Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Azure Security Cookbook
Azure Security Cookbook

Azure Security Cookbook: Practical recipes for securing Azure resources and operations

Arrow left icon
Profile Icon Steve Miles
Arrow right icon
Free Trial
Full star icon Full star icon Full star icon Full star icon Half star icon 4.7 (21 Ratings)
Paperback Mar 2023 372 pages 1st Edition
eBook
Can$27.99 Can$40.99
Paperback
Can$50.99
Subscription
Free Trial
Arrow left icon
Profile Icon Steve Miles
Arrow right icon
Free Trial
Full star icon Full star icon Full star icon Full star icon Half star icon 4.7 (21 Ratings)
Paperback Mar 2023 372 pages 1st Edition
eBook
Can$27.99 Can$40.99
Paperback
Can$50.99
Subscription
Free Trial
eBook
Can$27.99 Can$40.99
Paperback
Can$50.99
Subscription
Free Trial

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Azure Security Cookbook

Securing Azure AD Identities

Azure Active Directory (Azure AD) is a multi-tenant cloud-based identity and access management solution that is part of Microsoft’s Entra Identity platform product family.

You can read more about Entra and its integrated hybrid and multi-cloud identity and access solutions family at the following Microsoft site: https://www.microsoft.com/en-us/security/business/microsoft-entra.

In this chapter, you will learn how to secure and protect Azure AD identities.

We will break down this chapter into sections that cover how you can review your environments, including security posture, tenant-level identity and access management, password management and protection, security defaults, multi-factor authentication, and Conditional Access. We will then look at implementing Identity Protection and Identity Management services.

By the end of this chapter, you will have covered the following recipes to create secure Azure AD identities:

  • Reviewing Azure AD Identity Secure Score
  • Implementing Azure AD tenant Identity and Access Management
  • Implementing Azure AD Password Protection
  • Implementing Self-Service Password Reset
  • Implementing Azure AD security defaults
  • Implementing Azure AD multi-factor authentication
  • Implementing Conditional Access policies
  • Implementing Azure AD Identity Protection
  • Implementing Azure AD Privileged Identity Management

Introduction to Azure Identity Services

Before we look at any recipes, we will first introduce some concepts surrounding Microsoft Identity services. This will assist us in establishing a foundation of knowledge to build upon. We will start by looking at Active Directory (AD).

What is AD?

AD provides Identity and Access Management (IAM) and Information Protection services for traditional Windows Server environments. It was first included with Windows Server 2000 as an installable service.

AD provides different services in its portfolio and is used as a generic and umbrella term in many cases.

These individual services in Azure AD include the following:

  • AD Domain Services (AD DS)
  • AD Federation Services (AD FS)
  • AD Certificate Services
  • AD Rights Management Services

In this next section, we will introduce Azure AD and look at its relationship with AD, a similar name but with different functions, capabilities, and use cases.

When is AD not AD? When it is Azure AD!

Before we go any further, we should clear one thing up: there is a common misconception that Azure AD must just be a cloud-based Software-as-a-Service (SaaS) version, but it is not!

It is easy enough why people (wrongly) think this may be the case; after all, Exchange Online and SharePoint Online are indeed exactly that, SaaS versions of their traditional infrastructure deployed platforms; if only it were that simple, though.

In many ways, Azure AD is like AD on the surface; they are both Identity Providers (IDPs) and provide IAM controls. Still, at the same time, they function differently and don’t yet provide a complete parity of capabilities, although quite close.

It is worth noting that Azure AD is constantly evolving to meet the requirements and demands of authentication and authorization of workloads and services to bring capabilities in line with those available in AD, such as Kerberos realms within Azure AD.

At the time of publishing this book, you cannot use Azure AD to 100% replace the provided capabilities of AD.

Depending on the scenario, it may be the case that your environments will never be 100% cloud-based for identity services. You may remain with Hybrid identity services – that is, both AD and Azure AD coexist in a connected and synchronized state.

What is Azure AD?

Azure AD is a SaaS identity management solution that is fully managed and provides functions such as an IDP and IAM for managing and securing access to resources based on Role-Based Access Control (RBAC).

As Azure AD is provided as a fully managed service, there is no installable component such as Windows Servers and Domain Controllers (DC); zero infrastructure needs to be deployed by you.

The primary cloud authentication protocol used by Azure AD is based around using OpenID, OAuth, and Graph, whereas AD uses Kerberos and NTLM.

What is Hybrid Identity?

The hybrid identity approach allows you to synchronize objects, such as user objects and their passwords, between AD and Azure AD directories.

The main driver for hybrid identity within an organization is legacy AD-integrated applications that do not support cloud identity authentication protocols.

This capability provides users access to AD authenticated, and Azure AD authenticated using a single Common Identity and password.

The password synced to Azure AD is a hash of the stored hashed password; passwords are never stored in Azure AD, only the password hash. This capability is referred to as same sign-on, meaning you will be prompted each time to enter the same credentials when you wish to authenticate to resources.

This capability should not be confused with single sign-on (SSO), which does not prompt you again when accessing resources. The following diagram shows the relationship between AD and Azure AD:

Figure 1.1 – AD and Azure as a relationship

Figure 1.1 – AD and Azure as a relationship

Azure AD Connect is a free downloadable tool that synchronizes objects between AD and Azure AD’s IDP directories; this establishes hybrid identities. Azure AD Connect provides additional functionality and capabilities and allows for Self-Service Password Reset (SSPR) through additional configuration.

You can continue learning more, should you wish, about hybrid identities and Azure AD Connect, by going to https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect.

Technical requirements

For this chapter, the following are required for the recipes:

  • A machine with a modern browser such as Edge or Chrome and internet access; this machine can be a client or server operating system. We will use a Windows 10 Microsoft Surface laptop with a Chrome browser for the recipe examples.
  • An Azure AD tenancy; you may use an existing one or sign up for free: https://azure.microsoft.com/en-us/free.
  • Access to the Global Administrator role for the tenancy.
  • Some cloud-only test user created accounts as part of the Azure AD tenancy.
  • You will require Azure AD Premium licenses or trial licenses. The following steps will guide you on activating a free trial if you do not already have a license:
    1. From the Azure portal, go to Azure AD | Licenses | All products, then click Try/Buy from the top toolbar.
    2. Select the AZURE AD PREMIUM P2 free trial and click Activate:
Figure 1.2 – Azure AD Premium P2 free trial activation

Figure 1.2 – Azure AD Premium P2 free trial activation

Reviewing Azure AD Identity Secure Score

Azure AD Identity Secure Score enables you to make informed decision-making to protect your Azure AD tenancy.

This recipe will teach you how to monitor and improve your Azure AD Identity Secure Score.

We will take you through reviewing the Azure AD Identity Secure Score dashboard for your Azure AD tenancy environments and look at the actionable insights available to improve your secure score and security posture.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • You should sign into the Azure portal with an account with the Global Administrator role

How to do it…

This recipe consists of the following tasks:

  • Reviewing Identity Secure Score
  • Updating the improvement actions status

Task – Reviewing Identity Secure Score

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory | Security | Identity Secure Score.

Alternatively, in the search bar, type azure ad identity secure score; click on Azure AD Identity Secure Score from the list of services shown.

  1. You will now see the Identity Secure Score blade.
  2. The top section of the Identity Secure Score screen represents your identity security posture:
Figure 1.3 – Secure Score screen

Figure 1.3 – Secure Score screen

This area of the screen shows three aspects to review:

  • Secure Score for Identity is a percentage of your alignment with Microsoft’s best practice security recommendations
  • Comparison is your security posture management compared to other tenants of a similar size
  • Score history is a trend graph over time
  1. The lower section of the Identity Secure Score screen provides a list of recommended and possible security Improvement actions.

Each recommended improvement action has a Score Impact, User Impact, Implementation Cost, Max Score possible, and Current Score:

Figure 1.4 – The Improvement actions screen

Figure 1.4 – The Improvement actions screen

  1. Click Download; you can access the improvement actions in a CSV file:
Figure 1.5 – Improvement actions download

Figure 1.5 – Improvement actions download

  1. By clicking on an Improvement action, you can see further information:
Figure 1.6 – Improvement actions information

Figure 1.6 – Improvement actions information

With that, you have reviewed Identity Secure Score. In the next task, we will update the status of improvement actions.

Task – Updating the improvement actions status

Perform the following steps:

  1. Select an Improvement action and click to open it.
  2. From the Improvement action screen, on the STATUS section, select the status you wish to update the action to and then click Save:
Figure 1.7 – Improvement actions status options

Figure 1.7 – Improvement actions status options

With that, you have updated the status of improvement actions. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we reviewed the information presented in the Azure AD identities Secure Score and took action from available insights.

  • The Azure ID Identity Secure Score overlaps with the identity score used for the Microsoft secure score, which means the recommendations will be the same.
  • The Azure AD Identity Secure Score provides a value of between 1% and 100%, representing how well your Azure AD tenancy is secured based on Microsoft’s best practices and recommendations.

You can also see actionable improvement insights on how your score can be improved and each improvement’s impact on the secure score.

The dashboard and a score history timeline show a comparison of your environment’s Azure AD tenancy to a tenancy of the same size and industry average.

