Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Azure Security Cookbook

You're reading from   Azure Security Cookbook Practical recipes for securing Azure resources and operations

Arrow left icon
Product type Paperback
Published in Mar 2023
Publisher Packt
ISBN-13 9781804617960
Length 372 pages
Edition 1st Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Steve Miles Steve Miles
Author Profile Icon Steve Miles
Steve Miles
Arrow right icon
View More author details
Toc

Table of Contents (15) Chapters Close

Preface 1. Part 1: Azure Security Features
2. Chapter 1: Securing Azure AD Identities FREE CHAPTER 3. Chapter 2: Securing Azure Networks 4. Chapter 3: Securing Remote Access 5. Chapter 4: Securing Virtual Machines 6. Chapter 5: Securing Azure SQL Databases 7. Chapter 6: Securing Azure Storage 8. Part 2: Azure Security Tools
9. Chapter 7: Using Advisor 10. Chapter 8: Using Microsoft Defender for Cloud 11. Chapter 9: Using Microsoft Sentinel 12. Chapter 10: Using Traffic Analytics 13. Index 14. Other Books You May Enjoy

Introduction to Azure Identity Services

Before we look at any recipes, we will first introduce some concepts surrounding Microsoft Identity services. This will assist us in establishing a foundation of knowledge to build upon. We will start by looking at Active Directory (AD).

What is AD?

AD provides Identity and Access Management (IAM) and Information Protection services for traditional Windows Server environments. It was first included with Windows Server 2000 as an installable service.

AD provides different services in its portfolio and is used as a generic and umbrella term in many cases.

These individual services in Azure AD include the following:

  • AD Domain Services (AD DS)
  • AD Federation Services (AD FS)
  • AD Certificate Services
  • AD Rights Management Services

In this next section, we will introduce Azure AD and look at its relationship with AD, a similar name but with different functions, capabilities, and use cases.

When is AD not AD? When it is Azure AD!

Before we go any further, we should clear one thing up: there is a common misconception that Azure AD must just be a cloud-based Software-as-a-Service (SaaS) version, but it is not!

It is easy enough why people (wrongly) think this may be the case; after all, Exchange Online and SharePoint Online are indeed exactly that, SaaS versions of their traditional infrastructure deployed platforms; if only it were that simple, though.

In many ways, Azure AD is like AD on the surface; they are both Identity Providers (IDPs) and provide IAM controls. Still, at the same time, they function differently and don’t yet provide a complete parity of capabilities, although quite close.

It is worth noting that Azure AD is constantly evolving to meet the requirements and demands of authentication and authorization of workloads and services to bring capabilities in line with those available in AD, such as Kerberos realms within Azure AD.

At the time of publishing this book, you cannot use Azure AD to 100% replace the provided capabilities of AD.

Depending on the scenario, it may be the case that your environments will never be 100% cloud-based for identity services. You may remain with Hybrid identity services – that is, both AD and Azure AD coexist in a connected and synchronized state.

What is Azure AD?

Azure AD is a SaaS identity management solution that is fully managed and provides functions such as an IDP and IAM for managing and securing access to resources based on Role-Based Access Control (RBAC).

As Azure AD is provided as a fully managed service, there is no installable component such as Windows Servers and Domain Controllers (DC); zero infrastructure needs to be deployed by you.

The primary cloud authentication protocol used by Azure AD is based around using OpenID, OAuth, and Graph, whereas AD uses Kerberos and NTLM.

What is Hybrid Identity?

The hybrid identity approach allows you to synchronize objects, such as user objects and their passwords, between AD and Azure AD directories.

The main driver for hybrid identity within an organization is legacy AD-integrated applications that do not support cloud identity authentication protocols.

This capability provides users access to AD authenticated, and Azure AD authenticated using a single Common Identity and password.

The password synced to Azure AD is a hash of the stored hashed password; passwords are never stored in Azure AD, only the password hash. This capability is referred to as same sign-on, meaning you will be prompted each time to enter the same credentials when you wish to authenticate to resources.

This capability should not be confused with single sign-on (SSO), which does not prompt you again when accessing resources. The following diagram shows the relationship between AD and Azure AD:

Figure 1.1 – AD and Azure as a relationship

Figure 1.1 – AD and Azure as a relationship

Azure AD Connect is a free downloadable tool that synchronizes objects between AD and Azure AD’s IDP directories; this establishes hybrid identities. Azure AD Connect provides additional functionality and capabilities and allows for Self-Service Password Reset (SSPR) through additional configuration.

You can continue learning more, should you wish, about hybrid identities and Azure AD Connect, by going to https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect.

You have been reading a chapter from
Azure Security Cookbook
Published in: Mar 2023
Publisher: Packt
ISBN-13: 9781804617960
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime