
Azure Security Cookbook: Practical recipes for securing Azure resources and operations

Securing Azure AD Identities

Azure Active Directory (Azure AD) is a multi-tenant cloud-based identity and access management solution that is part of Microsoft’s Entra Identity platform product family.

You can read more about Entra and its integrated hybrid and multi-cloud identity and access solutions family at the following Microsoft site: https://www.microsoft.com/en-us/security/business/microsoft-entra.

In this chapter, you will learn how to secure and protect Azure AD identities.

We will break down this chapter into sections that cover how you can review your environments, including security posture, tenant-level identity and access management, password management and protection, security defaults, multi-factor authentication, and Conditional Access. We will then look at implementing Identity Protection and Identity Management services.

By the end of this chapter, you will have covered the following recipes to create secure Azure AD identities:

  • Reviewing Azure AD Identity Secure Score
  • Implementing Azure AD tenant Identity and Access Management
  • Implementing Azure AD Password Protection
  • Implementing Self-Service Password Reset
  • Implementing Azure AD security defaults
  • Implementing Azure AD multi-factor authentication
  • Implementing Conditional Access policies
  • Implementing Azure AD Identity Protection
  • Implementing Azure AD Privileged Identity Management

Introduction to Azure Identity Services

Before we look at any recipes, we will first introduce some concepts surrounding Microsoft Identity services. This will assist us in establishing a foundation of knowledge to build upon. We will start by looking at Active Directory (AD).

What is AD?

AD provides Identity and Access Management (IAM) and Information Protection services for traditional Windows Server environments. It was first included with Windows Server 2000 as an installable service.

AD provides different services in its portfolio and is used as a generic and umbrella term in many cases.

These individual services in AD include the following:

  • AD Domain Services (AD DS)
  • AD Federation Services (AD FS)
  • AD Certificate Services
  • AD Rights Management Services

In the next section, we will introduce Azure AD and look at its relationship with AD; the names are similar, but the functions, capabilities, and use cases differ.

When is AD not AD? When it is Azure AD!

Before we go any further, we should clear one thing up: there is a common misconception that Azure AD must just be a cloud-based Software-as-a-Service (SaaS) version of AD, but it is not!

It is easy enough to see why people (wrongly) think this may be the case; after all, Exchange Online and SharePoint Online are indeed exactly that: SaaS versions of their traditional, infrastructure-deployed platforms. If only it were that simple, though.

In many ways, Azure AD is like AD on the surface; they are both Identity Providers (IDPs) and provide IAM controls. Still, at the same time, they function differently and don’t yet provide a complete parity of capabilities, although quite close.

It is worth noting that Azure AD is constantly evolving to meet the requirements and demands of authentication and authorization of workloads and services to bring capabilities in line with those available in AD, such as Kerberos realms within Azure AD.

At the time of publishing this book, you cannot use Azure AD to 100% replace the provided capabilities of AD.

Depending on the scenario, it may be the case that your environments will never be 100% cloud-based for identity services. You may remain with Hybrid identity services – that is, both AD and Azure AD coexist in a connected and synchronized state.

What is Azure AD?

Azure AD is a SaaS identity management solution that is fully managed and provides functions such as an IDP and IAM for managing and securing access to resources based on Role-Based Access Control (RBAC).

As Azure AD is provided as a fully managed service, there is no installable component such as Windows Servers and Domain Controllers (DC); zero infrastructure needs to be deployed by you.

The primary cloud authentication protocols used by Azure AD are based around OpenID, OAuth, and Graph, whereas AD uses Kerberos and NTLM.

What is Hybrid Identity?

The hybrid identity approach allows you to synchronize objects, such as user objects and their passwords, between AD and Azure AD directories.

The main driver for hybrid identity within an organization is legacy AD-integrated applications that do not support cloud identity authentication protocols.

This capability gives users access to both AD-authenticated and Azure AD-authenticated resources using a single common identity and password.

The password synced to Azure AD is a hash of the stored hashed password; passwords are never stored in Azure AD, only the password hash. This capability is referred to as same sign-on, meaning you will be prompted each time to enter the same credentials when you wish to authenticate to resources.

This capability should not be confused with single sign-on (SSO), which does not prompt you again when accessing resources. The following diagram shows the relationship between AD and Azure AD:

Figure 1.1 – AD and Azure as a relationship


Azure AD Connect is a free downloadable tool that synchronizes objects between AD and Azure AD’s IDP directories; this establishes hybrid identities. Azure AD Connect provides additional functionality and capabilities and allows for Self-Service Password Reset (SSPR) through additional configuration.

You can continue learning more, should you wish, about hybrid identities and Azure AD Connect, by going to https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect.

Technical requirements

For this chapter, the following are required for the recipes:

  • A machine with a modern browser such as Edge or Chrome and internet access; this machine can be a client or server operating system. We will use a Windows 10 Microsoft Surface laptop with a Chrome browser for the recipe examples.
  • An Azure AD tenancy; you may use an existing one or sign up for free: https://azure.microsoft.com/en-us/free.
  • Access to the Global Administrator role for the tenancy.
  • Some cloud-only test user accounts created as part of the Azure AD tenancy.
  • You will require Azure AD Premium licenses or trial licenses. The following steps will guide you on activating a free trial if you do not already have a license:
    1. From the Azure portal, go to Azure AD | Licenses | All products, then click Try/Buy from the top toolbar.
    2. Select the AZURE AD PREMIUM P2 free trial and click Activate:
Figure 1.2 – Azure AD Premium P2 free trial activation


Reviewing Azure AD Identity Secure Score

Azure AD Identity Secure Score enables you to make informed decisions to protect your Azure AD tenancy.

This recipe will teach you how to monitor and improve your Azure AD Identity Secure Score.

We will take you through reviewing the Azure AD Identity Secure Score dashboard for your Azure AD tenancy environments and look at the actionable insights available to improve your secure score and security posture.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • You should sign into the Azure portal with an account with the Global Administrator role

How to do it…

This recipe consists of the following tasks:

  • Reviewing Identity Secure Score
  • Updating the improvement actions status

Task – Reviewing Identity Secure Score

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory | Security | Identity Secure Score.

Alternatively, in the search bar, type azure ad identity secure score; click on Azure AD Identity Secure Score from the list of services shown.

  2. You will now see the Identity Secure Score blade.
  3. The top section of the Identity Secure Score screen represents your identity security posture:
Figure 1.3 – Secure Score screen

This area of the screen shows three aspects to review:

  • Secure Score for Identity is a percentage of your alignment with Microsoft’s best practice security recommendations
  • Comparison is your security posture management compared to other tenants of a similar size
  • Score history is a trend graph over time
  4. The lower section of the Identity Secure Score screen provides a list of recommended and possible security Improvement actions.

Each recommended improvement action has a Score Impact, User Impact, Implementation Cost, Max Score possible, and Current Score:

Figure 1.4 – The Improvement actions screen


  5. Click Download; you can access the improvement actions in a CSV file:
Figure 1.5 – Improvement actions download

  6. By clicking on an Improvement action, you can see further information:
Figure 1.6 – Improvement actions information

With that, you have reviewed Identity Secure Score. In the next task, we will update the status of improvement actions.

Task – Updating the improvement actions status

Perform the following steps:

  1. Select an Improvement action and click to open it.
  2. From the Improvement action screen, on the STATUS section, select the status you wish to update the action to and then click Save:
Figure 1.7 – Improvement actions status options


With that, you have updated the status of improvement actions. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we reviewed the information presented in the Azure AD identities Secure Score and took action from available insights.

  • The Azure AD Identity Secure Score overlaps with the identity score used for the Microsoft secure score, which means the recommendations will be the same.
  • The Azure AD Identity Secure Score provides a value of between 1% and 100%, representing how well your Azure AD tenancy is secured based on Microsoft’s best practices and recommendations.

You can also see actionable improvement insights on how your score can be improved and each improvement’s impact on the secure score.

The dashboard and a score history timeline show a comparison of your environment’s Azure AD tenancy to a tenancy of the same size and industry average.

Your environment’s Azure AD tenancy identity settings are compared with best practice recommendations once a day (approx 1:00 A.M. PST); changes made to an improvement action may not be reflected in the score for up to 48 hours.

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing Azure AD tenant Identity and Access Management

Account compromise is one of the biggest threat vectors to protect against, and those with privileged access roles will be the focus of attacks. There are often too many users assigned privileged accounts, with more access than is required for a user to carry out their role. There is often insufficient RBAC in place, and the principle of least privilege should be adopted for these privileged administrator roles.

While we need to limit the number of user accounts that have the Global Administrator role, there should also not be a single point of compromise for the Global Administrator role. Having more than one account with the Global Administrator role is important. It is crucial to have an emergency account in case of a breach or a Conditional Access lockout of an account assigned the Global Administrator role. Global Administrator role accounts can use a buddy system to monitor each other’s accounts for signs of a breach.

This recipe will teach you to ensure that users are assigned only the least privileges required for their role and that you have a minimum of two accounts assigned the Global Administrator role.

We will take you through the steps to implement these tasks.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • You should sign in with an account that has the Global Administrator role

How to do it…

This recipe consists of the following tasks:

  • Implementing least privileged administrative roles
  • Designating more than one Global Administrator

Task – implementing least privileged administrative roles

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory | Roles and administrators.
  2. From the All roles section, select the Global administrator role:

Figure 1.8 – Azure AD Roles and Administrators screen


  3. From the Assignments section, identify only the accounts required to have the Global Administrator role; ensure you have at least two and no more than five accounts with the Global Administrator role.

For users who no longer require the Global Administrator role, select the user and then click Remove assignments from the top toolbar:

Figure 1.9 – The Remove assignments screen


  4. From Azure Active Directory | Roles and administrators | All roles | Global administrator, we can now see that the user has been removed from the Global Administrator role:
Figure 1.10 – Global Administrator Assignments screen

  5. To reassign least privileged admin users to roles required to complete their tasks, navigate to Azure Active Directory | Users. Select and click the users to assign roles.
  6. From the User blade for the user selected to assign a directory role, go to Assigned roles from the Manage section and click Add assignments:
Figure 1.11 – The Assigned roles screen

  7. From the Directory roles pop-up screen, locate the directory role you wish to assign from the list of all available roles; select the directory role to assign and click Add:
Figure 1.12 – The Directory roles assignment screen

  8. Your user will now have the required least privileged admin role assigned and no longer have the highly privileged Global Administrator role:
Figure 1.13 – User administrator | Assignments

With that, you have learned how to use least privileged roles. In the next task, we will designate more than one Global Administrator for the tenancy.

Task – designating more than one Global Administrator

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory | Roles and administrators | All roles | Global Administrator.
  2. From the Assignments blade, click Add assignments and locate the user(s) to add to the Global Administrators role:
Figure 1.14 – Global administrator – the Add assignments screen


  3. Select the user, and then click Add:
Figure 1.15 – Global administrator – The Add assignments screen

  4. You will now see that the user(s) have been assigned the Global Administrator role:
Figure 1.16 – Global administrator | Assignments

With that, you have designated more than one Global Administrator. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we looked at limiting the number of users with the Global Administrator role and ensuring that users were assigned only the least privileges required for their role. In our example, we removed the Global Administrator role from a user and reassigned them to the User Administrator role, which provided the least privileges required for their tasks.

We then ensured you had a minimum of two accounts assigned the Global Administrator role by adding a user to this role. The Microsoft recommendation is for a minimum of two users and no more than five for this role.

There’s more…

Azure AD user accounts with the highest privileged role of Global Administrator will be the primary goal for compromise by bad actors. This is because this role has access to every administrative setting in your environment’s Azure AD tenancy at the read and modify permission level.

Microsoft recommends that you assign user accounts with less privileged roles. This limits the user’s scope of permissions through RBAC to only be able to do what a user needs to do for their job function.

The following are some of the many roles that can be considered to reduce the use of the Global Administrator role but still have enough access for a user to be able to perform their duties:

  • Application Administrator
  • Authentication Administrator
  • Azure DevOps Administrator
  • Azure Information Protection Administrator
  • Billing Administrator
  • Compliance Administrator
  • Conditional Access Administrator
  • Directory Readers
  • Exchange Administrator
  • SharePoint Administrator
  • Privileged Role Administrator
  • Security Administrator
  • User Administrator

Should you require further information on least privileged roles, you can refer to the following Microsoft Learn articles:

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing Azure AD Password Protection

Users often make poor choices when creating passwords, making them easy targets and victims of dictionary-based attacks.

This recipe will teach you how to implement Azure AD password protection in your environment’s Azure AD tenancy. We will take you through customizing your smart lockout threshold and creating a global and custom banned password list.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • You should sign in with an account that has the Global Administrator role
  • We will use Azure AD Premium licenses for this and future recipes

How to do it…

This recipe consists of the following task:

  • Configuring password protection

Task – configuring password protection

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory and then click Security under the Manage section from the side menu.
  2. Select Authentication Methods under the Manage section from the side menu.
  3. Select Password protection under the Manage section from the side menu.
  4. From the Custom smart lockout section, set the Lockout threshold and Lockout duration in seconds properties as required; review the information in the tooltips by clicking on the i symbol:
Figure 1.17 – Azure AD Premium P2 free trial activation


  5. From the Custom banned password section, select Yes, enter strings that are to be banned, and click Save; review the information in the tooltips by clicking on the i symbol. It can take several hours to apply the banned password list:
Figure 1.18 – Azure AD Premium P2 free trial activation

With that, you have configured password protection. This concludes the hands-on tasks for this recipe.

How it works…

You only need to add key terms such as password or contoso and the algorithm will automatically consider and block all variants of common character substitutions, such as Pa$sw0rd1! or C@ntos0!.

The banned password list may have a maximum of 1,000 key terms. Each term string must be between 4 and 16 characters long, and terms are case-sensitive.

This recipe looked at customizing your smart lockout threshold to protect against brute-force attack methods. We also looked at creating a global and custom banned password list to protect against dictionary and password spray attacks and enforce the use of strong passwords.

Both of these measures, when implemented, can offer significant protection for your environment’s Azure AD tenancy.

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing a Self-Service Password Reset

Users will sometimes forget their passwords; to avoid the need for intervention by an Azure AD administrator, a self-service password reset (SSPR) can be implemented. This allows users to click on the Can’t access your account? link on the sign-in page for the portal or Microsoft Cloud service they are trying to access.

This recipe will teach you how to implement SSPR in your environment’s Azure AD tenancy. We will take you through enabling SSPR for a selected scope and review the available settings, then carry out a user registration for SSPR and test its operation to confirm the function is working.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • You should sign in with an account that has the Global Administrator role
  • Optionally, pre-create an Azure AD Security group called SSPR-Test-Group and add members to test with

How to do it…

This recipe consists of the following task:

  • Configuring Self-Service Password Reset

Task – configuring Self-Service Password Reset

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory and then click Password under the Manage section from the side menu.
  2. From Properties, under the Manage section from the side menu, choose Selected under Self-service password reset enabled; review the information in the tooltips on this page by clicking on the i symbol:
Figure 1.19 – Password reset | Properties


  3. Click on the No groups Selected hyperlink and then browse and select the group to enable SSPR. Then, click Save:
Figure 1.20 – Password reset selected groups

  4. From Authentication methods, under the Manage section from the side menu, select as required the Number of methods required to reset setting.
  5. Then, select as required the Methods available to users setting:
Figure 1.21 – Authentication methods

  6. From Registration, under the Manage section from the side menu, select Yes for Require users to register when signing in?.
  7. Select the Number of days before users are asked to re-confirm their authentication information setting as required.
  8. From Notifications, under the Manage section from the side menu, select Notify users on password resets? as required.
  9. From Notifications, under the Manage section from the side menu, select the Notify users on password resets? and Notify all admins when other admins reset their password? settings as required.
  10. From Customization, under the Manage section from the side menu, select the Customize helpdesk link? and Custom helpdesk email or URL settings as required.
  11. Review the settings configured from Administrator Policy in the Manage section from the side menu.

With that, you have configured SSPR. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we looked at how we can implement SSPR when users forget their password for a portal or Microsoft Cloud service they are trying to access.

This prevents intervention from an Azure AD administrator, which reduces the burden on these roles and also protects against loss of productivity.

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing Azure AD security defaults

The perimeter vanishes with the rise in hybrid working and a remote workforce on unsecured devices outside of secure corporate networks. Now, it is commonplace to be targeted by identity-related attacks such as password spray and phishing. However, with basic security adoption, such as blocking legacy authentication and enabling multi-factor authentication (MFA), 99.9% of these identity-related attacks can be stopped. Even so, we must balance security with productivity.

Because security can require skills and money, Microsoft is providing no-cost preconfigured secure settings by default to provide a basic level of security for everybody.

This recipe will teach you how to implement the Azure AD security defaults in your environment’s Azure AD tenancy.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • You should sign into the Azure portal with an account with the Global Administrator, Security Administrator, or Conditional Access Administrator role

How to do it…

This recipe consists of the following task:

  • Enabling security defaults

Task – enabling security defaults

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory and click Properties in the Manage section from the side menu.
  2. Then, click the Manage Security Defaults hyperlink, select Yes under Enable security defaults, and click Save:
Figure 1.22 – The Enable security defaults screen


With that, you have enabled security defaults. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we looked at enabling security defaults in your environment’s Azure AD tenancy.

The security defaults are Microsoft-recommended security mechanisms with preconfigured security settings that, once enabled, are automatically enforced in your tenant to protect against the most common identity-based attacks.

The following are the enforced settings:

  • Azure MFA for all users and administrators
  • Blocking of legacy authentication protocols
  • Protection of privileged access activities, such as Azure portal access

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing Azure AD multi-factor authentication

More than ever, we must adopt a zero-trust strategy in the perimeter-less world of cloud services and hybrid working. This means that we must assume breach and never trust, always verify.

Azure AD MFA provides an additional layer of defense; we never trust a single authentication method and must assume that the traditional password method has been compromised. Microsoft studies show that when you implement MFA, your accounts are more than 99.9% less likely to be compromised.

This recipe will teach you how to implement Azure AD MFA in your environment’s Azure AD tenancy.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com.
  • You should sign into the Azure portal with an account with the Global Administrator role.
  • You will require Azure AD Premium licenses or trial licenses.
  • If you have Security Defaults enabled, you will automatically have MFA enabled for all users and administrators using the free benefits of Azure AD. Using one of the paid Azure AD Premium licenses provides additional capabilities, such as the additional authentication methods of verification codes, text messages, or phone calls, as well as the following:
    • Azure AD Premium P1: This license includes Azure Conditional Access for MFA
    • Azure AD Premium P2: This license adds risk-based Conditional access to MFA through Information Protection

How to do it…

This recipe consists of the following task:

  • Configuring MFA

Task – configuring MFA

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory, click Security in the Manage section from the side menu, and then click Multifactor authentication.
  2. From the Multifactor authentication | Getting started blade, click the Additional cloud-based multifactor authentication settings hyperlink under the Configure section heading:
Figure 1.23 – Multifactor authentication | Getting started


  3. Two tabs are available from the new multi-factor authentication page that opens; select the users tab and then select the users to enable for MFA:
Figure 1.24 – MFA configuration screen

  4. From the user pane on the right, click on the Manage user settings hyperlink in the quick steps section:
Figure 1.25 – MFA selected user pane

  5. On the Manage user settings pop-up screen, select any of the three options as required and then select save:
Figure 1.26 – Manage user settings pop-up screen

  6. Click Enable on the user pane screen from Step 4 of this recipe. From the About enabling multi-factor auth pop-up screen that appears, read the provided links, click enable multi-factor auth, and click close on the Updates successful screen.
  7. To disable a user for MFA, select the user from the user pane, click Disable in the quick steps section, select Yes on the pop-up screen, and click Close:
Figure 1.27 – Disabling MFA for a user

  8. You may bulk update enabling users for MFA by selecting the bulk update button and uploading a CSV file; a template file will be provided that you can download.
  9. Once the user tab configuration is complete, select the service settings tab in the multi-factor authentication browser window:
Figure 1.28 – The service settings tab’s settings

  10. From the service settings screen, set the required options and click save. Note the verification options section.

With that, you have configured MFA. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we looked at how to enable Azure AD MFA in our environment’s Azure AD tenancy to provide an additional layer of security when users sign in, protecting their identity from compromise.

Azure AD MFA requires us to provide one or more additional factors as a method to authenticate in addition to the password factor.

We can use the following authentication factors:

  • Something we know (password)
  • Something we own (device)
  • Something we are (biometrics)

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing Conditional Access policies

There must be a balance between protecting an organization’s resources and ensuring every user, wherever they are, is empowered to be productive at any time.

To further strengthen our Azure AD identities, we can use insights from identity-driven signal data to make informed access control decisions and then use those decisions to enforce access policies.

MFA works alongside Conditional Access to provide further granular control of access.

Conditional Access is based on an IF/THEN approach. This approach means that IF signal information collected from the sign-in process matches certain criteria, THEN decisions are made based on the information as to whether access will be allowed or blocked.

Conditional Access will also determine whether the user will be required to perform additional authentication methods or take other actions, such as resetting their password. This is represented in the following diagram:

Figure 1.29 – Conditional Access concept

The following are some common Conditional Access policies:

  • Require MFA for all users
  • Require MFA for Microsoft portals/services access
  • Require password reset for risky users
  • Block the use of legacy authentication protocols
  • Require hybrid-joined or compliant devices
  • Allow or deny from specific locations

This recipe will teach you how to implement Conditional Access policies in your environment’s AD tenancy. We will take you through enabling Conditional Access policies and configuring them to restrict user access to apps based on whether a set of conditions has been met.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com.
  • You should sign into the Azure portal with an account with the Global Administrator role.
  • You will require Azure AD Premium licenses or trial licenses.
  • If you have Security Defaults enabled, you will automatically have MFA enabled for all users and administrators using the free benefits of Azure AD. Using one of the paid Azure AD Premium licenses provides additional capabilities such as the additional authentication methods of verification codes, text messages, or phone calls, as well as the following:
    • Azure AD Premium P1: This license includes Azure Conditional Access for MFA
    • Azure AD Premium P2: This license adds risk-based Conditional Access to MFA

How to do it…

This recipe consists of the following task:

  • Configuring Conditional Access

Task – configuring Conditional Access

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory, click Security in the Manage section from the side menu, and then click Conditional Access in the Protect section.
  2. Click + New Policy from the top toolbar in the Conditional Access Policies blade:
Figure 1.30 – Conditional Access | Policies

  3. Select a Name for your policy from the New conditional access policy blade.
  4. From the Assignments section, select which users and groups this policy will apply to:
Figure 1.31 – User settings

  5. From the Cloud apps or actions section, select whether this policy will apply to Cloud apps or Actions; we will select Cloud apps:
Figure 1.32 – Apps setting

  6. From the Include tab, we will click Select apps, search for Azure Management, tick the check box next to Microsoft Azure Management app in the list, and click Select. Note the warning dialog box about not locking yourself out:
Figure 1.33 – App selection

  7. Click the Conditions settings, set any required conditions, or leave it unconfigured:
Figure 1.34 – Conditions settings

  8. From Grant, under the Access controls section, click on 0 controls selected, set it to Grant access, tick Require multifactor authentication, and then click Select:
Figure 1.35 – Access settings

  9. In the Enable policy section, leave it set to Report-only, then click Create.
  10. Your policy will now appear in the policies list:
Figure 1.36 – Access policies list

With that, you have configured Conditional Access. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we looked at how we can implement Conditional Access policies alongside MFA to add a further layer of defense while maintaining the users’ productivity needs.

We configured a Conditional Access policy for a set of selected users (or groups) that requires MFA when they access the Azure portal; this was enabled by selecting the Microsoft Azure Management app.
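
The IF/THEN model and the Report-only setting from this recipe can be traced in a small Python sketch. This is an added example, not code from the book or from Microsoft, and it is a simplified evaluator rather than Azure AD's engine. Field names follow the Microsoft Graph conditionalAccessPolicy resource; the user and group IDs, the excluded emergency account, the HR app and the second policy (one of the common policies listed earlier, which goes beyond the recipe) are constructed assumptions.

```python
"""Simplified model of Conditional Access IF/THEN evaluation (illustration
only, not Azure AD's engine). Field names follow the Microsoft Graph
conditionalAccessPolicy resource; user, group and HR app IDs are constructed."""
import copy

# appId of the "Microsoft Azure Management" cloud app chosen in the recipe.
AZURE_MANAGEMENT = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# The recipe's policy, left in Report-only; the excluded account is assumed.
RECIPE_POLICY = {
    "displayName": "Require MFA for Azure management",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeGroups": ["grp-azure-admins"],
                  "excludeUsers": ["usr-breakglass"]},
        "applications": {"includeApplications": [AZURE_MANAGEMENT]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# "Require password reset for risky users" from the list of common policies.
RISKY_USER_POLICY = {
    "displayName": "Password change for high-risk users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "userRiskLevels": ["high"],
    },
    "grantControls": {"operator": "AND",
                      "builtInControls": ["mfa", "passwordChange"]},
}

def in_scope(policy, signin):
    """The IF: do the sign-in signals match the assignments and conditions?"""
    cond = policy["conditions"]
    users, apps = cond["users"], cond["applications"]
    groups = set(signin["groups"])
    # Exclusions always win over inclusions.
    if (signin["userId"] in users.get("excludeUsers", [])
            or groups & set(users.get("excludeGroups", []))):
        return False
    include_users = users.get("includeUsers", [])
    if not ("All" in include_users or signin["userId"] in include_users
            or groups & set(users.get("includeGroups", []))):
        return False
    if not {"All", signin["appId"]} & set(apps.get("includeApplications", [])):
        return False
    levels = cond.get("userRiskLevels")
    return not levels or signin.get("userRisk", "none") in levels

def unmet_controls(policy, signin):
    """Grant controls the session still has to satisfy for this policy."""
    grant = policy["grantControls"]
    missing = [c for c in grant["builtInControls"]
               if c not in signin["satisfied"]]
    if grant["operator"] == "OR" and len(missing) < len(grant["builtInControls"]):
        return []  # OR: one satisfied control is enough
    return missing

def evaluate(policies, signin):
    """The THEN: fold every matching policy into one access decision."""
    decision, challenges, report_only = "allow", set(), []
    for policy in policies:
        if policy["state"] == "disabled" or not in_scope(policy, signin):
            continue
        missing = unmet_controls(policy, signin)
        if policy["state"] == "enabledForReportingButNotEnforced":
            # Report-only: the outcome is recorded but never enforced.
            report_only.append((policy["displayName"], missing))
        elif "block" in policy["grantControls"]["builtInControls"]:
            decision = "block"
        elif missing:
            challenges.update(missing)
            if decision != "block":
                decision = "challenge"
    return {"decision": decision, "challenges": sorted(challenges),
            "reportOnly": report_only}

def what_if_enforced(policy, signin):
    """Preview a Report-only policy as if Enable policy were set to On."""
    enforced = copy.deepcopy(policy)
    enforced["state"] = "enabled"
    return evaluate([enforced], signin)

# Constructed sign-ins (satisfied = controls already met in the session).
ADMIN_NO_MFA = {"userId": "usr-alice", "groups": ["grp-azure-admins"],
                "appId": AZURE_MANAGEMENT, "satisfied": []}
BREAKGLASS = {"userId": "usr-breakglass", "groups": ["grp-azure-admins"],
              "appId": AZURE_MANAGEMENT, "satisfied": []}
RISKY_USER = {"userId": "usr-bob", "groups": [], "appId": "app-hr-constructed",
              "satisfied": ["mfa"], "userRisk": "high"}

if __name__ == "__main__":
    for signin in (ADMIN_NO_MFA, BREAKGLASS, RISKY_USER):
        print(signin["userId"], evaluate([RECIPE_POLICY, RISKY_USER_POLICY], signin))
    print("what-if:", what_if_enforced(RECIPE_POLICY, ADMIN_NO_MFA))
```

Running the what-if check against every administrative and emergency account before switching a policy from Report-only to On shows who would be challenged or locked out.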

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing the Azure AD Identity Protection service

We need solutions that provide remediation actions based on threat intelligence insights. Using policies, we can detect and respond to identity-based threats automatically; this allows us to react quicker and does not rely on human operator intervention.

This recipe will teach you how to implement Azure AD Identity Protection in your environment’s AD tenancy.

We will take you through setting up risk policies, MFA registration policies, investigation, reports, and how to remediate identified risks.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • You should sign in to the Azure portal with an account with the Global Administrator role
  • You will require Azure AD Premium licenses or trial licenses

How to do it…

This recipe consists of the following task:

  • Configuring Identity Protection

Task – configuring Identity Protection

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory, click Security in the Manage section from the side menu, and then click Identity Protection in the Protect section.
  2. From the Identity Protection blade, click User risk policy:
Figure 1.37 – User risk policy

  3. From Assignments, click All users, review the available options, and select as required. You can set it to include or exclude.
  4. From User risk, select the risk level controls options to be enforced: High, Medium and above, or Low and above. Then, click Done.
  5. Click Block access from the Access section under Controls and select the controls to be enforced. You can set it to Block or Allow access and Require password change. Then, click Done:
Figure 1.38 – User risk policy settings screen

  6. Select On under Enforce policy, and then click Save.
  7. Complete the same steps but this time for Sign-in risk policy:
Figure 1.39 – Sign-in risk policy settings screen

With that, you have configured Identity Protection. This concludes the hands-on tasks for this recipe.

How it works…

This recipe looked at how to implement Azure AD Identity Protection.

A risk policy monitors for identity risks and, when one is detected, enforces remediation measures; these are the controls that have been set, such as blocking or allowing access and requiring a password change by the user.

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing Azure AD Privileged Identity Management

To protect your environment’s Azure AD tenancy and improve your security posture, you should implement a robust privileged identity protection strategy for roles and resources.

This recipe will teach you to implement Azure AD Privileged Identity Management (PIM) in your environment’s AD tenancy.

We will take you through configuring a user to be assigned a privileged access role in your Azure AD tenancy so that the user’s activity may be controlled.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • You should sign into the Azure portal with an account with the Global Administrator role
  • You will require Azure AD Premium licenses or trial licenses

How to do it…

This recipe consists of the following task:

  • Configuring Privileged Identity Management

Task – configuring Privileged Identity Management

Perform the following steps:

  1. From the Azure portal, search for Azure AD Privileged Identity Management and select access.
  2. From Azure AD Privileged Identity Management, select Azure Resources and click Discover resources:
Figure 1.40 – The Privileged Identity Management screen

  3. Select your Subscription from the Azure resources blade and click Manage resource from the top toolbar. Click OK on the pop-up screen, then close the Discovery page:
Figure 1.41 – The Azure resources blade

  4. Click the subscription listed on the Azure resources page; the Overview page will open. From the left menu, click Roles in the Manage section:
Figure 1.42 – Manage resources screen

  5. From the Roles blade, click + Add assignments from the top toolbar.
  6. From the Select role drop-down menu, select a role you want to be controlled via PIM. In our example, we will select the Azure Arc Kubernetes Admin role:
Figure 1.43 – Select role

  7. Click the No member selected hyperlink under Select member(s), then search for and select a user from your Azure AD tenant to be assigned this role:
Figure 1.44 – Select member(s)

  8. Click Next >.
  9. Select eligible under assignment type from the setting tab and set the assignment start and end date/times properties. Then, click Assign.
  10. You will now see information from the Overview page regarding this new assignment:
Figure 1.45 – Assignments on the Overview page

  11. From Assignments, in the Manage section, you will see your assignment listed:
Figure 1.46 – Assignments

  12. You should receive an email notification regarding this assignment; you can update or remove this assignment and create an access review for ongoing governance:
Figure 1.47 – Assignment notification email

With that, you have configured Privileged Identity Management. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we looked at how to configure Privileged Identity Management. We assigned a user the Azure Arc Kubernetes Admin role.

See also

Should you require further information, you can refer to the following Microsoft Learn articles:


Key benefits

  • Dive into practical recipes for implementing security solutions for Microsoft Azure resources
  • Learn how to implement Microsoft Defender for Cloud and Microsoft Sentinel
  • Work with real-world examples of Azure Platform security capabilities to develop skills quickly

Description

With evolving threats, securing your cloud workloads and resources is of utmost importance. Azure Security Cookbook is your comprehensive guide to understanding specific problems related to Azure security and finding the solutions to these problems. This book starts by introducing you to recipes on securing and protecting Azure Active Directory (AD) identities. After learning how to secure and protect Azure networks, you’ll explore ways of securing Azure remote access and securing Azure virtual machines, Azure databases, and Azure storage. As you advance, you’ll also discover how to secure and protect Azure environments using the Azure Advisor recommendations engine and utilize the Microsoft Defender for Cloud and Microsoft Sentinel tools. Finally, you’ll be able to implement traffic analytics; visualize traffic; and identify cyber threats as well as suspicious and malicious activity. By the end of this Azure security book, you will have an arsenal of solutions that will help you secure your Azure workload and resources.

Who is this book for?

This book is for Azure security professionals, Azure cloud professionals, Azure architects, and security professionals looking to implement secure cloud services using Microsoft Defender for Cloud and other Azure security features. A solid understanding of fundamental security concepts and prior exposure to the Azure cloud will help you understand the key concepts covered in the book more effectively. This book is also beneficial for those aiming to take Microsoft certification exams with a security element or focus.

What you will learn

  • Find out how to implement Azure security features and tools
  • Understand how to provide actionable insights into security incidents
  • Gain confidence in securing Azure resources and operations
  • Shorten your time to value for applying learned skills in real-world cases
  • Follow best practices and choices based on informed decisions
  • Better prepare for Microsoft certification with a security element

Product Details

Publication date: Mar 24, 2023
Length: 372 pages
Edition: 1st
Language: English
ISBN-13: 9781804616673


Table of Contents

14 Chapters
Part 1: Azure Security Features
Chapter 1: Securing Azure AD Identities
Chapter 2: Securing Azure Networks
Chapter 3: Securing Remote Access
Chapter 4: Securing Virtual Machines
Chapter 5: Securing Azure SQL Databases
Chapter 6: Securing Azure Storage
Part 2: Azure Security Tools
Chapter 7: Using Advisor
Chapter 8: Using Microsoft Defender for Cloud
Chapter 9: Using Microsoft Sentinel
Chapter 10: Using Traffic Analytics
Index
Other Books You May Enjoy

Customer reviews

Rating: 4.7 (20 Ratings)

Rating distribution
5 star 85%
4 star 10%
3 star 0%
2 star 0%
1 star 5%

Top Reviews

Dwayne Natwick May 23, 2023
Rating: 5
Another great book from Steve Miles. I had the opportunity to review his AZ-800 book a couple of weeks ago and it was amazing. I think that his Azure Security Cookbook is equally great! In this book, Steve has broken down the key areas of an Azure architecture and provided step-by-step guidance on how to secure the infrastructure. Sections on Identity, Networking, Endpoints, Storage, and Security tools provide helpful insights into good practices for cloud security. He adds in these guides terminology definitions and references for additional resources. Highly recommended for anyone that may be looking for where to start in securing an Azure infrastructure. Well done, Steve!
Amazon Verified review

CBR May 29, 2023
Rating: 5
Before you set up and operate Azure, you should read this book. Start by understanding how to secure Azure Active Directory and learn how to secure remote connectivity, VMs, databases, and storage. There are many other helpful topics including how to get the most out of Advisor. Check this one out!
Amazon Verified review

Tina Goodway Sep 07, 2023
Rating: 5
I found this book to be well formatted and easy to follow. Clearly directing you to the relevant places in the Azure portal. Steve is also very knowledgeable and has shared a lot of this in the book. Very useful for anyone looking at better securing their Azure infrastructure.
Amazon Verified review

Ryan Dec 12, 2023
Rating: 5
The book is brilliantly structured, offering a series of "recipes" – concise, digestible content that guides readers through enhancing their Azure Security posture. Each section is well crafted, providing clear, step-by-step walkthroughs and valuable advice. The coverage of topics is comprehensive, and the chapters on Securing Azure AD Identities, Azure Networks, Remote Access, Virtual Machines, Azure SQL Databases, and Azure Storage are particularly insightful. Additionally, the inclusion of Advisor, Microsoft Defender for Cloud, and Microsoft Sentinel offers a high-level view into some of Azure's most powerful security tooling. The guidance is practical and easily applicable, making the 'Azure Security Cookbook' a must-read for anyone looking to strengthen their Azure Security framework.
Amazon Verified review

GUNDERSTONE Jun 22, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Author Steve Miles is a Microsoft Azure MVP, MCT, and multi-cloud and hybrid technologies expert. With a career spanning over two decades, he has accumulated extensive knowledge in security, networking, data center infrastructure, managed hosting, and cloud solutions. Steve's experience has been garnered through working in various sectors, including end-user, reseller channel, and vendor spaces. He has collaborated with global networks, data, and app security vendors, international telco hosters, colocation, and data center service providers, and managed hosting and hardware distribution.Steve has held several key roles throughout his career, including network security architect, global solutions architect, public cloud security solutions architect, and Azure practice technical lead. He is employed by a prominent multi-cloud distributor based in the UK and Dublin, where he serves in a cloud and hybrid technology leadership position.Steve is most content when he's in front of a whiteboard, using illustrations to communicate. He is widely recognized for his ability to break down intricate technologies and concepts into relatable, real-world situations using analogies. His first Microsoft certification was on Windows NT, and he has since acquired numerous certifications, including MCP, MCITP, MCSA, and MCSE for Windows Server and other Microsoft products. Additionally, Steve holds multiple Microsoft Fundamentals, Associate, Expert, and Specialty certifications in Azure Security, Identity, Network, M365, and D365.Beyond Microsoft, Steve possesses various security and networking vendor certifications, including PRINCE2 and ITIL. He is affiliated with industry organizations like CIF, ISCA, and IISP. Embracing the multi-cloud aspect of his expertise, he has experience with GCP and AWS, is Alibaba-Cloud-certified, and has been nominated as an Alibaba Cloud MVP.The Azure Security Cookbook covers various critical topics related to securing Azure resources. 
These topics are organized into chapters.This book is designed for security-oriented professionals who seek to safeguard Azure resources utilizing the native Azure platform's security capabilities and tools. A firm grasp of essential security principles and prior experience with Azure will enable you to comprehend the crucial ideas discussed in the book more efficiently. Additionally, this book is a valuable resource for individuals preparing for Microsoft certification exams with a security component or emphasis.Chapter 1, Securing Azure AD Identities, instructs users on securing and safeguarding Azure AD identities.Readers will gain insights into securing and safeguarding Azure AD identities. The chapter is divided into sections, reviewing your environments, including security posture, tenant-level identity and access management, password management and protection, security defaults, multi-factor authentication, and Conditional Access.The chapter then explores the implementation of Identity Protection and Identity Management services.Upon completing this chapter, you will have learned the following techniques to establish secure Azure AD identities:-- Assessing Azure AD Identity Secure Score-- Executing Azure AD tenant Identity and Access Management-- Employing Azure AD Password Protection-- Enabling Self-Service Password Reset-- Applying Azure AD security defaults-- Incorporating Azure AD multi-factor authentication-- Establishing Conditional Access policies-- Deploying Azure AD Identity Protection-- Utilizing Azure AD Privileged Identity ManagementChapter 2, Securing Azure Networks, explains how to secure and protect Azure networks. This chapter covers topics including implementing Network Security Groups, Azure Firewall, Azure Web Application Firewall, and Azure DDoS.The focus of the topics reviews Zero Trust and defense in depth and how they should be regarded as essential components of a cloud security strategy. 
It follows that it is crucial to view the network as untrusted and operate under the assumption of a breach.The chapter builds on these principles and explores techniques to enable readers to secure their Azure networks better and effectively.Network protections are reviewed from the perspective of the Open Systems Interconnection (OSI) model, concentrating on solutions for safeguarding Layer 3 (Network), Layer 4 (Transport), and Layer 7 (Application).Upon completing this chapter, readers will have acquired essential skills for securing Azure networks through the following methods:-- Implementing network security groups-- Deploying Azure Firewall-- Utilizing Azure Web Application Firewall-- Applying Azure DDoS protectionChapter 3, Securing Remote Access, focuses on how to secure and protect remote access. The chapter covers implementing the Azure Bastion service, implementing Azure Network Adapter, and implementing Just-in-Time (JIT) VM access.Before deploying resources in Azure, it is essential to consider how to securely, controllably, and provide remote access that can be fully audited.This chapter explores ways to protect networks and the resources they access.Building on the network security aspects discussed in the previous chapter, the author breaks down this chapter into examples demonstrating how to securely extend an on-premises site into Azure using an encrypted virtual network gateway service with Azure Network Adapter.The Azure Bastion service is reviewed. 
The service enables RDP and SSH access without opening these management ports or assigning public IPs to resources on the virtual network.The chapter concludes with a discussion topic on minimizing exposure for our Azure Virtual Machines (VMs) by limiting inbound traffic and restricting access to management ports via Just-in-Time (JIT) access.After the chapter, readers will have gained insights into the following secure remote access aspects:-- Implementing Azure Network Adapter-- Deploying the Azure Bastion service-- Utilizing JIT VM accessChapter 4, Securing Virtual Machines, focuses on the protection and security of Azure VMs. The chapter is arranged into segments that cover implementing VM Update Management, deploying VM Microsoft antimalware, and applying Disk Encryption for Azure VMs.In Chapter 3, the author discussed methods for securely accessing Azure resources remotely and minimizing exposure to management ports on Azure Virtual Machines (VMs).When creating Azure VMs or any Azure resource, adopting a defense-in-depth (DiD) approach is crucial. This means we should not rely solely on identity, network, or remote access layers to secure our resources. Instead, we should also implement protection controls at the resource layer, often called workload protection.This chapter reviews the subjects of securing and safeguarding Azure VMs. The topics cover utilizing the VM Update Management service, protection through the Microsoft Antimalware service, and disk encryption.Upon completing this chapter, readers will have acquired skills for securing Azure VMs through the following techniques:-- Implementing VM Update Management-- Deploying VM Microsoft Antimalware-- Applying VM Azure Disk EncryptionChapter 5, Securing Azure SQL Databases, explores the various techniques to ensure the safety and protection of Azure databases. 
The chapter is arranged into segments that cover implementing a service-level IP firewall, setting up a private endpoint, and incorporating Azure AD authentication and authorization.In public cloud provider platforms, the shared responsibility model dictates that while the provider offers security and control mechanisms for the platform hosting the data, the customer is ultimately responsible for properly implementing and configuring these controls and ensuring appropriate governance and operations.It is crucial to emphasize that the customer is responsible for the data stored on these platforms and their operations.An analogy can be drawn between a rented property and the relationship with the landlord. The landlord provides doors, windows, and security measures such as locks, alarms, gated vehicle access, and CCTV monitoring. However, you are responsible for closing the doors, setting the alarm, securing the gates, and operating the CCTV.Failing to enable and configure these platform provider controls to secure your data indicates negligence in your duty of care for that data.This chapter will guide you through securing and protecting Azure databases.Upon completing this chapter, you will have learned the following techniques for securing Azure databases:-- Implementing a service-level IP firewall-- Implementing a private endpoint-- Implementing Azure AD authentication and authorizationChapter 6, Securing Azure Storage, breaks down how to secure and protect Azure storage, covering the following topics:-- Implementing security settings on storage accounts-- Implementing network security-- Implementing encryption.The discussion regarding the shared responsibility model in public cloud platform service providers continues across these topics, as customers are responsible for the security of storage hosted in Azure and for enabling and configuring suitable protection and security controls based on their requirements.By default, Azure Storage accounts have a public 
endpoint accessible via the Internet. As a result, it is essential to implement security and access control layers as part of our defense-in-depth strategy.

This chapter reviews securing and managing access to your Azure storage accounts and examines the security settings that can be configured during storage account creation, network security, and encryption.

Chapter 7, Using Advisor, delves into securing and safeguarding Azure environments with the help of the Advisor recommendations engine. The chapter is divided into sections focusing on security recommendations and secure scores, as well as the implementation of these recommendations.

Throughout this chapter, you'll discover how to secure and defend Azure environments using the security aspects of the Advisor recommendations engine. While Advisor can also offer recommendations for reliability, performance, cost, and operational excellence, these topics fall outside the scope of this book.

This section will divide the chapter into segments covering security recommendations and secure scores, configuring security recommendations, setting up alerts, and carrying out recommendations remediation.

By the conclusion of this chapter, you will have acquired the skills to maximize the effectiveness of Advisor:

  • Evaluating security recommendations
  • Implementing the security recommendations

Chapter 8, Utilizing Microsoft Defender for Cloud, showcases the components of Defender for Cloud and illustrates how to activate its advanced security features. Additionally, it demonstrates how to incorporate a regulatory standard into the compliance dashboard and evaluate the environment's regulatory compliance against the added standard.

Readers will also better understand how to apply security posture management and workload protection using Microsoft Defender for Cloud.

Upon completing this chapter, you will be able to utilize Microsoft Defender for Cloud effectively:

  • Examining the components and capabilities of Defender for Cloud
  • Activating the advanced security features of Defender for Cloud
  • Incorporating a Regulatory Standard into the Regulatory compliance dashboard
  • Evaluating your regulatory compliance

Chapter 9, Utilizing Microsoft Sentinel, guides you through the process of enabling Microsoft Sentinel and reviewing its components. Additionally, it demonstrates how to create automation, set up a data connector, and establish an analytics rule.

Sentinel, Microsoft's cloud-based SIEM and SOAR solution, offers comprehensive security and event data aggregation, threat analysis, and response capabilities across public cloud, hybrid, and on-premises environments.

You will learn to deploy Microsoft Sentinel, gather data, configure security alerts using analytics, and establish automated responses.

Upon completing this chapter, you will be able to utilize Microsoft Sentinel effectively:

  • Examining the components of Microsoft Sentinel
  • Activating Microsoft Sentinel
  • Developing automation
  • Setting up a data connector and analytics rule

Chapter 10, Using Traffic Analytics, covers the implementation of Traffic Analytics.

You will learn to collect NSG flow logs from virtual machines (VMs) to monitor and analyze network traffic.

By the end of this chapter, you will have learned the skills required to carry out the following recipe in secure Azure AD:

  • Implementing traffic analytics

The Azure Security Cookbook is invaluable for security-focused professionals seeking to protect their resources using native Azure platform security features and tools. This comprehensive guide offers practical recipes and step-by-step instructions to enhance the security of your Azure environment.

As outlined above, throughout the book, the author covers a wide range of vital topics, including securing Azure AD identities, securing Azure networks, securing remote access, securing virtual machines, securing Azure SQL databases, and securing Azure storage. Each chapter provides in-depth explanations, clear instructions, and real-world examples to help readers understand and implement security measures effectively.

One of the standout features of this book is its emphasis on practicality. The recipes and techniques provided are theoretical concepts and actionable steps that can be implemented in real-world scenarios. The author's expertise and experience shine through, making the content accessible and relevant to security professionals at all levels.

Furthermore, the book's organization and structure make navigating and finding specific solutions to day-to-day security challenges easy. Whether you are a beginner or an experienced Azure user, the book caters to a wide range of skill levels, providing a solid foundation in fundamental security concepts while delving into advanced topics.

Additionally, the author's commitment to the technical learning community is evident, as he encourages feedback from readers and acknowledges their valuable time and dedication to learning new skills.

In conclusion, the Azure Security Cookbook is a must-have guide for anyone looking to secure their Azure resources effectively. With its practical approach, comprehensive coverage, and expert insights, this book is a valuable reference and guide for security professionals aiming to protect their Azure environment.
Amazon Verified review

FAQs

How do I buy and download an eBook?

Where there is an eBook version of a title available, you can buy it from the book details for that title. Add either the standalone eBook or the eBook and print book bundle to your shopping cart. Your eBook will show in your cart as a product on its own. After completing checkout and payment in the normal way, you will receive your receipt on the screen containing a link to a personalised PDF download file. This link will remain active for 30 days. You can download backup copies of the file by logging in to your account at any time.

If you already have Adobe reader installed, then clicking on the link will download and open the PDF file directly. If you don't, then save the PDF file on your machine and download the Reader to view it.

Please Note: Packt eBooks are non-returnable and non-refundable.

Packt eBook and Licensing

When you buy an eBook from Packt Publishing, completing your purchase means you accept the terms of our licence agreement. Please read the full text of the agreement. In it we have tried to balance the need for the eBook to be usable for you the reader with our needs to protect the rights of us as Publishers and of our authors. In summary, the agreement says:

  • You may make copies of your eBook for your own use onto any machine
  • You may not pass copies of the eBook on to anyone else

How can I make a purchase on your website?

If you want to purchase a video course, eBook or Bundle (Print+eBook), please follow the steps below:

  1. Register on our website using your email address and the password.
  2. Search for the title by name or ISBN using the search option.
  3. Select the title you want to purchase.
  4. Choose the format you wish to purchase the title in; if you order the Print Book, you get a free eBook copy of the same title. 
  5. Proceed with the checkout process (payment to be made using Credit Card, Debit Card, or PayPal)

Where can I access support around an eBook?

  • If you experience a problem with using or installing Adobe Reader, then contact Adobe directly.
  • To view the errata for the book, see www.packtpub.com/support and view the pages for the title you have.
  • To view your account details or to download a new copy of the book go to www.packtpub.com/account
  • To contact us directly if a problem is not resolved, use www.packtpub.com/contact-us

What eBook formats do Packt support?

Our eBooks are currently available in a variety of formats such as PDF and ePubs. In the future, this may well change with trends and development in technology, but please note that our PDFs are not Adobe eBook Reader format, which has greater restrictions on security.

You will need to use Adobe Reader v9 or later in order to read Packt's PDF eBooks.

What are the benefits of eBooks?

  • You can get the information you need immediately
  • You can easily take them with you on a laptop
  • You can download them an unlimited number of times
  • You can print them out
  • They are copy-paste enabled
  • They are searchable
  • There is no password protection
  • They are lower in price than print
  • They save resources and space

What is an eBook?

Packt eBooks are a complete electronic version of the print edition, available in PDF and ePub formats. Every piece of content down to the page numbering is the same. Because we save the costs of printing and shipping the book to you, we are able to offer eBooks at a lower cost than print editions.

When you have purchased an eBook, simply log in to your account and click on the link in Your Download Area. We recommend saving the file to your hard drive before opening it.

For optimal viewing of our eBooks, we recommend you download and install the free Adobe Reader version 9.