Your environment’s Azure AD tenancy identity settings are compared with best practice recommendations once a day (approx 1:00 A.M. PST); changes made to an improvement action may not be reflected in the score for up to 48 hours.

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing Azure AD tenant Identity and Access Management

Account compromise is one of the biggest threat vectors to protect against, and those with privileged access roles will be the focus of attacks. There are often too many users assigned privileged accounts, with more access than is required for a user to carry out their role. There is often insufficient RBAC in place, and the principle of least privilege should be adopted for these privileged administrator roles.

While we need to limit the number of user accounts that have the Global Administrator role, there should also not be a single point of compromise for the Global Administrator role. Having more than one account with the Global Administrator role is important. It is crucial to have an emergency account in case of a breach or conditional access lockout of a Global Administrator role assigned. Global Administrator role accounts can use a buddy system to monitor each other’s accounts for signs of a breach.

This recipe will teach you to ensure you only have the users assigned with the least privileges required for their role and ensure you have a minimum of two accounts assigned the Global Administrator role.

We will take you through the steps to implement these tasks.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • You should sign in with an account that has the Global Administrator role

How to do it…

This recipe consists of the following tasks:

  • Implementing least privileged administrative roles
  • Designating more than one Global Administrator

Task – implementing least privileged administrative roles

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory | Roles and administrators.
  2. From the All roles section, select the Global administrator role:

Figure 1.8 – Azure AD Roles and Administrators screen

Figure 1.8 – Azure AD Roles and Administrators screen

  1. From the Assignments section, identify only the accounts required to have the Global Administrators role; ensure you have at least two or no more than five accounts with the Global Administrator role.

Select a user for users who no longer require the Global Administrator role and then click Remove assignments from the top toolbar:

Figure 1.9 – The Remove assignments screen

Figure 1.9 – The Remove assignments screen

  1. From Azure Active Directory | Roles and administrators | All roles | Global administrator, we can now see that the user has been removed from the Global Administrator role:
Figure 1.10 – Global Administrator Assignments screen

Figure 1.10 – Global Administrator Assignments screen

  1. To reassign least privileged admin users to roles required to complete their tasks, navigate to Azure Active Directory | Users. Select and click the users to assign roles.
  2. From the User blade for the user selected to assign a directory role, go to Assigned roles from the Manage section and click Add assignments:
Figure 1.11 – The Assigned roles screen

Figure 1.11 – The Assigned roles screen

  1. From the Directory roles pop-up screen, locate the directory role you wish to assign from the list of all available roles; select the directory role to assign and click Add:
Figure 1.12 – The Directory roles assignment screen

Figure 1.12 – The Directory roles assignment screen

  1. Your user will now have the required least privileged admin role assigned and no longer have the highly privileged Global Administrator role:
Figure 1.13 – User administrator | Assignments

Figure 1.13 – User administrator | Assignments

With that, you have learned how to use least privileged roles. In the next task, we will designate more than one Global Administrator for the tenancy.

Task – designating more than one Global Administrator

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory | Roles and administrators | All roles | Global Administrator.
  2. From the Assignments blade, click Add assignments and locate the user(s) to add to the Global Administrators role:
Figure 1.14 – Global administrator – the Add assignments screen

Figure 1.14 – Global administrator – the Add assignments screen

  1. Select the user, and then click Add:
Figure 1.15 – Global administrator – The Add assignments screen

Figure 1.15 – Global administrator – The Add assignments screen

  1. You will now see that the user(s) have been assigned the Global Administrator role:
Figure 1.16 – Global administrator | Assignments

Figure 1.16 – Global administrator | Assignments

With that, you have created more than one Global Administrator role. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we looked at limiting the number of users with the Global Administrator role and ensuring you only had the users assigned with the least required privileges for their role. In our example, we removed the Global Administrator role from a user and reassigned them to the User Administrator role, which was the least privileges required for their tasks.

We then ensured you had a minimum of two accounts assigned the Global Administrator role by adding a user to this role. The Microsoft recommendation is for a minimum of two users and no more than five for this role.

There’s more…

Azure AD user accounts with the highest privileged role of Global Administrator will be the primary goal for compromise by bad actors. This is because this role has access to every administrative setting in your environment’s Azure AD tenancy at the read and modify permission level.

Microsoft recommends that you assign user accounts with less privileged roles. This limits the user’s scope of permissions through RBAC to only be able to do what a user needs to do for their job function.

