Category: Azure


How to choose between authn methods:

https://docs.microsoft.com/en-us/azure/security/fundamentals/choose-ad-authn#comparing-methods

 

 

 

Staged rollout to cloud authentication:

This feature allows you to migrate from federated authentication to cloud authentication by using a staged approach.

Moving away from federated authentication has implications. For example, if you have any of the following:

  • an on-premises MFA server => you must move to Azure MFA first
  • smart cards used for authentication
  • other federation-only features

These features should be taken into consideration prior to switching to cloud authentication. Before trying this feature, we suggest you review our guide on choosing the right authentication method (linked above); see the comparison table there for more details.

Prerequisites:

  • You have an Azure AD tenant with federated domains.
  • You have decided to move to either Password Hash Sync + Seamless SSO (Option A) or Pass-through Authentication + Seamless SSO (Option B). Although Seamless SSO is optional, we recommend enabling it to achieve a silent sign-in experience for users on domain-joined machines inside the corporate network.
  • You have configured all the appropriate tenant branding and Conditional Access policies you need for users who are being migrated to cloud authentication.
  • If you plan to use Azure Multi-Factor Authentication, we recommend you use converged registration for Self-service Password Reset (SSPR) and Azure MFA so that your users register their authentication methods once.
  • To use this feature, you need to be Global Administrator on your tenant.

To enable Seamless SSO on a specific AD forest, you need to be Domain Administrator.

Articles:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Staged-rollout-to-cloud-authentication-now-in-public-preview/ba-p/827830

 

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout

Note:

  1. Removing the user from the group disables staged rollout for that user.
  2. If you wish to disable the staged rollout feature, set the feature back to the ‘OFF’ state.

 

 

Microsoft Office 365 roadmap:

For significant updates, Office customers are initially notified by the O365 roadmap: https://www.microsoft.com/en-us/microsoft-365/roadmap

As an update gets closer to rolling out, it is communicated through your Office 365 Message center.

Microsoft Azure roadmap:

https://azure.microsoft.com/en-us/updates/

Microsoft cloud platform:

https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security

Azure AD – APP registration concepts

App registration concepts:

The application registration in your tenant enables you and others to authenticate against your Azure Active Directory. Another option is to authenticate through an application secret. A default application registration on its own cannot do much more than validate that the user has valid login credentials.

Video:

https://www.linkedin.com/learning/microsoft-graph-for-developers/registering-your-application-in-azure-ad

Example:

Create Client Id and Client Secret for Azure Active Directory

https://docs.marketo.com/pages/releaseview.action?pageId=12983390

Articles:

https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios

https://www.re-mark-able.net/understanding-azure-active-directory-application-registrations/

https://dev.to/omiossec/azure-ad-app-registration-an-introduction-46gg

Content: the Microsoft Identity Platform (MIP) and Azure AD app registration. It offers developers a simple and secure way to provide sign-in to an app and/or access to other Azure resources such as the Graph API, SharePoint, … It can also protect in-house APIs, and it lets Ops manage assignments and rapidly grant or revoke permissions.

To do that you need to register the application in Azure Active Directory and use one of the authentication/authorization libraries provided by Microsoft.

The MIP uses the OAuth 2.0 and OpenID authorization flow model, which defines four actors in the authentication flow:

  • The user, the resource owner: he/she uses the application/web pages and gives permission
  • The application, acting as an OAuth client: it requests tokens and consumes resources on behalf of the user
  • The Microsoft Identity Platform, the authorization server: it issues tokens, grants or denies access to resources and verifies user and application claims
  • The user’s resources, on a resource server: the access point for the user’s data, generally based on the Graph API

OAuth 2.0 and OpenID are the two faces of the same coin. OpenID is used for authentication (AuthN) and OAuth 2.0 for authorization (AuthZ).

The process uses endpoints. You can get the information by using PowerShell and the Az module to query the OAuth 2.0/OpenID metadata document.

# Take the first tenant's Id; indexing the Id string directly would return its first character when only one tenant is returned
$TenantId = @(Get-AzTenant)[0].Id

$oAuth2TenantInformation = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$($TenantId)/v2.0/.well-known/openid-configuration" -Method Get

The $oAuth2TenantInformation object contains all the endpoints and information you need.

To get the authorization endpoint:

$oAuth2TenantInformation.authorization_endpoint

In the AuthN phase, the user is redirected to an endpoint in Azure (https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize, where <tenant> is the tenant ID for the current tenant only, common for any work or Microsoft account, consumers for Microsoft accounts only, and organizations for work accounts only).

The user enters his/her credentials, consents to the permissions and gets a token (ID_token) which is returned to the application (via the return URL). The application can verify the token to identify the user.

This is the basic authentication/authorization process with OpenID/OAuth 2.0.

Microsoft provides several libraries and frameworks to deal with the authorization/authentication process; see the Microsoft documentation linked above.

To be able to sign in and access resources, an application needs to be registered in Azure Active Directory. But before going further into application registration, there are a few other concepts to understand.

First, you need to determine who will use the application. There are several cases:

  • Restricted to one Azure AD tenant: this is the case for most in-house applications. The endpoint URIs contain the tenant ID.
  • Open to any Azure AD tenant: this is the case for multi-tenant applications. The endpoint URIs contain organizations.
  • Open to anyone, including other Azure AD tenants and Microsoft accounts: this is the case for public applications. The endpoint URIs contain common (or consumers if the application only accepts Microsoft accounts).

Another consideration is how the application works and behaves. This determines which client library to use and how permissions are consented to.

We need to look at how the application interacts with the user. Does the application interact directly with the user, or does it need to work without any user interaction?

In other words, for an application that reads the user's calendar, does it read it only when the user opens the application, or continuously in a background task on the server side?

In the same way, how is the application built: is it a front/back application, an API or a desktop application?

How do we register the application? As we have seen, we may need a URI and sometimes a certificate or a secret.

App registration can be done in the Azure Portal or by using PowerShell. For PowerShell, you will need the Az module. It works with Windows PowerShell 5.1 and PowerShell Core.

Install-Module -Name Az -Scope CurrentUser

Import-Module -Name Az

Login-AzAccount

$ApplicationName = "DemoDev-To"

$ApplicationUri = "https://DemoDev-To.azurewebsites.net"

# Several reply URLs (one per environment) can be passed as an array
$ApplicationReplyUri = @("https://DemoDev-To.azurewebsites.net/signin-oidc","https://localhost:44321/signin-oidc")

$AzureApplicationObject = New-AzADApplication -DisplayName $ApplicationName -IdentifierUris $ApplicationUri -ReplyUrls $ApplicationReplyUri -HomePage $ApplicationUri

The ApplicationName will be displayed in the Azure Portal and will later identify the application.

For the ReplyUrls parameter, I used an array and not a string. An application can have multiple environments (Dev/UAT/Prod) and respond on different URIs.

The $AzureApplicationObject contains the configuration result. You will get two important IDs, ObjectId and ApplicationId. Both will be needed to configure the client library.

HomePage is not required, but it helps to identify the application later in the Portal.

Now let’s try to create a secret-based application registration.

$ApplicationName = "DemoDev-To-Key"

$ApplicationUri = "https://DemoDev-To-Key.azurewebsites.net"

$ApplicationReplyUri = @("https://DemoDev-To-Key.azurewebsites.net/signin-oidc","https://localhost:44321/signin-oidc")

$AzureApplicationObject = New-AzADApplication -DisplayName $ApplicationName -IdentifierUris $ApplicationUri -ReplyUrls $ApplicationReplyUri -HomePage $ApplicationUri

# Demo value only: a production secret should be randomly generated and kept in a secret store, never typed or committed
$AppPlainTextPassWord = "SomethingYouCanType"

$SecureStringPassword = ConvertTo-SecureString -String $AppPlainTextPassWord -AsPlainText -Force

$StartDate = Get-Date

$EndDate = $StartDate.AddYears(2)

# Attach the secret to the application object, then create the service principal the application signs in as
New-AzADAppCredential -ObjectId $AzureApplicationObject.ObjectId -Password $SecureStringPassword -StartDate $StartDate -EndDate $EndDate

Get-AzADApplication -ObjectId $AzureApplicationObject.ObjectId | New-AzADServicePrincipal -StartDate $StartDate -EndDate $EndDate

The application is now created in Azure AD; you can now start assigning users.
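As an added example (not from the original article), assuming the same Az.Resources version as the article's cmdlets (New-AzADAppCredential with -Password) and an existing registration in $AzureApplicationObject, this replaces the typed secret with a randomly generated one on a one-year lifetime and then audits every credential on the registration with Get-AzADAppCredential. New-RandomClientSecret, Get-AppCredentialReport and the $MaxLifetimeDays/$WarnDays thresholds are hypothetical names.

```powershell
# Added example (not from the original article). Assumes the same Az.Resources
# version as the article (New-AzADAppCredential -Password) and an existing
# registration in $AzureApplicationObject created as shown above.
function New-RandomClientSecret {
    # 32 bytes from the platform CSPRNG, base64-encoded, instead of a typed phrase
    param([int]$ByteLength = 32)
    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes); $rng.Dispose()
    return [Convert]::ToBase64String($bytes)
}

function Get-AppCredentialReport {
    # Hypothetical helper: one row per credential on the registration, flagging
    # expired, soon-expiring and over-long secrets/certificates.
    param(
        [Parameter(Mandatory)][string]$ObjectId,
        [int]$MaxLifetimeDays = 365,   # policy threshold, flag anything longer
        [int]$WarnDays = 30            # flag credentials expiring inside this window
    )
    $now = Get-Date
    foreach ($cred in @(Get-AzADAppCredential -ObjectId $ObjectId)) {
        # Older Az.Resources exposes StartDate/EndDate; the Graph-based versions
        # expose StartDateTime/EndDateTime, so read whichever is present.
        if ($cred.PSObject.Properties['EndDateTime']) {
            $start = [datetime]$cred.StartDateTime; $end = [datetime]$cred.EndDateTime
        } else {
            $start = [datetime]$cred.StartDate; $end = [datetime]$cred.EndDate
        }
        $lifetime = ($end - $start).TotalDays
        [pscustomobject]@{
            KeyId        = $cred.KeyId
            EndDate      = $end
            LifetimeDays = [math]::Round($lifetime)
            Expired      = $end -lt $now
            ExpiresSoon  = ($end -ge $now) -and ($end -lt $now.AddDays($WarnDays))
            TooLong      = $lifetime -gt $MaxLifetimeDays
        }
    }
}

# One-year secret; hand $PlainSecret to the app's config store (e.g. Key Vault), it is not printed here
$PlainSecret  = New-RandomClientSecret
$SecureSecret = ConvertTo-SecureString -String $PlainSecret -AsPlainText -Force
$StartDate    = Get-Date
New-AzADAppCredential -ObjectId $AzureApplicationObject.ObjectId -Password $SecureSecret -StartDate $StartDate -EndDate $StartDate.AddYears(1)

# Review all credentials: the article's two-year secret on this app shows TooLong = True
Get-AppCredentialReport -ObjectId $AzureApplicationObject.ObjectId | Format-Table -AutoSize
```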

Graph explorer: 

https://developer.microsoft.com/en-us/graph/graph-explorer

https://graphexplorer.azurewebsites.net/

News from ignite 2019:

https://developer.microsoft.com/en-us/office/blogs/ignite-2019-microsoft-graph-news/

 

Resources for MS graph API:

https://docs.microsoft.com/en-us/graph/security-concept-overview

https://github.com/microsoftgraph/security-api-solutions/tree/master/Samples/PowerShell

https://www.petri.com/exploring-office-365-graph-explorer

 

How to access Azure AD using Microsoft GRAPH:

https://www.bing.com/videos/search?q=how+to+access+azure+AD+using+microsoft+graph&qpvt=how+to+access+azure+AD+using+microsoft+graph&FORM=VDRE

Previous:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api-quickstart

 

New MS graph API add-on for splunk:

https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Introducing-the-new-Microsoft-Graph-Security-API-add-on-for/ba-p/815972

 

 

 

https://adsecurity.org/wp-content/uploads/2019/08/2019-BlackHat-US-Metcalf-Morowczynski-AttackingAndDefendingTheMicrosoftCloud.pdf

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-logs-overview

 

By default, the activity log events are stored for 90 days. You have to archive the logs to a storage account if you want to keep them longer than 90 days.

 

 


 

 

Introduction:

https://docs.microsoft.com/en-us/azure/automation/automation-intro

How to:

Getting Around the Basics of Azure Automation for Office 365

 

Automation runbook gallery:

https://docs.microsoft.com/en-us/azure/automation/automation-runbook-gallery

 

Redirect Azure Automation output to a file (or blob container, in Azure terminology)?

https://docs.microsoft.com/en-us/azure/automation/automation-runbook-output-and-messages

https://social.msdn.microsoft.com/Forums/en-US/8ac6068f-5bb6-49e2-b63c-8852ef6b6bb1/azure-runbook-output-to-blob-container

 

Process automation for Intune and AzureAD:

Process automation for Intune and Azure AD with Azure Automation

 

 

Here are resources about Azure and Office365,

let me summarize:

Office 365 is an offering of Microsoft services and hosted applications (SaaS): in short, you pay for a service (SharePoint, Exchange, Office…) and you don’t manage the infrastructure behind it (CPU, RAM, storage, security).

Azure is a cloud offering (private/public), PaaS/IaaS: compared to Office 365, Microsoft provides just the plumbing (Hyper-V, storage, CPU, RAM, network) and you manage the applications, the operating system, the security and the patches; in short, “it is like Lego or Meccano!”, and with Azure you can mix your on-premises IT infrastructure with Azure in the cloud (and vice versa).

Web resources for Azure:

Domains FAQ: https://docs.microsoft.com/en-us/office365/admin/setup/domains-faq

Domain take over: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover

Azure tips and tricks: https://azure.microsoft.com/en-us/blog/azure-tips-and-tricks-become-more-productive-with-azure/

Azure subscription and naming convention: https://blogs.technet.microsoft.com/dsilva/2017/11/10/azure-subscription-governance-resource-group-and-naming-convention-strategies/

Azure RBAC: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

Manage VM: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/

Main: http://www.windowsazure.com

Azure cost calculator: https://azure.microsoft.com/en-us/pricing/calculator/?scenario=full

White papers: http://aka.ms/livresblancs

Azure health status: https://status.azure.com/en-us/status

Choose the right authentication method: https://docs.microsoft.com/en-us/azure/security/fundamentals/choose-ad-authn

AzureAD connect: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

Other resources:

To go deeper: https://docs.microsoft.com/en-us/azure/

Forum: https://azure.microsoft.com/en-us/support/community/

Seyf’s blog: https://seyfallah-it.blogspot.com/

Web resources for Office 365:

Office 365 for business get started: https://support.office.com/en-us/article/Get-started-with-Office-365-for-business-d6466f0d-5d13-464a-adcb-00906ae87029

Roadmap: https://products.office.com/en-us/business/office-365-roadmap

Fasttrack: http://fasttrack.microsoft.com/office/drive-value/engage

Productivity library (scenarios): http://fasttrack.microsoft.com/office/envision/productivitylibrary

Technical decks: https://channel9.msdn.com/Events/Ignite/2016?sort=status&direction=desc&r%5B0%5D=Office%20365&page=2

Technical references: https://technet.microsoft.com/en-us/library/office-365-service-descriptions.aspx

Videos: https://www.youtube.com/user/OfficeGarageSeries

eLearning: https://mooc.office365-training.com/en/

‘In the Cloud’: http://blogs.technet.com/b/in_the_cloud/

Office blog: http://blogs.office.com/    and   http://office.microsoft.com/en-us/

Intune blog: http://blogs.technet.com/b/microsoftintune/
