT) administrative access to Microsoft services such as Microsoft 365 and Intune, so privileges are held only for the time a task needs them.
- Get reports on administrator access history and changes in administrator assignments.
- Get alerts when a privileged role is assigned or activated.
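The following added example (not PIM's API or Microsoft code) models the mechanism behind those four points: an eligible assignment that a user must activate for a bounded time with a justification, a permanent assignment that represents the standing privilege PIM is meant to replace, an audit trail of every change, and the two derived views, who is an administrator right now and what should raise an alert. The users, role name, policy maximum and timestamps are constructed.

```python
"""Just-in-time privileged role activation, modelled after what Azure AD PIM does.

Added example, not PIM's API. It shows the difference between an eligible
assignment (the user may activate the role, for a bounded time, with a
justification) and a permanent assignment (standing privilege that PIM would
flag), keeps an audit trail of activations, and answers two questions: who is
an administrator right now, and what should raise an alert. Users, roles,
the policy limit and timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)   # constructed reference time


def hours(n) -> timedelta:
    return timedelta(hours=n)


class PrivilegedRoleStore:
    def __init__(self, max_activation: timedelta = hours(8)):
        self.max_activation = max_activation   # assumed policy: activations expire within 8 hours
        self.eligible = set()                  # (user, role) pairs allowed to activate
        self.permanent = set()                 # (user, role) standing assignments
        self.active = {}                       # (user, role) -> expiry time
        self.audit = []                        # chronological record of every change

    def _log(self, now, event, user, role, **extra):
        self.audit.append({"time": now.isoformat(), "event": event,
                           "user": user, "role": role, **extra})

    def assign_eligible(self, user, role, now):
        self.eligible.add((user, role))
        self._log(now, "eligible_assigned", user, role)

    def assign_permanent(self, user, role, now):
        self.permanent.add((user, role))
        self._log(now, "permanent_assigned", user, role)

    def activate(self, user, role, now, duration, justification):
        """JIT activation: only eligible users, bounded duration, justification required."""
        if (user, role) not in self.eligible:
            raise PermissionError(f"{user} is not eligible for {role}")
        if not justification.strip():
            raise ValueError("justification required")
        if duration > self.max_activation:
            raise ValueError(f"duration exceeds policy maximum of {self.max_activation}")
        expiry = now + duration
        self.active[(user, role)] = expiry
        self._log(now, "activated", user, role,
                  expires=expiry.isoformat(), justification=justification)
        return expiry

    def _expire(self, now):
        """Drop activations whose time is up, recording the expiry in the audit log."""
        for (user, role), expiry in list(self.active.items()):
            if expiry <= now:
                del self.active[(user, role)]
                self._log(now, "expired", user, role)

    def has_role(self, user, role, now) -> bool:
        """True while a permanent assignment or an unexpired activation exists."""
        self._expire(now)
        return (user, role) in self.permanent or (user, role) in self.active

    def administrators(self, now):
        """Who holds a privileged role right now (the 'see which users are admins' view)."""
        self._expire(now)
        return sorted({u for (u, _) in self.permanent} | {u for (u, _) in self.active})

    def alerts(self):
        """Findings PIM-style tooling raises: standing privilege instead of JIT access."""
        return [f"permanent assignment of {role} to {user}"
                for (user, role) in sorted(self.permanent)]


def activation_outcome(store, *args) -> str:
    """'ok' or the refusal reason, for callers that prefer a result to an exception."""
    try:
        store.activate(*args)
        return "ok"
    except (PermissionError, ValueError) as exc:
        return str(exc)


if __name__ == "__main__":
    store = PrivilegedRoleStore()
    store.assign_eligible("alice", "Global Administrator", T0)
    store.assign_permanent("bob", "Global Administrator", T0)
    store.activate("alice", "Global Administrator", T0, hours(2), "approved change window")
    print("admins at T0+1h:", store.administrators(T0 + hours(1)))
    print("admins at T0+3h:", store.administrators(T0 + hours(3)))
    print("alerts:", store.alerts())
    for entry in store.audit:
        print(entry)
```

Alice appears as an administrator only during her two-hour activation and disappears once it expires; Bob, with a standing assignment, is an administrator at all times and is the one the alert points at. Every activation carries its justification and expiry in the audit trail, which is the report on administrator access history.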
Azure AD Identity Access Management Pricing
Azure AD comes in different editions depending on your business requirements. There are three tiers: Free, which is included with a subscription to a commercial Microsoft service, and two Premium editions available through Microsoft representatives, the Cloud Solution Provider program and the Open Volume License Program.
- Free: included by default with a subscription to a commercial Microsoft service such as Dynamics 365, Azure, Power Platform or Intune.
- Premium P1: designed for businesses with more complex identity and access management needs. It lets hybrid users access both on-premises and cloud capabilities and covers the needs of information workers and administrators in hybrid organizations.
- Premium P2: includes every feature of the other Azure AD editions plus the advanced Identity Protection and Privileged Identity Management capabilities described above.
Azure AD can be licensed in a few different ways depending on your business needs, and some organizations already use it through other Microsoft products. Prices are as follows:
| Purchase method | Free | Premium P1 | Premium P2 |
|---|---|---|---|
| Microsoft representative | Included with Office 365 | Included with Office 365 | Included with Office 365 |
| Online | Included with Office 365 | $6 per user/month* | $9 per user/month* |