The following are some of the many roles that can be considered to reduce the use of the Global Administrator role but still have enough access for a user to be able to perform their duties:

  • Application Administrator
  • Authentication Administrator
  • Azure DevOps Administrator
  • Azure Information Protection Administrator
  • Billing Administrator
  • Compliance Administrator
  • Conditional Access Administrator
  • Directory Readers
  • Exchange Administrator
  • SharePoint Administrator
  • Privileged Role Administrator
  • Security Administrator
  • User Administrator

Should you require further information on least privileged roles, you can refer to the following Microsoft Learn articles:

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing Azure AD Password Protection

Users often make poor choices when creating passwords, making them easy targets and victims of dictionary-based attacks.

This recipe will teach you how to implement Azure AD password protection in your environment’s AD tenancy. We will take you through customizing your smart lockout threshold and creating a global and custom banned password list.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • You should sign in with an account that has the Global Administrator role
  • We will use Azure AD Premium licenses for this and future recipes

How to do it…

This recipe consists of the following task:

  • Configuring password protection

Task – configuring password protection

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory and then click Security under the Manage section from the side menu.
  2. Select Authentication Methods under the Manage section from the side menu.
  3. Select Password protection under the Manage section from the side menu.
  4. From the Custom smart lockout section, set the Lockout threshold and Lockout duration in seconds properties as required; review the information in the tooltips by clicking on the i symbol:
Figure 1.17 – Azure AD Premium P2 free trial activation

Figure 1.17 – Azure AD Premium P2 free trial activation

  1. From the Custom banned password section, select Yes, enter strings that are to be banned, and click Save; review the information in the tooltips by clicking on the i symbol. It can take several hours to apply the band password list:
Figure 1.18 – Azure AD Premium P2 free trial activation

Figure 1.18 – Azure AD Premium P2 free trial activation

With that, you have configured password protection. This concludes the hands-on tasks for this recipe.

How it works…

You only need to add key terms such as password or contoso and the algorithm will automatically consider and block all variants of common character substitutions, such as Pa$sw0rd1! or C@ntos0!.

The banned password list may have a maximum of 1,000 key terms. The minimum length of a term string is 4 characters, where 16 characters is the maximum and are case-sensitive.

This recipe looked at customizing your smart lockout threshold to protect against brute-force attack methods. We also looked at creating a global and custom banned password list to protect against dictionary and password spray attacks and enforce the use of strong passwords.

Both of these measures, when implemented, can offer significant protection for your environment’s Azure AD tenancy.

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing a Self-Service Password Reset

Users will sometimes forget their passwords; to prevent intervention by an Azure AD administrator, a self-service password reset (SSPR) can be implemented. This allows users to click on the Can’t access your account? link on the sign-in page for the portal or Microsoft Cloud service they are trying to access.

This recipe will teach you how to implement SSPR in your environment’s AD tenancy. We will take you through enabling SSPR for a selected scope and review the available settings, then carry out a user registration for SSPR and test its operation to confirm the function is working.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • You should sign in with an account that has the Global Administrator role
  • Optionally, pre-create an Azure AD Security group called SSPR-Test-Group and add members to test with

How to do it…

This recipe consists of the following task:

  • Configuring Self-Service Password Reset

Task – configuring Self-Service Password Reset

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory and then click Password under the Manage section from the side menu.
  2. From Properties, under the Manage section from the side menu, choose Selected under Self-service password reset enabled; review the information in the tooltips on this page by clicking on the i symbol:
Figure 1.19 – Password reset | Properties

Figure 1.19 – Password reset | Properties

  1. Click on the No groups Selected hyperlink and then browse and select the group to enable SSPR. Then, click Save:
Figure 1.20 – Password reset selected groups

Figure 1.20 – Password reset selected groups

  1. From Authentication methods, under the Manage section from the side menu, select as required the Number of methods required to reset setting.
  2. Then, select as required the Methods available to users setting:
Figure 1.21 – Authentication methods

Figure 1.21 – Authentication methods

  1. From Registration, under the Manage section from the side menu, select Yes for Require users to register when signing in?.
  2. Select the Number of days before users are asked to re-confirm their authentication information setting as required.
  3. From Notifications, under the Manage section from the side menu, select Notify users on password resets? as required.
  4. From Notifications, under the Manage section from the side menu, select the Notify users on password resets? and Notify all admins when other admins reset their password? settings as required.
  5. From Customization, under the Manage section from the side menu, select the Customize helpdesk link? and Custom helpdesk email or URL settings as required.
  6. Review the settings configured from Administrator Policy in the Manage section from the side menu.

With that, you have configured SSPR. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we looked at how we can implement SSPR when users forget their password for a portal or Microsoft Cloud service they are trying to access.

This prevents intervention from an Azure AD administrator, which reduces the burden on these roles and also protects against loss of productivity.

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing Azure AD security defaults

The perimeter vanishes with the rise in hybrid working and a remote workforce on unsecured devices outside of secure corporate networks. Now, it is commonplace to be targeted by identity-related attacks such as password spray and phishing. However, with basic security adoption, such as blocking legacy authentication and multi-factor authentication (MFA), 99.9% of these identity-related attacks can be stopped. However, we must balance security with productivity.

Because security can require skills and money, Microsoft is providing no-cost preconfigured secure settings by default to provide a basic level of security for everybody.

This recipe will teach you how to implement the Azure AD security defaults in your environment’s AD tenancy.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • You should sign into the Azure portal with an account with the Global Administrator, Security Administrator, or Conditional Access Administrator role

How to do it….

This recipe consists of the following task:

  • Enabling security defaults

Task – enabling security defaults

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory and click Properties in the Manage section from the side menu.
  2. Then, click the Manage Security Defaults hyperlink, select Yes under Enable security defaults, and click Save:
Figure 1.22 – The Enable security defaults screen

Figure 1.22 – The Enable security defaults screen

With that, you have enabled security defaults. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we looked at enabling security defaults in your environment’s Azure AD tenancy.

The security defaults are Microsoft-recommended security mechanisms with preconfigured security settings that, once enabled, are automatically enforced in your tenant to protect against the most common identity-based attacks.

The following are the enforced settings:

  • Azure MFA for all users and administrators
  • Blocking of legacy authentication protocols
  • Protection of privileged access activities, such as Azure portal access

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing Azure AD multi-factor authentication

We must adopt a zero-trust strategy in the perimeter-less world of cloud services and hybrid working more than ever. This means that we must assume breach and never trust, always verify.

Azure AD MFA provides an additional layer of defense; we never trust a single authentication method and must assume that the traditional password method has been compromised. Microsoft studies show that when you implement MFA, your accounts are more than 99.9% less likely to be compromised.

This recipe will teach you how to implement Azure AD MFA in your environment’s AD tenancy.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com.
  • You should sign into the Azure portal with an account with the Global Administrator role.
  • You will require Azure AD Premium licenses or trial licenses.
  • If you have Security Defaults enabled, you will automatically have MFA enabled for all users and administrators using the free benefits of Azure AD. Using one of the paid Azure AD Premium licenses provides additional capabilities, such as the additional authentication methods of verification codes, text messages, or phone calls, as well as the following:
    • Azure AD Premium P1: This license includes Azure Conditional Access for MFA
    • Azure AD Premium P2: This license adds risk-based Conditional access to MFA through Information Protection

How to do it…

This recipe consists of the following task:

  • Configuring MFA

Task – configuring MFA

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory, click Security in the Manage section from the side menu, and then click Multifactor authentication.
  2. From the Multifactor authentication | Getting started blade, click the Additional cloud-based multifactor authentication settings hyperlink under the Configure section heading:
Figure 1.23 – Multifactor authentication | Getting started

Figure 1.23 – Multifactor authentication | Getting started

  1. Two tabs are available from the new multi-factor authentication page that opens; select the user’s tab and then users to enable MFA:
Figure 1.24 – MFA configuration screen

Figure 1.24 – MFA configuration screen

  1. From the user pane on the right, click on the Manage user settings hyperlink in the quick steps section:
Figure 1.25 – MFA selected user pane

Figure 1.25 – MFA selected user pane

  1. On the Manage user settings pop-up screen, select any of the three options as required and then select save:
Figure 1.26 – Manage user settings pop-up screen

Figure 1.26 – Manage user settings pop-up screen

  1. Click Enable on the user pane screen from Step 4 of this recipe. From the About enabling multi-factor auth pop-up screen that appears, read the provided links, click enable multi-factor auth, and click close on the Updates successful screen.
  2. To disable a user for MFA, select the user from the user pane, click Disable in the quick steps section, select Yes on the pop-up screen, and click Close:
Figure 1.27 – Disabling MFA for a user

Figure 1.27 – Disabling MFA for a user

  1. You may bulk update enabling users for MFA by selecting the bulk update button and uploading a CSV file; a template file will be provided that you can download.
  2. Once the user tab configuration is complete, select the service settings tab in the multi-factor authentication browser window:
Figure 1.28 – The service settings tab’s settings

Figure 1.28 – The service settings tab’s settings

  1. From the service settings screen, set the required options and click save. Note the verification options section.

With that, you have configured MFA. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we looked at how to enable Azure AD MFA in our environment’s Azure AD tenancy to provide an additional layer of security for users to sign to protect their identity from compromise.

Azure AD MFA requires us to provide one or more additional factors as a method to authenticate in addition to the password factor.

We can use the following authentication factors:

  • Something we know (password)
  • Something we own (device)
  • Something we are (biometrics)

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing Conditional Access policies

There must be a balance of protecting an organization’s resources while ensuring every user, wherever they are, is empowered to be productive whenever.

To further strengthen our Azure AD identities, we can use insights from identity-driven signal data to make informed access control decisions and then use those decisions to enforce access policies.

MFA works alongside Conditional Access to provide further granular control of access.

Conditional Access is based on an IF/THEN approach. This approach means that IF signal information collected from the sign-in process matches certain criteria, THEN decisions are made based on the information as to whether access will be allowed or blocked.

Conditional Access will also determine whether the user will be required to perform additional authentication methods or take other actions, such as resetting their password. This is represented in the following diagram:

Figure 1.29 – Conditional Access concept

Figure 1.29 – Conditional Access concept

The following are some common Conditional Access policies:

  • Require MFA for all users
  • Require MFA for Microsoft portals/services access
  • Require password reset for risky users
  • Block the use of legacy authentication protocols
  • Require hybrid-joined or compliant devices
  • Allow or deny from specific locations

This recipe will teach you how to implement Conditional Access policies in your environment’s AD tenancy. We will take you through enabling conditional access policies and configuring them to restrict user access to apps based on if a set of conditions have been met.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com.
  • You should sign into the Azure portal with an account with the Global Administrator role.
  • You will require Azure AD Premium licenses or trial licenses.
  • If you have Security Defaults enabled, you will automatically have MFA enabled for all users and administrators using the free benefits of Azure AD. Using one of the paid Azure AD Premium licenses provides additional capabilities such as the additional authentication methods of verification codes, text messages, or phone calls, as well as the following:
    • Azure AD Premium P1: This license includes Azure Conditional Access for MFA
    • Azure AD Premium P2: This license adds risk-based Conditional access to MFA

How to do it…

This recipe consists of the following task:

  • Configuring Conditional Access

Task – configuring Conditional Access

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory, click Security in the Manage section from the side menu, and then click Conditional Access in the Protect section.
  2. Click + New Policy from the top toolbar in the Conditional Access Policies blade:
Figure 1.30 – Conditional Access | Policies

Figure 1.30 – Conditional Access | Policies

  1. Select a Name for your policy from the New conditional access policy blade.
  2. From the Assignments section, select which users and groups this policy will apply to:
Figure 1.31 – User settings

Figure 1.31 – User settings

  1. From the Cloud apps or actions section, select whether this policy will apply to Cloud apps or Actions; we will select Cloud apps:
Figure 1.32 – Apps setting

Figure 1.32 – Apps setting

  1. From the Include tab, we will click Select apps, search for Azure Management, tick the check box next to Microsoft Azure Management app in the list, and click Select. Note the warning dialog box about not locking yourself out:
Figure 1.33 – App selection

Figure 1.33 – App selection

  1. Click the Conditions settings, set any required conditions, or leave it unconfigured:
Figure 1.34 – Conditions settings

Figure 1.34 – Conditions settings

  1. From Grant, under the Access controls section, click on 0 controls selected, set it to Grant access, tick Require multifactor authentication, and then click Select:
Figure 1.35 – Access settings

Figure 1.35 – Access settings

  1. In the Enable policy section, leave it set to Report-only, then click Create.
  2. Your policy will now appear in the policies list:
Figure 1.36 – Access policies list

Figure 1.36 – Access policies list

With that, you have configured Conditional Access. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we looked at how we can implement Conditional Access policies in addition to MFA to layer on an additional layer of defense while maintaining the users’ productivity needs.

We configured a Conditional Access policy to a set of selected users (or groups) that required MFA when they accessed the Azure portal; this was enabled by selecting the Microsoft Azure Management app.

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing the Azure AD Identity Protection service

We need solutions that provide remediation actions based on threat intelligence insights. Using policies, we can detect and respond to identity-based threats automatically; this allows us to react quicker and does not rely on human operator intervention.

This recipe will teach you how to implement Azure AD Identity Protection in your environment’s AD tenancy.

We will take you through setting up risk policies, MFA registration policies, investigation, reports, and how to remediate identified risks.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • You should sign in to the Azure portal with an account with the Global Administrator role
  • You will require Azure AD Premium licenses or trial licenses

How to do it…

This recipe consists of the following task:

  • Configuring Identity Protection

Task – configuring Identity Protection

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory, click Security in the Manage section from the side menu, and then click Identity Protection in the Protect section.
  2. From the Identity Protection blade, click User risk policy:
Figure 1.37 – User risk policy

Figure 1.37 – User risk policy

  1. From Assignments, click All users, review the available options, and select as required. You can set it to include or exclude.
  2. From User risk, select the risk level controls options to be enforced: High, Medium and above, or Low and above. Then, click Done.
  3. Click Block access from the Access section under Controls and select the controls to be enforced. You can set it to Block or Allow access and Require password change. Then, click Done:
Figure 1.38 – User risk policy settings screen

Figure 1.38 – User risk policy settings screen

  1. Select On under Enforce policy, and then click Save.
  2. Complete the same steps but this time for Sign-in risk policy:
Figure 1.39 – Sign-in risk policy settings screen

Figure 1.39 – Sign-in risk policy settings screen

With that, you have configured Identity Protection. This concludes the hands-on tasks for this recipe.

How it works…

This recipe looked at how to implement Azure AD Identity Protection.

A risk policy will monitor for identity risks, which, when detected, enforce remediation measures, which are the controls that have been set, such as blocking or allowing access and requiring a password change by the user.

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing Azure AD Privileged Identity Management

To protect your environment’s Azure AD tenancy and improve your security posture, you should implement a robust privileged identity protection strategy for roles and resources.

This recipe will teach you to implement Azure AD Privileged Identity Management (PIM) in your environment’s AD tenancy.

We will take you through configuring a user to be assigned a privileged access role in your Azure AD tenancy so that the user’s activity may be controlled.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • You should sign into the Azure portal with an account with the Global Administrator role
  • You will require Azure AD Premium licenses or trial licenses

How to do it…

This recipe consists of the following task:

  • Configuring Privileged Identity Management

Task – configuring Privileged Identity Management

Perform the following steps:

  1. From the Azure portal, search for Azure AD Privileged Identity Management and select access.
  2. From Azure AD Privileged Identity Management, select Azure Resources and click Discover resources:
Figure 1.40 – The Privileged Identity Management screen

Figure 1.40 – The Privileged Identity Management screen

  1. Select your Subscription from the Azure resources blade and click Manage resource from the top toolbar. Click OK on the pop-up screen, then close the Discovery page:
Figure 1.41 – The Azure resources blade

Figure 1.41 – The Azure resources blade

  1. Click the subscription listed on the Azure resources page; the Overview page will open. From the left menu, click Roles in the Manage section:
Figure 1.42 – Manage resources screen

Figure 1.42 – Manage resources screen

  1. From the Roles blade, click + Add assignments from the top toolbar.
  2. From the Select role drop-down menu, select a role you want to be controlled via PIM. In our example, we will select the Azure Arc Kubernetes Admin role:
Figure 1.43 – Select role

Figure 1.43 – Select role

  1. Click the No member selected under Select member(s) hyperlink and search and select a user from your Azure AD tenant to be assigned this role:
Figure 1.44 – Select member(s)*

Figure 1.44 – Select member(s)*

  1. Click Next >.
  2. Select eligible under assignment type from the setting tab and set the assignment start and end date/times properties. Then, click Assign.
  3. You will now see information from the Overview page regarding this new assignment:
Figure 1.45 – Assignments on the Overview page

Figure 1.45 – Assignments on the Overview page

  1. From Assignments, in the Manage section, you will see your assignment listed:
Figure 1.46 – Assignments

Figure 1.46 – Assignments

  1. You should receive an email notification regarding this assignment; you can update or remove this assignment and create an access review for ongoing governance:
Figure 1.47 – Assignment notification email

Figure 1.47 – Assignment notification email

With that, you have configured Privileged Identity Management. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we looked at how to configure Privileged Identity Management. We assigned a user the Azure Arc Kubernetes Admin role.

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Left arrow icon Right arrow icon

Key benefits

  • Dive into practical recipes for implementing security solutions for Microsoft Azure resources
  • Learn how to implement Microsoft Defender for Cloud and Microsoft Sentinel
  • Work with real-world examples of Azure Platform security capabilities to develop skills quickly

Description

With evolving threats, securing your cloud workloads and resources is of utmost importance. Azure Security Cookbook is your comprehensive guide to understanding specific problems related to Azure security and finding the solutions to these problems. This book starts by introducing you to recipes on securing and protecting Azure Active Directory (AD) identities. After learning how to secure and protect Azure networks, you’ll explore ways of securing Azure remote access and securing Azure virtual machines, Azure databases, and Azure storage. As you advance, you’ll also discover how to secure and protect Azure environments using the Azure Advisor recommendations engine and utilize the Microsoft Defender for Cloud and Microsoft Sentinel tools. Finally, you’ll be able to implement traffic analytics; visualize traffic; and identify cyber threats as well as suspicious and malicious activity. By the end of this Azure security book, you will have an arsenal of solutions that will help you secure your Azure workload and resources.

Who is this book for?

This book is for Azure security professionals, Azure cloud professionals, Azure architects, and security professionals looking to implement secure cloud services using Microsoft Defender for Cloud and other Azure security features. A solid understanding of fundamental security concepts and prior exposure to the Azure cloud will help you understand the key concepts covered in the book more effectively. This book is also beneficial for those aiming to take Microsoft certification exams with a security element or focus.

What you will learn

  • Find out how to implement Azure security features and tools
  • Understand how to provide actionable insights into security incidents
  • Gain confidence in securing Azure resources and operations
  • Shorten your time to value for applying learned skills in real-world cases
  • Follow best practices and choices based on informed decisions
  • Better prepare for Microsoft certification with a security element

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Mar 24, 2023
Length: 372 pages
Edition : 1st
Language : English
ISBN-13 : 9781804617960
Category :
Languages :
Concepts :
Tools :

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Mar 24, 2023
Length: 372 pages
Edition : 1st
Language : English
ISBN-13 : 9781804617960
Category :
Languages :
Concepts :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just Can$6 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just Can$6 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total Can$ 178.97
Mastering Microsoft 365 Defender
Can$63.99
Azure Security Cookbook
Can$50.99
Designing and Implementing Microsoft Azure Networking Solutions
Can$63.99
Total Can$ 178.97 Stars icon

Table of Contents

14 Chapters
Part 1: Azure Security Features Chevron down icon Chevron up icon
Chapter 1: Securing Azure AD Identities Chevron down icon Chevron up icon
Chapter 2: Securing Azure Networks Chevron down icon Chevron up icon
Chapter 3: Securing Remote Access Chevron down icon Chevron up icon
Chapter 4: Securing Virtual Machines Chevron down icon Chevron up icon
Chapter 5: Securing Azure SQL Databases Chevron down icon Chevron up icon
Chapter 6: Securing Azure Storage Chevron down icon Chevron up icon
Part 2: Azure Security Tools Chevron down icon Chevron up icon
Chapter 7: Using Advisor Chevron down icon Chevron up icon
Chapter 8: Using Microsoft Defender for Cloud Chevron down icon Chevron up icon
Chapter 9: Using Microsoft Sentinel Chevron down icon Chevron up icon
Chapter 10: Using Traffic Analytics Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.7
(21 Ratings)
5 star 85.7%
4 star 9.5%
3 star 0%
2 star 0%
1 star 4.8%
Filter icon Filter
Top Reviews

Filter reviews by




N/A Feb 21, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Pubblicazioni interessanti scritti con il giusto livello tecnico ma soprattutto chiaro.
Feefo Verified review Feefo
Dwayne Natwick May 23, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Another great book from Steve Miles. I had the opportunity to review his AZ-800 book a couple of weeks ago and it was amazing. I think that his Azure Security Cookbook is equally great! In this book, Steve has broken down the key areas of an Azure architecture and provided step-by-step guidance on how to secure the infrastructure. Sections on Identity, Networking, Endpoints, Storage, and Security tools provide helpful insights into good practices for cloud security. He adds in these guides terminology definitions and references for additional resources. Highly recommended for anyone that may be looking for where to start in securing an Azure infrastructure. Well done, Steve!
Amazon Verified review Amazon
CBR May 29, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Before you setup and operate Azure, you should read this book. Start by understanding how to secure Azure Active Directory and learn how to secure remote connectivity, VMs, databases, and storage. There are many other helpful topics including how to get the most out of Advisor. Check this one out!
Amazon Verified review Amazon
Tina Goodway Sep 07, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I found this book to be well formatted and easy to follow. Clearly directing you to the relevant places in the Azure portal. Steve is also very knowledgeable and has shared a lot of this in the book. Very useful for anyone looking at better securing their Azure infrastructure.
Amazon Verified review Amazon
Ryan Dec 12, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
The book is brilliantly structured, offering a series of "recipes" – concise, digestible content that guides readers through enhancing their Azure Security posture.Each section is well crafted, providing clear, step-by-step walkthroughs and valuable advice.The coverage of topics is comprehensive, and the chapters on Securing Azure AD Identities, Azure Networks, Remote Access, Virtual Machines, Azure SQL Databases, and Azure Storage are particularly insightful.Additionally, the inclusion of Advisor, Microsoft Defender for Cloud, and Microsoft Sentinel offers a high-level view into some of Azure's most powerful security tooling.The guidance is practical and easily applicable, making the 'Azure Security Cookbook' a must-read for anyone looking to strengthen their Azure Security framework.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.